grpc 1.33.0.pre1 → 1.34.0

data/src/core/lib/security/credentials/tls/tls_credentials.cc

@@ -40,18 +40,18 @@ bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
     gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
     return false;
   }
-  if (options->key_materials_config() == nullptr &&
-      options->credential_reload_config() == nullptr) {
-    gpr_log(GPR_ERROR,
-            "TLS credentials options must specify either key materials or "
-            "credential reload config.");
-    return false;
-  }
+  // TODO(ZhenLian): remove this when it is also supported on server side.
   if (!is_client && options->server_authorization_check_config() != nullptr) {
     gpr_log(GPR_INFO,
             "Server's credentials options should not contain server "
             "authorization check config.");
   }
+  if (options->server_verification_option() != GRPC_TLS_SERVER_VERIFICATION &&
+      options->server_authorization_check_config() == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Should provider custom verifications if bypassing default ones.");
+    return false;
+  }
   return true;
 }
 
@@ -85,14 +85,16 @@ TlsCredentials::create_security_connector(
   }
   grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
       grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
-          this->Ref(), std::move(call_creds), target_name,
+          this->Ref(), options_, std::move(call_creds), target_name,
           overridden_target_name, ssl_session_cache);
   if (sc == nullptr) {
     return nullptr;
   }
-  grpc_arg new_arg = grpc_channel_arg_string_create(
-      (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
-  *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
+  if (args != nullptr) {
+    grpc_arg new_arg = grpc_channel_arg_string_create(
+        (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
+    *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
+  }
   return sc;
 }
 
@@ -106,9 +108,11 @@ TlsServerCredentials::~TlsServerCredentials() {}
 grpc_core::RefCountedPtr<grpc_server_security_connector>
 TlsServerCredentials::create_security_connector() {
   return grpc_core::TlsServerSecurityConnector::
-      CreateTlsServerSecurityConnector(this->Ref());
+      CreateTlsServerSecurityConnector(this->Ref(), options_);
 }
 
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+
 grpc_channel_credentials* grpc_tls_credentials_create(
     grpc_tls_credentials_options* options) {
   if (!CredentialOptionSanityCheck(options, true /* is_client */)) {

data/src/core/lib/security/credentials/tls/tls_credentials.h

@@ -38,7 +38,7 @@ class TlsCredentials final : public grpc_channel_credentials {
       const char* target_name, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
-  const grpc_tls_credentials_options& options() const { return *options_; }
+  grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:
   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
@@ -53,7 +53,7 @@ class TlsServerCredentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector() override;
 
-  const grpc_tls_credentials_options& options() const { return *options_; }
+  grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:
   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc

@@ -223,7 +223,7 @@ static void fake_check_peer(
   }
   prop_name = peer.properties[0].name;
   if (prop_name == nullptr ||
-      strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
+      strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY) != 0) {
     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
         absl::StrCat("Unexpected property in fake peer: ",
                      prop_name == nullptr ? "<EMPTY>" : prop_name)
@@ -231,7 +231,7 @@ static void fake_check_peer(
     goto end;
   }
   if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
-              peer.properties[0].value.length)) {
+              peer.properties[0].value.length) != 0) {
     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "Invalid value for cert type property.");
     goto end;

data/src/core/lib/security/security_connector/insecure/insecure_security_connector.cc

