grpc 1.17.1 → 1.18.0.pre1

data/src/core/lib/security/security_connector/security_connector.cc

@@ -35,150 +35,67 @@
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
+#include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
 
 grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount(
     false, "security_connector_refcount");
 
-void grpc_channel_security_connector_add_handshakers(
-    grpc_channel_security_connector* connector,
-    grpc_pollset_set* interested_parties,
-    grpc_handshake_manager* handshake_mgr) {
-  if (connector != nullptr) {
-    connector->add_handshakers(connector, interested_parties, handshake_mgr);
-  }
-}
-
-void grpc_server_security_connector_add_handshakers(
-    grpc_server_security_connector* connector,
-    grpc_pollset_set* interested_parties,
-    grpc_handshake_manager* handshake_mgr) {
-  if (connector != nullptr) {
-    connector->add_handshakers(connector, interested_parties, handshake_mgr);
-  }
-}
-
-void grpc_security_connector_check_peer(grpc_security_connector* sc,
-                                        tsi_peer peer,
-                                        grpc_auth_context** auth_context,
-                                        grpc_closure* on_peer_checked) {
-  if (sc == nullptr) {
-    GRPC_CLOSURE_SCHED(on_peer_checked,
-                       GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-                           "cannot check peer -- no security connector"));
-    tsi_peer_destruct(&peer);
-  } else {
-    sc->vtable->check_peer(sc, peer, auth_context, on_peer_checked);
-  }
-}
-
-int grpc_security_connector_cmp(grpc_security_connector* sc,
-                                grpc_security_connector* other) {
+grpc_server_security_connector::grpc_server_security_connector(
+    const char* url_scheme,
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
+    : grpc_security_connector(url_scheme),
+      server_creds_(std::move(server_creds)) {}
+
+grpc_channel_security_connector::grpc_channel_security_connector(
+    const char* url_scheme,
+    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds)
+    : grpc_security_connector(url_scheme),
+      channel_creds_(std::move(channel_creds)),
+      request_metadata_creds_(std::move(request_metadata_creds)) {}
+grpc_channel_security_connector::~grpc_channel_security_connector() {}
+
+int grpc_security_connector_cmp(const grpc_security_connector* sc,
+                                const grpc_security_connector* other) {
   if (sc == nullptr || other == nullptr) return GPR_ICMP(sc, other);
-  int c = GPR_ICMP(sc->vtable, other->vtable);
-  if (c != 0) return c;
-  return sc->vtable->cmp(sc, other);
+  return sc->cmp(other);
 }
 
-int grpc_channel_security_connector_cmp(grpc_channel_security_connector* sc1,
-                                        grpc_channel_security_connector* sc2) {
-  GPR_ASSERT(sc1->channel_creds != nullptr);
-  GPR_ASSERT(sc2->channel_creds != nullptr);
-  int c = GPR_ICMP(sc1->channel_creds, sc2->channel_creds);
-  if (c != 0) return c;
-  c = GPR_ICMP(sc1->request_metadata_creds, sc2->request_metadata_creds);
-  if (c != 0) return c;
-  c = GPR_ICMP((void*)sc1->check_call_host, (void*)sc2->check_call_host);
-  if (c != 0) return c;
-  c = GPR_ICMP((void*)sc1->cancel_check_call_host,
-               (void*)sc2->cancel_check_call_host);
+int grpc_channel_security_connector::channel_security_connector_cmp(
+    const grpc_channel_security_connector* other) const {
+  const grpc_channel_security_connector* other_sc =
+      static_cast<const grpc_channel_security_connector*>(other);
+  GPR_ASSERT(channel_creds() != nullptr);
+  GPR_ASSERT(other_sc->channel_creds() != nullptr);
+  int c = GPR_ICMP(channel_creds(), other_sc->channel_creds());
   if (c != 0) return c;
-  return GPR_ICMP((void*)sc1->add_handshakers, (void*)sc2->add_handshakers);
+  return GPR_ICMP(request_metadata_creds(), other_sc->request_metadata_creds());
 }
 
-int grpc_server_security_connector_cmp(grpc_server_security_connector* sc1,
-                                       grpc_server_security_connector* sc2) {
-  GPR_ASSERT(sc1->server_creds != nullptr);
-  GPR_ASSERT(sc2->server_creds != nullptr);
-  int c = GPR_ICMP(sc1->server_creds, sc2->server_creds);
-  if (c != 0) return c;
-  return GPR_ICMP((void*)sc1->add_handshakers, (void*)sc2->add_handshakers);
-}
-
-bool grpc_channel_security_connector_check_call_host(
-    grpc_channel_security_connector* sc, const char* host,
-    grpc_auth_context* auth_context, grpc_closure* on_call_host_checked,
-    grpc_error** error) {
-  if (sc == nullptr || sc->check_call_host == nullptr) {
-    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "cannot check call host -- no security connector");
-    return true;
-  }
-  return sc->check_call_host(sc, host, auth_context, on_call_host_checked,
-                             error);
-}
-
-void grpc_channel_security_connector_cancel_check_call_host(
-    grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
-    grpc_error* error) {
-  if (sc == nullptr || sc->cancel_check_call_host == nullptr) {
-    GRPC_ERROR_UNREF(error);
-    return;
-  }
-  sc->cancel_check_call_host(sc, on_call_host_checked, error);
-}
-
-#ifndef NDEBUG
-grpc_security_connector* grpc_security_connector_ref(
-    grpc_security_connector* sc, const char* file, int line,
-    const char* reason) {
-  if (sc == nullptr) return nullptr;
-  if (grpc_trace_security_connector_refcount.enabled()) {
-    gpr_atm val = gpr_atm_no_barrier_load(&sc->refcount.count);
-    gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
-            "SECURITY_CONNECTOR:%p   ref %" PRIdPTR " -> %" PRIdPTR " %s", sc,
-            val, val + 1, reason);
-  }
-#else
-grpc_security_connector* grpc_security_connector_ref(
-    grpc_security_connector* sc) {
-  if (sc == nullptr) return nullptr;
-#endif
-  gpr_ref(&sc->refcount);
-  return sc;
-}
-
-#ifndef NDEBUG
-void grpc_security_connector_unref(grpc_security_connector* sc,
-                                   const char* file, int line,
-                                   const char* reason) {
-  if (sc == nullptr) return;
-  if (grpc_trace_security_connector_refcount.enabled()) {
-    gpr_atm val = gpr_atm_no_barrier_load(&sc->refcount.count);
-    gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
-            "SECURITY_CONNECTOR:%p unref %" PRIdPTR " -> %" PRIdPTR " %s", sc,
-            val, val - 1, reason);
-  }
-#else
-void grpc_security_connector_unref(grpc_security_connector* sc) {
-  if (sc == nullptr) return;
-#endif
-  if (gpr_unref(&sc->refcount)) sc->vtable->destroy(sc);
+int grpc_server_security_connector::server_security_connector_cmp(
+    const grpc_server_security_connector* other) const {
+  const grpc_server_security_connector* other_sc =
+      static_cast<const grpc_server_security_connector*>(other);
+  GPR_ASSERT(server_creds() != nullptr);
+  GPR_ASSERT(other_sc->server_creds() != nullptr);
+  return GPR_ICMP(server_creds(), other_sc->server_creds());
 }
 
