grpc 1.17.1 → 1.18.0.pre1

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h

@@ -54,46 +54,91 @@ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token);
 //  This object is a base for credentials that need to acquire an oauth2 token
 //  from an http service.
 
-typedef void (*grpc_fetch_oauth2_func)(grpc_credentials_metadata_request* req,
-                                       grpc_httpcli_context* http_context,
-                                       grpc_polling_entity* pollent,
-                                       grpc_iomgr_cb_func cb,
-                                       grpc_millis deadline);
-
-typedef struct grpc_oauth2_pending_get_request_metadata {
+struct grpc_oauth2_pending_get_request_metadata {
   grpc_credentials_mdelem_array* md_array;
   grpc_closure* on_request_metadata;
   grpc_polling_entity* pollent;
   struct grpc_oauth2_pending_get_request_metadata* next;
-} grpc_oauth2_pending_get_request_metadata;
-
-typedef struct {
-  grpc_call_credentials base;
-  gpr_mu mu;
-  grpc_mdelem access_token_md;
-  gpr_timespec token_expiration;
-  bool token_fetch_pending;
-  grpc_oauth2_pending_get_request_metadata* pending_requests;
-  grpc_httpcli_context httpcli_context;
-  grpc_fetch_oauth2_func fetch_func;
-  grpc_polling_entity pollent;
-} grpc_oauth2_token_fetcher_credentials;
+};
+
+class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
+ public:
+  grpc_oauth2_token_fetcher_credentials();
+  ~grpc_oauth2_token_fetcher_credentials() override;
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) override;
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) override;
+
+  void on_http_response(grpc_credentials_metadata_request* r,
+                        grpc_error* error);
+
+  GRPC_ABSTRACT_BASE_CLASS
+
+ protected:
+  virtual void fetch_oauth2(grpc_credentials_metadata_request* req,
+                            grpc_httpcli_context* httpcli_context,
+                            grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
+                            grpc_millis deadline) GRPC_ABSTRACT;
+
+ private:
+  gpr_mu mu_;
+  grpc_mdelem access_token_md_ = GRPC_MDNULL;
+  gpr_timespec token_expiration_;
+  bool token_fetch_pending_ = false;
+  grpc_oauth2_pending_get_request_metadata* pending_requests_ = nullptr;
+  grpc_httpcli_context httpcli_context_;
+  grpc_polling_entity pollent_;
+};
 
 // Google refresh token credentials.
-typedef struct {
-  grpc_oauth2_token_fetcher_credentials base;
-  grpc_auth_refresh_token refresh_token;
-} grpc_google_refresh_token_credentials;
+class grpc_google_refresh_token_credentials final
+    : public grpc_oauth2_token_fetcher_credentials {
+ public:
+  grpc_google_refresh_token_credentials(grpc_auth_refresh_token refresh_token);
+  ~grpc_google_refresh_token_credentials() override;
+
+  const grpc_auth_refresh_token& refresh_token() const {
+    return refresh_token_;
+  }
+
+ protected:
+  void fetch_oauth2(grpc_credentials_metadata_request* req,
+                    grpc_httpcli_context* httpcli_context,
+                    grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
+                    grpc_millis deadline) override;
+
+ private:
+  grpc_auth_refresh_token refresh_token_;
+};
 
 // Access token credentials.
-typedef struct {
-  grpc_call_credentials base;
-  grpc_mdelem access_token_md;
-} grpc_access_token_credentials;
+class grpc_access_token_credentials final : public grpc_call_credentials {
+ public:
+  grpc_access_token_credentials(const char* access_token);
+  ~grpc_access_token_credentials() override;
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) override;
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) override;
+
+ private:
+  grpc_mdelem access_token_md_;
+};
 
 // Private constructor for refresh token credentials from an already parsed
 // refresh token. Takes ownership of the refresh token.
-grpc_call_credentials*
+grpc_core::RefCountedPtr<grpc_call_credentials>
 grpc_refresh_token_credentials_create_from_auth_refresh_token(
     grpc_auth_refresh_token token);
 