@@ -0,0 +1,88 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
+
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/local_transport_security.h"
+
+namespace grpc_core {
+
+const char kInsecureTransportSecurityType[] = "insecure";
+
+// check_call_host and cancel_check_call_host are no-ops since we want to
+// provide an insecure channel.
+bool InsecureChannelSecurityConnector::check_call_host(
+    absl::string_view host, grpc_auth_context* auth_context,
+    grpc_closure* on_call_host_checked, grpc_error** error) {
+  *error = GRPC_ERROR_NONE;
+  return true;
+}
+
+void InsecureChannelSecurityConnector::cancel_check_call_host(
+    grpc_closure* on_call_host_checked, grpc_error* error) {
+  GRPC_ERROR_UNREF(error);
+}
+
+// add_handshakers should have been a no-op but we need to add a minimalist
+// security handshaker so that check_peer is invoked and an auth_context is
+// created with the security level of TSI_SECURITY_NONE.
+void InsecureChannelSecurityConnector::add_handshakers(
+    const grpc_channel_args* args, grpc_pollset_set* /* interested_parties */,
+    HandshakeManager* handshake_manager) {
+  tsi_handshaker* handshaker = nullptr;
+  // Re-use local_tsi_handshaker_create as a minimalist handshaker.
+  GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
+             TSI_OK);
+  handshake_manager->Add(SecurityHandshakerCreate(handshaker, this, args));
+}
+
+void InsecureChannelSecurityConnector::check_peer(
+    tsi_peer peer, grpc_endpoint* ep,
+    RefCountedPtr<grpc_auth_context>* auth_context,
+    grpc_closure* on_peer_checked) {
+  *auth_context = MakeAuthContext();
+  tsi_peer_destruct(&peer);
+  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, GRPC_ERROR_NONE);
+}
+
+int InsecureChannelSecurityConnector::cmp(
+    const grpc_security_connector* other_sc) const {
+  return channel_security_connector_cmp(
+      static_cast<const grpc_channel_security_connector*>(other_sc));
+}
+
+RefCountedPtr<grpc_auth_context>
+InsecureChannelSecurityConnector::MakeAuthContext() {
+  auto ctx = MakeRefCounted<grpc_auth_context>(nullptr);
+  grpc_auth_context_add_cstring_property(
+      ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+      kInsecureTransportSecurityType);
+  GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+                 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME) == 1);
+  const char* security_level = tsi_security_level_to_string(TSI_SECURITY_NONE);
+  grpc_auth_context_add_property(ctx.get(),
+                                 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
+                                 security_level, strlen(security_level));
+  return ctx;
+}
+
+}  // namespace grpc_core

data/src/core/lib/security/security_connector/insecure/insecure_security_connector.h

@@ -0,0 +1,70 @@
+//
+//
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/security_connector.h"
+
+namespace grpc_core {
+
+extern const char kInsecureTransportSecurityType[];
+
+class InsecureChannelSecurityConnector
+    : public grpc_channel_security_connector {
+ public:
+  InsecureChannelSecurityConnector(
+      grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+      grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds)
+      : grpc_channel_security_connector(/* url_scheme */ nullptr,
+                                        std::move(channel_creds),
+                                        std::move(request_metadata_creds)) {}
+
+  bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
+                       grpc_closure* on_call_host_checked,
+                       grpc_error** error) override;
+
+  void cancel_check_call_host(grpc_closure* on_call_host_checked,
+                              grpc_error* error) override;
+
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* /* interested_parties */,
+                       grpc_core::HandshakeManager* handshake_manager) override;
+
+  void check_peer(tsi_peer peer, grpc_endpoint* ep,
+                  grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
+                  grpc_closure* on_peer_checked) override;
+
+  int cmp(const grpc_security_connector* other_sc) const override;
+
+  // Exposed for testing purposes only.
+  // Create an auth context which is necessary to pass the santiy check in
+  // client_auth_filter that verifies if the peer's auth context is obtained
+  // during handshakes. The auth context is only checked for its existence and
+  // not actually used.
+  static RefCountedPtr<grpc_auth_context> MakeAuthContext();
+};
+
+}  // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_INSECURE_INSECURE_SECURITY_CONNECTOR_H \
+        */

data/src/core/lib/security/security_connector/load_system_roots.h

@@ -19,6 +19,10 @@
 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOAD_SYSTEM_ROOTS_H
 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOAD_SYSTEM_ROOTS_H
 
+#include <grpc/support/port_platform.h>
+
+#include <grpc/slice.h>
+
 namespace grpc_core {
 
 // Returns a slice containing roots from the OS trust store

data/src/core/lib/security/security_connector/load_system_roots_linux.h

@@ -21,6 +21,8 @@
 
 #include <grpc/support/port_platform.h>
 
+#include <grpc/slice.h>
+
 #ifdef GPR_LINUX
 
 namespace grpc_core {

data/src/core/lib/security/security_connector/local/local_security_connector.cc

@@ -157,7 +157,7 @@ class grpc_local_channel_security_connector final
       const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
       grpc_core::HandshakeManager* handshake_manager) override {
     tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(true /* is_client */, &handshaker) ==
+    GPR_ASSERT(tsi_local_handshaker_create(true /* is_client */, &handshaker) ==
                TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));
@@ -215,7 +215,7 @@ class grpc_local_server_security_connector final
       const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
       grpc_core::HandshakeManager* handshake_manager) override {
     tsi_handshaker* handshaker = nullptr;
-    GPR_ASSERT(local_tsi_handshaker_create(false /* is_client */,
+    GPR_ASSERT(tsi_local_handshaker_create(false /* is_client */,
                                            &handshaker) == TSI_OK);
     handshake_manager->Add(
         grpc_core::SecurityHandshakerCreate(handshaker, this, args));

data/src/core/lib/security/security_connector/security_connector.cc

@@ -109,7 +109,7 @@ grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc) {
 }
 
 grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg) {
-  if (strcmp(arg->key, GRPC_ARG_SECURITY_CONNECTOR)) return nullptr;
+  if (strcmp(arg->key, GRPC_ARG_SECURITY_CONNECTOR) != 0) return nullptr;
   if (arg->type != GRPC_ARG_POINTER) {
     gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
             GRPC_ARG_SECURITY_CONNECTOR);

data/src/core/lib/security/security_connector/security_connector.h

@@ -49,9 +49,11 @@ class grpc_security_connector
  public:
   explicit grpc_security_connector(const char* url_scheme)
       : grpc_core::RefCounted<grpc_security_connector>(
-            &grpc_trace_security_connector_refcount),
+            GRPC_TRACE_FLAG_ENABLED(grpc_trace_security_connector_refcount)
+                ? "security_connector_refcount"
+                : nullptr),
         url_scheme_(url_scheme) {}
-  virtual ~grpc_security_connector() = default;
+  ~grpc_security_connector() override = default;
 
   /* Check the peer. Callee takes ownership of the peer object.
      When done, sets *auth_context and invokes on_peer_checked. */

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -154,11 +154,11 @@ class PemKeyCertPair {
   }
 
   // Movable.
-  PemKeyCertPair(PemKeyCertPair&& other) {
+  PemKeyCertPair(PemKeyCertPair&& other) noexcept {
     private_key_ = std::move(other.private_key_);
     cert_chain_ = std::move(other.cert_chain_);
   }
-  PemKeyCertPair& operator=(PemKeyCertPair&& other) {
+  PemKeyCertPair& operator=(PemKeyCertPair&& other) noexcept {
     private_key_ = std::move(other.private_key_);
     cert_chain_ = std::move(other.cert_chain_);
     return *this;
@@ -187,6 +187,8 @@ class PemKeyCertPair {
   grpc_core::UniquePtr<char> cert_chain_;
 };
 
+typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList;
+
 }  // namespace grpc_core
 
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -46,7 +46,7 @@ namespace grpc_core {
 namespace {
 
 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
-    const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
+    const grpc_core::PemKeyCertPairList& cert_pair_list) {
   tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
   size_t num_key_cert_pairs = cert_pair_list.size();
   if (num_key_cert_pairs > 0) {
@@ -65,127 +65,120 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
 
 }  // namespace
 
-grpc_status_code TlsFetchKeyMaterials(
-    const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
-        key_materials_config,
-    const grpc_tls_credentials_options& options, bool is_server,
-    grpc_ssl_certificate_config_reload_status* status) {
-  GPR_ASSERT(key_materials_config != nullptr);
-  GPR_ASSERT(status != nullptr);
-  bool is_key_materials_empty =
-      key_materials_config->pem_key_cert_pair_list().empty();
-  grpc_tls_credential_reload_config* credential_reload_config =
-      options.credential_reload_config();
-  /** If there are no key materials and no credential reload config and the
-   *  caller is a server, then return an error. We do not require that a client
-   *  always provision certificates. **/
-  if (credential_reload_config == nullptr && is_key_materials_empty &&
-      is_server) {
+// -------------------channel security connector-------------------
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
+    grpc_core::RefCountedPtr<grpc_channel_credentials> ch_creds,
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+    const char* target_name, const char* overridden_target_name,
+    tsi_ssl_session_cache* ssl_session_cache) {
+  if (ch_creds == nullptr) {
     gpr_log(GPR_ERROR,
-            "Either credential reload config or key materials should be "
-            "provisioned.");
-    return GRPC_STATUS_FAILED_PRECONDITION;
-  }
-  grpc_status_code reload_status = GRPC_STATUS_OK;
-  /** Use |credential_reload_config| to update |key_materials_config|. **/
-  if (credential_reload_config != nullptr) {
-    grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
-    arg->key_materials_config = key_materials_config.get();
-    arg->error_details = new grpc_tls_error_details();
-    int result = credential_reload_config->Schedule(arg);
-    if (result) {
-      /** Credential reloading is performed async. This is not yet supported.
-       * **/
-      gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
-      *status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
-      reload_status =
-          is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
-    } else {
-      /** Credential reloading is performed sync. **/
-      *status = arg->status;
-      if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
-        /* Key materials is not empty. */
-        gpr_log(GPR_DEBUG, "Credential does not change after reload.");
-      } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
-        gpr_log(GPR_ERROR, "Credential reload failed with an error:");
-        if (arg->error_details != nullptr) {
-          gpr_log(GPR_ERROR, "%s", arg->error_details->error_details().c_str());
-        }
-        reload_status =
-            is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
-      }
-    }
-    delete arg->error_details;
-    /** If the credential reload config was constructed via a wrapped language,
-     *  then |arg->context| and |arg->destroy_context| will not be nullptr. In
-     *  this case, we must destroy |arg->context|, which stores the wrapped
-     *  language-version of the credential reload arg. **/
-    if (arg->destroy_context != nullptr) {
-      arg->destroy_context(arg->context);
-    }
-    delete arg;
+            "channel_creds is nullptr in "
+            "TlsChannelSecurityConnectorCreate()");
+    return nullptr;
   }
-  return reload_status;
-}
-
-grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
-  /* Check the peer name if specified. */
-  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
-            .c_str());
+  if (options == nullptr) {
+    gpr_log(GPR_ERROR,
+            "options is nullptr in "
+            "TlsChannelSecurityConnectorCreate()");
+    return nullptr;
   }
-  return GRPC_ERROR_NONE;
+  if (target_name == nullptr) {
+    gpr_log(GPR_ERROR,
+            "target_name is nullptr in "
+            "TlsChannelSecurityConnectorCreate()");
+    return nullptr;
+  }
+  grpc_core::RefCountedPtr<TlsChannelSecurityConnector> c =
+      grpc_core::MakeRefCounted<TlsChannelSecurityConnector>(
+          std::move(ch_creds), std::move(options),
+          std::move(request_metadata_creds), target_name,
+          overridden_target_name, ssl_session_cache);
+  return c;
 }
 
