projects / platform / upstream / grpc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Imported Upstream version 1.26.0
[platform/upstream/grpc.git] / src / core / lib / security / security_connector / tls / spiffe_security_connector.cc
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/tls/spiffe_security_connector.h"
22
23 #include <stdbool.h>
24 #include <string.h>
25
26 #include <grpc/grpc.h>
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30
31 #include "src/core/lib/gprpp/host_port.h"
32 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
33 #include "src/core/lib/security/credentials/tls/spiffe_credentials.h"
34 #include "src/core/lib/security/security_connector/ssl_utils.h"
35 #include "src/core/lib/security/transport/security_handshaker.h"
36 #include "src/core/lib/slice/slice_internal.h"
37 #include "src/core/lib/transport/transport.h"
38 #include "src/core/tsi/ssl_transport_security.h"
39 #include "src/core/tsi/transport_security.h"
40
41 namespace grpc_core {
42
43 namespace {
44
45 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
46     const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
47   tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
48   size_t num_key_cert_pairs = cert_pair_list.size();
49   if (num_key_cert_pairs > 0) {
50     GPR_ASSERT(cert_pair_list.data() != nullptr);
51     tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
52         gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
53   }
54   for (size_t i = 0; i < num_key_cert_pairs; i++) {
55     GPR_ASSERT(cert_pair_list[i].private_key() != nullptr);
56     GPR_ASSERT(cert_pair_list[i].cert_chain() != nullptr);
57     tsi_pairs[i].cert_chain = gpr_strdup(cert_pair_list[i].cert_chain());
58     tsi_pairs[i].private_key = gpr_strdup(cert_pair_list[i].private_key());
59   }
60   return tsi_pairs;
61 }
62
63 }  // namespace
64
65 /** -- Util function to fetch SPIFFE server/channel credentials. -- */
66 grpc_status_code TlsFetchKeyMaterials(
67     const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
68         key_materials_config,
69     const grpc_tls_credentials_options& options,
70     grpc_ssl_certificate_config_reload_status* reload_status) {
71   GPR_ASSERT(key_materials_config != nullptr);
72   bool is_key_materials_empty =
73       key_materials_config->pem_key_cert_pair_list().empty();
74   if (options.credential_reload_config() == nullptr && is_key_materials_empty) {
75     gpr_log(GPR_ERROR,
76             "Either credential reload config or key materials should be "
77             "provisioned.");
78     return GRPC_STATUS_FAILED_PRECONDITION;
79   }
80   grpc_status_code status = GRPC_STATUS_OK;
81   /* Use credential reload config to fetch credentials. */
82   if (options.credential_reload_config() != nullptr) {
83     grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
84     arg->key_materials_config = key_materials_config.get();
85     int result = options.credential_reload_config()->Schedule(arg);
86     if (result) {
87       /* Do not support async credential reload. */
88       gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
89       status =
90           is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
91     } else {
92       GPR_ASSERT(reload_status != nullptr);
93       *reload_status = arg->status;
94       if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
95         /* Key materials is not empty. */
96         gpr_log(GPR_DEBUG, "Credential does not change after reload.");
97       } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
98         gpr_log(GPR_ERROR, "Credential reload failed with an error:");
99         if (arg->error_details != nullptr) {
100           gpr_log(GPR_ERROR, "%s", arg->error_details);
101         }
102         status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
103       }
104     }
105     gpr_free((void*)arg->error_details);
106     if (arg->destroy_context != nullptr) {
107       arg->destroy_context(arg->context);
108     }
109     delete arg;
110   }
111   return status;
112 }
113
114 SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
115     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
116     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
117     const char* target_name, const char* overridden_target_name)
118     : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
119                                       std::move(channel_creds),
120                                       std::move(request_metadata_creds)),
121       overridden_target_name_(overridden_target_name == nullptr
122                                   ? nullptr
123                                   : gpr_strdup(overridden_target_name)) {
124   key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
125   check_arg_ = ServerAuthorizationCheckArgCreate(this);
126   grpc_core::StringView host;
127   grpc_core::StringView port;
128   grpc_core::SplitHostPort(target_name, &host, &port);
129   target_name_ = grpc_core::StringViewToCString(host);
130 }
131
132 SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
133   if (client_handshaker_factory_ != nullptr) {
134     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
135   }
136   if (key_materials_config_.get() != nullptr) {
137     key_materials_config_.get()->Unref();
138   }
139   ServerAuthorizationCheckArgDestroy(check_arg_);
140 }
141
142 void SpiffeChannelSecurityConnector::add_handshakers(
143     const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
144     grpc_core::HandshakeManager* handshake_mgr) {
145   if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
146     gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
147     return;
148   }
149   // Instantiate TSI handshaker.
