3 * Copyright 2015 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/security/security_connector/ssl_utils.h"
25 #include "absl/strings/str_cat.h"
27 #include <grpc/slice_buffer.h>
28 #include <grpc/support/alloc.h>
29 #include <grpc/support/log.h>
31 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
32 #include "src/core/lib/channel/channel_args.h"
33 #include "src/core/lib/gpr/string.h"
34 #include "src/core/lib/gprpp/host_port.h"
35 #include "src/core/lib/gprpp/ref_counted_ptr.h"
36 #include "src/core/lib/iomgr/load_file.h"
37 #include "src/core/lib/security/context/security_context.h"
38 #include "src/core/lib/security/security_connector/load_system_roots.h"
39 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
40 #include "src/core/tsi/ssl_transport_security.h"
42 /* -- Constants. -- */
44 #if defined(GRPC_ROOT_PEM_PATH)
45 static const char* installed_roots_path = GRPC_ROOT_PEM_PATH;
46 #elif defined(INSTALL_PREFIX)
47 static const char* installed_roots_path =
48 INSTALL_PREFIX "/usr/share/grpc/roots.pem";
50 static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
53 #ifndef TSI_OPENSSL_ALPN_SUPPORT
54 #define TSI_OPENSSL_ALPN_SUPPORT 1
57 /* -- Overridden default roots. -- */
59 static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
61 void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
62 ssl_roots_override_cb = cb;
65 /* -- Cipher suites. -- */
67 static gpr_once cipher_suites_once = GPR_ONCE_INIT;
68 static const char* cipher_suites = nullptr;
70 // All cipher suites for default are compliant with HTTP2.
71 GPR_GLOBAL_CONFIG_DEFINE_STRING(
72 grpc_ssl_cipher_suites,
73 "TLS_AES_128_GCM_SHA256:"
74 "TLS_AES_256_GCM_SHA384:"
75 "TLS_CHACHA20_POLY1305_SHA256:"
76 "ECDHE-ECDSA-AES128-GCM-SHA256:"
77 "ECDHE-ECDSA-AES256-GCM-SHA384:"
78 "ECDHE-RSA-AES128-GCM-SHA256:"
79 "ECDHE-RSA-AES256-GCM-SHA384",
80 "A colon separated list of cipher suites to use with OpenSSL")
82 static void init_cipher_suites(void) {
83 grpc_core::UniquePtr<char> value =
84 GPR_GLOBAL_CONFIG_GET(grpc_ssl_cipher_suites);
85 cipher_suites = value.release();
90 const char* grpc_get_ssl_cipher_suites(void) {
91 gpr_once_init(&cipher_suites_once, init_cipher_suites);
95 grpc_security_level grpc_tsi_security_level_string_to_enum(
96 const char* security_level) {
97 if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
98 return GRPC_INTEGRITY_ONLY;
99 } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
100 return GRPC_PRIVACY_AND_INTEGRITY;
102 return GRPC_SECURITY_NONE;
105 const char* grpc_security_level_to_string(grpc_security_level security_level) {
106 if (security_level == GRPC_PRIVACY_AND_INTEGRITY) {
107 return "GRPC_PRIVACY_AND_INTEGRITY";
108 } else if (security_level == GRPC_INTEGRITY_ONLY) {
109 return "GRPC_INTEGRITY_ONLY";
111 return "GRPC_SECURITY_NONE";
114 bool grpc_check_security_level(grpc_security_level channel_level,
115 grpc_security_level call_cred_level) {
116 return static_cast<int>(channel_level) >= static_cast<int>(call_cred_level);
119 tsi_client_certificate_request_type
120 grpc_get_tsi_client_certificate_request_type(
121 grpc_ssl_client_certificate_request_type grpc_request_type) {
122 switch (grpc_request_type) {
123 case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
124 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
126 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
127 return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
129 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
130 return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
132 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
133 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