 static void connector_arg_destroy(void* p) {
-  GRPC_SECURITY_CONNECTOR_UNREF((grpc_security_connector*)p,
-                                "connector_arg_destroy");
+  static_cast<grpc_security_connector*>(p)->Unref(DEBUG_LOCATION,
+                                                  "connector_arg_destroy");
 }
 
 static void* connector_arg_copy(void* p) {
-  return GRPC_SECURITY_CONNECTOR_REF((grpc_security_connector*)p,
-                                     "connector_arg_copy");
+  return static_cast<grpc_security_connector*>(p)
+      ->Ref(DEBUG_LOCATION, "connector_arg_copy")
+      .release();
 }
 
 static int connector_cmp(void* a, void* b) {
-  return grpc_security_connector_cmp(static_cast<grpc_security_connector*>(a),
-                                     static_cast<grpc_security_connector*>(b));
+  return static_cast<grpc_security_connector*>(a)->cmp(
+      static_cast<grpc_security_connector*>(b));
 }
 
 static const grpc_arg_pointer_vtable connector_arg_vtable = {

data/src/core/lib/security/security_connector/security_connector.h

@@ -26,6 +26,7 @@
 #include <grpc/grpc_security.h>
 
 #include "src/core/lib/channel/handshaker.h"
+#include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/iomgr/endpoint.h"
 #include "src/core/lib/iomgr/pollset.h"
 #include "src/core/lib/iomgr/tcp_server.h"
@@ -34,8 +35,6 @@
 
 extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
 
-/* --- status enum. --- */
-
 typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
 
 /* --- security_connector object. ---
@@ -43,54 +42,34 @@ typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
     A security connector object represents away to configure the underlying
     transport security mechanism and check the resulting trusted peer.  */
 
-typedef struct grpc_security_connector grpc_security_connector;
-
 #define GRPC_ARG_SECURITY_CONNECTOR "grpc.security_connector"
 
-typedef struct {
-  void (*destroy)(grpc_security_connector* sc);
-  void (*check_peer)(grpc_security_connector* sc, tsi_peer peer,
-                     grpc_auth_context** auth_context,
-                     grpc_closure* on_peer_checked);
-  int (*cmp)(grpc_security_connector* sc, grpc_security_connector* other);
-} grpc_security_connector_vtable;
-
-struct grpc_security_connector {
-  const grpc_security_connector_vtable* vtable;
-  gpr_refcount refcount;
-  const char* url_scheme;
-};
+class grpc_security_connector
+    : public grpc_core::RefCounted<grpc_security_connector> {
+ public:
+  explicit grpc_security_connector(const char* url_scheme)
+      : grpc_core::RefCounted<grpc_security_connector>(
+            &grpc_trace_security_connector_refcount),
+        url_scheme_(url_scheme) {}
+  virtual ~grpc_security_connector() = default;
+
+  /* Check the peer. Callee takes ownership of the peer object.
+     When done, sets *auth_context and invokes on_peer_checked. */
+  virtual void check_peer(
+      tsi_peer peer, grpc_endpoint* ep,
+      grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+      grpc_closure* on_peer_checked) GRPC_ABSTRACT;
+
+  /* Compares two security connectors. */
+  virtual int cmp(const grpc_security_connector* other) const GRPC_ABSTRACT;
+
+  const char* url_scheme() const { return url_scheme_; }
 
-/* Refcounting. */
-#ifndef NDEBUG
-#define GRPC_SECURITY_CONNECTOR_REF(p, r) \
-  grpc_security_connector_ref((p), __FILE__, __LINE__, (r))
-#define GRPC_SECURITY_CONNECTOR_UNREF(p, r) \
-  grpc_security_connector_unref((p), __FILE__, __LINE__, (r))
-grpc_security_connector* grpc_security_connector_ref(
-    grpc_security_connector* policy, const char* file, int line,
-    const char* reason);
-void grpc_security_connector_unref(grpc_security_connector* policy,
-                                   const char* file, int line,
-                                   const char* reason);
-#else
-#define GRPC_SECURITY_CONNECTOR_REF(p, r) grpc_security_connector_ref((p))
-#define GRPC_SECURITY_CONNECTOR_UNREF(p, r) grpc_security_connector_unref((p))
-grpc_security_connector* grpc_security_connector_ref(
-    grpc_security_connector* policy);
-void grpc_security_connector_unref(grpc_security_connector* policy);
-#endif
-
-/* Check the peer. Callee takes ownership of the peer object.
-   When done, sets *auth_context and invokes on_peer_checked. */
-void grpc_security_connector_check_peer(grpc_security_connector* sc,
-                                        tsi_peer peer,
-                                        grpc_auth_context** auth_context,
-                                        grpc_closure* on_peer_checked);
-
-/* Compares two security connectors. */
-int grpc_security_connector_cmp(grpc_security_connector* sc,
-                                grpc_security_connector* other);
+  GRPC_ABSTRACT_BASE_CLASS
+
+ private:
+  const char* url_scheme_;
+};
 
