grpc 1.43.1 → 1.44.0.pre2

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -41,23 +41,15 @@
 
 using grpc_core::Json;
 
-void grpc_service_account_jwt_access_credentials::reset_cache() {
-  GRPC_MDELEM_UNREF(cached_.jwt_md);
-  cached_.jwt_md = GRPC_MDNULL;
-  cached_.service_url.clear();
-  cached_.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
-}
-
 grpc_service_account_jwt_access_credentials::
     ~grpc_service_account_jwt_access_credentials() {
   grpc_auth_json_key_destruct(&key_);
-  reset_cache();
   gpr_mu_destroy(&cache_mu_);
 }
 
 bool grpc_service_account_jwt_access_credentials::get_request_metadata(
     grpc_polling_entity* /*pollent*/, grpc_auth_metadata_context context,
-    grpc_credentials_mdelem_array* md_array,
+    grpc_core::CredentialsMetadataArray* md_array,
     grpc_closure* /*on_request_metadata*/, grpc_error_handle* error) {
   gpr_timespec refresh_threshold = gpr_time_from_seconds(
       GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
@@ -71,42 +63,38 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
     return true;
   }
   /* See if we can return a cached jwt. */
-  grpc_mdelem jwt_md = GRPC_MDNULL;
+  absl::optional<grpc_core::Slice> jwt_value;
   {
     gpr_mu_lock(&cache_mu_);
-    if (!cached_.service_url.empty() && cached_.service_url == *uri &&
-        !GRPC_MDISNULL(cached_.jwt_md) &&
+    if (cached_.has_value() && cached_->service_url == *uri &&
         (gpr_time_cmp(
-             gpr_time_sub(cached_.jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)),
+             gpr_time_sub(cached_->jwt_expiration, gpr_now(GPR_CLOCK_REALTIME)),
              refresh_threshold) > 0)) {
-      jwt_md = GRPC_MDELEM_REF(cached_.jwt_md);
+      jwt_value = cached_->jwt_value.Ref();
     }
     gpr_mu_unlock(&cache_mu_);
   }
 
-  if (GRPC_MDISNULL(jwt_md)) {
+  if (!jwt_value.has_value()) {
     char* jwt = nullptr;
     /* Generate a new jwt. */
     gpr_mu_lock(&cache_mu_);
-    reset_cache();
+    cached_.reset();
     jwt = grpc_jwt_encode_and_sign(&key_, uri->c_str(), jwt_lifetime_, nullptr);
     if (jwt != nullptr) {
       std::string md_value = absl::StrCat("Bearer ", jwt);
       gpr_free(jwt);
-      cached_.jwt_expiration =
-          gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_);
-      cached_.service_url = std::move(*uri);
-      cached_.jwt_md = grpc_mdelem_from_slices(
-          grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
-          grpc_slice_from_cpp_string(std::move(md_value)));
-      jwt_md = GRPC_MDELEM_REF(cached_.jwt_md);
+      jwt_value = grpc_core::Slice::FromCopiedString(md_value);
+      cached_ = {jwt_value->Ref(), std::move(*uri),
+                 gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_)};
     }
     gpr_mu_unlock(&cache_mu_);
   }
 
-  if (!GRPC_MDISNULL(jwt_md)) {
-    grpc_credentials_mdelem_array_add(md_array, jwt_md);
-    GRPC_MDELEM_UNREF(jwt_md);
+  if (jwt_value.has_value()) {
+    md_array->emplace_back(
+        grpc_core::Slice::FromStaticString(GRPC_AUTHORIZATION_METADATA_KEY),
+        std::move(*jwt_value));
   } else {
     *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Could not generate JWT.");
   }
@@ -114,7 +102,8 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
 }
 
 void grpc_service_account_jwt_access_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* /*md_array*/, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* /*md_array*/,
+    grpc_error_handle error) {
   GRPC_ERROR_UNREF(error);
 }
 