135 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
136 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
139 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
143 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
144 switch (tls_version) {
145 case grpc_tls_version::TLS1_2:
146 return tsi_tls_version::TSI_TLS1_2;
147 case grpc_tls_version::TLS1_3:
148 return tsi_tls_version::TSI_TLS1_3;
150 gpr_log(GPR_INFO, "Falling back to TLS 1.2.");
151 return tsi_tls_version::TSI_TLS1_2;
155 grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer) {
156 #if TSI_OPENSSL_ALPN_SUPPORT
157 /* Check the ALPN if ALPN is supported. */
158 const tsi_peer_property* p =
159 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
161 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
162 "Cannot check peer: missing selected ALPN property.");
164 if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
165 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
166 "Cannot check peer: invalid ALPN value.");
168 #endif /* TSI_OPENSSL_ALPN_SUPPORT */
169 return GRPC_ERROR_NONE;
172 grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
173 const tsi_peer* peer) {
174 /* Check the peer name if specified. */
175 if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
176 return GRPC_ERROR_CREATE_FROM_CPP_STRING(
177 absl::StrCat("Peer name ", peer_name, " is not in peer certificate"));
179 return GRPC_ERROR_NONE;
182 bool grpc_ssl_check_call_host(absl::string_view host,
183 absl::string_view target_name,
184 absl::string_view overridden_target_name,
185 grpc_auth_context* auth_context,
186 grpc_error_handle* error) {
187 grpc_security_status status = GRPC_SECURITY_ERROR;
188 tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
189 if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
190 /* If the target name was overridden, then the original target_name was
191 'checked' transitively during the previous peer check at the end of the
193 if (!overridden_target_name.empty() && host == target_name) {
194 status = GRPC_SECURITY_OK;
196 if (status != GRPC_SECURITY_OK) {
197 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
198 "call host does not match SSL server name");
200 grpc_shallow_peer_destruct(&peer);
204 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
205 GPR_ASSERT(num_alpn_protocols != nullptr);
206 *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
207 const char** alpn_protocol_strings = static_cast<const char**>(
208 gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
209 for (size_t i = 0; i < *num_alpn_protocols; i++) {
210 alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
212 return alpn_protocol_strings;
215 int grpc_ssl_host_matches_name(const tsi_peer* peer,
216 absl::string_view peer_name) {
217 absl::string_view allocated_name;
218 absl::string_view ignored_port;
219 grpc_core::SplitHostPort(peer_name, &allocated_name, &ignored_port);
220 if (allocated_name.empty()) return 0;
222 // IPv6 zone-id should not be included in comparisons.
223 const size_t zone_id = allocated_name.find('%');
224 if (zone_id != absl::string_view::npos) {
225 allocated_name.remove_suffix(allocated_name.size() - zone_id);
227 return tsi_ssl_peer_matches_name(peer, allocated_name);
230 int grpc_ssl_cmp_target_name(absl::string_view target_name,
231 absl::string_view other_target_name,
232 absl::string_view overridden_target_name,
233 absl::string_view other_overridden_target_name) {
234 int c = target_name.compare(other_target_name);
235 if (c != 0) return c;
236 return overridden_target_name.compare(other_overridden_target_name);
239 static bool IsSpiffeId(absl::string_view uri) {
240 // Return false without logging for a non-spiffe uri scheme.