 /* Util to encapsulate the connector in a channel arg. */
 grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc);
@@ -107,71 +86,89 @@ grpc_security_connector* grpc_security_connector_find_in_args(
     A channel security connector object represents a way to configure the
     underlying transport security mechanism on the client side.  */
 
-typedef struct grpc_channel_security_connector grpc_channel_security_connector;
-
-struct grpc_channel_security_connector {
-  grpc_security_connector base;
-  grpc_channel_credentials* channel_creds;
-  grpc_call_credentials* request_metadata_creds;
-  bool (*check_call_host)(grpc_channel_security_connector* sc, const char* host,
-                          grpc_auth_context* auth_context,
-                          grpc_closure* on_call_host_checked,
-                          grpc_error** error);
-  void (*cancel_check_call_host)(grpc_channel_security_connector* sc,
-                                 grpc_closure* on_call_host_checked,
-                                 grpc_error* error);
-  void (*add_handshakers)(grpc_channel_security_connector* sc,
-                          grpc_pollset_set* interested_parties,
-                          grpc_handshake_manager* handshake_mgr);
+class grpc_channel_security_connector : public grpc_security_connector {
+ public:
+  grpc_channel_security_connector(
+      const char* url_scheme,
+      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds);
+  ~grpc_channel_security_connector() override;
+
+  /// Checks that the host that will be set for a call is acceptable.
+  /// Returns true if completed synchronously, in which case \a error will
+  /// be set to indicate the result.  Otherwise, \a on_call_host_checked
+  /// will be invoked when complete.
+  virtual bool check_call_host(const char* host,
+                               grpc_auth_context* auth_context,
+                               grpc_closure* on_call_host_checked,
+                               grpc_error** error) GRPC_ABSTRACT;
+  /// Cancels a pending asychronous call to
+  /// grpc_channel_security_connector_check_call_host() with
+  /// \a on_call_host_checked as its callback.
+  virtual void cancel_check_call_host(grpc_closure* on_call_host_checked,
+                                      grpc_error* error) GRPC_ABSTRACT;
+  /// Registers handshakers with \a handshake_mgr.
+  virtual void add_handshakers(grpc_pollset_set* interested_parties,
+                               grpc_handshake_manager* handshake_mgr)
+      GRPC_ABSTRACT;
+
+  const grpc_channel_credentials* channel_creds() const {
+    return channel_creds_.get();
+  }
+  grpc_channel_credentials* mutable_channel_creds() {
+    return channel_creds_.get();
+  }
+  const grpc_call_credentials* request_metadata_creds() const {
+    return request_metadata_creds_.get();
+  }
+  grpc_call_credentials* mutable_request_metadata_creds() {
+    return request_metadata_creds_.get();
+  }
+
+  GRPC_ABSTRACT_BASE_CLASS
+
+ protected:
+  // Helper methods to be used in subclasses.
+  int channel_security_connector_cmp(
+      const grpc_channel_security_connector* other) const;
+
+ private:
+  grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds_;
+  grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds_;
 };
 
-/// A helper function for use in grpc_security_connector_cmp() implementations.
-int grpc_channel_security_connector_cmp(grpc_channel_security_connector* sc1,
-                                        grpc_channel_security_connector* sc2);
-
-/// Checks that the host that will be set for a call is acceptable.
-/// Returns true if completed synchronously, in which case \a error will
-/// be set to indicate the result.  Otherwise, \a on_call_host_checked
-/// will be invoked when complete.
-bool grpc_channel_security_connector_check_call_host(
-    grpc_channel_security_connector* sc, const char* host,
-    grpc_auth_context* auth_context, grpc_closure* on_call_host_checked,
-    grpc_error** error);
-
-/// Cancels a pending asychronous call to
-/// grpc_channel_security_connector_check_call_host() with
-/// \a on_call_host_checked as its callback.
-void grpc_channel_security_connector_cancel_check_call_host(
-    grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
-    grpc_error* error);
-
-/* Registers handshakers with \a handshake_mgr. */
-void grpc_channel_security_connector_add_handshakers(
-    grpc_channel_security_connector* connector,
-    grpc_pollset_set* interested_parties,
-    grpc_handshake_manager* handshake_mgr);
-
 /* --- server_security_connector object. ---
 
     A server security connector object represents a way to configure the
     underlying transport security mechanism on the server side.  */
 
-typedef struct grpc_server_security_connector grpc_server_security_connector;
-
-struct grpc_server_security_connector {
-  grpc_security_connector base;
-  grpc_server_credentials* server_creds;
-  void (*add_handshakers)(grpc_server_security_connector* sc,
-                          grpc_pollset_set* interested_parties,
-                          grpc_handshake_manager* handshake_mgr);
+class grpc_server_security_connector : public grpc_security_connector {
+ public:
+  grpc_server_security_connector(
+      const char* url_scheme,
+      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
+  ~grpc_server_security_connector() override = default;
+
+  virtual void add_handshakers(grpc_pollset_set* interested_parties,
+                               grpc_handshake_manager* handshake_mgr)
+      GRPC_ABSTRACT;
+
+  const grpc_server_credentials* server_creds() const {
+    return server_creds_.get();
+  }
+  grpc_server_credentials* mutable_server_creds() {
+    return server_creds_.get();
+  }
+
+  GRPC_ABSTRACT_BASE_CLASS
+
+ protected:
+  // Helper methods to be used in subclasses.
+  int server_security_connector_cmp(
+      const grpc_server_security_connector* other) const;
+
+ private:
+  grpc_core::RefCountedPtr<grpc_server_credentials> server_creds_;
 };
 
