//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
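//
//
#ifndef GRPC_GRPC_CRL_PROVIDER_H
#define GRPC_GRPC_CRL_PROVIDER_H

// <chrono> and <functional> are used directly below (std::chrono::seconds,
// std::function) and absl::Span comes from absl/types/span.h; include them
// here instead of relying on them arriving transitively.
#include <chrono>
#include <functional>
#include <memory>
#include <string>

#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "absl/types/span.h"

#include <grpc/grpc_security.h>
#include <grpc/support/port_platform.h>

namespace grpc_core {
namespace experimental {

// Opaque representation of a parsed certificate revocation list (CRL).
// Implementations must be thread safe: one Crl object may be consulted by
// several concurrent handshakes.
class Crl {
 public:
  // Parses a CRL from its encoded form, returning an error status if the
  // input cannot be decoded.
  // NOTE(review): whether Parse also verifies the CRL's signature against its
  // issuer is not established by this header -- confirm against the
  // implementation before trusting CRLs from a source you do not control; an
  // unverified CRL can both spuriously revoke and fail to revoke.
  static absl::StatusOr<std::unique_ptr<Crl>> Parse(
      absl::string_view crl_string);
  virtual ~Crl() = default;
  // Issuer name of this CRL, used to match it to a certificate's issuer.
  // Implementations should return a view into storage owned by this object so
  // the view stays valid for the object's lifetime.
  virtual absl::string_view Issuer() = 0;
};

// Information about a certificate that a CrlProvider uses to look up the CRL
// covering it. Must be thread safe.
class CertificateInfo {
 public:
  virtual ~CertificateInfo() = default;
  // Issuer name of the certificate being checked.
  virtual absl::string_view Issuer() const = 0;
  // Authority Key Identifier extension value of the certificate being
  // checked (presumably empty when the certificate carries none -- confirm).
  virtual absl::string_view AuthorityKeyIdentifier() const = 0;
};

// Base class for CRL provider implementations.
//
// A CrlProvider is installed on TLS credentials options (see
// grpc_tls_credentials_options_set_crl_provider below) to supply CRLs during
// handshakes. Implementations must be thread safe. GetCrl sits on the
// critical path of connection establishment, so it should be very fast: keep
// an in-memory map of CRLs for lookup and perform expensive updates to that
// map asynchronously.
class CrlProvider {
 public:
  virtual ~CrlProvider() = default;
  // Returns the CRL associated with the given certificate. Read-only: must not
  // mutate shared state without synchronization. A null result presumably
  // means "no CRL known for this certificate"; whether that fails the
  // handshake or is tolerated is decided by the handshake's revocation policy,
  // not by this interface -- confirm with the caller before assuming either.
  virtual std::shared_ptr<Crl> GetCrl(
      const CertificateInfo& certificate_info) = 0;
};

// Creates a provider backed by a fixed set of CRLs. Each element of `crls` is
// one encoded CRL; a parse failure is reported through the returned status
// (NOTE(review): whether one bad element rejects the whole set is inferred
// from the StatusOr return -- confirm). The set cannot be changed afterwards,
// so this suits deployments where CRLs are rotated by redeploying.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
    absl::Span<const std::string> crls);

// Creates a provider that periodically and asynchronously reloads CRL files
// from `directory`. `refresh_duration` is the reload period; the minimum is 60
// seconds (NOTE(review): whether a smaller value is clamped or rejected is not
// stated here -- confirm). `reload_error_callback` is invoked with the status
// of a failed reload so the user can log or otherwise report it.
//
// Reloading is asynchronous and off the handshake path, so the gRPC process
// keeps running through reload errors, presumably serving the last
// successfully loaded CRLs, which then grow stale. Treat the callback as the
// signal for your monitoring and alerting: a silently failing reloader means
// new revocations stop taking effect. The directory is part of the trust
// configuration -- anyone who can write to it influences which CRLs the
// handshake consults -- so restrict write access to it accordingly.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
    absl::string_view directory, std::chrono::seconds refresh_duration,
    std::function<void(absl::Status)> reload_error_callback);

}  // namespace experimental
}  // namespace grpc_core

// TODO(gtcooke94) - Mark with api macro when all wrapped languages support C++
// in core APIs
/**
 * EXPERIMENTAL API - Subject to change
 *
 * Sets the CRL provider in the options. The provider is passed as a
 * shared_ptr, so the options retain their own reference and the caller need
 * not keep the object alive itself.
 */
void grpc_tls_credentials_options_set_crl_provider(
    grpc_tls_credentials_options* options,
    std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
#endif /* GRPC_GRPC_CRL_PROVIDER_H */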