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -35,20 +35,17 @@
 
 grpc_core::TraceFlag grpc_plugin_credentials_trace(false, "plugin_credentials");
 
-static void plugin_destruct(grpc_call_credentials* creds) {
-  grpc_plugin_credentials* c =
-      reinterpret_cast<grpc_plugin_credentials*>(creds);
-  gpr_mu_destroy(&c->mu);
-  if (c->plugin.state != nullptr && c->plugin.destroy != nullptr) {
-    c->plugin.destroy(c->plugin.state);
+grpc_plugin_credentials::~grpc_plugin_credentials() {
+  gpr_mu_destroy(&mu_);
+  if (plugin_.state != nullptr && plugin_.destroy != nullptr) {
+    plugin_.destroy(plugin_.state);
   }
 }
 
-static void pending_request_remove_locked(
-    grpc_plugin_credentials* c,
-    grpc_plugin_credentials_pending_request* pending_request) {
+void grpc_plugin_credentials::pending_request_remove_locked(
+    pending_request* pending_request) {
   if (pending_request->prev == nullptr) {
-    c->pending_requests = pending_request->next;
+    pending_requests_ = pending_request->next;
   } else {
     pending_request->prev->next = pending_request->next;
   }
@@ -62,17 +59,17 @@ static void pending_request_remove_locked(
 // cancelled out from under us.
 // When this returns, r->cancelled indicates whether the request was
 // cancelled before completion.
-static void pending_request_complete(
-    grpc_plugin_credentials_pending_request* r) {
-  gpr_mu_lock(&r->creds->mu);
-  if (!r->cancelled) pending_request_remove_locked(r->creds, r);
-  gpr_mu_unlock(&r->creds->mu);
+void grpc_plugin_credentials::pending_request_complete(pending_request* r) {
+  GPR_DEBUG_ASSERT(r->creds == this);
+  gpr_mu_lock(&mu_);
+  if (!r->cancelled) pending_request_remove_locked(r);
+  gpr_mu_unlock(&mu_);
   // Ref to credentials not needed anymore.
-  grpc_call_credentials_unref(&r->creds->base);
+  Unref();
 }
 
 static grpc_error* process_plugin_result(
-    grpc_plugin_credentials_pending_request* r, const grpc_metadata* md,
+    grpc_plugin_credentials::pending_request* r, const grpc_metadata* md,
     size_t num_md, grpc_status_code status, const char* error_details) {
   grpc_error* error = GRPC_ERROR_NONE;
   if (status != GRPC_STATUS_OK) {
@@ -119,8 +116,8 @@ static void plugin_md_request_metadata_ready(void* request,
   /* called from application code */
   grpc_core::ExecCtx exec_ctx(GRPC_EXEC_CTX_FLAG_IS_FINISHED |
                               GRPC_EXEC_CTX_FLAG_THREAD_RESOURCE_LOOP);
-  grpc_plugin_credentials_pending_request* r =
-      static_cast<grpc_plugin_credentials_pending_request*>(request);
+  grpc_plugin_credentials::pending_request* r =
+      static_cast<grpc_plugin_credentials::pending_request*>(request);
   if (grpc_plugin_credentials_trace.enabled()) {
     gpr_log(GPR_INFO,
             "plugin_credentials[%p]: request %p: plugin returned "
@@ -128,7 +125,7 @@ static void plugin_md_request_metadata_ready(void* request,
             r->creds, r);
   }
   // Remove request from pending list if not previously cancelled.
-  pending_request_complete(r);
+  r->creds->pending_request_complete(r);
   // If it has not been cancelled, process it.
   if (!r->cancelled) {
     grpc_error* error =
@@ -143,65 +140,59 @@ static void plugin_md_request_metadata_ready(void* request,
   gpr_free(r);
 }
 