 TlsChannelSecurityConnector::TlsChannelSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+    grpc_core::RefCountedPtr<grpc_channel_credentials> ch_creds,
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options,
     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
-    const char* target_name, const char* overridden_target_name)
-    : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
-                                      std::move(channel_creds),
+    const char* target_name, const char* overridden_target_name,
+    tsi_ssl_session_cache* ssl_session_cache)
+    : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME, std::move(ch_creds),
                                       std::move(request_metadata_creds)),
+      options_(std::move(options)),
       overridden_target_name_(
-          overridden_target_name == nullptr ? "" : overridden_target_name) {
-  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
+          overridden_target_name == nullptr ? "" : overridden_target_name),
+      ssl_session_cache_(ssl_session_cache) {
+  if (ssl_session_cache_ != nullptr) {
+    tsi_ssl_session_cache_ref(ssl_session_cache_);
+  }
   check_arg_ = ServerAuthorizationCheckArgCreate(this);
   absl::string_view host;
   absl::string_view port;
   grpc_core::SplitHostPort(target_name, &host, &port);
   target_name_ = std::string(host);
+  // Create a watcher.
+  auto watcher_ptr = absl::make_unique<TlsChannelCertificateWatcher>(this);
+  certificate_watcher_ = watcher_ptr.get();
+  // Register the watcher with the distributor.
+  grpc_tls_certificate_distributor* distributor =
+      options_->certificate_distributor();
+  absl::optional<std::string> watched_root_cert_name;
+  if (options_->watch_root_cert()) {
+    watched_root_cert_name = options_->root_cert_name();
+  }
+  absl::optional<std::string> watched_identity_cert_name;
+  if (options_->watch_identity_pair()) {
+    watched_identity_cert_name = options_->identity_cert_name();
+  }
+  distributor->WatchTlsCertificates(std::move(watcher_ptr),
+                                    watched_root_cert_name,
+                                    watched_identity_cert_name);
 }
 
 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
+  if (ssl_session_cache_ != nullptr) {
+    tsi_ssl_session_cache_unref(ssl_session_cache_);
+  }
+  // Cancel all the watchers.
+  grpc_tls_certificate_distributor* distributor =
+      options_->certificate_distributor();
+  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
   if (client_handshaker_factory_ != nullptr) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
   }
-  if (key_materials_config_.get() != nullptr) {
-    key_materials_config_.get()->Unref();
+  if (check_arg_ != nullptr) {
+    ServerAuthorizationCheckArgDestroy(check_arg_);
   }
-  ServerAuthorizationCheckArgDestroy(check_arg_);
 }
 
