1 // 2 // Copyright 2020 gRPC authors. 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 18 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 19 20 #include <memory> 21 #include <vector> 22 23 #include <grpc/grpc_security.h> 24 #include <grpc/grpc_security_constants.h> 25 #include <grpc/status.h> 26 #include <grpc/support/log.h> 27 #include <grpcpp/support/config.h> 28 29 namespace grpc { 30 namespace experimental { 31 32 // Interface for a class that handles the process to fetch credential data. 33 // Implementations should be a wrapper class of an internal provider 34 // implementation. 35 class CertificateProviderInterface { 36 public: 37 virtual ~CertificateProviderInterface() = default; 38 virtual grpc_tls_certificate_provider* c_provider() = 0; 39 }; 40 41 // A struct that stores the credential data presented to the peer in handshake 42 // to show local identity. The private_key and certificate_chain should always 43 // match. 44 struct IdentityKeyCertPair { 45 std::string private_key; 46 std::string certificate_chain; 47 }; 48 49 // A basic CertificateProviderInterface implementation that will load credential 50 // data from static string during initialization. This provider will always 51 // return the same cert data for all cert names, and reloading is not supported. 52 class StaticDataCertificateProvider : public CertificateProviderInterface { 53 public: 54 StaticDataCertificateProvider( 55 const std::string& root_certificate, 56 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs); 57 StaticDataCertificateProvider(const std::string & root_certificate)58 explicit StaticDataCertificateProvider(const std::string& root_certificate) 59 : StaticDataCertificateProvider(root_certificate, {}) {} 60 StaticDataCertificateProvider(const std::vector<IdentityKeyCertPair> & identity_key_cert_pairs)61 explicit StaticDataCertificateProvider( 62 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs) 63 : StaticDataCertificateProvider("", identity_key_cert_pairs) {} 64 65 ~StaticDataCertificateProvider() override; 66 c_provider()67 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 68 69 private: 70 grpc_tls_certificate_provider* c_provider_ = nullptr; 71 }; 72 73 // A CertificateProviderInterface implementation that will watch the credential 74 // changes on the file system. This provider will always return the up-to-date 75 // cert data for all the cert names callers set through |TlsCredentialsOptions|. 76 // Several things to note: 77 // 1. This API only supports one key-cert file and hence one set of identity 78 // key-cert pair, so SNI(Server Name Indication) is not supported. 79 // 2. The private key and identity certificate should always match. This API 80 // guarantees atomic read, and it is the callers' responsibility to do atomic 81 // updates. There are many ways to atomically update the key and certs in the 82 // file system. To name a few: 83 // 1) creating a new directory, renaming the old directory to a new name, and 84 // then renaming the new directory to the original name of the old directory. 85 // 2) using a symlink for the directory. When need to change, put new 86 // credential data in a new directory, and change symlink. 87 class FileWatcherCertificateProvider final 88 : public CertificateProviderInterface { 89 public: 90 // Constructor to get credential updates from root and identity file paths. 91 // 92 // @param private_key_path is the file path of the private key. 93 // @param identity_certificate_path is the file path of the identity 94 // certificate chain. 95 // @param root_cert_path is the file path to the root certificate bundle. 96 // @param refresh_interval_sec is the refreshing interval that we will check 97 // the files for updates. 98 FileWatcherCertificateProvider(const std::string& private_key_path, 99 const std::string& identity_certificate_path, 100 const std::string& root_cert_path, 101 unsigned int refresh_interval_sec); 102 // Constructor to get credential updates from identity file paths only. FileWatcherCertificateProvider(const std::string & private_key_path,const std::string & identity_certificate_path,unsigned int refresh_interval_sec)103 FileWatcherCertificateProvider(const std::string& private_key_path, 104 const std::string& identity_certificate_path, 105 unsigned int refresh_interval_sec) 106 : FileWatcherCertificateProvider(private_key_path, 107 identity_certificate_path, "", 108 refresh_interval_sec) {} 109 // Constructor to get credential updates from root file path only. FileWatcherCertificateProvider(const std::string & root_cert_path,unsigned int refresh_interval_sec)110 FileWatcherCertificateProvider(const std::string& root_cert_path, 111 unsigned int refresh_interval_sec) 112 : FileWatcherCertificateProvider("", "", root_cert_path, 113 refresh_interval_sec) {} 114 115 ~FileWatcherCertificateProvider() override; 116 c_provider()117 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 118 119 private: 120 grpc_tls_certificate_provider* c_provider_ = nullptr; 121 }; 122 123 } // namespace experimental 124 } // namespace grpc 125 126 #endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 127