grpc 1.45.0 → 1.46.2

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc

@@ -30,6 +30,10 @@
 
 namespace grpc_core {
 
+//
+// ExternalCertificateVerifier
+//
+
 bool ExternalCertificateVerifier::Verify(
     grpc_tls_custom_verification_check_request* request,
     std::function<void(absl::Status)> callback, absl::Status* sync_status) {
@@ -80,6 +84,10 @@ void ExternalCertificateVerifier::OnVerifyDone(
   }
 }
 
+//
+// HostNameCertificateVerifier
+//
+
 bool HostNameCertificateVerifier::Verify(
     grpc_tls_custom_verification_check_request* request,
     std::function<void(absl::Status)>, absl::Status* sync_status) {

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h

@@ -25,6 +25,7 @@
 
 #include <grpc/grpc_security.h>
 
+#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/thd.h"
@@ -37,8 +38,6 @@
 struct grpc_tls_certificate_verifier
     : public grpc_core::RefCounted<grpc_tls_certificate_verifier> {
  public:
-  grpc_tls_certificate_verifier() = default;
-
   ~grpc_tls_certificate_verifier() override = default;
   // Verifies the specific request. It can be processed in sync or async mode.
   // If the caller want it to be processed asynchronously, return false
@@ -52,6 +51,28 @@ struct grpc_tls_certificate_verifier
   // Operations that will be performed when a request is cancelled.
   // This is only needed when in async mode.
   virtual void Cancel(grpc_tls_custom_verification_check_request* request) = 0;
+
+  // Compares this grpc_tls_certificate_verifier object with \a other.
+  // If this method returns 0, it means that gRPC can treat the two certificate
+  // verifiers as effectively the same.
+  int Compare(const grpc_tls_certificate_verifier* other) const {
+    GPR_ASSERT(other != nullptr);
+    int r = grpc_core::QsortCompare(type(), other->type());
+    if (r != 0) return r;
+    return CompareImpl(other);
+  }
+
+  // The pointer value \a type is used to uniquely identify a verifier
+  // implementation for down-casting purposes. Every verifier implementation
+  // should use a unique string instance, which should be returned by all
+  // instances of that verifier implementation.
+  virtual const char* type() const = 0;
+
+ private:
+  // Implementation for `Compare` method intended to be overridden by
+  // subclasses. Only invoked if `type()` and `other->type()` point to the same
+  // string.
+  virtual int CompareImpl(const grpc_tls_certificate_verifier* other) const = 0;
 };
 
 namespace grpc_core {
@@ -78,12 +99,20 @@ class ExternalCertificateVerifier : public grpc_tls_certificate_verifier {
     external_verifier_->cancel(external_verifier_->user_data, request);
   }
 
+  const char* type() const override { return "External"; }
+
  private:
-  grpc_tls_certificate_verifier_external* external_verifier_;
+  int CompareImpl(const grpc_tls_certificate_verifier* other) const override {
+    const auto* o = static_cast<const ExternalCertificateVerifier*>(other);
+    return QsortCompare(external_verifier_, o->external_verifier_);
+  }
 
   static void OnVerifyDone(grpc_tls_custom_verification_check_request* request,
                            void* callback_arg, grpc_status_code status,
                            const char* error_details);
+
+  grpc_tls_certificate_verifier_external* external_verifier_;
+
   // Guards members below.
   Mutex mu_;
   // stores each check request and its corresponding callback function.
@@ -99,6 +128,16 @@ class HostNameCertificateVerifier : public grpc_tls_certificate_verifier {
               std::function<void(absl::Status)> callback,
               absl::Status* sync_status) override;
   void Cancel(grpc_tls_custom_verification_check_request*) override {}
+
+  const char* type() const override { return "Hostname"; }
+
+ private:
+  int CompareImpl(
+      const grpc_tls_certificate_verifier* /* other */) const override {
+    // No differentiating factor between different HostNameCertificateVerifier
+    // objects.
+    return 0;
+  }
 };
 