-/// A helper function for use in grpc_security_connector_cmp() implementations.
-int grpc_server_security_connector_cmp(grpc_server_security_connector* sc1,
-                                       grpc_server_security_connector* sc2);
-
-void grpc_server_security_connector_add_handshakers(
-    grpc_server_security_connector* sc, grpc_pollset_set* interested_parties,
-    grpc_handshake_manager* handshake_mgr);
-
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H */

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -30,6 +30,7 @@
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/host_port.h"
 #include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
@@ -39,172 +40,10 @@
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security.h"
 
-typedef struct {
-  grpc_channel_security_connector base;
-  tsi_ssl_client_handshaker_factory* client_handshaker_factory;
-  char* target_name;
-  char* overridden_target_name;
-  const verify_peer_options* verify_options;
-} grpc_ssl_channel_security_connector;
-
-typedef struct {
-  grpc_server_security_connector base;
-  tsi_ssl_server_handshaker_factory* server_handshaker_factory;
-} grpc_ssl_server_security_connector;
-
-static bool server_connector_has_cert_config_fetcher(
-    grpc_ssl_server_security_connector* c) {
-  GPR_ASSERT(c != nullptr);
-  grpc_ssl_server_credentials* server_creds =
-      reinterpret_cast<grpc_ssl_server_credentials*>(c->base.server_creds);
-  GPR_ASSERT(server_creds != nullptr);
-  return server_creds->certificate_config_fetcher.cb != nullptr;
-}
-
-static void ssl_channel_destroy(grpc_security_connector* sc) {
-  grpc_ssl_channel_security_connector* c =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
-  grpc_channel_credentials_unref(c->base.channel_creds);
-  grpc_call_credentials_unref(c->base.request_metadata_creds);
-  tsi_ssl_client_handshaker_factory_unref(c->client_handshaker_factory);
-  c->client_handshaker_factory = nullptr;
-  if (c->target_name != nullptr) gpr_free(c->target_name);
-  if (c->overridden_target_name != nullptr) gpr_free(c->overridden_target_name);
-  gpr_free(sc);
-}
-
-static void ssl_server_destroy(grpc_security_connector* sc) {
-  grpc_ssl_server_security_connector* c =
-      reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
-  grpc_server_credentials_unref(c->base.server_creds);
-  tsi_ssl_server_handshaker_factory_unref(c->server_handshaker_factory);
-  c->server_handshaker_factory = nullptr;
-  gpr_free(sc);
-}
-
-static void ssl_channel_add_handshakers(grpc_channel_security_connector* sc,
-                                        grpc_pollset_set* interested_parties,
-                                        grpc_handshake_manager* handshake_mgr) {
-  grpc_ssl_channel_security_connector* c =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
-  // Instantiate TSI handshaker.
-  tsi_handshaker* tsi_hs = nullptr;
-  tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
-      c->client_handshaker_factory,
-      c->overridden_target_name != nullptr ? c->overridden_target_name
-                                           : c->target_name,
-      &tsi_hs);
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-            tsi_result_to_string(result));
-    return;
-  }
-  // Create handshakers.
-  grpc_handshake_manager_add(
-      handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
-}
-
-/* Attempts to replace the server_handshaker_factory with a new factory using
- * the provided grpc_ssl_server_certificate_config. Should new factory creation
- * fail, the existing factory will not be replaced. Returns true on success (new
- * factory created). */
-static bool try_replace_server_handshaker_factory(
-    grpc_ssl_server_security_connector* sc,
-    const grpc_ssl_server_certificate_config* config) {
-  if (config == nullptr) {
-    gpr_log(GPR_ERROR,
-            "Server certificate config callback returned invalid (NULL) "
-            "config.");
-    return false;
-  }
-  gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
-
-  size_t num_alpn_protocols = 0;
-  const char** alpn_protocol_strings =
-      grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
-  tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
-      config->pem_key_cert_pairs, config->num_key_cert_pairs);
-  tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
-  grpc_ssl_server_credentials* server_creds =
-      reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
-  tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
-      cert_pairs, config->num_key_cert_pairs, config->pem_root_certs,
-      grpc_get_tsi_client_certificate_request_type(
-          server_creds->config.client_certificate_request),
-      grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
-      static_cast<uint16_t>(num_alpn_protocols), &new_handshaker_factory);
-  gpr_free(cert_pairs);
-  gpr_free((void*)alpn_protocol_strings);
-
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-            tsi_result_to_string(result));
-    return false;
-  }
-  tsi_ssl_server_handshaker_factory_unref(sc->server_handshaker_factory);
-  sc->server_handshaker_factory = new_handshaker_factory;
-  return true;
-}
-
-/* Attempts to fetch the server certificate config if a callback is available.
- * Current certificate config will continue to be used if the callback returns
- * an error. Returns true if new credentials were sucessfully loaded. */
-static bool try_fetch_ssl_server_credentials(
-    grpc_ssl_server_security_connector* sc) {
-  grpc_ssl_server_certificate_config* certificate_config = nullptr;
-  bool status;
-
-  GPR_ASSERT(sc != nullptr);
-  if (!server_connector_has_cert_config_fetcher(sc)) return false;
-
-  grpc_ssl_server_credentials* server_creds =
-      reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
-  grpc_ssl_certificate_config_reload_status cb_result =
-      server_creds->certificate_config_fetcher.cb(
-          server_creds->certificate_config_fetcher.user_data,
-          &certificate_config);
-  if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
-    gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
-    status = false;
-  } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
-    status = try_replace_server_handshaker_factory(sc, certificate_config);
-  } else {
-    // Log error, continue using previously-loaded credentials.
-    gpr_log(GPR_ERROR,
-            "Failed fetching new server credentials, continuing to "
-            "use previously-loaded credentials.");
-    status = false;
-  }
-
-  if (certificate_config != nullptr) {
-    grpc_ssl_server_certificate_config_destroy(certificate_config);
-  }
-  return status;
-}
-
-static void ssl_server_add_handshakers(grpc_server_security_connector* sc,
-                                       grpc_pollset_set* interested_parties,
-                                       grpc_handshake_manager* handshake_mgr) {
-  grpc_ssl_server_security_connector* c =
-      reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
-  // Instantiate TSI handshaker.
-  try_fetch_ssl_server_credentials(c);
-  tsi_handshaker* tsi_hs = nullptr;
-  tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
-      c->server_handshaker_factory, &tsi_hs);
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-            tsi_result_to_string(result));
-    return;
-  }
-  // Create handshakers.
-  grpc_handshake_manager_add(
-      handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
-}
-
-static grpc_error* ssl_check_peer(grpc_security_connector* sc,
-                                  const char* peer_name, const tsi_peer* peer,
-                                  grpc_auth_context** auth_context) {
+namespace {
+grpc_error* ssl_check_peer(
+    const char* peer_name, const tsi_peer* peer,
+    grpc_core::RefCountedPtr<grpc_auth_context>* auth_context) {
 #if TSI_OPENSSL_ALPN_SUPPORT
   /* Check the ALPN if ALPN is supported. */
   const tsi_peer_property* p =
@@ -230,245 +69,384 @@ static grpc_error* ssl_check_peer(grpc_security_connector* sc,
   return GRPC_ERROR_NONE;
 }
 
