1 // 2 // Copyright 2020 gRPC authors. 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 18 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 19 20 #include <grpc/grpc_security_constants.h> 21 #include <grpc/status.h> 22 #include <grpc/support/log.h> 23 #include <grpcpp/impl/codegen/grpc_library.h> 24 #include <grpcpp/support/config.h> 25 26 #include <memory> 27 #include <vector> 28 29 // TODO(yihuazhang): remove the forward declaration here and include 30 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up. 31 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider; 32 33 namespace grpc { 34 namespace experimental { 35 36 // Interface for a class that handles the process to fetch credential data. 37 // Implementations should be a wrapper class of an internal provider 38 // implementation. 39 class CertificateProviderInterface { 40 public: 41 virtual ~CertificateProviderInterface() = default; 42 virtual grpc_tls_certificate_provider* c_provider() = 0; 43 }; 44 45 // A struct that stores the credential data presented to the peer in handshake 46 // to show local identity. The private_key and certificate_chain should always 47 // match. 48 struct IdentityKeyCertPair { 49 std::string private_key; 50 std::string certificate_chain; 51 }; 52 53 // A basic CertificateProviderInterface implementation that will load credential 54 // data from static string during initialization. This provider will always 55 // return the same cert data for all cert names, and reloading is not supported. 56 class StaticDataCertificateProvider : public CertificateProviderInterface { 57 public: 58 StaticDataCertificateProvider( 59 const std::string& root_certificate, 60 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs); 61 StaticDataCertificateProvider(const std::string & root_certificate)62 explicit StaticDataCertificateProvider(const std::string& root_certificate) 63 : StaticDataCertificateProvider(root_certificate, {}) {} 64 StaticDataCertificateProvider(const std::vector<IdentityKeyCertPair> & identity_key_cert_pairs)65 explicit StaticDataCertificateProvider( 66 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs) 67 : StaticDataCertificateProvider("", identity_key_cert_pairs) {} 68 69 ~StaticDataCertificateProvider() override; 70 c_provider()71 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 72 73 private: 74 grpc_tls_certificate_provider* c_provider_ = nullptr; 75 }; 76 77 // A CertificateProviderInterface implementation that will watch the credential 78 // changes on the file system. This provider will always return the up-to-date 79 // cert data for all the cert names callers set through |TlsCredentialsOptions|. 80 // Several things to note: 81 // 1. This API only supports one key-cert file and hence one set of identity 82 // key-cert pair, so SNI(Server Name Indication) is not supported. 83 // 2. The private key and identity certificate should always match. This API 84 // guarantees atomic read, and it is the callers' responsibility to do atomic 85 // updates. There are many ways to atomically update the key and certs in the 86 // file system. To name a few: 87 // 1) creating a new directory, renaming the old directory to a new name, and 88 // then renaming the new directory to the original name of the old directory. 89 // 2) using a symlink for the directory. When need to change, put new 90 // credential data in a new directory, and change symlink. 91 class FileWatcherCertificateProvider final 92 : public CertificateProviderInterface { 93 public: 94 // Constructor to get credential updates from root and identity file paths. 95 // 96 // @param private_key_path is the file path of the private key. 97 // @param identity_certificate_path is the file path of the identity 98 // certificate chain. 99 // @param root_cert_path is the file path to the root certificate bundle. 100 // @param refresh_interval_sec is the refreshing interval that we will check 101 // the files for updates. 102 FileWatcherCertificateProvider(const std::string& private_key_path, 103 const std::string& identity_certificate_path, 104 const std::string& root_cert_path, 105 unsigned int refresh_interval_sec); 106 // Constructor to get credential updates from identity file paths only. FileWatcherCertificateProvider(const std::string & private_key_path,const std::string & identity_certificate_path,unsigned int refresh_interval_sec)107 FileWatcherCertificateProvider(const std::string& private_key_path, 108 const std::string& identity_certificate_path, 109 unsigned int refresh_interval_sec) 110 : FileWatcherCertificateProvider(private_key_path, 111 identity_certificate_path, "", 112 refresh_interval_sec) {} 113 // Constructor to get credential updates from root file path only. FileWatcherCertificateProvider(const std::string & root_cert_path,unsigned int refresh_interval_sec)114 FileWatcherCertificateProvider(const std::string& root_cert_path, 115 unsigned int refresh_interval_sec) 116 : FileWatcherCertificateProvider("", "", root_cert_path, 117 refresh_interval_sec) {} 118 119 ~FileWatcherCertificateProvider() override; 120 c_provider()121 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 122 123 private: 124 grpc_tls_certificate_provider* c_provider_ = nullptr; 125 }; 126 127 } // namespace experimental 128 } // namespace grpc 129 130 #endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 131