1 // 2 // Copyright 2020 gRPC authors. 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 18 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 19 20 #include <memory> 21 #include <vector> 22 23 #include <grpc/grpc_security.h> 24 #include <grpc/grpc_security_constants.h> 25 #include <grpc/status.h> 26 #include <grpc/support/log.h> 27 #include <grpcpp/support/config.h> 28 29 namespace grpc { 30 namespace experimental { 31 32 // Interface for a class that handles the process to fetch credential data. 33 // Implementations should be a wrapper class of an internal provider 34 // implementation. 35 class GRPCXX_DLL CertificateProviderInterface { 36 public: 37 virtual ~CertificateProviderInterface() = default; 38 virtual grpc_tls_certificate_provider* c_provider() = 0; 39 }; 40 41 // A struct that stores the credential data presented to the peer in handshake 42 // to show local identity. The private_key and certificate_chain should always 43 // match. 44 struct GRPCXX_DLL IdentityKeyCertPair { 45 std::string private_key; 46 std::string certificate_chain; 47 }; 48 49 // A basic CertificateProviderInterface implementation that will load credential 50 // data from static string during initialization. This provider will always 51 // return the same cert data for all cert names, and reloading is not supported. 52 class GRPCXX_DLL StaticDataCertificateProvider 53 : public CertificateProviderInterface { 54 public: 55 StaticDataCertificateProvider( 56 const std::string& root_certificate, 57 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs); 58 StaticDataCertificateProvider(const std::string & root_certificate)59 explicit StaticDataCertificateProvider(const std::string& root_certificate) 60 : StaticDataCertificateProvider(root_certificate, {}) {} 61 StaticDataCertificateProvider(const std::vector<IdentityKeyCertPair> & identity_key_cert_pairs)62 explicit StaticDataCertificateProvider( 63 const std::vector<IdentityKeyCertPair>& identity_key_cert_pairs) 64 : StaticDataCertificateProvider("", identity_key_cert_pairs) {} 65 66 ~StaticDataCertificateProvider() override; 67 c_provider()68 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 69 70 private: 71 grpc_tls_certificate_provider* c_provider_ = nullptr; 72 }; 73 74 // A CertificateProviderInterface implementation that will watch the credential 75 // changes on the file system. This provider will always return the up-to-date 76 // cert data for all the cert names callers set through |TlsCredentialsOptions|. 77 // Several things to note: 78 // 1. This API only supports one key-cert file and hence one set of identity 79 // key-cert pair, so SNI(Server Name Indication) is not supported. 80 // 2. The private key and identity certificate should always match. This API 81 // guarantees atomic read, and it is the callers' responsibility to do atomic 82 // updates. There are many ways to atomically update the key and certs in the 83 // file system. To name a few: 84 // 1) creating a new directory, renaming the old directory to a new name, and 85 // then renaming the new directory to the original name of the old directory. 86 // 2) using a symlink for the directory. When need to change, put new 87 // credential data in a new directory, and change symlink. 88 class GRPCXX_DLL FileWatcherCertificateProvider final 89 : public CertificateProviderInterface { 90 public: 91 // Constructor to get credential updates from root and identity file paths. 92 // 93 // @param private_key_path is the file path of the private key. 94 // @param identity_certificate_path is the file path of the identity 95 // certificate chain. 96 // @param root_cert_path is the file path to the root certificate bundle. 97 // @param refresh_interval_sec is the refreshing interval that we will check 98 // the files for updates. 99 FileWatcherCertificateProvider(const std::string& private_key_path, 100 const std::string& identity_certificate_path, 101 const std::string& root_cert_path, 102 unsigned int refresh_interval_sec); 103 // Constructor to get credential updates from identity file paths only. FileWatcherCertificateProvider(const std::string & private_key_path,const std::string & identity_certificate_path,unsigned int refresh_interval_sec)104 FileWatcherCertificateProvider(const std::string& private_key_path, 105 const std::string& identity_certificate_path, 106 unsigned int refresh_interval_sec) 107 : FileWatcherCertificateProvider(private_key_path, 108 identity_certificate_path, "", 109 refresh_interval_sec) {} 110 // Constructor to get credential updates from root file path only. FileWatcherCertificateProvider(const std::string & root_cert_path,unsigned int refresh_interval_sec)111 FileWatcherCertificateProvider(const std::string& root_cert_path, 112 unsigned int refresh_interval_sec) 113 : FileWatcherCertificateProvider("", "", root_cert_path, 114 refresh_interval_sec) {} 115 116 ~FileWatcherCertificateProvider() override; 117 c_provider()118 grpc_tls_certificate_provider* c_provider() override { return c_provider_; } 119 120 private: 121 grpc_tls_certificate_provider* c_provider_ = nullptr; 122 }; 123 124 } // namespace experimental 125 } // namespace grpc 126 127 #endif // GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H 128