1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
21 
23 
24 #include <stdbool.h>
25 
26 #include <grpc/grpc_security.h>
27 #include <grpc/slice_buffer.h>
28 
38 
39 /* --- Util --- */
40 
41 /* --- URL schemes. --- */
42 #define GRPC_SSL_URL_SCHEME "https"
43 
44 /* Check ALPN information returned from SSL handshakes. */
46 
47 /* Check peer name information returned from SSL handshakes. */
49  const tsi_peer* peer);
50 /* Compare target_name information extracted from SSL security connectors. */
52  grpc_core::StringView target_name, grpc_core::StringView other_target_name,
53  grpc_core::StringView overridden_target_name,
54  grpc_core::StringView other_overridden_target_name);
55 /* Check that the host that will be set for a call is acceptable. */
57  grpc_core::StringView target_name,
58  grpc_core::StringView overridden_target_name,
59  grpc_auth_context* auth_context,
60  grpc_closure* on_call_host_checked,
61  grpc_error** error);
62 /* Return HTTP2-compliant cipher suites that gRPC accepts by default. */
63 const char* grpc_get_ssl_cipher_suites(void);
64 
65 /* Map from grpc_ssl_client_certificate_request_type to
66  * tsi_client_certificate_request_type. */
70 
71 /* Return an array of strings containing alpn protocols. */
72 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
73 
74 /* Initialize TSI SSL server/client handshaker factory. */
76  tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
77  tsi_ssl_session_cache* ssl_session_cache,
78  tsi_ssl_client_handshaker_factory** handshaker_factory);
79 
81  tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
82  const char* pem_root_certs,
83  grpc_ssl_client_certificate_request_type client_certificate_request,
84  tsi_ssl_server_handshaker_factory** handshaker_factory);
85 
86 /* Exposed for testing only. */
88  const tsi_peer* peer, const char* transport_security_type);
90  const grpc_auth_context* auth_context);
92 int grpc_ssl_host_matches_name(const tsi_peer* peer,
93  grpc_core::StringView peer_name);
94 
95 /* --- Default SSL Root Store. --- */
96 namespace grpc_core {
97 
98 // This class implements the default SSL root store.
100  public:
101  // Gets the default SSL root store. Returns nullptr if not found.
102  static const tsi_ssl_root_certs_store* GetRootStore();
103 
104  // Gets the default PEM root certificate.
105  static const char* GetPemRootCerts();
106 
107  protected:
108  // Returns the default PEM root certificates in a nullptr-terminated grpc_slice.
109  // This function is protected instead of private, so that it can be tested.
111 
112  private:
113  // Construct me not!
115 
116  // Initialization of default SSL root store.
117  static void InitRootStore();
118 
119  // One-time initialization of default SSL root store.
120  static void InitRootStoreOnce();
121 
122  // SSL root store in tsi_ssl_root_certs_store object.
123  static tsi_ssl_root_certs_store* default_root_store_;
124 
125  // Default PEM root certificates.
126  static grpc_slice default_pem_root_certs_;
127 };
128 
130  public:
131  // Construct from the C struct. We steal its members and then immediately
132  // free it.
134  : private_key_(const_cast<char*>(pair->private_key)),
135  cert_chain_(const_cast<char*>(pair->cert_chain)) {
136  gpr_free(pair);
137  }
138 
139  // Movable.
141  private_key_ = std::move(other.private_key_);
142  cert_chain_ = std::move(other.cert_chain_);
143  }
145  private_key_ = std::move(other.private_key_);
146  cert_chain_ = std::move(other.cert_chain_);
147  return *this;
148  }
149 
150  // Copyable.
152  : private_key_(gpr_strdup(other.private_key())),
153  cert_chain_(gpr_strdup(other.cert_chain())) {}
155  private_key_ = grpc_core::UniquePtr<char>(gpr_strdup(other.private_key()));
156  cert_chain_ = grpc_core::UniquePtr<char>(gpr_strdup(other.cert_chain()));
157  return *this;
158  }
159 
// Non-owning view of the PEM private key held by private_key_ (a
// grpc_core::UniquePtr<char>). The pointer stays valid until this object is
// reassigned or destroyed and must not be freed by the caller. Note that a
// non-const char* is handed out from a const accessor, so callers can mutate
// the stored key material through a const PemKeyCertPair.
160  char* private_key() const { return private_key_.get(); }
// Non-owning view of the PEM certificate chain held by cert_chain_ (a
// grpc_core::UniquePtr<char>). Same lifetime and ownership rules as
// private_key(): valid while this object lives, never freed by the caller,
// and mutable through a const object since the return type is not const.