 }  // namespace grpc_core

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -1,20 +1,22 @@
-/*
- *
- * Copyright 2018 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
+//
+//
+// Copyright 2018 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py
 
 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
@@ -38,103 +40,72 @@ struct grpc_tls_credentials_options
     : public grpc_core::RefCounted<grpc_tls_credentials_options> {
  public:
   ~grpc_tls_credentials_options() override = default;
+
   // Getters for member fields.
-  grpc_ssl_client_certificate_request_type cert_request_type() const {
-    return cert_request_type_;
-  }
+  grpc_ssl_client_certificate_request_type cert_request_type() const { return cert_request_type_; }
   bool verify_server_cert() const { return verify_server_cert_; }
   grpc_tls_version min_tls_version() const { return min_tls_version_; }
   grpc_tls_version max_tls_version() const { return max_tls_version_; }
-  // Returns the verifier set in the options.
   grpc_tls_certificate_verifier* certificate_verifier() {
-    return verifier_.get();
+    return certificate_verifier_.get();
   }
   bool check_call_host() const { return check_call_host_; }
-  // Returns the distributor from provider_ if it is set, nullptr otherwise.
+  // Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.
   grpc_tls_certificate_distributor* certificate_distributor() {
-    if (provider_ != nullptr) return provider_->distributor().get();
+    if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
     return nullptr;
   }
-  bool watch_root_cert() { return watch_root_cert_; }
-  const std::string& root_cert_name() { return root_cert_name_; }
-  bool watch_identity_pair() { return watch_identity_pair_; }
-  const std::string& identity_cert_name() { return identity_cert_name_; }
-  // Returns the previously set tls session key log file path.
-  const std::string& tls_session_key_log_file_path() {
-    return tls_session_key_log_file_path_;
-  }
-  const std::string& crl_directory() { return crl_directory_; }
+  bool watch_root_cert() const { return watch_root_cert_; }
+  const std::string& root_cert_name() const { return root_cert_name_; }
+  bool watch_identity_pair() const { return watch_identity_pair_; }
+  const std::string& identity_cert_name() const { return identity_cert_name_; }
+  const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
+  const std::string& crl_directory() const { return crl_directory_; }
 
   // Setters for member fields.
-  void set_cert_request_type(
-      const grpc_ssl_client_certificate_request_type type) {
-    cert_request_type_ = type;
-  }
-  void set_verify_server_cert(bool verify_server_cert) {
-    verify_server_cert_ = verify_server_cert;
-  }
-  void set_min_tls_version(grpc_tls_version min_tls_version) {
-    min_tls_version_ = min_tls_version;
-  }
-  void set_max_tls_version(grpc_tls_version max_tls_version) {
-    max_tls_version_ = max_tls_version;
-  }
-  // Sets the verifier in the options.
-  void set_certificate_verifier(
-      grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier) {
-    verifier_ = std::move(verifier);
-  }
-  // Sets the verifier in the options.
-  void set_check_call_host(bool check_call_host) {
-    check_call_host_ = check_call_host;
-  }
-  // Sets the provider in the options.
-  void set_certificate_provider(
-      grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
-    provider_ = std::move(provider);
-  }
-  // If need to watch the updates of root certificates with name
-  // |root_cert_name|. The default value is false. If used in tls_credentials,
-  // it should always be set to true unless the root certificates are not
-  // needed.
-  void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
-  // Sets the name of root certificates being watched, if |set_watch_root_cert|
-  // is called. If not set, an empty string will be used as the name.
-  void set_root_cert_name(std::string root_cert_name) {
-    root_cert_name_ = std::move(root_cert_name);
-  }
-  // If need to watch the updates of identity certificates with name
-  // |identity_cert_name|.
-  // The default value is false.
-  // If used in tls_credentials, it should always be set to true
-  // unless the identity key-cert pairs are not needed.
-  void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
-  // Sets the name of identity key-cert pairs being watched, if
-  // |set_watch_identity_pair| is called. If not set, an empty string will
-  // be used as the name.
-  void set_identity_cert_name(std::string identity_cert_name) {
-    identity_cert_name_ = std::move(identity_cert_name);
-  }
-  // Sets the tls session key log file path.
-  void set_tls_session_key_log_file_path(
-      std::string tls_session_key_log_file_path) {
-    tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path);
-  }
+  void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
+  void set_verify_server_cert(bool verify_server_cert) { verify_server_cert_ = verify_server_cert; }
+  void set_min_tls_version(grpc_tls_version min_tls_version) { min_tls_version_ = min_tls_version; }
+  void set_max_tls_version(grpc_tls_version max_tls_version) { max_tls_version_ = max_tls_version; }
+  void set_certificate_verifier(grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier) { certificate_verifier_ = std::move(certificate_verifier); }
+  void set_check_call_host(bool check_call_host) { check_call_host_ = check_call_host; }
+  void set_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider) { certificate_provider_ = std::move(certificate_provider); }
+  // If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.
+  void set_watch_root_cert(bool watch_root_cert) { watch_root_cert_ = watch_root_cert; }
+  // Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.
+  void set_root_cert_name(std::string root_cert_name) { root_cert_name_ = std::move(root_cert_name); }
+  // If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.
+  void set_watch_identity_pair(bool watch_identity_pair) { watch_identity_pair_ = watch_identity_pair; }
+  // Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.
+  void set_identity_cert_name(std::string identity_cert_name) { identity_cert_name_ = std::move(identity_cert_name); }
+  void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
+  //  gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
+  void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
 