-static bool plugin_get_request_metadata(grpc_call_credentials* creds,
-                                        grpc_polling_entity* pollent,
-                                        grpc_auth_metadata_context context,
-                                        grpc_credentials_mdelem_array* md_array,
-                                        grpc_closure* on_request_metadata,
-                                        grpc_error** error) {
-  grpc_plugin_credentials* c =
-      reinterpret_cast<grpc_plugin_credentials*>(creds);
+bool grpc_plugin_credentials::get_request_metadata(
+    grpc_polling_entity* pollent, grpc_auth_metadata_context context,
+    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
+    grpc_error** error) {
   bool retval = true;  // Synchronous return.
-  if (c->plugin.get_metadata != nullptr) {
+  if (plugin_.get_metadata != nullptr) {
     // Create pending_request object.
-    grpc_plugin_credentials_pending_request* pending_request =
-        static_cast<grpc_plugin_credentials_pending_request*>(
-            gpr_zalloc(sizeof(*pending_request)));
-    pending_request->creds = c;
-    pending_request->md_array = md_array;
-    pending_request->on_request_metadata = on_request_metadata;
+    pending_request* request =
+        static_cast<pending_request*>(gpr_zalloc(sizeof(*request)));
+    request->creds = this;
+    request->md_array = md_array;
+    request->on_request_metadata = on_request_metadata;
     // Add it to the pending list.
-    gpr_mu_lock(&c->mu);
-    if (c->pending_requests != nullptr) {
-      c->pending_requests->prev = pending_request;
+    gpr_mu_lock(&mu_);
+    if (pending_requests_ != nullptr) {
+      pending_requests_->prev = request;
     }
-    pending_request->next = c->pending_requests;
-    c->pending_requests = pending_request;
-    gpr_mu_unlock(&c->mu);
+    request->next = pending_requests_;
+    pending_requests_ = request;
+    gpr_mu_unlock(&mu_);
     // Invoke the plugin.  The callback holds a ref to us.
     if (grpc_plugin_credentials_trace.enabled()) {
       gpr_log(GPR_INFO, "plugin_credentials[%p]: request %p: invoking plugin",
-              c, pending_request);
+              this, request);
     }
-    grpc_call_credentials_ref(creds);
+    Ref().release();
     grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX];
     size_t num_creds_md = 0;
     grpc_status_code status = GRPC_STATUS_OK;
     const char* error_details = nullptr;
-    if (!c->plugin.get_metadata(c->plugin.state, context,
-                                plugin_md_request_metadata_ready,
-                                pending_request, creds_md, &num_creds_md,
-                                &status, &error_details)) {
+    if (!plugin_.get_metadata(
+            plugin_.state, context, plugin_md_request_metadata_ready, request,
+            creds_md, &num_creds_md, &status, &error_details)) {
       if (grpc_plugin_credentials_trace.enabled()) {
         gpr_log(GPR_INFO,
                 "plugin_credentials[%p]: request %p: plugin will return "
                 "asynchronously",
-                c, pending_request);
+                this, request);
       }
       return false;  // Asynchronous return.
     }
     // Returned synchronously.
     // Remove request from pending list if not previously cancelled.
-    pending_request_complete(pending_request);
+    request->creds->pending_request_complete(request);
     // If the request was cancelled, the error will have been returned
     // asynchronously by plugin_cancel_get_request_metadata(), so return
     // false.  Otherwise, process the result.
-    if (pending_request->cancelled) {
+    if (request->cancelled) {
       if (grpc_plugin_credentials_trace.enabled()) {
         gpr_log(GPR_INFO,
                 "plugin_credentials[%p]: request %p was cancelled, error "
                 "will be returned asynchronously",
-                c, pending_request);
+                this, request);
       }
       retval = false;
     } else {
@@ -209,10 +200,10 @@ static bool plugin_get_request_metadata(grpc_call_credentials* creds,
         gpr_log(GPR_INFO,
                 "plugin_credentials[%p]: request %p: plugin returned "
                 "synchronously",
-                c, pending_request);
+                this, request);
       }
-      *error = process_plugin_result(pending_request, creds_md, num_creds_md,
-                                     status, error_details);
+      *error = process_plugin_result(request, creds_md, num_creds_md, status,
+                                     error_details);
     }
     // Clean up.
     for (size_t i = 0; i < num_creds_md; ++i) {
@@ -220,51 +211,42 @@ static bool plugin_get_request_metadata(grpc_call_credentials* creds,
       grpc_slice_unref_internal(creds_md[i].value);
     }
     gpr_free((void*)error_details);
-    gpr_free(pending_request);
+    gpr_free(request);
   }
   return retval;
 }
 
