3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/security/security_connector/tls/spiffe_security_connector.h"
26 #include <grpc/grpc.h>
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
31 #include "src/core/lib/gprpp/host_port.h"
32 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
33 #include "src/core/lib/security/credentials/tls/spiffe_credentials.h"
34 #include "src/core/lib/security/security_connector/ssl_utils.h"
35 #include "src/core/lib/security/transport/security_handshaker.h"
36 #include "src/core/lib/slice/slice_internal.h"
37 #include "src/core/lib/transport/transport.h"
38 #include "src/core/tsi/ssl_transport_security.h"
39 #include "src/core/tsi/transport_security.h"
45 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
46 const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
47 tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
48 size_t num_key_cert_pairs = cert_pair_list.size();
49 if (num_key_cert_pairs > 0) {
50 GPR_ASSERT(cert_pair_list.data() != nullptr);
51 tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
52 gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
54 for (size_t i = 0; i < num_key_cert_pairs; i++) {
55 GPR_ASSERT(cert_pair_list[i].private_key() != nullptr);
56 GPR_ASSERT(cert_pair_list[i].cert_chain() != nullptr);
57 tsi_pairs[i].cert_chain = gpr_strdup(cert_pair_list[i].cert_chain());
58 tsi_pairs[i].private_key = gpr_strdup(cert_pair_list[i].private_key());
65 /** -- Util function to fetch SPIFFE server/channel credentials. -- */
66 grpc_status_code TlsFetchKeyMaterials(
67 const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
69 const grpc_tls_credentials_options& options,
70 grpc_ssl_certificate_config_reload_status* reload_status) {
71 GPR_ASSERT(key_materials_config != nullptr);
72 bool is_key_materials_empty =
73 key_materials_config->pem_key_cert_pair_list().empty();
74 if (options.credential_reload_config() == nullptr && is_key_materials_empty) {
76 "Either credential reload config or key materials should be "
78 return GRPC_STATUS_FAILED_PRECONDITION;
80 grpc_status_code status = GRPC_STATUS_OK;
81 /* Use credential reload config to fetch credentials. */
82 if (options.credential_reload_config() != nullptr) {
83 grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
84 arg->key_materials_config = key_materials_config.get();
85 int result = options.credential_reload_config()->Schedule(arg);
87 /* Do not support async credential reload. */
88 gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
90 is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
92 GPR_ASSERT(reload_status != nullptr);
93 *reload_status = arg->status;
94 if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
95 /* Key materials is not empty. */
96 gpr_log(GPR_DEBUG, "Credential does not change after reload.");
97 } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
98 gpr_log(GPR_ERROR, "Credential reload failed with an error:");
99 if (arg->error_details != nullptr) {
100 gpr_log(GPR_ERROR, "%s", arg->error_details);
102 status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
105 gpr_free((void*)arg->error_details);
106 if (arg->destroy_context != nullptr) {
107 arg->destroy_context(arg->context);
114 SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
115 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
116 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
117 const char* target_name, const char* overridden_target_name)
118 : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
119 std::move(channel_creds),
120 std::move(request_metadata_creds)),
121 overridden_target_name_(overridden_target_name == nullptr
123 : gpr_strdup(overridden_target_name)) {
124 key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
125 check_arg_ = ServerAuthorizationCheckArgCreate(this);
126 grpc_core::StringView host;
127 grpc_core::StringView port;
128 grpc_core::SplitHostPort(target_name, &host, &port);
129 target_name_ = grpc_core::StringViewToCString(host);
132 SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
133 if (client_handshaker_factory_ != nullptr) {
134 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
136 if (key_materials_config_.get() != nullptr) {
137 key_materials_config_.get()->Unref();
139 ServerAuthorizationCheckArgDestroy(check_arg_);
142 void SpiffeChannelSecurityConnector::add_handshakers(
143 const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
144 grpc_core::HandshakeManager* handshake_mgr) {
145 if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
146 gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
149 // Instantiate TSI handshaker.
