3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H
22 #include <grpc/support/port_platform.h>
24 #include "src/core/lib/gprpp/sync.h"
25 #include "src/core/lib/security/context/security_context.h"
26 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
27 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
29 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"
33 // Channel security connector using TLS as transport security protocol.
34 class TlsChannelSecurityConnector final
35 : public grpc_channel_security_connector {
37 // static factory method to create a TLS channel security connector.
38 static grpc_core::RefCountedPtr<grpc_channel_security_connector>
39 CreateTlsChannelSecurityConnector(
40 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
41 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
42 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
43 const char* target_name, const char* overridden_target_name,
44 tsi_ssl_session_cache* ssl_session_cache);
46 TlsChannelSecurityConnector(
47 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
48 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
49 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
50 const char* target_name, const char* overridden_target_name,
51 tsi_ssl_session_cache* ssl_session_cache);
53 ~TlsChannelSecurityConnector() override;
55 void add_handshakers(const grpc_channel_args* args,
56 grpc_pollset_set* interested_parties,
57 grpc_core::HandshakeManager* handshake_mgr) override;
59 void check_peer(tsi_peer peer, grpc_endpoint* ep,
60 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
61 grpc_closure* on_peer_checked) override;
63 int cmp(const grpc_security_connector* other_sc) const override;
65 bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
66 grpc_closure* on_call_host_checked,
67 grpc_error** error) override;
69 void cancel_check_call_host(grpc_closure* on_call_host_checked,
70 grpc_error* error) override;
72 tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() {
73 grpc_core::MutexLock lock(&mu_);
74 return client_handshaker_factory_;
77 const absl::optional<absl::string_view>& RootCertsForTesting() {
78 grpc_core::MutexLock lock(&mu_);
79 return pem_root_certs_;
82 const absl::optional<grpc_core::PemKeyCertPairList>&
83 KeyCertPairListForTesting() {
84 grpc_core::MutexLock lock(&mu_);
85 return pem_key_cert_pair_list_;
89 // A watcher that watches certificate updates from
90 // grpc_tls_certificate_distributor. It will never outlive
91 // |security_connector_|.
92 class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor::
93 TlsCertificatesWatcherInterface {
95 explicit TlsChannelCertificateWatcher(
96 TlsChannelSecurityConnector* security_connector)
97 : security_connector_(security_connector) {}
98 void OnCertificatesChanged(
99 absl::optional<absl::string_view> root_certs,
100 absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
101 void OnError(grpc_error* root_cert_error,
102 grpc_error* identity_cert_error) override;
105 TlsChannelSecurityConnector* security_connector_ = nullptr;
108 // Updates |client_handshaker_factory_| when the certificates that
109 // |certificate_watcher_| is watching get updated.
110 grpc_security_status UpdateHandshakerFactoryLocked();
112 // gRPC-provided callback executed by application, which servers to bring the
113 // control back to gRPC core.
114 static void ServerAuthorizationCheckDone(
115 grpc_tls_server_authorization_check_arg* arg);
117 // A util function to process server authorization check result.
118 static grpc_error* ProcessServerAuthorizationCheckResult(
119 grpc_tls_server_authorization_check_arg* arg);
121 // A util function to create a server authorization check arg instance.
122 static grpc_tls_server_authorization_check_arg*
123 ServerAuthorizationCheckArgCreate(void* user_data);
125 // A util function to destroy a server authorization check arg instance.
126 static void ServerAuthorizationCheckArgDestroy(
127 grpc_tls_server_authorization_check_arg* arg);
129 grpc_core::Mutex mu_;
130 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
131 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
132 certificate_watcher_ = nullptr;
133 grpc_closure* on_peer_checked_ = nullptr;
134 std::string target_name_;
135 std::string overridden_target_name_;
136 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
137 grpc_tls_server_authorization_check_arg* check_arg_ = nullptr;
138 tsi_ssl_session_cache* ssl_session_cache_ = nullptr;
139 absl::optional<absl::string_view> pem_root_certs_;
140 absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
143 // Server security connector using TLS as transport security protocol.
144 class TlsServerSecurityConnector final : public grpc_server_security_connector {
146 // static factory method to create a TLS server security connector.
147 static grpc_core::RefCountedPtr<grpc_server_security_connector>
148 CreateTlsServerSecurityConnector(
149 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
150 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
152 TlsServerSecurityConnector(
153 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
154 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
155 ~TlsServerSecurityConnector() override;
157 void add_handshakers(const grpc_channel_args* args,
158 grpc_pollset_set* interested_parties,
159 grpc_core::HandshakeManager* handshake_mgr) override;
161 void check_peer(tsi_peer peer, grpc_endpoint* ep,
162 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
163 grpc_closure* on_peer_checked) override;
165 int cmp(const grpc_security_connector* other) const override;
167 tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() {
168 grpc_core::MutexLock lock(&mu_);
169 return server_handshaker_factory_;
172 const absl::optional<absl::string_view>& RootCertsForTesting() {
173 grpc_core::MutexLock lock(&mu_);
174 return pem_root_certs_;
177 const absl::optional<grpc_core::PemKeyCertPairList>&
178 KeyCertPairListForTesting() {
179 grpc_core::MutexLock lock(&mu_);
180 return pem_key_cert_pair_list_;
184 // A watcher that watches certificate updates from
185 // grpc_tls_certificate_distributor. It will never outlive
186 // |security_connector_|.
187 class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor::
188 TlsCertificatesWatcherInterface {
190 explicit TlsServerCertificateWatcher(
191 TlsServerSecurityConnector* security_connector)
192 : security_connector_(security_connector) {}
193 void OnCertificatesChanged(
194 absl::optional<absl::string_view> root_certs,
195 absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override;
196 void OnError(grpc_error* root_cert_error,
197 grpc_error* identity_cert_error) override;
200 TlsServerSecurityConnector* security_connector_ = nullptr;
203 // Updates |server_handshaker_factory_| when the certificates that
204 // |certificate_watcher_| is watching get updated.
205 grpc_security_status UpdateHandshakerFactoryLocked();
207 grpc_core::Mutex mu_;
208 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
209 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
210 certificate_watcher_ = nullptr;
212 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
213 absl::optional<absl::string_view> pem_root_certs_;
214 absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_;
217 // ---- Functions below are exposed for testing only -----------------------
220 // TlsCheckHostName checks if |peer_name| matches the identity information
221 // contained in |peer|. This is AKA hostname check.
222 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer);
224 } // namespace internal
226 } // namespace grpc_core
228 #endif // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H