//
//
// Copyright 2015 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//

#ifndef GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
#define GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H

// Helpers shared by the SSL security connectors: post-handshake checks
// (ALPN, peer name, call host), gRPC -> TSI enum mappings, TSI handshaker
// factory construction, and the process-wide default root store.

#include <grpc/support/port_platform.h>

#include <stddef.h>

#include <string>
#include <utility>
#include <vector>

#include "absl/status/status.h"
#include "absl/strings/string_view.h"

#include <grpc/grpc_security.h>
#include <grpc/grpc_security_constants.h>
#include <grpc/slice.h>

#include "src/core/lib/gprpp/ref_counted_ptr.h"
#include "src/core/lib/iomgr/error.h"
#include "src/core/lib/security/security_connector/security_connector.h"
#include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
#include "src/core/tsi/ssl_transport_security.h"
#include "src/core/tsi/transport_security_interface.h"

// --- Util ---

// Check ALPN information returned from SSL handshakes.
// Inspects the properties carried by `peer` and returns a non-OK
// grpc_error_handle when the negotiated ALPN data is not acceptable (the
// exact acceptance criteria live in the .cc).
grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer);

// Check peer name information returned from SSL handshakes.
// `peer_name` is the name the caller expects the remote endpoint to present;
// `peer` holds the identity extracted from the handshake. Returns a non-OK
// grpc_error_handle when they do not match.
grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
                                           const tsi_peer* peer);
// Compare target_name information extracted from SSL security connectors.
// The pair (target_name, overridden_target_name) is compared against
// (other_target_name, other_overridden_target_name). The int result is
// presumably strcmp-style (negative / zero / positive) — confirm in the .cc.
int grpc_ssl_cmp_target_name(absl::string_view target_name,
                             absl::string_view other_target_name,
                             absl::string_view overridden_target_name,
                             absl::string_view other_overridden_target_name);

namespace grpc_core {
// Check the host that will be set for a call is acceptable.
// `host` is the host/authority the call is about to use; it is checked
// against `target_name`, `overridden_target_name` and the peer identity in
// `auth_context`. Returns a non-OK absl::Status when the host is rejected.
// NOTE(review): which of the three names takes precedence is decided in the
// .cc, not visible here — confirm before relying on the order.
absl::Status SslCheckCallHost(absl::string_view host,
                              absl::string_view target_name,
                              absl::string_view overridden_target_name,
                              grpc_auth_context* auth_context);
}  // namespace grpc_core

// Return HTTP2-compliant cipher suites that gRPC accepts by default.
// The result is a cipher-list string in the format the TSI SSL layer
// consumes; the returned pointer is presumably to static storage (the caller
// must not free it) — confirm in the .cc.
const char* grpc_get_ssl_cipher_suites(void);

// Map from grpc_ssl_client_certificate_request_type to
// tsi_client_certificate_request_type.
// Translates the public API's client-certificate policy into the TSI enum
// the handshaker factory understands.
tsi_client_certificate_request_type
grpc_get_tsi_client_certificate_request_type(
    grpc_ssl_client_certificate_request_type grpc_request_type);

// Map grpc_tls_version to tsi_tls_version.
tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);

// Return an array of strings containing alpn protocols.
// The number of entries is written to `*num_alpn_protocols`.
// NOTE(review): ownership of the returned array is not visible here — confirm
// whether the caller must free it.
const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);

// Initialize TSI SSL server/client handshaker factory.
//
// Client side. On success the new factory is stored in `*handshaker_factory`
// and the returned grpc_security_status reports the outcome.
//   key_cert_pair     - client identity (may be absent for server-only auth;
//                       nullability is not visible here — confirm in the .cc).
//   pem_root_certs    - PEM bundle used to verify the server chain.
//   skip_server_certificate_verification
//                     - per its name, disables verification of the server
//                       certificate chain; a client built with this accepts
//                       any server identity, so it is only appropriate for
//                       tests. Exact semantics are in the .cc — confirm.
//   min/max_tls_version
//                     - bounds on the negotiated protocol version.
//   ssl_session_cache - session resumption cache (presumably optional).
//   tls_session_key_logger
//                     - key-log sink; when set, negotiated session keys are
//                       written out (presumably for debugging only — confirm).
//   crl_directory     - directory of certificate revocation lists consulted
//                       during verification.
grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
    tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
    const char* crl_directory,
    tsi_ssl_client_handshaker_factory** handshaker_factory);

// Server side. `key_cert_pairs` holds `num_key_cert_pairs` server identities;
// `client_certificate_request` controls whether and how strictly a client
// certificate is demanded; `send_client_ca_list` presumably controls whether
// the accepted CA names are advertised in the CertificateRequest — confirm
// in the .cc. Remaining parameters mirror the client-side function above.
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
    const char* pem_root_certs,
    grpc_ssl_client_certificate_request_type client_certificate_request,
    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
    tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
    const char* crl_directory, bool send_client_ca_list,
    tsi_ssl_server_handshaker_factory** handshaker_factory);

// Free the memory occupied by key cert pairs.
// `kp` points at `num_key_cert_pairs` entries. NOTE(review): whether the
// private-key bytes are scrubbed before release is decided in the .cc, not
// visible here.
void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
                                             size_t num_key_cert_pairs);
// Exposed for testing only.
// Builds an auth context from the handshake `peer`, tagging it with
// `transport_security_type`.
grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
    const tsi_peer* peer, const char* transport_security_type);
// Inverse of the above. "Shallow": the returned peer presumably references
// data owned by `auth_context`, so it must not outlive it and must be
// released with grpc_shallow_peer_destruct(), not tsi_peer_destruct().
tsi_peer grpc_shallow_peer_from_ssl_auth_context(
    const grpc_auth_context* auth_context);
void grpc_shallow_peer_destruct(tsi_peer* peer);
// Returns non-zero (presumably) when `peer`'s certificate identity matches
// `peer_name` — confirm the exact convention in the .cc.
int grpc_ssl_host_matches_name(const tsi_peer* peer,
                               absl::string_view peer_name);

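// --- Default SSL Root Store. ---
namespace grpc_core {

// The class implements default SSL root store.
// All state is static; the class is never instantiated (its only constructor
// is private). It owns both the parsed root store and the raw PEM bytes it
// was built from.
class DefaultSslRootStore {
 public:
  // Gets the default SSL root store. Returns nullptr if not found.
  static const tsi_ssl_root_certs_store* GetRootStore();

  // Gets the default PEM root certificate.
  static const char* GetPemRootCerts();

 protected:
  // Returns default PEM root certificates in a NUL-terminated grpc_slice.
  // This function is protected instead of private, so that it can be tested.
  static grpc_slice ComputePemRootCerts();

 private:
  // Never instantiated: every member is static.
  DefaultSslRootStore();

  // Initialization of default SSL root store.
  static void InitRootStore();

  // One-time initialization of default SSL root store.
  static void InitRootStoreOnce();

  // SSL root store in tsi_ssl_root_certs_store object.
  static tsi_ssl_root_certs_store* default_root_store_;

  // Default PEM root certificates.
  static grpc_slice default_pem_root_certs_;
};

// A PEM-encoded private key together with its certificate chain. Both are
// copied into owned std::strings from the views passed to the constructor.
//
// NOTE(review): private_key_ holds key material in a plain std::string. It
// is not zeroed on destruction, and a reallocation, move or reassignment may
// leave the old bytes in freed heap memory — confirm whether callers need
// explicit scrubbing.
class PemKeyCertPair {
 public:
  PemKeyCertPair(absl::string_view private_key, absl::string_view cert_chain)
      : private_key_(private_key), cert_chain_(cert_chain) {}

  // Copyable and movable. The compiler-generated members are exactly the
  // member-wise std::string operations the previous hand-written versions
  // performed; defaulting the move constructor also avoids first
  // default-constructing both strings and then move-assigning into them.
  PemKeyCertPair(const PemKeyCertPair& other) = default;
  PemKeyCertPair& operator=(const PemKeyCertPair& other) = default;
  PemKeyCertPair(PemKeyCertPair&& other) noexcept = default;
  PemKeyCertPair& operator=(PemKeyCertPair&& other) noexcept = default;

  // Two pairs are equal when both the key and the chain bytes are equal.
  bool operator==(const PemKeyCertPair& other) const {
    return private_key_ == other.private_key_ &&
           cert_chain_ == other.cert_chain_;
  }
  bool operator!=(const PemKeyCertPair& other) const {
    return !(*this == other);
  }

  // Accessors return references into this object; they are invalidated when
  // the pair is destroyed, moved-from or reassigned.
  const std::string& private_key() const { return private_key_; }
  const std::string& cert_chain() const { return cert_chain_; }

 private:
  std::string private_key_;
  std::string cert_chain_;
};

using PemKeyCertPairList = std::vector<PemKeyCertPair>;

}  // namespace grpc_core
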
#endif  // GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H