-static void plugin_cancel_get_request_metadata(
-    grpc_call_credentials* creds, grpc_credentials_mdelem_array* md_array,
-    grpc_error* error) {
-  grpc_plugin_credentials* c =
-      reinterpret_cast<grpc_plugin_credentials*>(creds);
-  gpr_mu_lock(&c->mu);
-  for (grpc_plugin_credentials_pending_request* pending_request =
-           c->pending_requests;
+void grpc_plugin_credentials::cancel_get_request_metadata(
+    grpc_credentials_mdelem_array* md_array, grpc_error* error) {
+  gpr_mu_lock(&mu_);
+  for (pending_request* pending_request = pending_requests_;
        pending_request != nullptr; pending_request = pending_request->next) {
     if (pending_request->md_array == md_array) {
       if (grpc_plugin_credentials_trace.enabled()) {
-        gpr_log(GPR_INFO, "plugin_credentials[%p]: cancelling request %p", c,
+        gpr_log(GPR_INFO, "plugin_credentials[%p]: cancelling request %p", this,
                 pending_request);
       }
       pending_request->cancelled = true;
       GRPC_CLOSURE_SCHED(pending_request->on_request_metadata,
                          GRPC_ERROR_REF(error));
-      pending_request_remove_locked(c, pending_request);
+      pending_request_remove_locked(pending_request);
       break;
     }
   }
-  gpr_mu_unlock(&c->mu);
+  gpr_mu_unlock(&mu_);
   GRPC_ERROR_UNREF(error);
 }
 
-static grpc_call_credentials_vtable plugin_vtable = {
-    plugin_destruct, plugin_get_request_metadata,
-    plugin_cancel_get_request_metadata};
+grpc_plugin_credentials::grpc_plugin_credentials(
+    grpc_metadata_credentials_plugin plugin)
+    : grpc_call_credentials(plugin.type), plugin_(plugin) {
+  gpr_mu_init(&mu_);
+}
 
 grpc_call_credentials* grpc_metadata_credentials_create_from_plugin(
     grpc_metadata_credentials_plugin plugin, void* reserved) {
-  grpc_plugin_credentials* c =
-      static_cast<grpc_plugin_credentials*>(gpr_zalloc(sizeof(*c)));
   GRPC_API_TRACE("grpc_metadata_credentials_create_from_plugin(reserved=%p)", 1,
                  (reserved));
   GPR_ASSERT(reserved == nullptr);
-  c->base.type = plugin.type;
-  c->base.vtable = &plugin_vtable;
-  gpr_ref_init(&c->base.refcount, 1);
-  c->plugin = plugin;
-  gpr_mu_init(&c->mu);
-  return &c->base;
+  return grpc_core::New<grpc_plugin_credentials>(plugin);
 }

data/src/core/lib/security/credentials/plugin/plugin_credentials.h

@@ -25,22 +25,45 @@
 
 extern grpc_core::TraceFlag grpc_plugin_credentials_trace;
 