-static void ssl_channel_check_peer(grpc_security_connector* sc, tsi_peer peer,
-                                   grpc_auth_context** auth_context,
-                                   grpc_closure* on_peer_checked) {
-  grpc_ssl_channel_security_connector* c =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
-  const char* target_name = c->overridden_target_name != nullptr
-                                ? c->overridden_target_name
-                                : c->target_name;
-  grpc_error* error = ssl_check_peer(sc, target_name, &peer, auth_context);
-  if (error == GRPC_ERROR_NONE &&
-      c->verify_options->verify_peer_callback != nullptr) {
-    const tsi_peer_property* p =
-        tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
-    if (p == nullptr) {
-      error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Cannot check peer: missing pem cert property.");
-    } else {
-      char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
-      memcpy(peer_pem, p->value.data, p->value.length);
-      peer_pem[p->value.length] = '\0';
-      int callback_status = c->verify_options->verify_peer_callback(
-          target_name, peer_pem,
-          c->verify_options->verify_peer_callback_userdata);
-      gpr_free(peer_pem);
-      if (callback_status) {
-        char* msg;
-        gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
-                     callback_status);
-        error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-        gpr_free(msg);
-      }
-    }
+class grpc_ssl_channel_security_connector final
+    : public grpc_channel_security_connector {
+ public:
+  grpc_ssl_channel_security_connector(
+      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+      const grpc_ssl_config* config, const char* target_name,
+      const char* overridden_target_name)
+      : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
+                                        std::move(channel_creds),
+                                        std::move(request_metadata_creds)),
+        overridden_target_name_(overridden_target_name == nullptr
+                                    ? nullptr
+                                    : gpr_strdup(overridden_target_name)),
+        verify_options_(&config->verify_options) {
+    char* port;
+    gpr_split_host_port(target_name, &target_name_, &port);
+    gpr_free(port);
   }
-  GRPC_CLOSURE_SCHED(on_peer_checked, error);
-  tsi_peer_destruct(&peer);
-}
 
-static void ssl_server_check_peer(grpc_security_connector* sc, tsi_peer peer,
-                                  grpc_auth_context** auth_context,
-                                  grpc_closure* on_peer_checked) {
-  grpc_error* error = ssl_check_peer(sc, nullptr, &peer, auth_context);
-  tsi_peer_destruct(&peer);
-  GRPC_CLOSURE_SCHED(on_peer_checked, error);
-}
+  ~grpc_ssl_channel_security_connector() override {
+    tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
+    if (target_name_ != nullptr) gpr_free(target_name_);
+    if (overridden_target_name_ != nullptr) gpr_free(overridden_target_name_);
+  }
 
-static int ssl_channel_cmp(grpc_security_connector* sc1,
-                           grpc_security_connector* sc2) {
-  grpc_ssl_channel_security_connector* c1 =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc1);
-  grpc_ssl_channel_security_connector* c2 =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc2);
-  int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
-  if (c != 0) return c;
-  c = strcmp(c1->target_name, c2->target_name);
-  if (c != 0) return c;
-  return (c1->overridden_target_name == nullptr ||
-          c2->overridden_target_name == nullptr)
-             ? GPR_ICMP(c1->overridden_target_name, c2->overridden_target_name)
-             : strcmp(c1->overridden_target_name, c2->overridden_target_name);
-}
+  grpc_security_status InitializeHandshakerFactory(
+      const grpc_ssl_config* config, const char* pem_root_certs,
+      const tsi_ssl_root_certs_store* root_store,
+      tsi_ssl_session_cache* ssl_session_cache) {
+    bool has_key_cert_pair =
+        config->pem_key_cert_pair != nullptr &&
+        config->pem_key_cert_pair->private_key != nullptr &&
+        config->pem_key_cert_pair->cert_chain != nullptr;
+    tsi_ssl_client_handshaker_options options;
+    memset(&options, 0, sizeof(options));
+    GPR_DEBUG_ASSERT(pem_root_certs != nullptr);
+    options.pem_root_certs = pem_root_certs;
+    options.root_store = root_store;
+    options.alpn_protocols =
+        grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
+    if (has_key_cert_pair) {
+      options.pem_key_cert_pair = config->pem_key_cert_pair;
+    }
+    options.cipher_suites = grpc_get_ssl_cipher_suites();
+    options.session_cache = ssl_session_cache;
+    const tsi_result result =
+        tsi_create_ssl_client_handshaker_factory_with_options(
+            &options, &client_handshaker_factory_);
+    gpr_free((void*)options.alpn_protocols);
+    if (result != TSI_OK) {
+      gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+              tsi_result_to_string(result));
+      return GRPC_SECURITY_ERROR;
+    }
+    return GRPC_SECURITY_OK;
+  }
 