@@ -131,7 +120,6 @@ grpc_service_account_jwt_access_credentials::
   }
   jwt_lifetime_ = token_lifetime;
   gpr_mu_init(&cache_mu_);
-  reset_cache();
 }
 
 grpc_core::RefCountedPtr<grpc_call_credentials>

data/src/core/lib/security/credentials/jwt/jwt_credentials.h

@@ -40,12 +40,13 @@ class grpc_service_account_jwt_access_credentials
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   const gpr_timespec& jwt_lifetime() const { return jwt_lifetime_; }
   const grpc_auth_json_key& key() const { return key_; }
@@ -58,16 +59,15 @@ class grpc_service_account_jwt_access_credentials
   };
 
  private:
-  void reset_cache();
-
   // Have a simple cache for now with just 1 entry. We could have a map based on
   // the service_url for a more sophisticated one.
   gpr_mu cache_mu_;
-  struct {
-    grpc_mdelem jwt_md = GRPC_MDNULL;
+  struct Cache {
+    grpc_core::Slice jwt_value;
     std::string service_url;
     gpr_timespec jwt_expiration;
-  } cached_;
+  };
+  absl::optional<Cache> cached_;
 
   grpc_auth_json_key key_;
   gpr_timespec jwt_lifetime_;

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -23,17 +23,15 @@
 #include <limits.h>
 #include <string.h>
 
+#include <openssl/bn.h>
+#include <openssl/pem.h>
+#include <openssl/rsa.h>
+
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
-extern "C" {
-#include <openssl/bn.h>
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-}
-
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/manual_constructor.h"
 #include "src/core/lib/http/httpcli.h"
@@ -397,7 +395,6 @@ struct grpc_jwt_verifier {
   email_key_mapping* mappings;
   size_t num_mappings; /* Should be very few, linear search ok. */
   size_t allocated_mappings;
-  grpc_httpcli_context http_ctx;
 };
 
 static Json json_from_http(const grpc_httpcli_response* response) {
@@ -700,8 +697,7 @@ static void on_openid_config_retrieved(void* user_data,
      channel. This would allow us to cancel an authentication query when under
      extreme memory pressure. */
   grpc_httpcli_get(
-      &ctx->verifier->http_ctx, &ctx->pollent,
-      grpc_core::ResourceQuota::Default(), &req,
+      &ctx->pollent, grpc_core::ResourceQuota::Default(), &req,
       grpc_core::ExecCtx::Get()->Now() + grpc_jwt_verifier_max_delay,
       GRPC_CLOSURE_CREATE(on_keys_retrieved, ctx, grpc_schedule_on_exec_ctx),
       &ctx->responses[HTTP_RESPONSE_KEYS]);
@@ -824,8 +820,7 @@ static void retrieve_key_and_verify(verifier_cb_ctx* ctx) {
      channel. This would allow us to cancel an authentication query when under
      extreme memory pressure. */
   grpc_httpcli_get(
-      &ctx->verifier->http_ctx, &ctx->pollent,
-      grpc_core::ResourceQuota::Default(), &req,
+      &ctx->pollent, grpc_core::ResourceQuota::Default(), &req,
       grpc_core::ExecCtx::Get()->Now() + grpc_jwt_verifier_max_delay, http_cb,
       &ctx->responses[rsp_idx]);
   gpr_free(req.host);
@@ -886,7 +881,6 @@ grpc_jwt_verifier* grpc_jwt_verifier_create(
     const grpc_jwt_verifier_email_domain_key_url_mapping* mappings,
     size_t num_mappings) {
   grpc_jwt_verifier* v = grpc_core::Zalloc<grpc_jwt_verifier>();
-  grpc_httpcli_context_init(&v->http_ctx);
 