-  // gRPC will enforce CRLs on all handshakes from all hashed CRL files inside
-  // of the crl_directory. If not set, an empty string will be used, which will
-  // not enable CRL checking. Only supported for OpenSSL version > 1.1.
-  void set_crl_directory(std::string path) { crl_directory_ = std::move(path); }
+  bool operator==(const grpc_tls_credentials_options& other) const {
+    return cert_request_type_ == other.cert_request_type_ &&
+      verify_server_cert_ == other.verify_server_cert_ &&
+      min_tls_version_ == other.min_tls_version_ &&
+      max_tls_version_ == other.max_tls_version_ &&
+      (certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0)) &&
+      check_call_host_ == other.check_call_host_ &&
+      (certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0)) &&
+      watch_root_cert_ == other.watch_root_cert_ &&
+      root_cert_name_ == other.root_cert_name_ &&
+      watch_identity_pair_ == other.watch_identity_pair_ &&
+      identity_cert_name_ == other.identity_cert_name_ &&
+      tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
+      crl_directory_ == other.crl_directory_;
+  }
 
  private:
-  grpc_ssl_client_certificate_request_type cert_request_type_ =
-      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
+  grpc_ssl_client_certificate_request_type cert_request_type_ = GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
   bool verify_server_cert_ = true;
   grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
   grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
-  grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier_;
   bool check_call_host_ = true;
-  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
   bool watch_root_cert_ = false;
   std::string root_cert_name_;
   bool watch_identity_pair_ = false;

data/src/core/lib/security/credentials/tls/tls_credentials.cc

@@ -31,8 +31,6 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
 
-#define GRPC_CREDENTIALS_TYPE_TLS "Tls"
-
 namespace {
 
 bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
@@ -70,8 +68,7 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
 
 TlsCredentials::TlsCredentials(
     grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
-    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS),
-      options_(std::move(options)) {}
+    : options_(std::move(options)) {}
 
 TlsCredentials::~TlsCredentials() {}
 
@@ -109,10 +106,16 @@ TlsCredentials::create_security_connector(
   return sc;
 }
 