 void TlsChannelSecurityConnector::add_handshakers(
     const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
     grpc_core::HandshakeManager* handshake_mgr) {
-  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
-    return;
-  }
-  // Instantiate TSI handshaker.
-  tsi_handshaker* tsi_hs = nullptr;
-  tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
-      client_handshaker_factory_,
-      overridden_target_name_.empty() ? target_name_.c_str()
-                                      : overridden_target_name_.c_str(),
-      &tsi_hs);
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-            tsi_result_to_string(result));
+  grpc_core::MutexLock lock(&mu_);
+  if (client_handshaker_factory_ != nullptr) {
+    // Instantiate TSI handshaker.
+    tsi_handshaker* tsi_hs = nullptr;
+    tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
+        client_handshaker_factory_,
+        overridden_target_name_.empty() ? target_name_.c_str()
+                                        : overridden_target_name_.c_str(),
+        &tsi_hs);
+    if (result != TSI_OK) {
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+              tsi_result_to_string(result));
+      return;
+    }
+    // Create handshakers.
+    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
     return;
   }
-  // Create handshakers.
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
+  // TODO(ZhenLian): Implement the logic(delegation to
+  // BlockOnInitialCredentialHandshaker) when certificates are not ready.
+  gpr_log(GPR_ERROR, "%s not supported yet.",
+          "Client BlockOnInitialCredentialHandshaker");
 }
 
 void TlsChannelSecurityConnector::check_peer(
@@ -203,12 +196,9 @@ void TlsChannelSecurityConnector::check_peer(
   }
   *auth_context =
       grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
-  const TlsCredentials* creds =
-      static_cast<const TlsCredentials*>(channel_creds());
-  if (creds->options().server_verification_option() ==
-      GRPC_TLS_SERVER_VERIFICATION) {
+  if (options_->server_verification_option() == GRPC_TLS_SERVER_VERIFICATION) {
     /* Do the default host name check if specifying the target name. */
-    error = TlsCheckHostName(target_name, &peer);
+    error = internal::TlsCheckHostName(target_name, &peer);
     if (error != GRPC_ERROR_NONE) {
       grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
       tsi_peer_destruct(&peer);
@@ -217,7 +207,7 @@ void TlsChannelSecurityConnector::check_peer(
   }
   /* Do the custom server authorization check, if specified by the user. */
   const grpc_tls_server_authorization_check_config* config =
-      creds->options().server_authorization_check_config();
+      options_->server_authorization_check_config();
   /* If server authorization config is not null, use it to perform
    * server authorization check. */
   if (config != nullptr) {
@@ -289,105 +279,86 @@ void TlsChannelSecurityConnector::cancel_check_call_host(
   GRPC_ERROR_UNREF(error);
 }
 
-grpc_core::RefCountedPtr<grpc_channel_security_connector>
-TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
-    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
-    const char* target_name, const char* overridden_target_name,
-    tsi_ssl_session_cache* ssl_session_cache) {
-  if (channel_creds == nullptr) {
-    gpr_log(GPR_ERROR,
-            "channel_creds is nullptr in "
-            "TlsChannelSecurityConnectorCreate()");
-    return nullptr;
+void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
+    OnCertificatesChanged(
+        absl::optional<absl::string_view> root_certs,
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) {
+  GPR_ASSERT(security_connector_ != nullptr);
+  grpc_core::MutexLock lock(&security_connector_->mu_);
+  if (root_certs.has_value()) {
+    security_connector_->pem_root_certs_ = root_certs;
+  }
+  if (key_cert_pairs.has_value()) {
+    security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
+  }
+  bool root_being_watched = security_connector_->options_->watch_root_cert();
+  bool root_has_value = security_connector_->pem_root_certs_.has_value();
+  bool identity_being_watched =
+      security_connector_->options_->watch_identity_pair();
+  bool identity_has_value =
+      security_connector_->pem_key_cert_pair_list_.has_value();
+  if ((root_being_watched && root_has_value && identity_being_watched &&
+       identity_has_value) ||
+      (root_being_watched && root_has_value && !identity_being_watched) ||
+      (!root_being_watched && identity_being_watched && identity_has_value)) {
+    if (security_connector_->UpdateHandshakerFactoryLocked() !=
+        GRPC_SECURITY_OK) {
+      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
+    }
   }
-  if (target_name == nullptr) {
+}
+
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
+// BlockOnInitialCredentialHandshaker is implemented.
+void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError(
+    grpc_error* root_cert_error, grpc_error* identity_cert_error) {
+  if (root_cert_error != GRPC_ERROR_NONE) {
     gpr_log(GPR_ERROR,
-            "target_name is nullptr in "
-            "TlsChannelSecurityConnectorCreate()");
-    return nullptr;
+            "TlsChannelCertificateWatcher getting root_cert_error: %s",
+            grpc_error_string(root_cert_error));
   }
-  grpc_core::RefCountedPtr<TlsChannelSecurityConnector> c =
-      grpc_core::MakeRefCounted<TlsChannelSecurityConnector>(
-          std::move(channel_creds), std::move(request_metadata_creds),
-          target_name, overridden_target_name);
-  if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
-    gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
-    return nullptr;
+  if (identity_cert_error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_ERROR,
+            "TlsChannelCertificateWatcher getting identity_cert_error: %s",
+            grpc_error_string(identity_cert_error));
   }
-  return c;
+  GRPC_ERROR_UNREF(root_cert_error);
+  GRPC_ERROR_UNREF(identity_cert_error);
 }
 
-grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
-    tsi_ssl_session_cache* ssl_session_cache) {
-  const TlsCredentials* creds =
-      static_cast<const TlsCredentials*>(channel_creds());
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
+// BlockOnInitialCredentialHandshaker is implemented.
+grpc_security_status
+TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
   bool skip_server_certificate_verification =
-      creds->options().server_verification_option() ==
+      options_->server_verification_option() ==
       GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION;
   /* Free the client handshaker factory if exists. */
-  if (client_handshaker_factory_) {
+  if (client_handshaker_factory_ != nullptr) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
   }
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
-      key_materials_config_->pem_key_cert_pair_list());
+  std::string pem_root_certs;
+  if (pem_root_certs_.has_value()) {
+    // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
+    // std::string and absl::string_view to avoid making another copy here.
+    pem_root_certs = std::string(*pem_root_certs_);
+  }
+  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;
+  if (pem_key_cert_pair_list_.has_value()) {
+    pem_key_cert_pair = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
+  }
   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
-      pem_key_cert_pair, key_materials_config_->pem_root_certs(),
+      pem_key_cert_pair,
+      pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
       skip_server_certificate_verification,
-      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
-      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
-      ssl_session_cache, &client_handshaker_factory_);
+      grpc_get_tsi_tls_version(options_->min_tls_version()),
+      grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
+      &client_handshaker_factory_);
   /* Free memory. */
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
-  return status;
-}
-
-grpc_security_status TlsChannelSecurityConnector::InitializeHandshakerFactory(
-    tsi_ssl_session_cache* ssl_session_cache) {
-  grpc_core::MutexLock lock(&mu_);
-  const TlsCredentials* creds =
-      static_cast<const TlsCredentials*>(channel_creds());
-  grpc_tls_key_materials_config* key_materials_config =
-      creds->options().key_materials_config();
-  // key_materials_config_->set_key_materials will handle the copying of the key
-  // materials users provided
-  if (key_materials_config != nullptr) {
-    key_materials_config_->set_key_materials(
-        key_materials_config->pem_root_certs(),
-        key_materials_config->pem_key_cert_pair_list());
-  }
-  grpc_ssl_certificate_config_reload_status reload_status =
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
-  /** If |creds->options()| has a credential reload config, then the call to
-   *  |TlsFetchKeyMaterials| will use it to update the root cert and
-   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
-  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
-                           &reload_status) != GRPC_STATUS_OK) {
-    /* Raise an error if key materials are not populated. */
-    return GRPC_SECURITY_ERROR;
-  }
-  return ReplaceHandshakerFactory(ssl_session_cache);
-}
-
-grpc_security_status TlsChannelSecurityConnector::RefreshHandshakerFactory() {
-  grpc_core::MutexLock lock(&mu_);
-  const TlsCredentials* creds =
-      static_cast<const TlsCredentials*>(channel_creds());
-  grpc_ssl_certificate_config_reload_status reload_status =
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
-  /** If |creds->options()| has a credential reload config, then the call to
-   *  |TlsFetchKeyMaterials| will use it to update the root cert and
-   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
-  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
-                           &reload_status) != GRPC_STATUS_OK) {
-    return GRPC_SECURITY_ERROR;
-  }
-  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
-    // Re-use existing handshaker factory.
-    return GRPC_SECURITY_OK;
-  } else {
-    return ReplaceHandshakerFactory(nullptr);
+  if (pem_key_cert_pair != nullptr) {
+    grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
   }
+  return status;
 }
 
 void TlsChannelSecurityConnector::ServerAuthorizationCheckDone(
@@ -457,40 +428,86 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
   delete arg;
 }
 