   /* We know at least of one mapping. */
   v->allocated_mappings = 1 + num_mappings;
@@ -908,7 +902,6 @@ grpc_jwt_verifier* grpc_jwt_verifier_create(
 void grpc_jwt_verifier_destroy(grpc_jwt_verifier* v) {
   size_t i;
   if (v == nullptr) return;
-  grpc_httpcli_context_destroy(&v->http_ctx);
   if (v->mappings != nullptr) {
     for (i = 0; i < v->num_mappings; i++) {
       gpr_free(v->mappings[i].email_domain);

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -127,15 +127,14 @@ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token) {
 
 grpc_oauth2_token_fetcher_credentials::
     ~grpc_oauth2_token_fetcher_credentials() {
-  GRPC_MDELEM_UNREF(access_token_md_);
   gpr_mu_destroy(&mu_);
   grpc_pollset_set_destroy(grpc_polling_entity_pollset_set(&pollent_));
-  grpc_httpcli_context_destroy(&httpcli_context_);
 }
 
 grpc_credentials_status
 grpc_oauth2_token_fetcher_credentials_parse_server_response(
-    const grpc_http_response* response, grpc_mdelem* token_md,
+    const grpc_http_response* response,
+    absl::optional<grpc_core::Slice>* token_value,
     grpc_millis* token_lifetime) {
   char* null_terminated_body = nullptr;
   grpc_credentials_status status = GRPC_CREDENTIALS_OK;
@@ -204,19 +203,13 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
     }
     expires_in = it->second.string_value().c_str();
     *token_lifetime = strtol(expires_in, nullptr, 10) * GPR_MS_PER_SEC;
-    if (!GRPC_MDISNULL(*token_md)) GRPC_MDELEM_UNREF(*token_md);
-    *token_md = grpc_mdelem_from_slices(
-        grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
-        grpc_slice_from_cpp_string(
-            absl::StrCat(token_type, " ", access_token)));
+    *token_value = grpc_core::Slice::FromCopiedString(
+        absl::StrCat(token_type, " ", access_token));
     status = GRPC_CREDENTIALS_OK;
   }
 
 end:
-  if (status != GRPC_CREDENTIALS_OK && !GRPC_MDISNULL(*token_md)) {
-    GRPC_MDELEM_UNREF(*token_md);
-    *token_md = GRPC_MDNULL;
-  }
+  if (status != GRPC_CREDENTIALS_OK) *token_value = absl::nullopt;
   gpr_free(null_terminated_body);
   return status;
 }
@@ -233,17 +226,21 @@ static void on_oauth2_token_fetcher_http_response(void* user_data,
 
 void grpc_oauth2_token_fetcher_credentials::on_http_response(
     grpc_credentials_metadata_request* r, grpc_error_handle error) {
-  grpc_mdelem access_token_md = GRPC_MDNULL;
+  absl::optional<grpc_core::Slice> access_token_value;
   grpc_millis token_lifetime = 0;
   grpc_credentials_status status =
       error == GRPC_ERROR_NONE
           ? grpc_oauth2_token_fetcher_credentials_parse_server_response(
-                &r->response, &access_token_md, &token_lifetime)
+                &r->response, &access_token_value, &token_lifetime)
           : GRPC_CREDENTIALS_ERROR;
   // Update cache and grab list of pending requests.
   gpr_mu_lock(&mu_);
   token_fetch_pending_ = false;
-  access_token_md_ = GRPC_MDELEM_REF(access_token_md);
+  if (access_token_value.has_value()) {
+    access_token_value_ = access_token_value->Ref();
+  } else {
+    access_token_value_ = absl::nullopt;
+  }
   token_expiration_ =
       status == GRPC_CREDENTIALS_OK
           ? gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
@@ -256,8 +253,9 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
   while (pending_request != nullptr) {
     grpc_error_handle new_error = GRPC_ERROR_NONE;
     if (status == GRPC_CREDENTIALS_OK) {
-      grpc_credentials_mdelem_array_add(pending_request->md_array,
-                                        access_token_md);
+      pending_request->md_array->emplace_back(
+          grpc_core::Slice::FromStaticString(GRPC_AUTHORIZATION_METADATA_KEY),
+          access_token_value->Ref());
     } else {
       new_error = GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
           "Error occurred when fetching oauth2 token.", &error, 1);
@@ -270,31 +268,31 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
     pending_request = pending_request->next;
     gpr_free(prev);
   }
-  GRPC_MDELEM_UNREF(access_token_md);
   Unref();
   grpc_credentials_metadata_request_destroy(r);
 }
 
