#region Copyright notice and license

// Copyright 2019 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#endregion

namespace Grpc.Core
{
    /// <summary>
    /// Callback invoked with the expected target host and the peer's certificate.
    /// Returning <c>false</c> is treated as a verification failure and the
    /// connection attempt fails.
    /// The callback is invoked synchronously on the handshake path, so any
    /// implementation should be light-weight.
    /// It can be invoked multiple times, and concurrently from different threads
    /// (e.g. when several connections are being created for the same credentials),
    /// so implementations must be safe to run concurrently.
    /// </summary>
    /// <param name="context">The <see cref="VerifyPeerContext"/> associated with the callback.</param>
    /// <returns><c>true</c> if verification succeeded, <c>false</c> otherwise.</returns>
    /// <remarks>Note: experimental API that can change or be removed without any prior notice.</remarks>
    public delegate bool VerifyPeerCallback(VerifyPeerContext context);

    /// <summary>
    /// Client-side SSL credentials.
    /// </summary>
    public sealed class SslCredentials : ChannelCredentials
    {
        // All three settings are captured once at construction and never mutated;
        // a null value means "not provided" and is forwarded as such to the configurator.
        private readonly string _rootCertificates;
        private readonly KeyCertificatePair _keyCertificatePair;
        private readonly VerifyPeerCallback _verifyPeerCallback;

        /// <summary>
        /// Creates client-side SSL credentials.
        /// </summary>
        /// <param name="rootCertificates">string containing PEM encoded server root certificates,
        /// or <c>null</c> to use the default roots (see the parameterless constructor).</param>
        /// <param name="keyCertificatePair">a key certificate pair, or <c>null</c> if the client
        /// does not present a certificate.</param>
        /// <param name="verifyPeerCallback">a callback to verify the peer's target name and certificate,
        /// or <c>null</c> for no additional verification.</param>
        /// <remarks>Note: experimental API that can change or be removed without any prior notice.</remarks>
        public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair, VerifyPeerCallback verifyPeerCallback)
        {
            _rootCertificates = rootCertificates;
            _keyCertificatePair = keyCertificatePair;
            _verifyPeerCallback = verifyPeerCallback;
        }

        /// <summary>
        /// Creates client-side SSL credentials loaded from the
        /// disk file pointed to by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
        /// If that fails, gets the root certificates from a well known place on disk.
        /// </summary>
        public SslCredentials()
            : this(null, null, null)
        {
        }

        /// <summary>
        /// Creates client-side SSL credentials from
        /// a string containing PEM encoded root certificates.
        /// </summary>
        /// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
        public SslCredentials(string rootCertificates)
            : this(rootCertificates, null, null)
        {
        }

        /// <summary>
        /// Creates client-side SSL credentials.
        /// </summary>
        /// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
        /// <param name="keyCertificatePair">a key certificate pair.</param>
        public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair)
            : this(rootCertificates, keyCertificatePair, null)
        {
        }

        /// <summary>
        /// PEM encoding of the server root certificates, or <c>null</c> when the
        /// default roots are used.
        /// </summary>
        public string RootCertificates => _rootCertificates;

        /// <summary>
        /// Client side key and certificate pair.
        /// If <c>null</c>, the client will not use a key and certificate pair.
        /// </summary>
        public KeyCertificatePair KeyCertificatePair => _keyCertificatePair;

        /// <summary>
        /// Populates the channel credentials configurator with this instance's configuration.
        /// End users never need to invoke this method as it is part of the internal implementation.
        /// </summary>
        /// <param name="configurator">the configurator receiving the SSL settings.</param>
        /// <param name="state">opaque state passed back to the configurator unchanged.</param>
        public override void InternalPopulateConfiguration(ChannelCredentialsConfiguratorBase configurator, object state)
            => configurator.SetSslCredentials(state, _rootCertificates, _keyCertificatePair, _verifyPeerCallback);

        // SSL credentials may be combined with call credentials into composite credentials.
        internal override bool IsComposable => true;
    }
}