+int TlsCredentials::cmp_impl(const grpc_channel_credentials* other) const {
+  const TlsCredentials* o = static_cast<const TlsCredentials*>(other);
+  if (*options_ == *o->options_) return 0;
+  return grpc_core::QsortCompare(
+      static_cast<const grpc_channel_credentials*>(this), other);
+}
+
 TlsServerCredentials::TlsServerCredentials(
     grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
-    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS),
-      options_(std::move(options)) {}
+    : options_(std::move(options)) {}
 
 TlsServerCredentials::~TlsServerCredentials() {}
 

data/src/core/lib/security/credentials/tls/tls_credentials.h

@@ -38,14 +38,12 @@ class TlsCredentials final : public grpc_channel_credentials {
       const char* target_name, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  const char* type() const override { return "Tls"; }
+
   grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:
-  int cmp_impl(const grpc_channel_credentials* other) const override {
-    // TODO(yashykt): Check if we can do something better here
-    return grpc_core::QsortCompare(
-        static_cast<const grpc_channel_credentials*>(this), other);
-  }
+  int cmp_impl(const grpc_channel_credentials* other) const override;
 
   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
 };
@@ -59,6 +57,8 @@ class TlsServerCredentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /* args */) override;
 
+  const char* type() const override { return "Tls"; }
+
   grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:

data/src/core/lib/security/credentials/xds/xds_credentials.cc

@@ -29,8 +29,6 @@
 
 namespace grpc_core {
 
-const char kCredentialsTypeXds[] = "Xds";
-
 namespace {
 
 bool XdsVerifySubjectAlternativeNames(
@@ -61,44 +59,53 @@ bool XdsVerifySubjectAlternativeNames(
   return false;
 }
 
-class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
- public:
-  XdsCertificateVerifier(
-      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
-      std::string cluster_name)
-      : xds_certificate_provider_(std::move(xds_certificate_provider)),
-        cluster_name_(std::move(cluster_name)) {}
-
-  bool Verify(grpc_tls_custom_verification_check_request* request,
-              std::function<void(absl::Status)>,
-              absl::Status* sync_status) override {
-    GPR_ASSERT(request != nullptr);
-    if (!XdsVerifySubjectAlternativeNames(
-            request->peer_info.san_names.uri_names,
-            request->peer_info.san_names.uri_names_size,
-            xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
-        !XdsVerifySubjectAlternativeNames(
-            request->peer_info.san_names.ip_names,
-            request->peer_info.san_names.ip_names_size,
-            xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
-        !XdsVerifySubjectAlternativeNames(
-            request->peer_info.san_names.dns_names,
-            request->peer_info.san_names.dns_names_size,
-            xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
-      *sync_status = absl::Status(
-          absl::StatusCode::kUnauthenticated,
-          "SANs from certificate did not match SANs from xDS control plane");
-    }
-    return true; /* synchronous check */
+}  // namespace
+
+//
+// XdsCertificateVerifier
+//
+
+XdsCertificateVerifier::XdsCertificateVerifier(
+    RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
+    std::string cluster_name)
+    : xds_certificate_provider_(std::move(xds_certificate_provider)),
+      cluster_name_(std::move(cluster_name)) {}
+
+bool XdsCertificateVerifier::Verify(
+    grpc_tls_custom_verification_check_request* request,
+    std::function<void(absl::Status)>, absl::Status* sync_status) {
+  GPR_ASSERT(request != nullptr);
+  if (!XdsVerifySubjectAlternativeNames(
+          request->peer_info.san_names.uri_names,
+          request->peer_info.san_names.uri_names_size,
+          xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+      !XdsVerifySubjectAlternativeNames(
+          request->peer_info.san_names.ip_names,
+          request->peer_info.san_names.ip_names_size,
+          xds_certificate_provider_->GetSanMatchers(cluster_name_)) &&
+      !XdsVerifySubjectAlternativeNames(
+          request->peer_info.san_names.dns_names,
+          request->peer_info.san_names.dns_names_size,
+          xds_certificate_provider_->GetSanMatchers(cluster_name_))) {
+    *sync_status = absl::Status(
+        absl::StatusCode::kUnauthenticated,
+        "SANs from certificate did not match SANs from xDS control plane");
   }
-  void Cancel(grpc_tls_custom_verification_check_request*) override {}
+  return true; /* synchronous check */
+}
 