 bool grpc_oauth2_token_fetcher_credentials::get_request_metadata(
     grpc_polling_entity* pollent, grpc_auth_metadata_context /*context*/,
-    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
-    grpc_error_handle* /*error*/) {
+    grpc_core::CredentialsMetadataArray* md_array,
+    grpc_closure* on_request_metadata, grpc_error_handle* /*error*/) {
   // Check if we can use the cached token.
   grpc_millis refresh_threshold =
       GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS * GPR_MS_PER_SEC;
-  grpc_mdelem cached_access_token_md = GRPC_MDNULL;
+  absl::optional<grpc_core::Slice> cached_access_token_value;
   gpr_mu_lock(&mu_);
-  if (!GRPC_MDISNULL(access_token_md_) &&
+  if (access_token_value_.has_value() &&
       gpr_time_cmp(
           gpr_time_sub(token_expiration_, gpr_now(GPR_CLOCK_MONOTONIC)),
           gpr_time_from_seconds(GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS,
                                 GPR_TIMESPAN)) > 0) {
-    cached_access_token_md = GRPC_MDELEM_REF(access_token_md_);
+    cached_access_token_value = access_token_value_->Ref();
   }
-  if (!GRPC_MDISNULL(cached_access_token_md)) {
+  if (cached_access_token_value.has_value()) {
     gpr_mu_unlock(&mu_);
-    grpc_credentials_mdelem_array_add(md_array, cached_access_token_md);
-    GRPC_MDELEM_UNREF(cached_access_token_md);
+    md_array->emplace_back(
+        grpc_core::Slice::FromStaticString(GRPC_AUTHORIZATION_METADATA_KEY),
+        std::move(*cached_access_token_value));
     return true;
   }
   // Couldn't get the token from the cache.
@@ -318,15 +316,14 @@ bool grpc_oauth2_token_fetcher_credentials::get_request_metadata(
   if (start_fetch) {
     Ref().release();
     fetch_oauth2(grpc_credentials_metadata_request_create(this->Ref()),
-                 &httpcli_context_, &pollent_,
-                 on_oauth2_token_fetcher_http_response,
+                 &pollent_, on_oauth2_token_fetcher_http_response,
                  grpc_core::ExecCtx::Get()->Now() + refresh_threshold);
   }
   return false;
 }
 
 void grpc_oauth2_token_fetcher_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* md_array, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* md_array, grpc_error_handle error) {
   gpr_mu_lock(&mu_);
   grpc_oauth2_pending_get_request_metadata* prev = nullptr;
   grpc_oauth2_pending_get_request_metadata* pending_request = pending_requests_;
@@ -358,7 +355,6 @@ grpc_oauth2_token_fetcher_credentials::grpc_oauth2_token_fetcher_credentials()
       pollent_(grpc_polling_entity_create_from_pollset_set(
           grpc_pollset_set_create())) {
   gpr_mu_init(&mu_);
-  grpc_httpcli_context_init(&httpcli_context_);
 }
 
 std::string grpc_oauth2_token_fetcher_credentials::debug_string() {
@@ -379,7 +375,6 @@ class grpc_compute_engine_token_fetcher_credentials
 