161  char* cert_chain() const { return cert_chain_.get(); }
162 
163  private:
164  grpc_core::UniquePtr<char> private_key_;
165  grpc_core::UniquePtr<char> cert_chain_;
166 };
167 
168 } // namespace grpc_core
169 
170 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \
171  */
Definition: security_context.h:49
Definition: string_view.h:69
int grpc_ssl_cmp_target_name(grpc_core::StringView target_name, grpc_core::StringView other_target_name, grpc_core::StringView overridden_target_name, grpc_core::StringView other_overridden_target_name)
Definition: ssl_utils.cc:188
GPRAPI void gpr_free(void *ptr)
free
Definition: alloc.cc:50
tsi_client_certificate_request_type grpc_get_tsi_client_certificate_request_type(grpc_ssl_client_certificate_request_type grpc_request_type)
Definition: ssl_utils.cc:88
grpc_error * grpc_ssl_check_peer_name(grpc_core::StringView peer_name, const tsi_peer *peer)
Definition: ssl_utils.cc:128
grpc_core::RefCountedPtr< grpc_auth_context > grpc_ssl_peer_to_auth_context(const tsi_peer *peer, const char *transport_security_type)
Definition: ssl_utils.cc:198
struct tsi_ssl_session_cache tsi_ssl_session_cache
Definition: ssl_transport_security.h:58
Definition: ssl_utils.h:129
PemKeyCertPair & operator=(PemKeyCertPair &&other)
Definition: ssl_utils.h:144
GPRAPI char * gpr_strdup(const char *src)
String utility functions.
Definition: string.cc:37
grpc_error * grpc_ssl_check_alpn(const tsi_peer *peer)
Definition: ssl_utils.cc:111
PemKeyCertPair(PemKeyCertPair &&other)
Definition: ssl_utils.h:140
A grpc_slice s, if initialized, represents the byte range s.bytes[0..s.length-1]. ...
Definition: slice.h:60
Definition: error_internal.h:39
Definition: ssl_transport_security.cc:86
char * private_key() const
Definition: ssl_utils.h:160
static const char * GetPemRootCerts()
Definition: ssl_utils.cc:413
Round Robin Policy.
Definition: backend_metric.cc:24
bool grpc_ssl_check_call_host(grpc_core::StringView host, grpc_core::StringView target_name, grpc_core::StringView overridden_target_name, grpc_auth_context *auth_context, grpc_closure *on_call_host_checked, grpc_error **error)
Definition: ssl_utils.cc:142
tsi_peer grpc_shallow_peer_from_ssl_auth_context(const grpc_auth_context *auth_context)
Definition: ssl_utils.cc:251
grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(tsi_ssl_pem_key_cert_pair *key_cert_pair, const char *pem_root_certs, tsi_ssl_session_cache *ssl_session_cache, tsi_ssl_client_handshaker_factory **handshaker_factory)
Definition: ssl_utils.cc:286
Definition: transport_security_interface.h:198
tsi_client_certificate_request_type
Definition: transport_security_interface.h:49
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(tsi_ssl_pem_key_cert_pair *key_cert_pairs, size_t num_key_cert_pairs, const char *pem_root_certs, grpc_ssl_client_certificate_request_type client_certificate_request, tsi_ssl_server_handshaker_factory **handshaker_factory)
Definition: ssl_utils.cc:330
Object that holds a private key / certificate chain pair in PEM format.
Definition: grpc_security.h:156
const char * grpc_get_ssl_cipher_suites(void)
Definition: ssl_utils.cc:82
grpc_ssl_client_certificate_request_type
Definition: grpc_security_constants.h:59
static grpc_slice ComputePemRootCerts()
Definition: ssl_utils.cc:421
Definition: ssl_transport_security.h:78
std::unique_ptr< T, DefaultDeleteChar > UniquePtr
Definition: memory.h:45
const char ** grpc_fill_alpn_protocol_strings(size_t *num_alpn_protocols)
Definition: ssl_utils.cc:162
Definition: ssl_transport_security.cc:77
A closure over a grpc_iomgr_cb_func.
Definition: closure.h:56
int grpc_ssl_host_matches_name(const tsi_peer *peer, grpc_core::StringView peer_name)
Definition: ssl_utils.cc:173
char * cert_chain() const
Definition: ssl_utils.h:161
PemKeyCertPair(grpc_ssl_pem_key_cert_pair *pair)
Definition: ssl_utils.h:133
PemKeyCertPair(const PemKeyCertPair &other)
Definition: ssl_utils.h:151
static const tsi_ssl_root_certs_store * GetRootStore()
Definition: ssl_utils.cc:408
grpc_security_status
Definition: security_connector.h:38
void grpc_shallow_peer_destruct(tsi_peer *peer)
Definition: ssl_utils.cc:282
Definition: ssl_transport_security.cc:94
PemKeyCertPair & operator=(const PemKeyCertPair &other)
Definition: ssl_utils.h:154
Definition: ssl_utils.h:99