- private:
-  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
-  std::string cluster_name_;
-};
+void XdsCertificateVerifier::Cancel(
+    grpc_tls_custom_verification_check_request*) {}
 
-}  // namespace
+int XdsCertificateVerifier::CompareImpl(
+    const grpc_tls_certificate_verifier* other) const {
+  auto* o = static_cast<const XdsCertificateVerifier*>(other);
+  int r = QsortCompare(xds_certificate_provider_, o->xds_certificate_provider_);
+  if (r != 0) return r;
+  return cluster_name_.compare(o->cluster_name_);
+}
+
+const char* XdsCertificateVerifier::type() const { return "Xds"; }
 
 bool TestOnlyXdsVerifySubjectAlternativeNames(
     const char* const* subject_alternative_names,
@@ -164,19 +171,6 @@ XdsCredentials::create_security_connector(
           MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
                                                  std::move(cluster_name)));
       tls_credentials_options->set_check_call_host(false);
-      // TODO(yashkt): Creating a new TlsCreds object each time we create a
-      // security connector means that the security connector's cmp() method
-      // returns unequal for each instance, which means that every time an LB
-      // policy updates, all the subchannels will be recreated.  This is
-      // going to lead to a lot of connection churn.  Instead, we should
-      // either (a) change the TLS security connector's cmp() method to be
-      // smarter somehow, so that it compares unequal only when the
-      // tls_credentials_options have changed, or (b) cache the TlsCreds
-      // objects in the XdsCredentials object so that we can reuse the
-      // same one when creating new security connectors, swapping out the
-      // TlsCreds object only when the tls_credentials_options change.
-      // Option (a) would probably be better, although it may require some
-      // structural changes to the security connector API.
       auto tls_credentials =
           MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
       return tls_credentials->create_security_connector(
@@ -188,6 +182,8 @@ XdsCredentials::create_security_connector(
       std::move(call_creds), target_name, temp_args.args, new_args);
 }
 
+const char* XdsCredentials::Type() { return "Xds"; }
+
 //
 // XdsServerCredentials
 //
@@ -224,6 +220,8 @@ XdsServerCredentials::create_security_connector(const grpc_channel_args* args) {
   return fallback_credentials_->create_security_connector(args);
 }
 
+const char* XdsServerCredentials::Type() { return "Xds"; }
+
 }  // namespace grpc_core
 
 grpc_channel_credentials* grpc_xds_credentials_create(

data/src/core/lib/security/credentials/xds/xds_credentials.h

@@ -23,24 +23,47 @@
 
 #include <grpc/grpc_security.h>
 
+#include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/lib/matchers/matchers.h"
 #include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 
 namespace grpc_core {
 
-extern const char kCredentialsTypeXds[];
+class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
+ public:
+  XdsCertificateVerifier(
+      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
+      std::string cluster_name);
+
+  bool Verify(grpc_tls_custom_verification_check_request* request,
+              std::function<void(absl::Status)>,
+              absl::Status* sync_status) override;
+  void Cancel(grpc_tls_custom_verification_check_request*) override;
+
+  const char* type() const override;
+
+ private:
+  int CompareImpl(const grpc_tls_certificate_verifier* other) const override;
+
+  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
+  std::string cluster_name_;
+};
 
 class XdsCredentials final : public grpc_channel_credentials {
  public:
   explicit XdsCredentials(
       RefCountedPtr<grpc_channel_credentials> fallback_credentials)
-      : grpc_channel_credentials(kCredentialsTypeXds),
-        fallback_credentials_(std::move(fallback_credentials)) {}
+      : fallback_credentials_(std::move(fallback_credentials)) {}
 