+// -------------------server security connector-------------------
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options) {
+  if (server_creds == nullptr) {
+    gpr_log(GPR_ERROR,
+            "server_creds is nullptr in "
+            "TlsServerSecurityConnectorCreate()");
+    return nullptr;
+  }
+  if (options == nullptr) {
+    gpr_log(GPR_ERROR,
+            "options is nullptr in "
+            "TlsServerSecurityConnectorCreate()");
+    return nullptr;
+  }
+  grpc_core::RefCountedPtr<TlsServerSecurityConnector> c =
+      grpc_core::MakeRefCounted<TlsServerSecurityConnector>(
+          std::move(server_creds), std::move(options));
+  return c;
+}
+
 TlsServerSecurityConnector::TlsServerSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds,
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
     : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
-                                     std::move(server_creds)) {
-  key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
+                                     std::move(server_creds)),
+      options_(std::move(options)) {
+  // Create a watcher.
+  auto watcher_ptr = absl::make_unique<TlsServerCertificateWatcher>(this);
+  certificate_watcher_ = watcher_ptr.get();
+  // Register the watcher with the distributor.
+  grpc_tls_certificate_distributor* distributor =
+      options_->certificate_distributor();
+  absl::optional<std::string> watched_root_cert_name;
+  if (options_->watch_root_cert()) {
+    watched_root_cert_name = options_->root_cert_name();
+  }
+  absl::optional<std::string> watched_identity_cert_name;
+  if (options_->watch_identity_pair()) {
+    watched_identity_cert_name = options_->identity_cert_name();
+  }
+  distributor->WatchTlsCertificates(std::move(watcher_ptr),
+                                    watched_root_cert_name,
+                                    watched_identity_cert_name);
 }
 
 TlsServerSecurityConnector::~TlsServerSecurityConnector() {
+  // Cancel all the watchers.
+  grpc_tls_certificate_distributor* distributor =
+      options_->certificate_distributor();
+  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
   if (server_handshaker_factory_ != nullptr) {
     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
   }
-  if (key_materials_config_.get() != nullptr) {
-    key_materials_config_.get()->Unref();
-  }
 }
 
 void TlsServerSecurityConnector::add_handshakers(
     const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
     grpc_core::HandshakeManager* handshake_mgr) {
-  /* Refresh handshaker factory if needed. */
-  if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
-    gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
-    return;
-  }
-  /* Create a TLS TSI handshaker for server. */
-  tsi_handshaker* tsi_hs = nullptr;
-  tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
-      server_handshaker_factory_, &tsi_hs);
-  if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
-            tsi_result_to_string(result));
+  grpc_core::MutexLock lock(&mu_);
+  if (server_handshaker_factory_ != nullptr) {
+    // Instantiate TSI handshaker.
+    tsi_handshaker* tsi_hs = nullptr;
+    tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
+        server_handshaker_factory_, &tsi_hs);
+    if (result != TSI_OK) {
+      gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+              tsi_result_to_string(result));
+      return;
+    }
+    // Create handshakers.
+    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
     return;
   }
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
+  // TODO(ZhenLian): Implement the logic(delegation to
+  // BlockOnInitialCredentialHandshaker) when certificates are not ready.
+  gpr_log(GPR_ERROR, "%s not supported yet.",
+          "Server BlockOnInitialCredentialHandshaker");
 }
 
 void TlsServerSecurityConnector::check_peer(
@@ -510,43 +527,79 @@ int TlsServerSecurityConnector::cmp(
       static_cast<const grpc_server_security_connector*>(other));
 }
 
-grpc_core::RefCountedPtr<grpc_server_security_connector>
-TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
-    grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
-  if (server_creds == nullptr) {
+void TlsServerSecurityConnector::TlsServerCertificateWatcher::
+    OnCertificatesChanged(
+        absl::optional<absl::string_view> root_certs,
+        absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) {
+  GPR_ASSERT(security_connector_ != nullptr);
+  grpc_core::MutexLock lock(&security_connector_->mu_);
+  if (root_certs.has_value()) {
+    security_connector_->pem_root_certs_ = root_certs;
+  }
+  if (key_cert_pairs.has_value()) {
+    security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
+  }
+  bool root_being_watched = security_connector_->options_->watch_root_cert();
+  bool root_has_value = security_connector_->pem_root_certs_.has_value();
+  bool identity_being_watched =
+      security_connector_->options_->watch_identity_pair();
+  bool identity_has_value =
+      security_connector_->pem_key_cert_pair_list_.has_value();
+  if ((root_being_watched && root_has_value && identity_being_watched &&
+       identity_has_value) ||
+      (root_being_watched && root_has_value && !identity_being_watched) ||
+      (!root_being_watched && identity_being_watched && identity_has_value)) {
+    if (security_connector_->UpdateHandshakerFactoryLocked() !=
+        GRPC_SECURITY_OK) {
+      gpr_log(GPR_ERROR, "Update handshaker factory failed.");
+    }
+  }
+}
+
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
+// BlockOnInitialCredentialHandshaker is implemented.
+void TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError(
+    grpc_error* root_cert_error, grpc_error* identity_cert_error) {
+  if (root_cert_error != GRPC_ERROR_NONE) {
     gpr_log(GPR_ERROR,
-            "server_creds is nullptr in "
-            "TlsServerSecurityConnectorCreate()");
-    return nullptr;
+            "TlsServerCertificateWatcher getting root_cert_error: %s",
+            grpc_error_string(root_cert_error));
   }
-  grpc_core::RefCountedPtr<TlsServerSecurityConnector> c =
-      grpc_core::MakeRefCounted<TlsServerSecurityConnector>(
-          std::move(server_creds));
-  if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
-    gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
-    return nullptr;
+  if (identity_cert_error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_ERROR,
+            "TlsServerCertificateWatcher getting identity_cert_error: %s",
+            grpc_error_string(identity_cert_error));
   }
-  return c;
+  GRPC_ERROR_UNREF(root_cert_error);
+  GRPC_ERROR_UNREF(identity_cert_error);
 }
 
-grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
-  const TlsServerCredentials* creds =
-      static_cast<const TlsServerCredentials*>(server_creds());
+// TODO(ZhenLian): implement the logic to signal waiting handshakers once
+// BlockOnInitialCredentialHandshaker is implemented.
+grpc_security_status
+TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
   /* Free the server handshaker factory if exists. */
-  if (server_handshaker_factory_) {
+  if (server_handshaker_factory_ != nullptr) {
     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
   }
-  GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
-      key_materials_config_->pem_key_cert_pair_list());
-  size_t num_key_cert_pairs =
-      key_materials_config_->pem_key_cert_pair_list().size();
+  // The identity certs on the server side shouldn't be empty.
+  GPR_ASSERT(pem_key_cert_pair_list_.has_value());
+  GPR_ASSERT(!(*pem_key_cert_pair_list_).empty());
+  std::string pem_root_certs;
+  if (pem_root_certs_.has_value()) {
+    // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
+    // std::string and absl::string_view to avoid making another copy here.
+    pem_root_certs = std::string(*pem_root_certs_);
+  }
+  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
+  pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
+  size_t num_key_cert_pairs = (*pem_key_cert_pair_list_).size();
   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
       pem_key_cert_pairs, num_key_cert_pairs,
-      key_materials_config_->pem_root_certs(),
-      creds->options().cert_request_type(),
-      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
-      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
+      pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
+      options_->cert_request_type(),
+      grpc_get_tsi_tls_version(options_->min_tls_version()),
+      grpc_get_tsi_tls_version(options_->max_tls_version()),
       &server_handshaker_factory_);
   /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
@@ -554,53 +607,18 @@ grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
   return status;
 }
 
-grpc_security_status TlsServerSecurityConnector::InitializeHandshakerFactory() {
-  grpc_core::MutexLock lock(&mu_);
-  const TlsServerCredentials* creds =
-      static_cast<const TlsServerCredentials*>(server_creds());
-  grpc_tls_key_materials_config* key_materials_config =
-      creds->options().key_materials_config();
-  if (key_materials_config != nullptr) {
-    key_materials_config_->set_key_materials(
-        key_materials_config->pem_root_certs(),
-        key_materials_config->pem_key_cert_pair_list());
-  }
-  grpc_ssl_certificate_config_reload_status reload_status =
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
-  /** If |creds->options()| has a credential reload config, then the call to
-   *  |TlsFetchKeyMaterials| will use it to update the root cert and
-   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
-   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
-   *  credentials, and an error code if not. **/
-  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
-                           &reload_status) != GRPC_STATUS_OK) {
-    /* Raise an error if key materials are not populated. */
-    return GRPC_SECURITY_ERROR;
-  }
-  return ReplaceHandshakerFactory();
-}
+namespace internal {
 
-grpc_security_status TlsServerSecurityConnector::RefreshHandshakerFactory() {
-  grpc_core::MutexLock lock(&mu_);
-  const TlsServerCredentials* creds =
-      static_cast<const TlsServerCredentials*>(server_creds());
-  grpc_ssl_certificate_config_reload_status reload_status =
-      GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
-  /** If |creds->options()| has a credential reload config, then the call to
-   *  |TlsFetchKeyMaterials| will use it to update the root cert and
-   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
-   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
-   *  credentials, and an error code if not. **/
-  if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
-                           &reload_status) != GRPC_STATUS_OK) {
-    return GRPC_SECURITY_ERROR;
-  }
-  if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
-    /* At this point, we should have key materials populated. */
-    return GRPC_SECURITY_OK;
-  } else {
-    return ReplaceHandshakerFactory();
+grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
+  /* Check the peer name if specified. */
+  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
+  return GRPC_ERROR_NONE;
 }
 
+}  // namespace internal
+
 }  // namespace grpc_core