-struct grpc_plugin_credentials;
-
-typedef struct grpc_plugin_credentials_pending_request {
-  bool cancelled;
-  struct grpc_plugin_credentials* creds;
-  grpc_credentials_mdelem_array* md_array;
-  grpc_closure* on_request_metadata;
-  struct grpc_plugin_credentials_pending_request* prev;
-  struct grpc_plugin_credentials_pending_request* next;
-} grpc_plugin_credentials_pending_request;
-
-typedef struct grpc_plugin_credentials {
-  grpc_call_credentials base;
-  grpc_metadata_credentials_plugin plugin;
-  gpr_mu mu;
-  grpc_plugin_credentials_pending_request* pending_requests;
-} grpc_plugin_credentials;
+// This type is forward declared as a C struct and we cannot define it as a
+// class. Otherwise, compiler will complain about type mismatch due to
+// -Wmismatched-tags.
+struct grpc_plugin_credentials final : public grpc_call_credentials {
+ public:
+  struct pending_request {
+    bool cancelled;
+    struct grpc_plugin_credentials* creds;
+    grpc_credentials_mdelem_array* md_array;
+    grpc_closure* on_request_metadata;
+    struct pending_request* prev;
+    struct pending_request* next;
+  };
+
+  explicit grpc_plugin_credentials(grpc_metadata_credentials_plugin plugin);
+  ~grpc_plugin_credentials() override;
+
+  bool get_request_metadata(grpc_polling_entity* pollent,
+                            grpc_auth_metadata_context context,
+                            grpc_credentials_mdelem_array* md_array,
+                            grpc_closure* on_request_metadata,
+                            grpc_error** error) override;
+
+  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
+                                   grpc_error* error) override;
+
+  // Checks if the request has been cancelled.
+  // If not, removes it from the pending list, so that it cannot be
+  // cancelled out from under us.
+  // When this returns, r->cancelled indicates whether the request was
+  // cancelled before completion.
+  void pending_request_complete(pending_request* r);
+
+ private:
+  void pending_request_remove_locked(pending_request* pending_request);
+
+  grpc_metadata_credentials_plugin plugin_;
+  gpr_mu mu_;
+  pending_request* pending_requests_ = nullptr;
+};
 
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_PLUGIN_PLUGIN_CREDENTIALS_H */

data/src/core/lib/security/credentials/ssl/ssl_credentials.cc

@@ -44,22 +44,27 @@ void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
   gpr_free(kp);
 }
 
-static void ssl_destruct(grpc_channel_credentials* creds) {
-  grpc_ssl_credentials* c = reinterpret_cast<grpc_ssl_credentials*>(creds);
-  gpr_free(c->config.pem_root_certs);
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pair, 1);
-  if (c->config.verify_options.verify_peer_destruct != nullptr) {
-    c->config.verify_options.verify_peer_destruct(
-        c->config.verify_options.verify_peer_callback_userdata);
+grpc_ssl_credentials::grpc_ssl_credentials(
+    const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+    const verify_peer_options* verify_options)
+    : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
+  build_config(pem_root_certs, pem_key_cert_pair, verify_options);
+}
+
+grpc_ssl_credentials::~grpc_ssl_credentials() {
+  gpr_free(config_.pem_root_certs);
+  grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pair, 1);
+  if (config_.verify_options.verify_peer_destruct != nullptr) {
+    config_.verify_options.verify_peer_destruct(
+        config_.verify_options.verify_peer_callback_userdata);
   }
 }
 
-static grpc_security_status ssl_create_security_connector(
-    grpc_channel_credentials* creds, grpc_call_credentials* call_creds,
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+grpc_ssl_credentials::create_security_connector(
+    grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
     const char* target, const grpc_channel_args* args,
-    grpc_channel_security_connector** sc, grpc_channel_args** new_args) {
-  grpc_ssl_credentials* c = reinterpret_cast<grpc_ssl_credentials*>(creds);
-  grpc_security_status status = GRPC_SECURITY_OK;
+    grpc_channel_args** new_args) {
   const char* overridden_target_name = nullptr;
   tsi_ssl_session_cache* ssl_session_cache = nullptr;
   for (size_t i = 0; args && i < args->num_args; i++) {
@@ -74,52 +79,47 @@ static grpc_security_status ssl_create_security_connector(
           static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
     }
   }
-  status = grpc_ssl_channel_security_connector_create(
-      creds, call_creds, &c->config, target, overridden_target_name,
-      ssl_session_cache, sc);
-  if (status != GRPC_SECURITY_OK) {
-    return status;
+  grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
+      grpc_ssl_channel_security_connector_create(
+          this->Ref(), std::move(call_creds), &config_, target,
+          overridden_target_name, ssl_session_cache);
+  if (sc == nullptr) {
+    return sc;
   }
   grpc_arg new_arg = grpc_channel_arg_string_create(
       (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
   *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
-  return status;
+  return sc;
 }
 
