Home Explore Help
Register Sign In
nzk1
/
Asteria-APP
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2ffce1ab0a
Branches Tags
Asteria-APP
/
Pods
/
gRPC-C++
/
include
/
grpcpp
/
security
/
tls_credentials_options.h

tls_credentials_options.h 6.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150 
  1. /*
    2. 

  2.  *
    3. 

  3.  * Copyright 2019 gRPC authors.
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  *
    17. 

  17.  */
    18. 

  18. 

  19. #ifndef GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
    20. 

  20. #define GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
    21. 

  21. 

  22. #include <memory>
    23. 

  23. #include <vector>
    24. 

  24. 

  25. #include <grpc/grpc_security_constants.h>
    26. 

  26. #include <grpc/status.h>
    27. 

  27. #include <grpc/support/log.h>
    28. 

  28. #include <grpcpp/security/tls_certificate_provider.h>
    29. 

  29. #include <grpcpp/security/tls_certificate_verifier.h>
    30. 

  30. #include <grpcpp/support/config.h>
    31. 

  31. 

  32. // TODO(yihuazhang): remove the forward declaration here and include
    33. 

  33. // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
    34. 

  34. typedef struct grpc_tls_server_authorization_check_arg
    35. 

  35.     grpc_tls_server_authorization_check_arg;
    36. 

  36. typedef struct grpc_tls_server_authorization_check_config
    37. 

  37.     grpc_tls_server_authorization_check_config;
    38. 

  38. typedef struct grpc_tls_credentials_options grpc_tls_credentials_options;
    39. 

  39. typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
    40. 

  40. typedef struct grpc_tls_certificate_verifier grpc_tls_certificate_verifier;
    41. 

  41. 

  42. namespace grpc {
    43. 

  43. namespace experimental {
    44. 

  44. 

  45. // Base class of configurable options specified by users to configure their
    46. 

  46. // certain security features supported in TLS. It is used for experimental
    47. 

  47. // purposes for now and it is subject to change.
    48. 

  48. class TlsCredentialsOptions {
    49. 

  49.  public:
    50. 

  50.   // Constructor for base class TlsCredentialsOptions.
    51. 

  51.   //
    52. 

  52.   // @param certificate_provider the provider which fetches TLS credentials that
    53. 

  53.   // will be used in the TLS handshake
    54. 

  54.   TlsCredentialsOptions();
    55. 

  55.   // ---- Setters for member fields ----
    56. 

  56.   // Sets the certificate provider used to store root certs and identity certs.
    57. 

  57.   void set_certificate_provider(
    58. 

  58.       std::shared_ptr<CertificateProviderInterface> certificate_provider);
    59. 

  59.   // Watches the updates of root certificates with name |root_cert_name|.
    60. 

  60.   // If used in TLS credentials, setting this field is optional for both the
    61. 

  61.   // client side and the server side.
    62. 

  62.   // If this is not set on the client side, we will use the root certificates
    63. 

  63.   // stored in the default system location, since client side must provide root
    64. 

  64.   // certificates in TLS(no matter single-side TLS or mutual TLS).
    65. 

  65.   // If this is not set on the server side, we will not watch any root
    66. 

  66.   // certificate updates, and assume no root certificates needed for the server
    67. 

  67.   // (in the one-side TLS scenario, the server is not required to provide root
    68. 

  68.   // certs). We don't support default root certs on server side.
    69. 

  69.   void watch_root_certs();
    70. 

  70.   // Sets the name of root certificates being watched, if |watch_root_certs| is
    71. 

  71.   // called. If not set, an empty string will be used as the name.
    72. 

  72.   //
    73. 

  73.   // @param root_cert_name the name of root certs being set.
    74. 

  74.   void set_root_cert_name(const std::string& root_cert_name);
    75. 

  75.   // Watches the updates of identity key-cert pairs with name
    76. 

  76.   // |identity_cert_name|. If used in TLS credentials, it is required to be set
    77. 

  77.   // on the server side, and optional for the client side(in the one-side
    78. 