  protected:
   void fetch_oauth2(grpc_credentials_metadata_request* metadata_req,
-                    grpc_httpcli_context* http_context,
                     grpc_polling_entity* pollent,
                     grpc_iomgr_cb_func response_cb,
                     grpc_millis deadline) override {
@@ -395,8 +390,8 @@ class grpc_compute_engine_token_fetcher_credentials
     /* TODO(ctiller): Carry the memory quota in ctx and share it with the host
        channel. This would allow us to cancel an authentication query when under
        extreme memory pressure. */
-    grpc_httpcli_get(http_context, pollent, grpc_core::ResourceQuota::Default(),
-                     &request, deadline,
+    grpc_httpcli_get(pollent, grpc_core::ResourceQuota::Default(), &request,
+                     deadline,
                      GRPC_CLOSURE_INIT(&http_get_cb_closure_, response_cb,
                                        metadata_req, grpc_schedule_on_exec_ctx),
                      &metadata_req->response);
@@ -435,8 +430,8 @@ grpc_google_refresh_token_credentials::
 
 void grpc_google_refresh_token_credentials::fetch_oauth2(
     grpc_credentials_metadata_request* metadata_req,
-    grpc_httpcli_context* httpcli_context, grpc_polling_entity* pollent,
-    grpc_iomgr_cb_func response_cb, grpc_millis deadline) {
+    grpc_polling_entity* pollent, grpc_iomgr_cb_func response_cb,
+    grpc_millis deadline) {
   grpc_http_header header = {
       const_cast<char*>("Content-Type"),
       const_cast<char*>("application/x-www-form-urlencoded")};
@@ -453,9 +448,8 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
   /* TODO(ctiller): Carry the memory quota in ctx and share it with the host
      channel. This would allow us to cancel an authentication query when under
      extreme memory pressure. */
-  grpc_httpcli_post(httpcli_context, pollent,
-                    grpc_core::ResourceQuota::Default(), &request, body.c_str(),
-                    body.size(), deadline,
+  grpc_httpcli_post(pollent, grpc_core::ResourceQuota::Default(), &request,
+                    body.c_str(), body.size(), deadline,
                     GRPC_CLOSURE_INIT(&http_post_cb_closure_, response_cb,
                                       metadata_req, grpc_schedule_on_exec_ctx),
                     &metadata_req->response);
@@ -556,7 +550,6 @@ class StsTokenFetcherCredentials
 
  private:
   void fetch_oauth2(grpc_credentials_metadata_request* metadata_req,
-                    grpc_httpcli_context* http_context,
                     grpc_polling_entity* pollent,
                     grpc_iomgr_cb_func response_cb,
                     grpc_millis deadline) override {
@@ -584,8 +577,8 @@ class StsTokenFetcherCredentials
        channel. This would allow us to cancel an authentication query when under
        extreme memory pressure. */
     grpc_httpcli_post(
-        http_context, pollent, ResourceQuota::Default(), &request, body,
-        body_length, deadline,
+        pollent, ResourceQuota::Default(), &request, body, body_length,
+        deadline,
         GRPC_CLOSURE_INIT(&http_post_cb_closure_, response_cb, metadata_req,
                           grpc_schedule_on_exec_ctx),
         &metadata_req->response);
@@ -705,36 +698,30 @@ grpc_call_credentials* grpc_sts_credentials_create(
 // Oauth2 Access Token credentials.
 //
 
-grpc_access_token_credentials::~grpc_access_token_credentials() {
-  GRPC_MDELEM_UNREF(access_token_md_);
-}
-
 bool grpc_access_token_credentials::get_request_metadata(
     grpc_polling_entity* /*pollent*/, grpc_auth_metadata_context /*context*/,
-    grpc_credentials_mdelem_array* md_array,
+    grpc_core::CredentialsMetadataArray* md_array,
     grpc_closure* /*on_request_metadata*/, grpc_error_handle* /*error*/) {
-  grpc_credentials_mdelem_array_add(md_array, access_token_md_);
+  md_array->emplace_back(
+      grpc_core::Slice::FromStaticString(GRPC_AUTHORIZATION_METADATA_KEY),
+      access_token_value_.Ref());
   return true;
 }
 
 void grpc_access_token_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* /*md_array*/, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* /*md_array*/,
+    grpc_error_handle error) {
   GRPC_ERROR_UNREF(error);
 }
 