150   tsi_handshaker* tsi_hs = nullptr;
151   tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
152       client_handshaker_factory_,
153       overridden_target_name_ != nullptr ? overridden_target_name_.get()
154                                          : target_name_.get(),
155       &tsi_hs);
156   if (result != TSI_OK) {
157     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
158             tsi_result_to_string(result));
159     return;
160   }
161   // Create handshakers.
162   handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
163 }
164
165 void SpiffeChannelSecurityConnector::check_peer(
166     tsi_peer peer, grpc_endpoint* /*ep*/,
167     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
168     grpc_closure* on_peer_checked) {
169   const char* target_name = overridden_target_name_ != nullptr
170                                 ? overridden_target_name_.get()
171                                 : target_name_.get();
172   grpc_error* error = grpc_ssl_check_alpn(&peer);
173   if (error != GRPC_ERROR_NONE) {
174     grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
175     tsi_peer_destruct(&peer);
176     return;
177   }
178   *auth_context = grpc_ssl_peer_to_auth_context(
179       &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
180   const SpiffeCredentials* creds =
181       static_cast<const SpiffeCredentials*>(channel_creds());
182   const grpc_tls_server_authorization_check_config* config =
183       creds->options().server_authorization_check_config();
184   /* If server authorization config is not null, use it to perform
185    * server authorization check. */
186   if (config != nullptr) {
187     const tsi_peer_property* p =
188         tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
189     if (p == nullptr) {
190       error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
191           "Cannot check peer: missing pem cert property.");
192     } else {
193       char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
194       memcpy(peer_pem, p->value.data, p->value.length);
195       peer_pem[p->value.length] = '\0';
196       GPR_ASSERT(check_arg_ != nullptr);
197       check_arg_->peer_cert = check_arg_->peer_cert == nullptr
198                                   ? gpr_strdup(peer_pem)
199                                   : check_arg_->peer_cert;
200       check_arg_->target_name = check_arg_->target_name == nullptr
201                                     ? gpr_strdup(target_name)
202                                     : check_arg_->target_name;
203       on_peer_checked_ = on_peer_checked;
204       gpr_free(peer_pem);
205       int callback_status = config->Schedule(check_arg_);
206       /* Server authorization check is handled asynchronously. */
207       if (callback_status) {
208         tsi_peer_destruct(&peer);
209         return;
210       }
211       /* Server authorization check is handled synchronously. */
212       error = ProcessServerAuthorizationCheckResult(check_arg_);
213     }
214   }
215   grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
216   tsi_peer_destruct(&peer);
217 }
218
219 int SpiffeChannelSecurityConnector::cmp(
220     const grpc_security_connector* other_sc) const {
221   auto* other =
222       reinterpret_cast<const SpiffeChannelSecurityConnector*>(other_sc);
223   int c = channel_security_connector_cmp(other);
224   if (c != 0) {
225     return c;
226   }
227   return grpc_ssl_cmp_target_name(target_name_.get(), other->target_name_.get(),
228                                   overridden_target_name_.get(),
229                                   other->overridden_target_name_.get());
230 }
231
232 bool SpiffeChannelSecurityConnector::check_call_host(
233     grpc_core::StringView host, grpc_auth_context* auth_context,
234     grpc_closure* on_call_host_checked, grpc_error** error) {
235   return grpc_ssl_check_call_host(host, target_name_.get(),
236                                   overridden_target_name_.get(), auth_context,
237                                   on_call_host_checked, error);
238 }
239
240 void SpiffeChannelSecurityConnector::cancel_check_call_host(
241     grpc_closure* /*on_call_host_checked*/, grpc_error* error) {
242   GRPC_ERROR_UNREF(error);
243 }
244
245 grpc_core::RefCountedPtr<grpc_channel_security_connector>
246 SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
247     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
248     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
249     const char* target_name, const char* overridden_target_name,
250     tsi_ssl_session_cache* ssl_session_cache) {
251   if (channel_creds == nullptr) {
252     gpr_log(GPR_ERROR,
253             "channel_creds is nullptr in "
254             "SpiffeChannelSecurityConnectorCreate()");
255     return nullptr;
256   }
257   if (target_name == nullptr) {
258     gpr_log(GPR_ERROR,
259             "target_name is nullptr in "
260             "SpiffeChannelSecurityConnectorCreate()");
261     return nullptr;
262   }
263   grpc_core::RefCountedPtr<SpiffeChannelSecurityConnector> c =
264       grpc_core::MakeRefCounted<SpiffeChannelSecurityConnector>(
265           std::move(channel_creds), std::move(request_metadata_creds),
266           target_name, overridden_target_name);
267   if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
268     gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
269     return nullptr;
270   }
271   return c;
272 }
273
274 grpc_security_status SpiffeChannelSecurityConnector::ReplaceHandshakerFactory(
275     tsi_ssl_session_cache* ssl_session_cache) {
276   /* Free the client handshaker factory if exists. */