  78.   // TLS scenario, the client is not required to provide identity certs).
    79. 

  79.   void watch_identity_key_cert_pairs();
    80. 

  80.   // Sets the name of identity key-cert pairs being watched, if
    81. 

  81.   // |watch_identity_key_cert_pairs| is called. If not set, an empty string will
    82. 

  82.   // be used as the name.
    83. 

  83.   //
    84. 

  84.   // @param identity_cert_name the name of identity key-cert pairs being set.
    85. 

  85.   void set_identity_cert_name(const std::string& identity_cert_name);
    86. 

  86.   // Sets the certificate verifier used to perform post-handshake peer identity
    87. 

  87.   // checks.
    88. 

  88.   void set_certificate_verifier(
    89. 

  89.       std::shared_ptr<CertificateVerifier> certificate_verifier);
    90. 

  90.   // Sets the options of whether to check the hostname of the peer on a per-call
    91. 

  91.   // basis. This is usually used in a combination with virtual hosting at the
    92. 

  92.   // client side, where each individual call on a channel can have a different
    93. 

  93.   // host associated with it.
    94. 

  94.   // This check is intended to verify that the host specified for the individual
    95. 

  95.   // call is covered by the cert that the peer presented.
    96. 

  96.   // We will perform such checks by default. This should be disabled if
    97. 

  97.   // verifiers other than the host name verifier is used.
    98. 

  98.   void set_check_call_host(bool check_call_host);
    99. 

  99. 

  100.   // ----- Getters for member fields ----
    101. 

  101.   // Get the internal c options. This function shall be used only internally.
    102. 

  102.   grpc_tls_credentials_options* c_credentials_options() const {
    103. 

  103.     return c_credentials_options_;
    104. 

  104.   }
    105. 

  105. 

  106.  private:
    107. 

  107.   std::shared_ptr<CertificateProviderInterface> certificate_provider_;
    108. 

  108.   std::shared_ptr<CertificateVerifier> certificate_verifier_;
    109. 

  109.   grpc_tls_credentials_options* c_credentials_options_ = nullptr;
    110. 

  110. };
    111. 

  111. 

  112. // Contains configurable options on the client side.
    113. 

  113. // Client side doesn't need to always use certificate provider. When the
    114. 

  114. // certificate provider is not set, we will use the root certificates stored
    115. 

  115. // in the system default locations, and assume client won't provide any
    116. 

  116. // identity certificates(single side TLS).
    117. 

  117. // It is used for experimental purposes for now and it is subject to change.
    118. 

  118. class TlsChannelCredentialsOptions final : public TlsCredentialsOptions {
    119. 

  119.  public:
    120. 

  120.   // Sets the decision of whether to do a crypto check on the server certs.
    121. 

  121.   // The default is true.
    122. 

  122.   void set_verify_server_certs(bool verify_server_certs);
    123. 

  123. 

  124.  private:
    125. 

  125. };
    126. 

  126. 

  127. // Contains configurable options on the server side.
    128. 

  128. // It is used for experimental purposes for now and it is subject to change.
    129. 

  129. class TlsServerCredentialsOptions final : public TlsCredentialsOptions {
    130. 

  130.  public:
    131. 

  131.   // Server side is required to use a provider, because server always needs to
    132. 

  132.   // use identity certs.
    133. 

  133.   explicit TlsServerCredentialsOptions(
    134. 

  134.       std::shared_ptr<CertificateProviderInterface> certificate_provider)
    135. 

  135.       : TlsCredentialsOptions() {
    136. 

  136.     set_certificate_provider(certificate_provider);
    137. 

  137.   }
    138. 

  138. 

  139.   // Sets option to request the certificates from the client.
    140. 

  140.   // The default is GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE.
    141. 

  141.   void set_cert_request_type(
    142. 

  142.       grpc_ssl_client_certificate_request_type cert_request_type);
    143. 

  143. 

  144.  private:
    145. 

  145. };
    146. 

  146. 

  147. }  // namespace experimental
    148. 

  148. }  // namespace grpc
    149. 

  149. 

  150. #endif  // GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
    151.