 grpc_access_token_credentials::grpc_access_token_credentials(
     const char* access_token)
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) {
-  grpc_core::ExecCtx exec_ctx;
-  access_token_md_ = grpc_mdelem_from_slices(
-      grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
-      grpc_slice_from_cpp_string(absl::StrCat("Bearer ", access_token)));
-}
+    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
+      access_token_value_(grpc_core::Slice::FromCopiedString(
+          absl::StrCat("Bearer ", access_token))) {}
 
 std::string grpc_access_token_credentials::debug_string() {
-  bool access_token_present = !GRPC_MDISNULL(access_token_md_);
-  return absl::StrFormat("AccessTokenCredentials{Token:%s}",
-                         access_token_present ? "present" : "absent");
+  return absl::StrFormat("AccessTokenCredentials{Token:present}");
 }
 
 grpc_call_credentials* grpc_access_token_credentials_create(

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h

@@ -64,7 +64,7 @@ void grpc_auth_refresh_token_destruct(grpc_auth_refresh_token* refresh_token);
 //  from an http service.
 
 struct grpc_oauth2_pending_get_request_metadata {
-  grpc_credentials_mdelem_array* md_array;
+  grpc_core::CredentialsMetadataArray* md_array;
   grpc_closure* on_request_metadata;
   grpc_polling_entity* pollent;
   struct grpc_oauth2_pending_get_request_metadata* next;
@@ -77,12 +77,13 @@ class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   void on_http_response(grpc_credentials_metadata_request* r,
                         grpc_error_handle error);
@@ -90,17 +91,15 @@ class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
 
  protected:
   virtual void fetch_oauth2(grpc_credentials_metadata_request* req,
-                            grpc_httpcli_context* httpcli_context,
                             grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                             grpc_millis deadline) = 0;
 
  private:
   gpr_mu mu_;
-  grpc_mdelem access_token_md_ = GRPC_MDNULL;
+  absl::optional<grpc_core::Slice> access_token_value_;
   gpr_timespec token_expiration_;
   bool token_fetch_pending_ = false;
   grpc_oauth2_pending_get_request_metadata* pending_requests_ = nullptr;
-  grpc_httpcli_context httpcli_context_;
   grpc_polling_entity pollent_;
 };
 
@@ -120,7 +119,6 @@ class grpc_google_refresh_token_credentials final
 
  protected:
   void fetch_oauth2(grpc_credentials_metadata_request* req,
-                    grpc_httpcli_context* httpcli_context,
                     grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
                     grpc_millis deadline) override;
 
@@ -133,21 +131,21 @@ class grpc_google_refresh_token_credentials final
 class grpc_access_token_credentials final : public grpc_call_credentials {
  public:
   explicit grpc_access_token_credentials(const char* access_token);
-  ~grpc_access_token_credentials() override;
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   std::string debug_string() override;
 
  private:
-  grpc_mdelem access_token_md_;
+  const grpc_core::Slice access_token_value_;
 };
 
 // Private constructor for refresh token credentials from an already parsed
@@ -159,8 +157,8 @@ grpc_refresh_token_credentials_create_from_auth_refresh_token(
 // Exposed for testing only.
 grpc_credentials_status
 grpc_oauth2_token_fetcher_credentials_parse_server_response(
-    const struct grpc_http_response* response, grpc_mdelem* token_md,
-    grpc_millis* token_lifetime);
+    const struct grpc_http_response* response,
+    absl::optional<grpc_core::Slice>* token_value, grpc_millis* token_lifetime);
 
 namespace grpc_core {
 // Exposed for testing only. This function validates the options, ensuring that