277   if (client_handshaker_factory_) {
278     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
279   }
280   GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
281   tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
282       key_materials_config_->pem_key_cert_pair_list());
283   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
284       pem_key_cert_pair, key_materials_config_->pem_root_certs(),
285       ssl_session_cache, &client_handshaker_factory_);
286   /* Free memory. */
287   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
288   return status;
289 }
290
291 grpc_security_status
292 SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
293     tsi_ssl_session_cache* ssl_session_cache) {
294   grpc_core::MutexLock lock(&mu_);
295   const SpiffeCredentials* creds =
296       static_cast<const SpiffeCredentials*>(channel_creds());
297   grpc_tls_key_materials_config* key_materials_config =
298       creds->options().key_materials_config();
299   /* Copy key materials config from credential options. */
300   if (key_materials_config != nullptr) {
301     grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
302         key_materials_config->pem_key_cert_pair_list();
303     auto pem_root_certs = grpc_core::UniquePtr<char>(
304         gpr_strdup(key_materials_config->pem_root_certs()));
305     key_materials_config_->set_key_materials(std::move(pem_root_certs),
306                                              std::move(cert_pair_list));
307   }
308   grpc_ssl_certificate_config_reload_status reload_status =
309       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
310   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
311                            &reload_status) != GRPC_STATUS_OK) {
312     /* Raise an error if key materials are not populated. */
313     return GRPC_SECURITY_ERROR;
314   }
315   return ReplaceHandshakerFactory(ssl_session_cache);
316 }
317
318 grpc_security_status
319 SpiffeChannelSecurityConnector::RefreshHandshakerFactory() {
320   grpc_core::MutexLock lock(&mu_);
321   const SpiffeCredentials* creds =
322       static_cast<const SpiffeCredentials*>(channel_creds());
323   grpc_ssl_certificate_config_reload_status reload_status =
324       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
325   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
326                            &reload_status) != GRPC_STATUS_OK) {
327     return GRPC_SECURITY_ERROR;
328   }
329   if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
330     // Re-use existing handshaker factory.
331     return GRPC_SECURITY_OK;
332   } else {
333     return ReplaceHandshakerFactory(nullptr);
334   }
335 }
336
337 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckDone(
338     grpc_tls_server_authorization_check_arg* arg) {
339   GPR_ASSERT(arg != nullptr);
340   grpc_core::ExecCtx exec_ctx;
341   grpc_error* error = ProcessServerAuthorizationCheckResult(arg);
342   SpiffeChannelSecurityConnector* connector =
343       static_cast<SpiffeChannelSecurityConnector*>(arg->cb_user_data);
344   grpc_core::ExecCtx::Run(DEBUG_LOCATION, connector->on_peer_checked_, error);
345 }
346
347 grpc_error*
348 SpiffeChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
349     grpc_tls_server_authorization_check_arg* arg) {
350   grpc_error* error = GRPC_ERROR_NONE;
351   char* msg = nullptr;
352   /* Server authorization check is cancelled by caller. */
353   if (arg->status == GRPC_STATUS_CANCELLED) {
354     gpr_asprintf(&msg,
355                  "Server authorization check is cancelled by the caller with "
356                  "error: %s",
357                  arg->error_details);
358     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
359   } else if (arg->status == GRPC_STATUS_OK) {
360     /* Server authorization check completed successfully but returned check
361      * failure. */
362     if (!arg->success) {
363       gpr_asprintf(&msg, "Server authorization check failed with error: %s",
364                    arg->error_details);
365       error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
366     }
367     /* Server authorization check did not complete correctly. */
368   } else {
369     gpr_asprintf(
370         &msg,
371         "Server authorization check did not finish correctly with error: %s",
372         arg->error_details);
373     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
374   }
375   gpr_free(msg);
376   return error;
377 }
378
379 grpc_tls_server_authorization_check_arg*
380 SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
381     void* user_data) {
382   grpc_tls_server_authorization_check_arg* arg =
383       new grpc_tls_server_authorization_check_arg();
384   arg->cb = ServerAuthorizationCheckDone;
385   arg->cb_user_data = user_data;
386   arg->status = GRPC_STATUS_OK;
387   return arg;
388 }
389
390 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
391     grpc_tls_server_authorization_check_arg* arg) {
392   if (arg == nullptr) {
393     return;
394   }
395   gpr_free((void*)arg->target_name);
396   gpr_free((void*)arg->peer_cert);
397   gpr_free((void*)arg->error_details);
398   if (arg->destroy_context != nullptr) {
399     arg->destroy_context(arg->context);
400   }
401   delete arg;
402 }
403
404 SpiffeServerSecurityConnector::SpiffeServerSecurityConnector(
405     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
406     : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
407                                      std::move(server_creds)) {
408   key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
409 }
410