   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
       RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
       const grpc_channel_args* args, grpc_channel_args** new_args) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_channel_credentials* other) const override {
     auto* o = static_cast<const XdsCredentials*>(other);
@@ -54,12 +77,15 @@ class XdsServerCredentials final : public grpc_server_credentials {
  public:
   explicit XdsServerCredentials(
       RefCountedPtr<grpc_server_credentials> fallback_credentials)
-      : grpc_server_credentials(kCredentialsTypeXds),
-        fallback_credentials_(std::move(fallback_credentials)) {}
+      : fallback_credentials_(std::move(fallback_credentials)) {}
 
   RefCountedPtr<grpc_server_security_connector> create_security_connector(
       const grpc_channel_args* /* args */) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   RefCountedPtr<grpc_server_credentials> fallback_credentials_;
 };

data/src/core/lib/security/security_connector/local/local_security_connector.cc

@@ -152,7 +152,7 @@ class grpc_local_channel_security_connector final
       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
       const char* target_name)
-      : grpc_channel_security_connector(nullptr, std::move(channel_creds),
+      : grpc_channel_security_connector({}, std::move(channel_creds),
                                         std::move(request_metadata_creds)),
         target_name_(gpr_strdup(target_name)) {}
 
@@ -210,7 +210,7 @@ class grpc_local_server_security_connector final
  public:
   explicit grpc_local_server_security_connector(
       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
-      : grpc_server_security_connector(nullptr, std::move(server_creds)) {}
+      : grpc_server_security_connector({}, std::move(server_creds)) {}
   ~grpc_local_server_security_connector() override = default;
 
   void add_handshakers(

data/src/core/lib/security/security_connector/security_connector.h

@@ -60,6 +60,10 @@ class grpc_security_connector
         url_scheme_(url_scheme) {}
   ~grpc_security_connector() override = default;
 
+  static absl::string_view ChannelArgName() {
+    return GRPC_ARG_SECURITY_CONNECTOR;
+  }
+
   // Checks the peer. Callee takes ownership of the peer object.
   // When done, sets *auth_context and invokes on_peer_checked.
   virtual void check_peer(
@@ -75,6 +79,11 @@ class grpc_security_connector
   /* Compares two security connectors. */
   virtual int cmp(const grpc_security_connector* other) const = 0;
 
+  static int ChannelArgsCompare(const grpc_security_connector* a,
+                                const grpc_security_connector* b) {
+    return a->cmp(b);
+  }
+
   absl::string_view url_scheme() const { return url_scheme_; }
 
  private:

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -129,7 +129,8 @@ class grpc_ssl_channel_security_connector final
         client_handshaker_factory_,
         overridden_target_name_.empty() ? target_name_.c_str()
                                         : overridden_target_name_.c_str(),
-        &tsi_hs);
+        /*network_bio_buf_size=*/0,
+        /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
               tsi_result_to_string(result));
@@ -272,7 +273,8 @@ class grpc_ssl_server_security_connector
     try_fetch_ssl_server_credentials();
     tsi_handshaker* tsi_hs = nullptr;
     tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
-        server_handshaker_factory_, &tsi_hs);
+        server_handshaker_factory_, /*network_bio_buf_size=*/0,
+        /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
               tsi_result_to_string(result));

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -332,7 +332,8 @@ void TlsChannelSecurityConnector::add_handshakers(
         client_handshaker_factory_,
         overridden_target_name_.empty() ? target_name_.c_str()
                                         : overridden_target_name_.c_str(),
-        &tsi_hs);
+        /*network_bio_buf_size=*/0,
+        /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
               tsi_result_to_string(result));
@@ -618,7 +619,8 @@ void TlsServerSecurityConnector::add_handshakers(
   if (server_handshaker_factory_ != nullptr) {
     // Instantiate TSI handshaker.
     tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
-        server_handshaker_factory_, &tsi_hs);
+        server_handshaker_factory_, /*network_bio_buf_size=*/0,
+        /*ssl_bio_buf_size=*/0, &tsi_hs);
     if (result != TSI_OK) {
       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
               tsi_result_to_string(result));