-static int ssl_server_cmp(grpc_security_connector* sc1,
-                          grpc_security_connector* sc2) {
-  return grpc_server_security_connector_cmp(
-      reinterpret_cast<grpc_server_security_connector*>(sc1),
-      reinterpret_cast<grpc_server_security_connector*>(sc2));
-}
+  void add_handshakers(grpc_pollset_set* interested_parties,
+                       grpc_handshake_manager* handshake_mgr) override {
+    // Instantiate TSI handshaker.
+    tsi_handshaker* tsi_hs = nullptr;
+    tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
+        client_handshaker_factory_,
+        overridden_target_name_ != nullptr ? overridden_target_name_
+                                           : target_name_,
+        &tsi_hs);
+    if (result != TSI_OK) {
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+              tsi_result_to_string(result));
+      return;
+    }
+    // Create handshakers.
+    grpc_handshake_manager_add(handshake_mgr,
+                               grpc_security_handshaker_create(tsi_hs, this));
+  }
 
-static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc,
-                                        const char* host,
-                                        grpc_auth_context* auth_context,
-                                        grpc_closure* on_call_host_checked,
-                                        grpc_error** error) {
-  grpc_ssl_channel_security_connector* c =
-      reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
-  grpc_security_status status = GRPC_SECURITY_ERROR;
-  tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
-  if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
-  /* If the target name was overridden, then the original target_name was
-     'checked' transitively during the previous peer check at the end of the
-     handshake. */
-  if (c->overridden_target_name != nullptr &&
-      strcmp(host, c->target_name) == 0) {
-    status = GRPC_SECURITY_OK;
+  void check_peer(tsi_peer peer, grpc_endpoint* ep,
+                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  grpc_closure* on_peer_checked) override {
+    const char* target_name = overridden_target_name_ != nullptr
+                                  ? overridden_target_name_
+                                  : target_name_;
+    grpc_error* error = ssl_check_peer(target_name, &peer, auth_context);
+    if (error == GRPC_ERROR_NONE &&
+        verify_options_->verify_peer_callback != nullptr) {
+      const tsi_peer_property* p =
+          tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
+      if (p == nullptr) {
+        error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+            "Cannot check peer: missing pem cert property.");
+      } else {
+        char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
+        memcpy(peer_pem, p->value.data, p->value.length);
+        peer_pem[p->value.length] = '\0';
+        int callback_status = verify_options_->verify_peer_callback(
+            target_name, peer_pem,
+            verify_options_->verify_peer_callback_userdata);
+        gpr_free(peer_pem);
+        if (callback_status) {
+          char* msg;
+          gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
+                       callback_status);
+          error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+          gpr_free(msg);
+        }
+      }
+    }
+    GRPC_CLOSURE_SCHED(on_peer_checked, error);
+    tsi_peer_destruct(&peer);
   }
-  if (status != GRPC_SECURITY_OK) {
-    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "call host does not match SSL server name");
+
+  int cmp(const grpc_security_connector* other_sc) const override {
+    auto* other =
+        reinterpret_cast<const grpc_ssl_channel_security_connector*>(other_sc);
+    int c = channel_security_connector_cmp(other);
+    if (c != 0) return c;
+    c = strcmp(target_name_, other->target_name_);
+    if (c != 0) return c;
+    return (overridden_target_name_ == nullptr ||
+            other->overridden_target_name_ == nullptr)
+               ? GPR_ICMP(overridden_target_name_,
+                          other->overridden_target_name_)
+               : strcmp(overridden_target_name_,
+                        other->overridden_target_name_);
   }
-  grpc_shallow_peer_destruct(&peer);
-  return true;
-}
 
-static void ssl_channel_cancel_check_call_host(
-    grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
-    grpc_error* error) {
-  GRPC_ERROR_UNREF(error);
-}
+  bool check_call_host(const char* host, grpc_auth_context* auth_context,
+                       grpc_closure* on_call_host_checked,
+                       grpc_error** error) override {
+    grpc_security_status status = GRPC_SECURITY_ERROR;
+    tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
+    if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
+    /* If the target name was overridden, then the original target_name was
+       'checked' transitively during the previous peer check at the end of the
+       handshake. */
+    if (overridden_target_name_ != nullptr && strcmp(host, target_name_) == 0) {
+      status = GRPC_SECURITY_OK;
+    }
+    if (status != GRPC_SECURITY_OK) {
+      *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "call host does not match SSL server name");
+    }
+    grpc_shallow_peer_destruct(&peer);
+    return true;
+  }
 
-static grpc_security_connector_vtable ssl_channel_vtable = {
-    ssl_channel_destroy, ssl_channel_check_peer, ssl_channel_cmp};
+  void cancel_check_call_host(grpc_closure* on_call_host_checked,
+                              grpc_error* error) override {
+    GRPC_ERROR_UNREF(error);
+  }
 
-static grpc_security_connector_vtable ssl_server_vtable = {
-    ssl_server_destroy, ssl_server_check_peer, ssl_server_cmp};
+ private:
+  tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
+  char* target_name_;
+  char* overridden_target_name_;
+  const verify_peer_options* verify_options_;
+};
+
+class grpc_ssl_server_security_connector
+    : public grpc_server_security_connector {
+ public:
+  grpc_ssl_server_security_connector(
+      grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
+      : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
+                                       std::move(server_creds)) {}
+
+  ~grpc_ssl_server_security_connector() override {
+    tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
+  }
 
-grpc_security_status grpc_ssl_channel_security_connector_create(
-    grpc_channel_credentials* channel_creds,
-    grpc_call_credentials* request_metadata_creds,
-    const grpc_ssl_config* config, const char* target_name,
-    const char* overridden_target_name,
-    tsi_ssl_session_cache* ssl_session_cache,
-    grpc_channel_security_connector** sc) {
-  tsi_result result = TSI_OK;
-  grpc_ssl_channel_security_connector* c;
-  char* port;
-  bool has_key_cert_pair;
-  tsi_ssl_client_handshaker_options options;
-  memset(&options, 0, sizeof(options));
-  options.alpn_protocols =
-      grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
+  bool has_cert_config_fetcher() const {
+    return static_cast<const grpc_ssl_server_credentials*>(server_creds())
+        ->has_cert_config_fetcher();
+  }
 