150 tsi_handshaker* tsi_hs = nullptr;
151 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
152 client_handshaker_factory_,
153 overridden_target_name_ != nullptr ? overridden_target_name_.get()
154 : target_name_.get(),
156 if (result != TSI_OK) {
157 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
158 tsi_result_to_string(result));
161 // Create handshakers.
162 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
165 void SpiffeChannelSecurityConnector::check_peer(
166 tsi_peer peer, grpc_endpoint* /*ep*/,
167 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
168 grpc_closure* on_peer_checked) {
169 const char* target_name = overridden_target_name_ != nullptr
170 ? overridden_target_name_.get()
171 : target_name_.get();
172 grpc_error* error = grpc_ssl_check_alpn(&peer);
173 if (error != GRPC_ERROR_NONE) {
174 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
175 tsi_peer_destruct(&peer);
178 *auth_context = grpc_ssl_peer_to_auth_context(
179 &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
180 const SpiffeCredentials* creds =
181 static_cast<const SpiffeCredentials*>(channel_creds());
182 const grpc_tls_server_authorization_check_config* config =
183 creds->options().server_authorization_check_config();
184 /* If server authorization config is not null, use it to perform
185 * server authorization check. */
186 if (config != nullptr) {
187 const tsi_peer_property* p =
188 tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
190 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
191 "Cannot check peer: missing pem cert property.");
193 char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
194 memcpy(peer_pem, p->value.data, p->value.length);
195 peer_pem[p->value.length] = '\0';
196 GPR_ASSERT(check_arg_ != nullptr);
197 check_arg_->peer_cert = check_arg_->peer_cert == nullptr
198 ? gpr_strdup(peer_pem)
199 : check_arg_->peer_cert;
200 check_arg_->target_name = check_arg_->target_name == nullptr
201 ? gpr_strdup(target_name)
202 : check_arg_->target_name;
203 on_peer_checked_ = on_peer_checked;
205 int callback_status = config->Schedule(check_arg_);
206 /* Server authorization check is handled asynchronously. */
207 if (callback_status) {
208 tsi_peer_destruct(&peer);
211 /* Server authorization check is handled synchronously. */
212 error = ProcessServerAuthorizationCheckResult(check_arg_);
215 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
216 tsi_peer_destruct(&peer);
219 int SpiffeChannelSecurityConnector::cmp(
220 const grpc_security_connector* other_sc) const {
222 reinterpret_cast<const SpiffeChannelSecurityConnector*>(other_sc);
223 int c = channel_security_connector_cmp(other);
227 return grpc_ssl_cmp_target_name(target_name_.get(), other->target_name_.get(),
228 overridden_target_name_.get(),
229 other->overridden_target_name_.get());
232 bool SpiffeChannelSecurityConnector::check_call_host(
233 grpc_core::StringView host, grpc_auth_context* auth_context,
234 grpc_closure* on_call_host_checked, grpc_error** error) {
235 return grpc_ssl_check_call_host(host, target_name_.get(),
236 overridden_target_name_.get(), auth_context,
237 on_call_host_checked, error);
240 void SpiffeChannelSecurityConnector::cancel_check_call_host(
241 grpc_closure* /*on_call_host_checked*/, grpc_error* error) {
242 GRPC_ERROR_UNREF(error);
245 grpc_core::RefCountedPtr<grpc_channel_security_connector>
246 SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
247 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
248 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
249 const char* target_name, const char* overridden_target_name,
250 tsi_ssl_session_cache* ssl_session_cache) {
251 if (channel_creds == nullptr) {
253 "channel_creds is nullptr in "
254 "SpiffeChannelSecurityConnectorCreate()");
257 if (target_name == nullptr) {
259 "target_name is nullptr in "
260 "SpiffeChannelSecurityConnectorCreate()");
263 grpc_core::RefCountedPtr<SpiffeChannelSecurityConnector> c =
264 grpc_core::MakeRefCounted<SpiffeChannelSecurityConnector>(
265 std::move(channel_creds), std::move(request_metadata_creds),
266 target_name, overridden_target_name);
267 if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
268 gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
274 grpc_security_status SpiffeChannelSecurityConnector::ReplaceHandshakerFactory(
275 tsi_ssl_session_cache* ssl_session_cache) {
276 /* Free the client handshaker factory if exists. */
277 if (client_handshaker_factory_) {
278 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
280 GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