-static grpc_channel_credentials_vtable ssl_vtable = {
-    ssl_destruct, ssl_create_security_connector, nullptr};
-
-static void ssl_build_config(const char* pem_root_certs,
-                             grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
-                             const verify_peer_options* verify_options,
-                             grpc_ssl_config* config) {
-  if (pem_root_certs != nullptr) {
-    config->pem_root_certs = gpr_strdup(pem_root_certs);
-  }
+void grpc_ssl_credentials::build_config(
+    const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+    const verify_peer_options* verify_options) {
+  config_.pem_root_certs = gpr_strdup(pem_root_certs);
   if (pem_key_cert_pair != nullptr) {
     GPR_ASSERT(pem_key_cert_pair->private_key != nullptr);
     GPR_ASSERT(pem_key_cert_pair->cert_chain != nullptr);
-    config->pem_key_cert_pair = static_cast<tsi_ssl_pem_key_cert_pair*>(
+    config_.pem_key_cert_pair = static_cast<tsi_ssl_pem_key_cert_pair*>(
         gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair)));
-    config->pem_key_cert_pair->cert_chain =
+    config_.pem_key_cert_pair->cert_chain =
         gpr_strdup(pem_key_cert_pair->cert_chain);
-    config->pem_key_cert_pair->private_key =
+    config_.pem_key_cert_pair->private_key =
         gpr_strdup(pem_key_cert_pair->private_key);
+  } else {
+    config_.pem_key_cert_pair = nullptr;
   }
   if (verify_options != nullptr) {
-    memcpy(&config->verify_options, verify_options,
+    memcpy(&config_.verify_options, verify_options,
            sizeof(verify_peer_options));
   } else {
     // Otherwise set all options to default values
-    memset(&config->verify_options, 0, sizeof(verify_peer_options));
+    memset(&config_.verify_options, 0, sizeof(verify_peer_options));
   }
 }
 
 grpc_channel_credentials* grpc_ssl_credentials_create(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
     const verify_peer_options* verify_options, void* reserved) {
-  grpc_ssl_credentials* c = static_cast<grpc_ssl_credentials*>(
-      gpr_zalloc(sizeof(grpc_ssl_credentials)));
   GRPC_API_TRACE(
       "grpc_ssl_credentials_create(pem_root_certs=%s, "
       "pem_key_cert_pair=%p, "
@@ -127,12 +127,9 @@ grpc_channel_credentials* grpc_ssl_credentials_create(
       "reserved=%p)",
       4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved));
   GPR_ASSERT(reserved == nullptr);
-  c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL;
-  c->base.vtable = &ssl_vtable;
-  gpr_ref_init(&c->base.refcount, 1);
-  ssl_build_config(pem_root_certs, pem_key_cert_pair, verify_options,
-                   &c->config);
-  return &c->base;
+
+  return grpc_core::New<grpc_ssl_credentials>(pem_root_certs, pem_key_cert_pair,
+                                              verify_options);
 }
 
 //
@@ -145,21 +142,29 @@ struct grpc_ssl_server_credentials_options {
   grpc_ssl_server_certificate_config_fetcher* certificate_config_fetcher;
 };
 
-static void ssl_server_destruct(grpc_server_credentials* creds) {
-  grpc_ssl_server_credentials* c =
-      reinterpret_cast<grpc_ssl_server_credentials*>(creds);
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pairs,
-                                          c->config.num_key_cert_pairs);
-  gpr_free(c->config.pem_root_certs);
+grpc_ssl_server_credentials::grpc_ssl_server_credentials(
+    const grpc_ssl_server_credentials_options& options)
+    : grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
+  if (options.certificate_config_fetcher != nullptr) {
+    config_.client_certificate_request = options.client_certificate_request;
+    certificate_config_fetcher_ = *options.certificate_config_fetcher;
+  } else {
+    build_config(options.certificate_config->pem_root_certs,
+                 options.certificate_config->pem_key_cert_pairs,
+                 options.certificate_config->num_key_cert_pairs,
+                 options.client_certificate_request);
+  }
 }
 