-  if (config == nullptr || target_name == nullptr) {
-    gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
-    goto error;
+  const tsi_ssl_server_handshaker_factory* server_handshaker_factory() const {
+    return server_handshaker_factory_;
   }
-  if (config->pem_root_certs == nullptr) {
-    // Use default root certificates.
-    options.pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
-    options.root_store = grpc_core::DefaultSslRootStore::GetRootStore();
-    if (options.pem_root_certs == nullptr) {
-      gpr_log(GPR_ERROR, "Could not get default pem root certs.");
-      goto error;
+
+  grpc_security_status InitializeHandshakerFactory() {
+    if (has_cert_config_fetcher()) {
+      // Load initial credentials from certificate_config_fetcher:
+      if (!try_fetch_ssl_server_credentials()) {
+        gpr_log(GPR_ERROR,
+                "Failed loading SSL server credentials from fetcher.");
+        return GRPC_SECURITY_ERROR;
+      }
+    } else {
+      auto* server_credentials =
+          static_cast<const grpc_ssl_server_credentials*>(server_creds());
+      size_t num_alpn_protocols = 0;
+      const char** alpn_protocol_strings =
+          grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
+      const tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
+          server_credentials->config().pem_key_cert_pairs,
+          server_credentials->config().num_key_cert_pairs,
+          server_credentials->config().pem_root_certs,
+          grpc_get_tsi_client_certificate_request_type(
+              server_credentials->config().client_certificate_request),
+          grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
+          static_cast<uint16_t>(num_alpn_protocols),
+          &server_handshaker_factory_);
+      gpr_free((void*)alpn_protocol_strings);
+      if (result != TSI_OK) {
+        gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+                tsi_result_to_string(result));
+        return GRPC_SECURITY_ERROR;
+      }
     }
-  } else {
-    options.pem_root_certs = config->pem_root_certs;
-  }
-  c = static_cast<grpc_ssl_channel_security_connector*>(
-      gpr_zalloc(sizeof(grpc_ssl_channel_security_connector)));
-
-  gpr_ref_init(&c->base.base.refcount, 1);
-  c->base.base.vtable = &ssl_channel_vtable;
-  c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
-  c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
-  c->base.request_metadata_creds =
-      grpc_call_credentials_ref(request_metadata_creds);
-  c->base.check_call_host = ssl_channel_check_call_host;
-  c->base.cancel_check_call_host = ssl_channel_cancel_check_call_host;
-  c->base.add_handshakers = ssl_channel_add_handshakers;
-  gpr_split_host_port(target_name, &c->target_name, &port);
-  gpr_free(port);
-  if (overridden_target_name != nullptr) {
-    c->overridden_target_name = gpr_strdup(overridden_target_name);
+    return GRPC_SECURITY_OK;
   }
-  c->verify_options = &config->verify_options;
 
-  has_key_cert_pair = config->pem_key_cert_pair != nullptr &&
-                      config->pem_key_cert_pair->private_key != nullptr &&
-                      config->pem_key_cert_pair->cert_chain != nullptr;
-  if (has_key_cert_pair) {
-    options.pem_key_cert_pair = config->pem_key_cert_pair;
+  void add_handshakers(grpc_pollset_set* interested_parties,
+                       grpc_handshake_manager* handshake_mgr) override {
+    // Instantiate TSI handshaker.
+    try_fetch_ssl_server_credentials();
+    tsi_handshaker* tsi_hs = nullptr;
+    tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
+        server_handshaker_factory_, &tsi_hs);
+    if (result != TSI_OK) {
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+              tsi_result_to_string(result));
+      return;
+    }
+    // Create handshakers.
+    grpc_handshake_manager_add(handshake_mgr,
+                               grpc_security_handshaker_create(tsi_hs, this));
   }
-  options.cipher_suites = grpc_get_ssl_cipher_suites();
-  options.session_cache = ssl_session_cache;
-  result = tsi_create_ssl_client_handshaker_factory_with_options(
-      &options, &c->client_handshaker_factory);
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
-            tsi_result_to_string(result));
-    ssl_channel_destroy(&c->base.base);
-    *sc = nullptr;
-    goto error;
+
+  void check_peer(tsi_peer peer, grpc_endpoint* ep,
+                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  grpc_closure* on_peer_checked) override {
+    grpc_error* error = ssl_check_peer(nullptr, &peer, auth_context);
+    tsi_peer_destruct(&peer);
+    GRPC_CLOSURE_SCHED(on_peer_checked, error);
   }
-  *sc = &c->base;
-  gpr_free((void*)options.alpn_protocols);
-  return GRPC_SECURITY_OK;
 
-error:
-  gpr_free((void*)options.alpn_protocols);
-  return GRPC_SECURITY_ERROR;
-}
+  int cmp(const grpc_security_connector* other) const override {
+    return server_security_connector_cmp(
+        static_cast<const grpc_server_security_connector*>(other));
+  }
 
-static grpc_ssl_server_security_connector*
-grpc_ssl_server_security_connector_initialize(
-    grpc_server_credentials* server_creds) {
-  grpc_ssl_server_security_connector* c =
-      static_cast<grpc_ssl_server_security_connector*>(
-          gpr_zalloc(sizeof(grpc_ssl_server_security_connector)));
-  gpr_ref_init(&c->base.base.refcount, 1);
-  c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
-  c->base.base.vtable = &ssl_server_vtable;
-  c->base.add_handshakers = ssl_server_add_handshakers;
-  c->base.server_creds = grpc_server_credentials_ref(server_creds);
-  return c;
-}
+ private:
+  /* Attempts to fetch the server certificate config if a callback is available.
+   * Current certificate config will continue to be used if the callback returns
+   * an error. Returns true if new credentials were sucessfully loaded. */
+  bool try_fetch_ssl_server_credentials() {
+    grpc_ssl_server_certificate_config* certificate_config = nullptr;
+    bool status;
+
+    if (!has_cert_config_fetcher()) return false;
+
+    grpc_ssl_server_credentials* server_creds =
+        static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
+    grpc_ssl_certificate_config_reload_status cb_result =
+        server_creds->FetchCertConfig(&certificate_config);
+    if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
+      gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
+      status = false;
+    } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
+      status = try_replace_server_handshaker_factory(certificate_config);
+    } else {
+      // Log error, continue using previously-loaded credentials.
+      gpr_log(GPR_ERROR,
+              "Failed fetching new server credentials, continuing to "
+              "use previously-loaded credentials.");
+      status = false;
+    }
 
