1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
21 
23 
24 #include <stdbool.h>
25 
26 #include "absl/strings/str_split.h"
27 #include "absl/strings/string_view.h"
28 
29 #include <grpc/grpc_security.h>
30 #include <grpc/slice_buffer.h>
31 
40 
41 /* --- Util --- */
42 
43 /* --- URL schemes. --- */
44 #define GRPC_SSL_URL_SCHEME "https"
45 
46 /* Check ALPN information returned from SSL handshakes. */
48 
/* Check peer name information returned from SSL handshakes.
 *
 * peer_name: the name the caller wants the remote side to have presented.
 * peer:      the tsi_peer produced by the completed TSI handshake.
 * Returns a grpc_error_handle: success, or the reason the peer name was
 * rejected. The exact matching rules are implemented in ssl_utils.cc and are
 * not defined by this header. */
grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
                                           const tsi_peer* peer);
/* Compare target_name information extracted from SSL security connectors.
 *
 * Takes the target name and the overridden target name of two connectors and
 * returns an int in the style of a comparison function. The ordering
 * semantics (which value is "less") live in ssl_utils.cc, not here; consult
 * it before relying on anything beyond zero / non-zero. */
int grpc_ssl_cmp_target_name(absl::string_view target_name,
                             absl::string_view other_target_name,
                             absl::string_view overridden_target_name,
                             absl::string_view other_overridden_target_name);
57 /* Check that the host that will be set for a call is acceptable. */
58 bool grpc_ssl_check_call_host(absl::string_view host,
59  absl::string_view target_name,
60  absl::string_view overridden_target_name,
61  grpc_auth_context* auth_context,
/* Return HTTP2-compliant cipher suites that gRPC accepts by default.
 *
 * Returns a cipher-list string in the format the SSL stack expects. No size or
 * free function is exposed, so the pointer is presumably to storage owned by
 * the library — confirm against ssl_utils.cc before keeping it past the call. */
const char* grpc_get_ssl_cipher_suites(void);
65 
66 /* Map from grpc_ssl_client_certificate_request_type to
67  * tsi_client_certificate_request_type. */
71 
72 /* Map tsi_security_level string to grpc_security_level enum. */
74  const char* security_level);
75 
76 /* Map grpc_tls_version to tsi_tls_version. */
78 
/* Map grpc_security_level enum to a string.
 *
 * Returns a human-readable name for `security_level`. The returned pointer is
 * presumably a static string owned by the library (nothing here transfers
 * ownership) — confirm in ssl_utils.cc before storing it. */
const char* grpc_security_level_to_string(grpc_security_level security_level);
81 
82 /* Check the security level of the channel against that of the call credential. */
84  grpc_security_level call_cred_level);
85 
/* Return an array of strings containing alpn protocols.
 *
 * On return, *num_alpn_protocols holds the number of entries in the returned
 * array. NOTE(review): whether the caller owns (and must free) the array is
 * not stated in this header — confirm against ssl_utils.cc before use. */
const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
88 
89 /* Initialize TSI SSL server/client handshaker factory. */
91  tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
92  bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
93  tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
94  tsi_ssl_client_handshaker_factory** handshaker_factory);
95 
97  tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
98  const char* pem_root_certs,
99  grpc_ssl_client_certificate_request_type client_certificate_request,
100  tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
101  tsi_ssl_server_handshaker_factory** handshaker_factory);
102 
103 /* Exposed for testing only. */
105  const tsi_peer* peer, const char* transport_security_type);
107  const grpc_auth_context* auth_context);
/* Exposed for testing only.
 *
 * Reports whether the identity carried in `peer` matches `peer_name`; this is
 * the host-name matching step behind the peer-name check above. The return is
 * an int used as a boolean (presumably non-zero on match); the matching rules
 * are defined in ssl_utils.cc. */
int grpc_ssl_host_matches_name(const tsi_peer* peer,
                               absl::string_view peer_name);
111 
112 /* --- Default SSL Root Store. --- */
113 namespace grpc_core {
114 
115 // This class implements the default SSL root store.
117  public:
118  // Gets the default SSL root store. Returns nullptr if not found.
119  static const tsi_ssl_root_certs_store* GetRootStore();
120 
121  // Gets the default PEM root certificate.
122  static const char* GetPemRootCerts();
123 
124  protected:
125  // Returns default PEM root certificates in nullptr terminated grpc_slice.
126  // This function is protected instead of private, so that it can be tested.
128 
129  private:
130  // Construct me not!
132 
133  // Initialization of default SSL root store.
134  static void InitRootStore();
135 
136  // One-time initialization of default SSL root store.
137  static void InitRootStoreOnce();
138 
139  // SSL root store in tsi_ssl_root_certs_store object.
140  static tsi_ssl_root_certs_store* default_root_store_;
141 
142  // Default PEM root certificates.
143  static grpc_slice default_pem_root_certs_;
144 };
145 
147  public:
  // Builds a pair from PEM-encoded private key and certificate chain views.
  // Both views are copied into owned std::string storage, so they need not
  // outlive the constructed object.
  PemKeyCertPair(absl::string_view private_key, absl::string_view cert_chain)
      : private_key_(std::string(private_key)),
        cert_chain_(std::string(cert_chain)) {}
150 
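  // Movable. Takes over the key and chain storage of `other`, leaving it in
  // the valid-but-unspecified state of moved-from std::strings. Members are
  // initialized directly rather than default-constructed and then assigned.
  // Note: a move does not scrub the moved-from storage (std::string has no
  // secure erase), so private key bytes may linger in memory until that
  // storage is overwritten or freed.
  PemKeyCertPair(PemKeyCertPair&& other) noexcept
      : private_key_(std::move(other.private_key_)),
        cert_chain_(std::move(other.cert_chain_)) {}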
157  private_key_ = std::move(other.private_key_);
158  cert_chain_ = std::move(other.cert_chain_);
159  return *this;
160  }
161 
162  // Copyable.
164  : private_key_(other.private_key()), cert_chain_(other.cert_chain()) {}
166  private_key_ = other.private_key();
167  cert_chain_ = other.cert_chain();
168  return *this;
169  }
170 
  // Two pairs are equal when both the private key and the certificate chain
  // compare equal byte-for-byte. This is an ordinary std::string comparison
  // (not constant-time): it is meant for comparing configured credentials
  // with each other, not for verifying a secret against untrusted input.
  bool operator==(const PemKeyCertPair& other) const {
    if (private_key() != other.private_key()) return false;
    return cert_chain() == other.cert_chain();
  }
175 
  // Borrowed view of the PEM private key; valid for the lifetime of this
  // object. Callers must not retain the reference past that.
  const std::string& private_key() const {
    return private_key_;
  }
  // Borrowed view of the PEM certificate chain; valid for the lifetime of this
  // object.
  const std::string& cert_chain() const {
    return cert_chain_;
  }
178 
179  private:
180  std::string private_key_;
181  std::string cert_chain_;
182 };
183 
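// List of key/certificate pairs. The inline capacity of 1 keeps the common
// single-pair case free of heap allocation. Declared with `using` rather than
// `typedef`, which is the idiomatic C++ form; the alias name is unchanged.
using PemKeyCertPairList = absl::InlinedVector<grpc_core::PemKeyCertPair, 1>;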
185 
186 } // namespace grpc_core
187 
188 #endif // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H