411 SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
412   if (server_handshaker_factory_ != nullptr) {
413     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
414   }
415   if (key_materials_config_.get() != nullptr) {
416     key_materials_config_.get()->Unref();
417   }
418 }
419
420 void SpiffeServerSecurityConnector::add_handshakers(
421     const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
422     grpc_core::HandshakeManager* handshake_mgr) {
423   /* Refresh handshaker factory if needed. */
424   if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
425     gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
426     return;
427   }
428   /* Create a TLS SPIFFE TSI handshaker for server. */
429   tsi_handshaker* tsi_hs = nullptr;
430   tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
431       server_handshaker_factory_, &tsi_hs);
432   if (result != TSI_OK) {
433     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
434             tsi_result_to_string(result));
435     return;
436   }
437   handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
438 }
439
440 void SpiffeServerSecurityConnector::check_peer(
441     tsi_peer peer, grpc_endpoint* /*ep*/,
442     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
443     grpc_closure* on_peer_checked) {
444   grpc_error* error = grpc_ssl_check_alpn(&peer);
445   *auth_context = grpc_ssl_peer_to_auth_context(
446       &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
447   tsi_peer_destruct(&peer);
448   grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
449 }
450
451 int SpiffeServerSecurityConnector::cmp(
452     const grpc_security_connector* other) const {
453   return server_security_connector_cmp(
454       static_cast<const grpc_server_security_connector*>(other));
455 }
456
457 grpc_core::RefCountedPtr<grpc_server_security_connector>
458 SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
459     grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
460   if (server_creds == nullptr) {
461     gpr_log(GPR_ERROR,
462             "server_creds is nullptr in "
463             "SpiffeServerSecurityConnectorCreate()");
464     return nullptr;
465   }
466   grpc_core::RefCountedPtr<SpiffeServerSecurityConnector> c =
467       grpc_core::MakeRefCounted<SpiffeServerSecurityConnector>(
468           std::move(server_creds));
469   if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
470     gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
471     return nullptr;
472   }
473   return c;
474 }
475
476 grpc_security_status SpiffeServerSecurityConnector::ReplaceHandshakerFactory() {
477   const SpiffeServerCredentials* creds =
478       static_cast<const SpiffeServerCredentials*>(server_creds());
479   /* Free the server handshaker factory if exists. */
480   if (server_handshaker_factory_) {
481     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
482   }
483   GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
484   tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
485       key_materials_config_->pem_key_cert_pair_list());
486   size_t num_key_cert_pairs =
487       key_materials_config_->pem_key_cert_pair_list().size();
488   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
489       pem_key_cert_pairs, num_key_cert_pairs,
490       key_materials_config_->pem_root_certs(),
491       creds->options().cert_request_type(), &server_handshaker_factory_);
492   /* Free memory. */
493   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
494                                           num_key_cert_pairs);
495   return status;
496 }
497
498 grpc_security_status
499 SpiffeServerSecurityConnector::InitializeHandshakerFactory() {
500   grpc_core::MutexLock lock(&mu_);
501   const SpiffeServerCredentials* creds =
502       static_cast<const SpiffeServerCredentials*>(server_creds());
503   grpc_tls_key_materials_config* key_materials_config =
504       creds->options().key_materials_config();
505   if (key_materials_config != nullptr) {
506     grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
507         key_materials_config->pem_key_cert_pair_list();
508     auto pem_root_certs = grpc_core::UniquePtr<char>(
509         gpr_strdup(key_materials_config->pem_root_certs()));
510     key_materials_config_->set_key_materials(std::move(pem_root_certs),
511                                              std::move(cert_pair_list));
512   }
513   grpc_ssl_certificate_config_reload_status reload_status =
514       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
515   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
516                            &reload_status) != GRPC_STATUS_OK) {
517     /* Raise an error if key materials are not populated. */
518     return GRPC_SECURITY_ERROR;
519   }
520   return ReplaceHandshakerFactory();
521 }
522
523 grpc_security_status SpiffeServerSecurityConnector::RefreshHandshakerFactory() {
524   grpc_core::MutexLock lock(&mu_);
525   const SpiffeServerCredentials* creds =
526       static_cast<const SpiffeServerCredentials*>(server_creds());
527   grpc_ssl_certificate_config_reload_status reload_status =
528       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
529   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
530                            &reload_status) != GRPC_STATUS_OK) {
531     return GRPC_SECURITY_ERROR;
532   }
533   if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
534     /* At this point, we should have key materials populated. */
535     return GRPC_SECURITY_OK;
536   } else {
537     return ReplaceHandshakerFactory();
538   }
539 }
540
541 }  // namespace grpc_core
Domain: System / Base;