-static grpc_security_status ssl_server_create_security_connector(
-    grpc_server_credentials* creds, grpc_server_security_connector** sc) {
-  return grpc_ssl_server_security_connector_create(creds, sc);
+grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
+  grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pairs,
+                                          config_.num_key_cert_pairs);
+  gpr_free(config_.pem_root_certs);
+}
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+grpc_ssl_server_credentials::create_security_connector() {
+  return grpc_ssl_server_security_connector_create(this->Ref());
 }
-
-static grpc_server_credentials_vtable ssl_server_vtable = {
-    ssl_server_destruct, ssl_server_create_security_connector};
 
 tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
@@ -179,18 +184,15 @@ tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
   return tsi_pairs;
 }
 
-static void ssl_build_server_config(
+void grpc_ssl_server_credentials::build_config(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
     size_t num_key_cert_pairs,
-    grpc_ssl_client_certificate_request_type client_certificate_request,
-    grpc_ssl_server_config* config) {
-  config->client_certificate_request = client_certificate_request;
-  if (pem_root_certs != nullptr) {
-    config->pem_root_certs = gpr_strdup(pem_root_certs);
-  }
-  config->pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
+    grpc_ssl_client_certificate_request_type client_certificate_request) {
+  config_.client_certificate_request = client_certificate_request;
+  config_.pem_root_certs = gpr_strdup(pem_root_certs);
+  config_.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
       pem_key_cert_pairs, num_key_cert_pairs);
-  config->num_key_cert_pairs = num_key_cert_pairs;
+  config_.num_key_cert_pairs = num_key_cert_pairs;
 }
 
 grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
@@ -200,9 +202,7 @@ grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
   grpc_ssl_server_certificate_config* config =
       static_cast<grpc_ssl_server_certificate_config*>(
           gpr_zalloc(sizeof(grpc_ssl_server_certificate_config)));
-  if (pem_root_certs != nullptr) {
-    config->pem_root_certs = gpr_strdup(pem_root_certs);
-  }
+  config->pem_root_certs = gpr_strdup(pem_root_certs);
   if (num_key_cert_pairs > 0) {
     GPR_ASSERT(pem_key_cert_pairs != nullptr);
     config->pem_key_cert_pairs = static_cast<grpc_ssl_pem_key_cert_pair*>(
@@ -311,7 +311,6 @@ grpc_server_credentials* grpc_ssl_server_credentials_create_ex(
 grpc_server_credentials* grpc_ssl_server_credentials_create_with_options(
     grpc_ssl_server_credentials_options* options) {
   grpc_server_credentials* retval = nullptr;
-  grpc_ssl_server_credentials* c = nullptr;
 
   if (options == nullptr) {
     gpr_log(GPR_ERROR,
@@ -331,23 +330,7 @@ grpc_server_credentials* grpc_ssl_server_credentials_create_with_options(
     goto done;
   }
 
-  c = static_cast<grpc_ssl_server_credentials*>(
-      gpr_zalloc(sizeof(grpc_ssl_server_credentials)));
-  c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL;
-  gpr_ref_init(&c->base.refcount, 1);
-  c->base.vtable = &ssl_server_vtable;
-
-  if (options->certificate_config_fetcher != nullptr) {
-    c->config.client_certificate_request = options->client_certificate_request;
-    c->certificate_config_fetcher = *options->certificate_config_fetcher;
-  } else {
-    ssl_build_server_config(options->certificate_config->pem_root_certs,
-                            options->certificate_config->pem_key_cert_pairs,
-                            options->certificate_config->num_key_cert_pairs,
-                            options->client_certificate_request, &c->config);
-  }
-
-  retval = &c->base;
+  retval = grpc_core::New<grpc_ssl_server_credentials>(*options);
 
 done:
   grpc_ssl_server_credentials_options_destroy(options);