1 /* 2 * 3 * Copyright 2016 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_GRPC_SECURITY_CONSTANTS_H 20 #define GRPC_GRPC_SECURITY_CONSTANTS_H 21 22 #ifdef __cplusplus 23 extern "C" { 24 #endif 25 26 #define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" 27 #define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" 28 29 #define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" 30 #define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" 31 #define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" 32 #define GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME "x509_pem_cert_chain" 33 #define GRPC_SSL_SESSION_REUSED_PROPERTY "ssl_session_reused" 34 #define GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME "security_level" 35 #define GRPC_PEER_SPIFFE_ID_PROPERTY_NAME "peer_spiffe_id" 36 37 /** Environment variable that points to the default SSL roots file. This file 38 must be a PEM encoded file with all the roots such as the one that can be 39 downloaded from https://pki.google.com/roots.pem. */ 40 #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ 41 "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" 42 43 /** Environment variable that points to the google default application 44 credentials json key or refresh token. Used in the 45 grpc_google_default_credentials_create function. */ 46 #define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" 47 48 /** Results for the SSL roots override callback. */ 49 typedef enum { 50 GRPC_SSL_ROOTS_OVERRIDE_OK, 51 GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /** Do not try fallback options. */ 52 GRPC_SSL_ROOTS_OVERRIDE_FAIL 53 } grpc_ssl_roots_override_result; 54 55 /** Callback results for dynamically loading a SSL certificate config. */ 56 typedef enum { 57 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED, 58 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW, 59 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL 60 } grpc_ssl_certificate_config_reload_status; 61 62 typedef enum { 63 /** Server does not request client certificate. 64 The certificate presented by the client is not checked by the server at 65 all. (A client may present a self signed or signed certificate or not 66 present a certificate at all and any of those option would be accepted) */ 67 GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, 68 /** Server requests client certificate but does not enforce that the client 69 presents a certificate. 70 71 If the client presents a certificate, the client authentication is left to 72 the application (the necessary metadata will be available to the 73 application via authentication context properties, see grpc_auth_context). 74 75 The client's key certificate pair must be valid for the SSL connection to 76 be established. */ 77 GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, 78 /** Server requests client certificate but does not enforce that the client 79 presents a certificate. 80 81 If the client presents a certificate, the client authentication is done by 82 the gRPC framework. (For a successful connection the client needs to either 83 present a certificate that can be verified against the root certificate 84 configured by the server or not present a certificate at all) 85 86 The client's key certificate pair must be valid for the SSL connection to 87 be established. */ 88 GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, 89 /** Server requests client certificate and enforces that the client presents a 90 certificate. 91 92 If the client presents a certificate, the client authentication is left to 93 the application (the necessary metadata will be available to the 94 application via authentication context properties, see grpc_auth_context). 95 96 The client's key certificate pair must be valid for the SSL connection to 97 be established. */ 98 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, 99 /** Server requests client certificate and enforces that the client presents a 100 certificate. 101 102 The certificate presented by the client is verified by the gRPC framework. 103 (For a successful connection the client needs to present a certificate that 104 can be verified against the root certificate configured by the server) 105 106 The client's key certificate pair must be valid for the SSL connection to 107 be established. */ 108 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY 109 } grpc_ssl_client_certificate_request_type; 110 111 /* Security levels of grpc transport security. It represents an inherent 112 * property of a backend connection and is determined by a channel credential 113 * used to create the connection. */ 114 typedef enum { 115 GRPC_SECURITY_MIN, 116 GRPC_SECURITY_NONE = GRPC_SECURITY_MIN, 117 GRPC_INTEGRITY_ONLY, 118 GRPC_PRIVACY_AND_INTEGRITY, 119 GRPC_SECURITY_MAX = GRPC_PRIVACY_AND_INTEGRITY, 120 } grpc_security_level; 121 122 typedef enum { 123 /** Default option: performs server certificate verification and hostname 124 verification. */ 125 GRPC_TLS_SERVER_VERIFICATION, 126 /** Performs server certificate verification, but skips hostname verification 127 Client is responsible for verifying server's identity via 128 server authorization check callback. */ 129 GRPC_TLS_SKIP_HOSTNAME_VERIFICATION, 130 /** Skips both server certificate and hostname verification. 131 Client is responsible for verifying server's identity and 132 server's certificate via server authorization check callback. */ 133 GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION 134 } grpc_tls_server_verification_option; 135 136 /** 137 * Type of local connections for which local channel/server credentials will be 138 * applied. It supports UDS and local TCP connections. 139 */ 140 typedef enum { UDS = 0, LOCAL_TCP } grpc_local_connect_type; 141 142 /** The TLS versions that are supported by the SSL stack. **/ 143 typedef enum { TLS1_2, TLS1_3 } grpc_tls_version; 144 145 #ifdef __cplusplus 146 } 147 #endif 148 149 #endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */ 150