241 if (!absl::StartsWith(uri, "spiffe://")) {
244 if (uri.size() > 2048) {
245 gpr_log(GPR_INFO, "Invalid SPIFFE ID: ID longer than 2048 bytes.");
248 std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
249 if (splits.size() < 4 || splits[3] == "") {
250 gpr_log(GPR_INFO, "Invalid SPIFFE ID: workload id is empty.");
253 if (splits[2].size() > 255) {
254 gpr_log(GPR_INFO, "Invalid SPIFFE ID: domain longer than 255 characters.");
260 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
261 const tsi_peer* peer, const char* transport_security_type) {
263 const char* peer_identity_property_name = nullptr;
265 /* The caller has checked the certificate type property. */
266 GPR_ASSERT(peer->property_count >= 1);
267 grpc_core::RefCountedPtr<grpc_auth_context> ctx =
268 grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
269 grpc_auth_context_add_cstring_property(
270 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
271 transport_security_type);
272 const char* spiffe_data = nullptr;
273 size_t spiffe_length = 0;
275 bool has_spiffe_id = false;
276 for (i = 0; i < peer->property_count; i++) {
277 const tsi_peer_property* prop = &peer->properties[i];
278 if (prop->name == nullptr) continue;
279 if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
280 /* If there is no subject alt name, have the CN as the identity. */
281 if (peer_identity_property_name == nullptr) {
282 peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
284 grpc_auth_context_add_property(ctx.get(), GRPC_X509_CN_PROPERTY_NAME,
285 prop->value.data, prop->value.length);
286 } else if (strcmp(prop->name,
287 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
288 peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
289 grpc_auth_context_add_property(ctx.get(), GRPC_X509_SAN_PROPERTY_NAME,
290 prop->value.data, prop->value.length);
291 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
292 grpc_auth_context_add_property(ctx.get(),
293 GRPC_X509_PEM_CERT_PROPERTY_NAME,
294 prop->value.data, prop->value.length);
295 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_CHAIN_PROPERTY) == 0) {
296 grpc_auth_context_add_property(ctx.get(),
297 GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME,
298 prop->value.data, prop->value.length);
299 } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
300 grpc_auth_context_add_property(ctx.get(),
301 GRPC_SSL_SESSION_REUSED_PROPERTY,
302 prop->value.data, prop->value.length);
303 } else if (strcmp(prop->name, TSI_SECURITY_LEVEL_PEER_PROPERTY) == 0) {
304 grpc_auth_context_add_property(
305 ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
306 prop->value.data, prop->value.length);
307 } else if (strcmp(prop->name, TSI_X509_DNS_PEER_PROPERTY) == 0) {
308 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_DNS_PROPERTY_NAME,
309 prop->value.data, prop->value.length);
310 } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
311 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_URI_PROPERTY_NAME,
312 prop->value.data, prop->value.length);
314 absl::string_view spiffe_id(prop->value.data, prop->value.length);
315 if (IsSpiffeId(spiffe_id)) {
316 spiffe_data = prop->value.data;
317 spiffe_length = prop->value.length;
318 has_spiffe_id = true;
320 } else if (strcmp(prop->name, TSI_X509_EMAIL_PEER_PROPERTY) == 0) {
321 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_EMAIL_PROPERTY_NAME,
322 prop->value.data, prop->value.length);
323 } else if (strcmp(prop->name, TSI_X509_IP_PEER_PROPERTY) == 0) {
324 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_IP_PROPERTY_NAME,
325 prop->value.data, prop->value.length);
328 if (peer_identity_property_name != nullptr) {
329 GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
330 ctx.get(), peer_identity_property_name) == 1);
332 // A valid SPIFFE certificate can only have exact one URI SAN field.
334 if (uri_count == 1) {
335 GPR_ASSERT(spiffe_length > 0);
336 GPR_ASSERT(spiffe_data != nullptr);
337 grpc_auth_context_add_property(ctx.get(),
338 GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
339 spiffe_data, spiffe_length);
341 gpr_log(GPR_INFO, "Invalid SPIFFE ID: multiple URI SANs.");
347 static void add_shallow_auth_property_to_peer(tsi_peer* peer,
348 const grpc_auth_property* prop,
349 const char* tsi_prop_name) {
350 tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
351 tsi_prop->name = const_cast<char*>(tsi_prop_name);
352 tsi_prop->value.data = prop->value;
353 tsi_prop->value.length = prop->value_length;
356 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
357 const grpc_auth_context* auth_context) {
358 size_t max_num_props = 0;
359 grpc_auth_property_iterator it;
360 const grpc_auth_property* prop;
362 memset(&peer, 0, sizeof(peer));
364 it = grpc_auth_context_property_iterator(auth_context);
365 while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
367 if (max_num_props > 0) {
368 peer.properties = static_cast<tsi_peer_property*>(
369 gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
370 it = grpc_auth_context_property_iterator(auth_context);
371 while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
372 if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
373 add_shallow_auth_property_to_peer(
374 &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
375 } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
376 add_shallow_auth_property_to_peer(