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -110,10 +110,9 @@ static grpc_error_handle process_plugin_result(
       error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Illegal metadata");
     } else {
       for (size_t i = 0; i < num_md; ++i) {
-        grpc_mdelem mdelem =
-            grpc_mdelem_create(md[i].key, md[i].value, nullptr);
-        grpc_credentials_mdelem_array_add(r->md_array, mdelem);
-        GRPC_MDELEM_UNREF(mdelem);
+        r->md_array->emplace_back(
+            grpc_core::Slice(grpc_slice_ref_internal(md[i].key)),
+            grpc_core::Slice(grpc_slice_ref_internal(md[i].value)));
       }
     }
   }
@@ -155,8 +154,8 @@ static void plugin_md_request_metadata_ready(void* request,
 
 bool grpc_plugin_credentials::get_request_metadata(
     grpc_polling_entity* /*pollent*/, grpc_auth_metadata_context context,
-    grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata,
-    grpc_error_handle* error) {
+    grpc_core::CredentialsMetadataArray* md_array,
+    grpc_closure* on_request_metadata, grpc_error_handle* error) {
   bool retval = true;  // Synchronous return.
   if (plugin_.get_metadata != nullptr) {
     // Create pending_request object.
@@ -229,7 +228,7 @@ bool grpc_plugin_credentials::get_request_metadata(
 }
 
 void grpc_plugin_credentials::cancel_get_request_metadata(
-    grpc_credentials_mdelem_array* md_array, grpc_error_handle error) {
+    grpc_core::CredentialsMetadataArray* md_array, grpc_error_handle error) {
   gpr_mu_lock(&mu_);
   for (pending_request* pending_request = pending_requests_;
        pending_request != nullptr; pending_request = pending_request->next) {

data/src/core/lib/security/credentials/plugin/plugin_credentials.h

@@ -33,7 +33,7 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
   struct pending_request {
     bool cancelled;
     struct grpc_plugin_credentials* creds;
-    grpc_credentials_mdelem_array* md_array;
+    grpc_core::CredentialsMetadataArray* md_array;
     grpc_closure* on_request_metadata;
     struct pending_request* prev;
     struct pending_request* next;
@@ -45,12 +45,13 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
 
   bool get_request_metadata(grpc_polling_entity* pollent,
                             grpc_auth_metadata_context context,
-                            grpc_credentials_mdelem_array* md_array,
+                            grpc_core::CredentialsMetadataArray* md_array,
                             grpc_closure* on_request_metadata,
                             grpc_error_handle* error) override;
 
-  void cancel_get_request_metadata(grpc_credentials_mdelem_array* md_array,
-                                   grpc_error_handle error) override;
+  void cancel_get_request_metadata(
+      grpc_core::CredentialsMetadataArray* md_array,
+      grpc_error_handle error) override;
 
   // Checks if the request has been cancelled.
   // If not, removes it from the pending list, so that it cannot be

data/src/core/lib/security/credentials/ssl/ssl_credentials.cc

@@ -27,6 +27,7 @@
 #include <grpc/support/string_util.h>
 
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/tsi/ssl_transport_security.h"
 
@@ -34,16 +35,6 @@
 // SSL Channel Credentials.
 //
 
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
-                                             size_t num_key_cert_pairs) {
-  if (kp == nullptr) return;
-  for (size_t i = 0; i < num_key_cert_pairs; i++) {
-    gpr_free(const_cast<char*>(kp[i].private_key));
-    gpr_free(const_cast<char*>(kp[i].cert_chain));
-  }
-  gpr_free(kp);
-}
-
 grpc_ssl_credentials::grpc_ssl_credentials(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
     const grpc_ssl_verify_peer_options* verify_options)

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -91,6 +91,12 @@ void grpc_tls_credentials_options_set_certificate_verifier(
   options->set_certificate_verifier(verifier->Ref());
 }
 
+void grpc_tls_credentials_options_set_crl_directory(
+    grpc_tls_credentials_options* options, const char* crl_directory) {
+  GPR_ASSERT(options != nullptr);
+  options->set_crl_directory(crl_directory);
+}
+
 void grpc_tls_credentials_options_set_check_call_host(
     grpc_tls_credentials_options* options, int check_call_host) {
   GPR_ASSERT(options != nullptr);