//
//
// Copyright 2020 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//

#ifndef GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H
#define GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H

#include <grpc/support/port_platform.h>

#include "src/core/ext/xds/xds_api.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"

// Channel-arg key for passing an XdsCertificateProvider through channel args.
// Presumably the key written by MakeChannelArg() and read back by
// GetFromChannelArgs() below -- confirm against the .cc.
#define GRPC_ARG_XDS_CERTIFICATE_PROVIDER \
  "grpc.internal.xds_certificate_provider"

namespace grpc_core {

// A grpc_tls_certificate_provider whose root and identity certificates are
// sourced, by name, from two (possibly distinct) grpc_tls_certificate_distributor
// instances supplied by xDS configuration. It also carries the set of SAN
// matchers that the security handshaker consults (see the deadlock note on
// san_matchers_mu_ below); presumably those are used to validate the peer's
// subject alternative names -- confirm in the handshaker.
//
// Thread-safety: the inline accessors show that mu_ guards the two
// distributor members and san_matchers_mu_ guards san_matchers_. Which mutex
// (if any) guards the remaining private state is not visible here -- see the
// .cc before touching it.
class XdsCertificateProvider : public grpc_tls_certificate_provider {
 public:
  // root_cert_name / identity_cert_name select the certificate entries in
  // the corresponding distributor; either distributor may be null (see
  // ProvidesRootCerts()/ProvidesIdentityCerts()). san_matchers is taken by
  // value and stored.
  XdsCertificateProvider(
      absl::string_view root_cert_name,
      RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor,
      absl::string_view identity_cert_name,
      RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor,
      std::vector<XdsApi::StringMatcher> san_matchers);

  ~XdsCertificateProvider() override;

  // Replaces the root cert name and/or the distributor it is read from.
  void UpdateRootCertNameAndDistributor(
      absl::string_view root_cert_name,
      RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor);
  // Replaces the identity cert name and/or the distributor it is read from.
  void UpdateIdentityCertNameAndDistributor(
      absl::string_view identity_cert_name,
      RefCountedPtr<grpc_tls_certificate_distributor>
          identity_cert_distributor);
  // Replaces the full set of SAN matchers.
  void UpdateSubjectAlternativeNameMatchers(
      std::vector<XdsApi::StringMatcher> matchers);

  // The distributor this provider exposes to the TLS credentials layer.
  // NOTE(review): no lock is taken here; presumably distributor_ is set once
  // at construction and never reassigned -- confirm in the .cc.
  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
      const override {
    return distributor_;
  }

  // True iff a root cert distributor is currently configured. Guarded by mu_.
  bool ProvidesRootCerts() {
    MutexLock lock(&mu_);
    return root_cert_distributor_ != nullptr;
  }

  // True iff an identity cert distributor is currently configured.
  // Guarded by mu_.
  bool ProvidesIdentityCerts() {
    MutexLock lock(&mu_);
    return identity_cert_distributor_ != nullptr;
  }

  // Returns a copy of the current SAN matchers, taken under
  // san_matchers_mu_ so that a caller (e.g. an in-progress handshake) sees a
  // consistent snapshot even if an update races with it.
  std::vector<XdsApi::StringMatcher> subject_alternative_name_matchers() {
    MutexLock lock(&san_matchers_mu_);
    return san_matchers_;
  }

  // Builds the channel arg that carries this provider (see
  // GRPC_ARG_XDS_CERTIFICATE_PROVIDER).
  grpc_arg MakeChannelArg() const;

  // Looks this provider up in `args`; presumably returns null when the arg
  // is absent -- confirm in the .cc.
  static RefCountedPtr<XdsCertificateProvider> GetFromChannelArgs(
      const grpc_channel_args* args);

 private:
  // Invoked when the number of watchers for `cert_name` changes; the two
  // flags report whether root / identity certs are now being watched.
  void WatchStatusCallback(std::string cert_name, bool root_being_watched,
                           bool identity_being_watched);
  // (Re)registers the root cert watcher on `root_cert_distributor`.
  void UpdateRootCertWatcher(
      grpc_tls_certificate_distributor* root_cert_distributor);
  // (Re)registers the identity cert watcher on `identity_cert_distributor`.
  void UpdateIdentityCertWatcher(
      grpc_tls_certificate_distributor* identity_cert_distributor);

  Mutex mu_;
  // Use a separate mutex for san_matchers_ to avoid deadlocks since
  // san_matchers_ needs to be accessed when a handshake is being done and we
  // run into a possible deadlock scenario if using the same mutex. The mutex
  // deadlock cycle is formed as -
  // WatchStatusCallback() -> SetKeyMaterials() ->
  // TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnCertificatesChanged()
  // -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() ->
  // subject_alternative_names_matchers()
  Mutex san_matchers_mu_;
  bool watching_root_certs_ = false;
  bool watching_identity_certs_ = false;
  std::string root_cert_name_;
  std::string identity_cert_name_;
  // Guarded by mu_ (see ProvidesRootCerts()/ProvidesIdentityCerts()).
  RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_;
  RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_;
  // Guarded by san_matchers_mu_.
  std::vector<XdsApi::StringMatcher> san_matchers_;
  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
  // Non-owning watcher handles; presumably owned by the distributor they were
  // registered with and invalidated when that registration is cancelled --
  // confirm in the .cc.
  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
      root_cert_watcher_ = nullptr;
  grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface*
      identity_cert_watcher_ = nullptr;
};

}  // namespace grpc_core

#endif  // GRPC_CORE_EXT_XDS_XDS_CERTIFICATE_PROVIDER_H