-grpc_security_status grpc_ssl_server_security_connector_create(
-    grpc_server_credentials* gsc, grpc_server_security_connector** sc) {
-  tsi_result result = TSI_OK;
-  grpc_ssl_server_credentials* server_credentials =
-      reinterpret_cast<grpc_ssl_server_credentials*>(gsc);
-  grpc_security_status retval = GRPC_SECURITY_OK;
+    if (certificate_config != nullptr) {
+      grpc_ssl_server_certificate_config_destroy(certificate_config);
+    }
+    return status;
+  }
 
-  GPR_ASSERT(server_credentials != nullptr);
-  GPR_ASSERT(sc != nullptr);
-
-  grpc_ssl_server_security_connector* c =
-      grpc_ssl_server_security_connector_initialize(gsc);
-  if (server_connector_has_cert_config_fetcher(c)) {
-    // Load initial credentials from certificate_config_fetcher:
-    if (!try_fetch_ssl_server_credentials(c)) {
-      gpr_log(GPR_ERROR, "Failed loading SSL server credentials from fetcher.");
-      retval = GRPC_SECURITY_ERROR;
+  /* Attempts to replace the server_handshaker_factory with a new factory using
+   * the provided grpc_ssl_server_certificate_config. Should new factory
+   * creation fail, the existing factory will not be replaced. Returns true on
+   * success (new factory created). */
+  bool try_replace_server_handshaker_factory(
+      const grpc_ssl_server_certificate_config* config) {
+    if (config == nullptr) {
+      gpr_log(GPR_ERROR,
+              "Server certificate config callback returned invalid (NULL) "
+              "config.");
+      return false;
     }
-  } else {
+    gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
+
     size_t num_alpn_protocols = 0;
     const char** alpn_protocol_strings =
         grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
-    result = tsi_create_ssl_server_handshaker_factory_ex(
-        server_credentials->config.pem_key_cert_pairs,
-        server_credentials->config.num_key_cert_pairs,
-        server_credentials->config.pem_root_certs,
+    tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
+        config->pem_key_cert_pairs, config->num_key_cert_pairs);
+    tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
+    const grpc_ssl_server_credentials* server_creds =
+        static_cast<const grpc_ssl_server_credentials*>(this->server_creds());
+    GPR_DEBUG_ASSERT(config->pem_root_certs != nullptr);
+    tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
+        cert_pairs, config->num_key_cert_pairs, config->pem_root_certs,
         grpc_get_tsi_client_certificate_request_type(
-            server_credentials->config.client_certificate_request),
+            server_creds->config().client_certificate_request),
         grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
-        static_cast<uint16_t>(num_alpn_protocols),
-        &c->server_handshaker_factory);
+        static_cast<uint16_t>(num_alpn_protocols), &new_handshaker_factory);
+    gpr_free(cert_pairs);
     gpr_free((void*)alpn_protocol_strings);
+
     if (result != TSI_OK) {
       gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
               tsi_result_to_string(result));
-      retval = GRPC_SECURITY_ERROR;
+      return false;
     }
+    set_server_handshaker_factory(new_handshaker_factory);
+    return true;
+  }
+
+  void set_server_handshaker_factory(
+      tsi_ssl_server_handshaker_factory* new_factory) {
+    if (server_handshaker_factory_) {
+      tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
+    }
+    server_handshaker_factory_ = new_factory;
+  }
+
+  tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
+};
+}  // namespace
+
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+grpc_ssl_channel_security_connector_create(
+    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+    const grpc_ssl_config* config, const char* target_name,
+    const char* overridden_target_name,
+    tsi_ssl_session_cache* ssl_session_cache) {
+  if (config == nullptr || target_name == nullptr) {
+    gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
+    return nullptr;
   }
 
-  if (retval == GRPC_SECURITY_OK) {
-    *sc = &c->base;
+  const char* pem_root_certs;
+  const tsi_ssl_root_certs_store* root_store;
+  if (config->pem_root_certs == nullptr) {
+    // Use default root certificates.
+    pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
+    if (pem_root_certs == nullptr) {
+      gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+      return nullptr;
+    }
+    root_store = grpc_core::DefaultSslRootStore::GetRootStore();
   } else {
-    if (c != nullptr) ssl_server_destroy(&c->base.base);
-    if (sc != nullptr) *sc = nullptr;
+    pem_root_certs = config->pem_root_certs;
+    root_store = nullptr;
+  }
+
+  grpc_core::RefCountedPtr<grpc_ssl_channel_security_connector> c =
+      grpc_core::MakeRefCounted<grpc_ssl_channel_security_connector>(
+          std::move(channel_creds), std::move(request_metadata_creds), config,
+          target_name, overridden_target_name);
+  const grpc_security_status result = c->InitializeHandshakerFactory(
+      config, pem_root_certs, root_store, ssl_session_cache);
+  if (result != GRPC_SECURITY_OK) {
+    return nullptr;
   }
-  return retval;
+  return c;
+}
+
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+grpc_ssl_server_security_connector_create(
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials) {
+  GPR_ASSERT(server_credentials != nullptr);
+  grpc_core::RefCountedPtr<grpc_ssl_server_security_connector> c =
+      grpc_core::MakeRefCounted<grpc_ssl_server_security_connector>(
+          std::move(server_credentials));
+  const grpc_security_status retval = c->InitializeHandshakerFactory();
+  if (retval != GRPC_SECURITY_OK) {
+    return nullptr;
+  }
+  return c;
 }