377 &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
378 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
379 add_shallow_auth_property_to_peer(&peer, prop,
380 TSI_X509_PEM_CERT_PROPERTY);
381 } else if (strcmp(prop->name,
382 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME) == 0) {
383 add_shallow_auth_property_to_peer(&peer, prop,
384 TSI_SECURITY_LEVEL_PEER_PROPERTY);
385 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME) ==
387 add_shallow_auth_property_to_peer(&peer, prop,
388 TSI_X509_PEM_CERT_CHAIN_PROPERTY);
389 } else if (strcmp(prop->name, GRPC_PEER_DNS_PROPERTY_NAME) == 0) {
390 add_shallow_auth_property_to_peer(&peer, prop,
391 TSI_X509_DNS_PEER_PROPERTY);
392 } else if (strcmp(prop->name, GRPC_PEER_URI_PROPERTY_NAME) == 0) {
393 add_shallow_auth_property_to_peer(&peer, prop,
394 TSI_X509_URI_PEER_PROPERTY);
395 } else if (strcmp(prop->name, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME) == 0) {
396 add_shallow_auth_property_to_peer(&peer, prop,
397 TSI_X509_URI_PEER_PROPERTY);
398 } else if (strcmp(prop->name, GRPC_PEER_EMAIL_PROPERTY_NAME) == 0) {
399 add_shallow_auth_property_to_peer(&peer, prop,
400 TSI_X509_EMAIL_PEER_PROPERTY);
401 } else if (strcmp(prop->name, GRPC_PEER_IP_PROPERTY_NAME) == 0) {
402 add_shallow_auth_property_to_peer(&peer, prop,
403 TSI_X509_IP_PEER_PROPERTY);
410 void grpc_shallow_peer_destruct(tsi_peer* peer) {
411 if (peer->properties != nullptr) gpr_free(peer->properties);
414 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
415 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
416 bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
417 tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
418 tsi_ssl_client_handshaker_factory** handshaker_factory) {
419 const char* root_certs;
420 const tsi_ssl_root_certs_store* root_store;
421 if (pem_root_certs == nullptr) {
423 "No root certificates specified; use ones stored in system default "
424 "locations instead");
425 // Use default root certificates.
426 root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
427 if (root_certs == nullptr) {
428 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
429 return GRPC_SECURITY_ERROR;
431 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
433 root_certs = pem_root_certs;
434 root_store = nullptr;
436 bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
437 pem_key_cert_pair->private_key != nullptr &&
438 pem_key_cert_pair->cert_chain != nullptr;
439 tsi_ssl_client_handshaker_options options;
440 GPR_DEBUG_ASSERT(root_certs != nullptr);
441 options.pem_root_certs = root_certs;
442 options.root_store = root_store;
443 options.alpn_protocols =
444 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
445 if (has_key_cert_pair) {
446 options.pem_key_cert_pair = pem_key_cert_pair;
448 options.cipher_suites = grpc_get_ssl_cipher_suites();
449 options.session_cache = ssl_session_cache;
450 options.skip_server_certificate_verification =
451 skip_server_certificate_verification;
452 options.min_tls_version = min_tls_version;
453 options.max_tls_version = max_tls_version;
454 const tsi_result result =
455 tsi_create_ssl_client_handshaker_factory_with_options(&options,
457 gpr_free(options.alpn_protocols);
458 if (result != TSI_OK) {
459 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
460 tsi_result_to_string(result));
461 return GRPC_SECURITY_ERROR;
463 return GRPC_SECURITY_OK;
466 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
467 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
468 const char* pem_root_certs,
469 grpc_ssl_client_certificate_request_type client_certificate_request,
470 tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
471 tsi_ssl_server_handshaker_factory** handshaker_factory) {
472 size_t num_alpn_protocols = 0;
473 const char** alpn_protocol_strings =
474 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
475 tsi_ssl_server_handshaker_options options;
476 options.pem_key_cert_pairs = pem_key_cert_pairs;
477 options.num_key_cert_pairs = num_key_cert_pairs;
478 options.pem_client_root_certs = pem_root_certs;
479 options.client_certificate_request =
480 grpc_get_tsi_client_certificate_request_type(client_certificate_request);
481 options.cipher_suites = grpc_get_ssl_cipher_suites();
482 options.alpn_protocols = alpn_protocol_strings;
483 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
484 options.min_tls_version = min_tls_version;
485 options.max_tls_version = max_tls_version;
486 const tsi_result result =
487 tsi_create_ssl_server_handshaker_factory_with_options(&options,
489 gpr_free(alpn_protocol_strings);
490 if (result != TSI_OK) {
491 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
492 tsi_result_to_string(result));
493 return GRPC_SECURITY_ERROR;
495 return GRPC_SECURITY_OK;
498 /* --- Ssl cache implementation. --- */
500 grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
501 tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
502 return reinterpret_cast<grpc_ssl_session_cache*>(cache);
505 void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
506 tsi_ssl_session_cache* tsi_cache =
507 reinterpret_cast<tsi_ssl_session_cache*>(cache);
508 tsi_ssl_session_cache_unref(tsi_cache);
511 static void* grpc_ssl_session_cache_arg_copy(void* p) {
512 tsi_ssl_session_cache* tsi_cache =
513 reinterpret_cast<tsi_ssl_session_cache*>(p);
514 // destroy call below will unref the pointer.
