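//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//

#ifndef GRPC_GRPC_CRL_PROVIDER_H
#define GRPC_GRPC_CRL_PROVIDER_H

#include <grpc/credentials.h>
#include <grpc/grpc_security.h>
#include <grpc/support/port_platform.h>

// <chrono> (std::chrono::seconds), <functional> (std::function) and
// absl/types/span.h (absl::Span) are all used below; include them directly so
// the header is self-contained instead of relying on transitive includes.
#include <chrono>
#include <functional>
#include <memory>
#include <string>

#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "absl/types/span.h"

namespace grpc_core {
namespace experimental {

// Opaque representation of a parsed CRL. Implementations must be thread safe:
// one Crl object may be handed out to many concurrent handshakes through
// CrlProvider::GetCrl.
class Crl {
 public:
  // Parses a CRL from its serialized form. On failure the returned Status
  // describes why the input was rejected and no Crl object is produced.
  //
  // NOTE(review): nothing here states whether Parse also verifies the CRL's
  // signature against its issuer or merely decodes it. Confirm that in the
  // implementation before loading CRLs from a location an attacker could
  // write to (a shared directory, a network fetch, ...).
  static absl::StatusOr<std::unique_ptr<Crl>> Parse(
      absl::string_view crl_string);
  virtual ~Crl() = default;
  // Issuer name of this CRL, used to match it against the certificate being
  // verified. The returned view is borrowed and is only valid while this Crl
  // is alive. (Unlike CertificateInfo's accessors this is non-const; making it
  // const would change the signature existing overriders implement.)
  virtual absl::string_view Issuer() = 0;
};

// The subset of a certificate's fields that a CrlProvider needs in order to
// locate the CRL covering that certificate. Implementations must be thread
// safe.
class CertificateInfo {
 public:
  virtual ~CertificateInfo() = default;
  // Issuer name of the certificate being verified.
  virtual absl::string_view Issuer() const = 0;
  // Value of the certificate's Authority Key Identifier extension. Together
  // with Issuer() it identifies which CRL applies.
  virtual absl::string_view AuthorityKeyIdentifier() const = 0;
  // Both accessors return string_views rather than owned strings: assume they
  // are valid only while this CertificateInfo is (i.e. for the duration of the
  // GetCrl call that receives it) and copy them if they must outlive it.
};

// The base class for CRL Provider implementations.
//
// A CrlProvider is attached to TLS credentials options (see
// grpc_tls_credentials_options_set_crl_provider at the bottom of this file)
// and is consulted during handshakes to supply the CRL for each certificate
// being verified. Requirements on implementations:
//   * Thread safe: GetCrl is called concurrently from many handshakes.
//   * Fast: GetCrl sits on the critical path of gRPC creating a connection
//     and completing a handshake. The suggested design is an in-memory map
//     of CRLs for quick lookup and return, with any expensive update of that
//     map performed asynchronously. Because GetCrl returns a shared_ptr, a
//     Crl already handed to a handshake stays alive even if the provider
//     replaces its map concurrently.
class CrlProvider {
 public:
  virtual ~CrlProvider() = default;
  // Returns the CRL associated with the certificate described by
  // certificate_info. Read-only: it must not mutate provider state visible to
  // other callers and should not block. A null pointer presumably means the
  // provider has no CRL for that certificate.
  //
  // NOTE(review): whether a missing CRL fails the handshake or lets it
  // proceed unchecked is decided by the TLS verification code, not by this
  // interface; confirm the fail-open/fail-closed behaviour before relying on
  // a provider that can legitimately return null.
  virtual std::shared_ptr<Crl> GetCrl(
      const CertificateInfo& certificate_info) = 0;
};

// Creates a provider backed by a fixed set of CRLs, each given in the
// serialized form that Crl::Parse accepts. The interface offers no way to
// refresh this set, so a revocation published after construction is not seen
// until a new provider is built and installed. Whether a single entry that
// fails to parse makes the whole call return an error, rather than being
// silently dropped, is not specified here — check the implementation.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
    absl::Span<const std::string> crls);

// Creates a CRL Provider that periodically and asynchronously reloads the
// CRLs found in `directory`. `refresh_duration` is the reload interval; its
// minimum is 60 seconds (whether smaller values are rejected or clamped is
// not specified here).
//
// `reload_error_callback` gives the caller a way to log or otherwise notify
// about errors during reloading. Reloading is asynchronous and not on the
// main codepath, and reload errors are NOT fatal: the gRPC process keeps
// running and handshakes presumably keep using whatever CRL set was last
// loaded successfully. A reload that keeps failing therefore lets the CRLs
// silently go stale, and certificates revoked since then may still be
// accepted — wire this callback into your monitoring and alerting rather
// than ignoring it.
//
// Since the callback is invoked from the asynchronous reload rather than from
// the caller's thread, it must be thread safe, should not block, and anything
// it captures by reference must outlive the provider.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
    absl::string_view directory, std::chrono::seconds refresh_duration,
    std::function<void(absl::Status)> reload_error_callback);

}  // namespace experimental
}  // namespace grpc_core

// TODO(gtcooke94) - Mark with api macro when all wrapped languages support C++
// in core APIs
/**
 * EXPERIMENTAL API - Subject to change
 *
 * Sets the crl provider in the options. The provider is passed as a
 * shared_ptr, so ownership is shared with the options (presumably stored
 * there); the caller does not have to keep its own reference alive.
 */
void grpc_tls_credentials_options_set_crl_provider(
    grpc_tls_credentials_options* options,
    std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
#endif /* GRPC_GRPC_CRL_PROVIDER_H */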