281 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
282 key_materials_config_->pem_key_cert_pair_list());
283 grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
284 pem_key_cert_pair, key_materials_config_->pem_root_certs(),
285 ssl_session_cache, &client_handshaker_factory_);
287 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
292 SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
293 tsi_ssl_session_cache* ssl_session_cache) {
294 grpc_core::MutexLock lock(&mu_);
295 const SpiffeCredentials* creds =
296 static_cast<const SpiffeCredentials*>(channel_creds());
297 grpc_tls_key_materials_config* key_materials_config =
298 creds->options().key_materials_config();
299 /* Copy key materials config from credential options. */
300 if (key_materials_config != nullptr) {
301 grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
302 key_materials_config->pem_key_cert_pair_list();
303 auto pem_root_certs = grpc_core::UniquePtr<char>(
304 gpr_strdup(key_materials_config->pem_root_certs()));
305 key_materials_config_->set_key_materials(std::move(pem_root_certs),
306 std::move(cert_pair_list));
308 grpc_ssl_certificate_config_reload_status reload_status =
309 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
310 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
311 &reload_status) != GRPC_STATUS_OK) {
312 /* Raise an error if key materials are not populated. */
313 return GRPC_SECURITY_ERROR;
315 return ReplaceHandshakerFactory(ssl_session_cache);
319 SpiffeChannelSecurityConnector::RefreshHandshakerFactory() {
320 grpc_core::MutexLock lock(&mu_);
321 const SpiffeCredentials* creds =
322 static_cast<const SpiffeCredentials*>(channel_creds());
323 grpc_ssl_certificate_config_reload_status reload_status =
324 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
325 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
326 &reload_status) != GRPC_STATUS_OK) {
327 return GRPC_SECURITY_ERROR;
329 if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
330 // Re-use existing handshaker factory.
331 return GRPC_SECURITY_OK;
333 return ReplaceHandshakerFactory(nullptr);
337 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckDone(
338 grpc_tls_server_authorization_check_arg* arg) {
339 GPR_ASSERT(arg != nullptr);
340 grpc_core::ExecCtx exec_ctx;
341 grpc_error* error = ProcessServerAuthorizationCheckResult(arg);
342 SpiffeChannelSecurityConnector* connector =
343 static_cast<SpiffeChannelSecurityConnector*>(arg->cb_user_data);
344 grpc_core::ExecCtx::Run(DEBUG_LOCATION, connector->on_peer_checked_, error);
348 SpiffeChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
349 grpc_tls_server_authorization_check_arg* arg) {
350 grpc_error* error = GRPC_ERROR_NONE;
352 /* Server authorization check is cancelled by caller. */
353 if (arg->status == GRPC_STATUS_CANCELLED) {
355 "Server authorization check is cancelled by the caller with "
358 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
359 } else if (arg->status == GRPC_STATUS_OK) {
360 /* Server authorization check completed successfully but returned check
363 gpr_asprintf(&msg, "Server authorization check failed with error: %s",
365 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
367 /* Server authorization check did not complete correctly. */
371 "Server authorization check did not finish correctly with error: %s",
373 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
379 grpc_tls_server_authorization_check_arg*
380 SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
382 grpc_tls_server_authorization_check_arg* arg =
383 new grpc_tls_server_authorization_check_arg();
384 arg->cb = ServerAuthorizationCheckDone;
385 arg->cb_user_data = user_data;
386 arg->status = GRPC_STATUS_OK;
390 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
391 grpc_tls_server_authorization_check_arg* arg) {
392 if (arg == nullptr) {
395 gpr_free((void*)arg->target_name);
396 gpr_free((void*)arg->peer_cert);
397 gpr_free((void*)arg->error_details);
398 if (arg->destroy_context != nullptr) {
399 arg->destroy_context(arg->context);
404 SpiffeServerSecurityConnector::SpiffeServerSecurityConnector(
405 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
406 : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
407 std::move(server_creds)) {
408 key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
411 SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
412 if (server_handshaker_factory_ != nullptr) {
413 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
415 if (key_materials_config_.get() != nullptr) {