515 tsi_ssl_session_cache_ref(tsi_cache);
519 static void grpc_ssl_session_cache_arg_destroy(void* p) {
520 tsi_ssl_session_cache* tsi_cache =
521 reinterpret_cast<tsi_ssl_session_cache*>(p);
522 tsi_ssl_session_cache_unref(tsi_cache);
525 static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
526 return GPR_ICMP(p, q);
529 grpc_arg grpc_ssl_session_cache_create_channel_arg(
530 grpc_ssl_session_cache* cache) {
531 static const grpc_arg_pointer_vtable vtable = {
532 grpc_ssl_session_cache_arg_copy,
533 grpc_ssl_session_cache_arg_destroy,
534 grpc_ssl_session_cache_arg_cmp,
536 return grpc_channel_arg_pointer_create(
537 const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
540 /* --- Default SSL root store implementation. --- */
542 namespace grpc_core {
544 tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
545 grpc_slice DefaultSslRootStore::default_pem_root_certs_;
547 const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
549 return default_root_store_;
552 const char* DefaultSslRootStore::GetPemRootCerts() {
554 return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
556 : reinterpret_cast<const char*>
557 GRPC_SLICE_START_PTR(default_pem_root_certs_);
560 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
561 grpc_slice result = grpc_empty_slice();
562 const bool not_use_system_roots =
563 GPR_GLOBAL_CONFIG_GET(grpc_not_use_system_ssl_roots);
564 // First try to load the roots from the configuration.
565 grpc_core::UniquePtr<char> default_root_certs_path =
566 GPR_GLOBAL_CONFIG_GET(grpc_default_ssl_roots_file_path);
567 if (strlen(default_root_certs_path.get()) > 0) {
569 "load_file", grpc_load_file(default_root_certs_path.get(), 1, &result));
571 // Try overridden roots if needed.
572 grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
573 if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
574 char* pem_root_certs = nullptr;
575 ovrd_res = ssl_roots_override_cb(&pem_root_certs);
576 if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
577 GPR_ASSERT(pem_root_certs != nullptr);
578 result = grpc_slice_from_copied_buffer(
580 strlen(pem_root_certs) + 1); // nullptr terminator.
582 gpr_free(pem_root_certs);
584 // Try loading roots from OS trust store if flag is enabled.
585 if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
586 result = LoadSystemRootCerts();
588 // Fallback to roots manually shipped with gRPC.
589 if (GRPC_SLICE_IS_EMPTY(result) &&
590 ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
591 GRPC_LOG_IF_ERROR("load_file",
592 grpc_load_file(installed_roots_path, 1, &result));
597 void DefaultSslRootStore::InitRootStore() {
598 static gpr_once once = GPR_ONCE_INIT;
599 gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
602 void DefaultSslRootStore::InitRootStoreOnce() {
603 default_pem_root_certs_ = ComputePemRootCerts();
604 if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
605 default_root_store_ =
606 tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
607 GRPC_SLICE_START_PTR(default_pem_root_certs_)));
611 } // namespace grpc_core