1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #ifndef GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
20 #define GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
21 
22 #include <grpc/grpc_crl_provider.h>
23 #include <grpc/grpc_security.h>
24 #include <grpc/grpc_security_constants.h>
25 #include <grpc/slice.h>
26 #include <grpc/support/port_platform.h>
27 #include <stddef.h>
28 
29 #include <memory>
30 #include <string>
31 #include <utility>
32 #include <vector>
33 
34 #include "absl/status/status.h"
35 #include "absl/strings/string_view.h"
36 #include "src/core/lib/iomgr/error.h"
37 #include "src/core/lib/security/security_connector/security_connector.h"
38 #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
39 #include "src/core/tsi/ssl_transport_security.h"
40 #include "src/core/tsi/transport_security_interface.h"
41 #include "src/core/util/ref_counted_ptr.h"
42 
43 // --- Util ---
44 
// Check ALPN information returned from SSL handshakes.
// Presumably returns OK when the peer's negotiated ALPN protocol is one gRPC
// accepts and an error otherwise; the exact property inspected lives in the
// definition.
grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer);

// Check peer name information returned from SSL handshakes, i.e. whether the
// identity in |peer| is acceptable for |peer_name|.  Presumably returns OK on a
// match and an error otherwise — confirm against the definition.
grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
                                           const tsi_peer* peer);
// Compare target_name information extracted from SSL security connectors.
// The int result is a three-way comparison; presumably strcmp-style (<0, 0, >0),
// so callers should only rely on "== 0" unless the definition confirms more.
int grpc_ssl_cmp_target_name(absl::string_view target_name,
                             absl::string_view other_target_name,
                             absl::string_view overridden_target_name,
                             absl::string_view other_overridden_target_name);
56 
namespace grpc_core {
// Check the host that will be set for a call is acceptable.
// |host| is the per-call authority; |target_name| and |overridden_target_name|
// come from the security connector and |auth_context| carries the peer
// identity established by the handshake.  Returns OK when the host is
// acceptable and a non-OK status otherwise (the precise rule is in the
// definition).
absl::Status SslCheckCallHost(absl::string_view host,
                              absl::string_view target_name,
                              absl::string_view overridden_target_name,
                              grpc_auth_context* auth_context);
}  // namespace grpc_core
64 
// Return HTTP2-compliant cipher suites that gRPC accepts by default.
// NOTE(review): ownership of the returned string is not stated in this header;
// presumably static/library-owned and not to be freed — confirm in definition.
const char* grpc_get_ssl_cipher_suites(void);

// Map from grpc_ssl_client_certificate_request_type to
// tsi_client_certificate_request_type.
tsi_client_certificate_request_type
grpc_get_tsi_client_certificate_request_type(
    grpc_ssl_client_certificate_request_type grpc_request_type);

// Map grpc_tls_version to tsi_tls_version.
tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);

// Return an array of strings containing alpn protocols.
// |num_alpn_protocols| receives the number of entries in the returned array.
// NOTE(review): whether the caller must free the array is not visible here —
// confirm against the definition before storing or releasing it.
const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);

// Initialize TSI SSL server/client handshaker factory.
//
// Client side.  |key_cert_pair| may carry the client identity; |pem_root_certs|
// are the trust anchors for the server chain; |min_tls_version| /
// |max_tls_version| bound the negotiated protocol; |ssl_session_cache| enables
// session resumption; |tls_session_key_logger| receives keys for debugging;
// |crl_directory| and |crl_provider| are two sources of revocation data (which
// wins when both are set is decided by the definition).
// NOTE(review): |skip_server_certificate_verification| presumably disables
// verification of the server certificate chain entirely; keep it false outside
// of tests — confirm how callers set it.
// On success *handshaker_factory receives the new factory; the returned
// grpc_security_status reports failure.
grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
    tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
    const char* crl_directory,
    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
    tsi_ssl_client_handshaker_factory** handshaker_factory);

// Server side.  |key_cert_pairs| (|num_key_cert_pairs| entries) are the server
// identities; |pem_root_certs| are the trust anchors for client certificates;
// |client_certificate_request| selects whether a client certificate is
// requested and/or verified; |send_client_ca_list| presumably controls whether
// the accepted CA names are advertised in the CertificateRequest — confirm.
// Remaining parameters mirror the client variant above.
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
    const char* pem_root_certs,
    grpc_ssl_client_certificate_request_type client_certificate_request,
    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
    tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
    const char* crl_directory, bool send_client_ca_list,
    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
    tsi_ssl_server_handshaker_factory** handshaker_factory);

// Free the memory occupied by key cert pairs.
// Releases |num_key_cert_pairs| entries starting at |kp|; pairs hold private
// key material, so call this as soon as the factory no longer needs them.
void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
                                             size_t num_key_cert_pairs);
// Exposed for testing only (the four declarations below).
// Builds an auth context from a handshake peer; |transport_security_type| is
// recorded as the transport-security property.
grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
    const tsi_peer* peer, const char* transport_security_type);
// "Shallow" suggests the returned tsi_peer does not own its property storage
// and must be released with grpc_shallow_peer_destruct() rather than
// tsi_peer_destruct() — confirm against the definition.
tsi_peer grpc_shallow_peer_from_ssl_auth_context(
    const grpc_auth_context* auth_context);
void grpc_shallow_peer_destruct(tsi_peer* peer);
// Returns non-zero when the certificate identity in |peer| matches
// |peer_name| (presumably; the int convention is set by the definition).
int grpc_ssl_host_matches_name(const tsi_peer* peer,
                               absl::string_view peer_name);
111 
112 // --- Default SSL Root Store. ---
113 namespace grpc_core {
114 
// Holds the process-wide default SSL root store (trust anchors) and the
// matching PEM text.  All members are static; the class is never instantiated.
class DefaultSslRootStore {
 public:
  // Gets the default SSL root store. Returns nullptr if not found.
  // Callers must treat nullptr as "no trust anchors available" and fail
  // closed, not as permission to skip verification.
  static const tsi_ssl_root_certs_store* GetRootStore();

  // Gets the default PEM root certificate.
  // NOTE(review): behaviour when no roots are found (nullptr vs empty string)
  // is not visible from this header — confirm against the definition.
  static const char* GetPemRootCerts();

 protected:
  // Returns default PEM root certificates in a NUL-terminated grpc_slice.
  // This function is protected instead of private, so that it can be tested.
  static grpc_slice ComputePemRootCerts();

 private:
  // Construct me not! Private so the static-only class cannot be instantiated.
  DefaultSslRootStore();

  // Initialization of default SSL root store.
  static void InitRootStore();

  // One-time initialization of default SSL root store.
  // Presumably the once-guard that makes the public getters safe to call
  // concurrently — confirm in the definition.
  static void InitRootStoreOnce();

  // SSL root store in tsi_ssl_root_certs_store object.
  // Mutable process-wide state; presumably written only during one-time
  // initialization and read-only afterwards.
  static tsi_ssl_root_certs_store* default_root_store_;

  // Default PEM root certificates.
  static grpc_slice default_pem_root_certs_;
};
145 
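// A PEM-encoded private key together with its PEM certificate chain.
//
// Both fields are plain std::string copies of the caller's buffers: every copy
// of this object duplicates the private key material and nothing is wiped on
// destruction, so keep the number of live copies small and short-lived.
class PemKeyCertPair {
 public:
  // Copies the PEM text of both arguments; no parsing or validation happens
  // here.
  PemKeyCertPair(absl::string_view private_key, absl::string_view cert_chain)
      : private_key_(private_key), cert_chain_(cert_chain) {}

  // Movable. The moved-from object is left with valid but unspecified strings.
  PemKeyCertPair(PemKeyCertPair&& other) noexcept
      : private_key_(std::move(other.private_key_)),
        cert_chain_(std::move(other.cert_chain_)) {}
  PemKeyCertPair& operator=(PemKeyCertPair&& other) noexcept {
    // Self-move would otherwise leave both strings in an unspecified state.
    if (this != &other) {
      private_key_ = std::move(other.private_key_);
      cert_chain_ = std::move(other.cert_chain_);
    }
    return *this;
  }

  // Copyable (memberwise; see the class comment about key material).
  PemKeyCertPair(const PemKeyCertPair& other) = default;
  PemKeyCertPair& operator=(const PemKeyCertPair& other) = default;

  // Two pairs are equal when both the key and the chain are byte-equal.
  bool operator==(const PemKeyCertPair& other) const {
    return private_key_ == other.private_key_ &&
           cert_chain_ == other.cert_chain_;
  }
  bool operator!=(const PemKeyCertPair& other) const {
    return !(*this == other);
  }

  // Accessors return references to the owned strings; they remain valid only
  // as long as this object does.
  const std::string& private_key() const { return private_key_; }
  const std::string& cert_chain() const { return cert_chain_; }

 private:
  std::string private_key_;
  std::string cert_chain_;
};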
183 
// A sequence of key/certificate pairs, kept in the order they were inserted.
using PemKeyCertPairList = std::vector<PemKeyCertPair>;
185 
186 }  // namespace grpc_core
187 
188 #endif  // GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
189