416 key_materials_config_.get()->Unref();
420 void SpiffeServerSecurityConnector::add_handshakers(
421 const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
422 grpc_core::HandshakeManager* handshake_mgr) {
423 /* Refresh handshaker factory if needed. */
424 if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
425 gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
428 /* Create a TLS SPIFFE TSI handshaker for server. */
429 tsi_handshaker* tsi_hs = nullptr;
430 tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
431 server_handshaker_factory_, &tsi_hs);
432 if (result != TSI_OK) {
433 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
434 tsi_result_to_string(result));
437 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
440 void SpiffeServerSecurityConnector::check_peer(
441 tsi_peer peer, grpc_endpoint* /*ep*/,
442 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
443 grpc_closure* on_peer_checked) {
444 grpc_error* error = grpc_ssl_check_alpn(&peer);
445 *auth_context = grpc_ssl_peer_to_auth_context(
446 &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
447 tsi_peer_destruct(&peer);
448 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
451 int SpiffeServerSecurityConnector::cmp(
452 const grpc_security_connector* other) const {
453 return server_security_connector_cmp(
454 static_cast<const grpc_server_security_connector*>(other));
457 grpc_core::RefCountedPtr<grpc_server_security_connector>
458 SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
459 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
460 if (server_creds == nullptr) {
462 "server_creds is nullptr in "
463 "SpiffeServerSecurityConnectorCreate()");
466 grpc_core::RefCountedPtr<SpiffeServerSecurityConnector> c =
467 grpc_core::MakeRefCounted<SpiffeServerSecurityConnector>(
468 std::move(server_creds));
469 if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
470 gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
476 grpc_security_status SpiffeServerSecurityConnector::ReplaceHandshakerFactory() {
477 const SpiffeServerCredentials* creds =
478 static_cast<const SpiffeServerCredentials*>(server_creds());
479 /* Free the server handshaker factory if exists. */
480 if (server_handshaker_factory_) {
481 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
483 GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
484 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
485 key_materials_config_->pem_key_cert_pair_list());
486 size_t num_key_cert_pairs =
487 key_materials_config_->pem_key_cert_pair_list().size();
488 grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
489 pem_key_cert_pairs, num_key_cert_pairs,
490 key_materials_config_->pem_root_certs(),
491 creds->options().cert_request_type(), &server_handshaker_factory_);
493 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
499 SpiffeServerSecurityConnector::InitializeHandshakerFactory() {
500 grpc_core::MutexLock lock(&mu_);
501 const SpiffeServerCredentials* creds =
502 static_cast<const SpiffeServerCredentials*>(server_creds());
503 grpc_tls_key_materials_config* key_materials_config =
504 creds->options().key_materials_config();
505 if (key_materials_config != nullptr) {
506 grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
507 key_materials_config->pem_key_cert_pair_list();
508 auto pem_root_certs = grpc_core::UniquePtr<char>(
509 gpr_strdup(key_materials_config->pem_root_certs()));
510 key_materials_config_->set_key_materials(std::move(pem_root_certs),
511 std::move(cert_pair_list));
513 grpc_ssl_certificate_config_reload_status reload_status =
514 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
515 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
516 &reload_status) != GRPC_STATUS_OK) {
517 /* Raise an error if key materials are not populated. */
518 return GRPC_SECURITY_ERROR;
520 return ReplaceHandshakerFactory();
523 grpc_security_status SpiffeServerSecurityConnector::RefreshHandshakerFactory() {
524 grpc_core::MutexLock lock(&mu_);
525 const SpiffeServerCredentials* creds =
526 static_cast<const SpiffeServerCredentials*>(server_creds());
527 grpc_ssl_certificate_config_reload_status reload_status =
528 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
529 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
530 &reload_status) != GRPC_STATUS_OK) {
531 return GRPC_SECURITY_ERROR;
533 if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
534 /* At this point, we should have key materials populated. */
535 return GRPC_SECURITY_OK;
537 return ReplaceHandshakerFactory();
541 } // namespace grpc_core