grpc 1.59.2 → 1.59.5

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc

@@ -0,0 +1,238 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h"
+
+#include <limits.h>
+// IWYU pragma: no_include <openssl/mem.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>  // IWYU pragma: keep
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include <grpc/support/log.h>
+// IWYU pragma: no_include <ratio>
+#include <algorithm>
+#include <memory>
+#include <type_traits>
+#include <utility>
+#include <vector>
+
+#include "absl/container/flat_hash_map.h"
+#include "absl/meta/type_traits.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_join.h"
+#include "absl/types/span.h"
+
+#include "src/core/lib/event_engine/default_event_engine.h"
+#include "src/core/lib/gprpp/directory_reader.h"
+#include "src/core/lib/gprpp/load_file.h"
+#include "src/core/lib/iomgr/exec_ctx.h"
+#include "src/core/lib/slice/slice.h"
+
+namespace grpc_core {
+namespace experimental {
+
+namespace {
+std::string IssuerFromCrl(X509_CRL* crl) {
+  if (crl == nullptr) {
+    return "";
+  }
+  char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
+  std::string ret;
+  if (buf != nullptr) {
+    ret = buf;
+  }
+  OPENSSL_free(buf);
+  return ret;
+}
+
+absl::StatusOr<std::shared_ptr<Crl>> ReadCrlFromFile(
+    const std::string& crl_path) {
+  absl::StatusOr<Slice> crl_slice = LoadFile(crl_path, false);
+  if (!crl_slice.ok()) {
+    return crl_slice.status();
+  }
+  absl::StatusOr<std::unique_ptr<Crl>> crl =
+      Crl::Parse(crl_slice->as_string_view());
+  if (!crl.ok()) {
+    return crl.status();
+  }
+  return crl;
+}
+
+}  // namespace
+
+absl::StatusOr<std::unique_ptr<Crl>> Crl::Parse(absl::string_view crl_string) {
+  if (crl_string.size() >= INT_MAX) {
+    return absl::InvalidArgumentError("crl_string cannot be of size INT_MAX");
+  }
+  BIO* crl_bio =
+      BIO_new_mem_buf(crl_string.data(), static_cast<int>(crl_string.size()));
+  // Errors on BIO
+  if (crl_bio == nullptr) {
+    return absl::InvalidArgumentError(
+        "Conversion from crl string to BIO failed.");
+  }
+  X509_CRL* crl = PEM_read_bio_X509_CRL(crl_bio, nullptr, nullptr, nullptr);
+  BIO_free(crl_bio);
+  if (crl == nullptr) {
+    return absl::InvalidArgumentError(
+        "Conversion from PEM string to X509 CRL failed.");
+  }
+  return CrlImpl::Create(crl);
+}
+
+absl::StatusOr<std::unique_ptr<CrlImpl>> CrlImpl::Create(X509_CRL* crl) {
+  std::string issuer = IssuerFromCrl(crl);
+  if (issuer.empty()) {
+    return absl::InvalidArgumentError("Issuer of crl cannot be empty");
+  }
+  return std::make_unique<CrlImpl>(crl, issuer);
+}
+
+CrlImpl::~CrlImpl() { X509_CRL_free(crl_); }
+
+absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
+    absl::Span<const std::string> crls) {
+  absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crl_map;
+  for (const auto& raw_crl : crls) {
+    absl::StatusOr<std::unique_ptr<Crl>> crl = Crl::Parse(raw_crl);
+    if (!crl.ok()) {
+      return absl::InvalidArgumentError(absl::StrCat(
+          "Parsing crl string failed with result ", crl.status().ToString()));
+    }
+    bool inserted = crl_map.emplace((*crl)->Issuer(), std::move(*crl)).second;
+    if (!inserted) {
+      gpr_log(GPR_ERROR,
+              "StaticCrlProvider received multiple CRLs with the same issuer. "
+              "The first one in the span will be used.");
+    }
+  }
+  StaticCrlProvider provider = StaticCrlProvider(std::move(crl_map));
+  return std::make_shared<StaticCrlProvider>(std::move(provider));
+}
+
+std::shared_ptr<Crl> StaticCrlProvider::GetCrl(
+    const CertificateInfo& certificate_info) {
+  auto it = crls_.find(certificate_info.Issuer());
+  if (it == crls_.end()) {
+    return nullptr;
+  }
+  return it->second;
+}
+
+absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
+    absl::string_view directory, std::chrono::seconds refresh_duration,
+    std::function<void(absl::Status)> reload_error_callback) {
+  if (refresh_duration < std::chrono::seconds(60)) {
+    return absl::InvalidArgumentError("Refresh duration minimum is 60 seconds");
+  }
+  auto provider = std::make_shared<DirectoryReloaderCrlProvider>(
+      refresh_duration, reload_error_callback,
+      grpc_event_engine::experimental::GetDefaultEventEngine(),
+      MakeDirectoryReader(directory));
+  // This could be slow to do at startup, but we want to
+  // make sure it's done before the provider is used.
+  provider->UpdateAndStartTimer();
+  return provider;
+}
+
+DirectoryReloaderCrlProvider::~DirectoryReloaderCrlProvider() {
+  if (refresh_handle_.has_value()) {
+    event_engine_->Cancel(refresh_handle_.value());
+  }
+}
+
+void DirectoryReloaderCrlProvider::UpdateAndStartTimer() {
+  absl::Status status = Update();
+  if (!status.ok() && reload_error_callback_ != nullptr) {
+    reload_error_callback_(status);
+  }
+  std::weak_ptr<DirectoryReloaderCrlProvider> self = shared_from_this();
+  refresh_handle_ =
+      event_engine_->RunAfter(refresh_duration_, [self = std::move(self)]() {
+        ApplicationCallbackExecCtx callback_exec_ctx;
+        ExecCtx exec_ctx;
+        if (std::shared_ptr<DirectoryReloaderCrlProvider> valid_ptr =
+                self.lock()) {
+          valid_ptr->UpdateAndStartTimer();
+        }
+      });
+}
+
+absl::Status DirectoryReloaderCrlProvider::Update() {
+  absl::flat_hash_map<std::string, std::shared_ptr<Crl>> new_crls;
+  std::vector<std::string> files_with_errors;
+  absl::Status status = crl_directory_->ForEach([&](absl::string_view file) {
+    std::string file_path = absl::StrCat(crl_directory_->Name(), "/", file);
+    // Build a map of new_crls to update to. If all files successful, do a
+    // full swap of the map. Otherwise update in place.
+    absl::StatusOr<std::shared_ptr<Crl>> crl = ReadCrlFromFile(file_path);
+    if (!crl.ok()) {
+      files_with_errors.push_back(
+          absl::StrCat(file_path, ": ", crl.status().ToString()));
+      return;
+    }
+    // Now we have a good CRL to update in our map.
+    // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on the
+    // RHS, because C++ does not guarantee which of those will be executed
+    // first.
+    std::string issuer((*crl)->Issuer());
+    new_crls[std::move(issuer)] = std::move(*crl);
+  });
+  if (!status.ok()) {
+    return status;
+  }
+  MutexLock lock(&mu_);
+  if (!files_with_errors.empty()) {
+    // Need to make sure CRLs we read successfully into new_crls are still
+    // in-place updated in crls_.
+    for (auto& kv : new_crls) {
+      std::shared_ptr<Crl>& crl = kv.second;
+      // It's not safe to say crl->Issuer() on the LHS and std::move(crl) on the
+      // RHS, because C++ does not guarantee which of those will be executed
+      // first.
+      std::string issuer(crl->Issuer());
+      crls_[std::move(issuer)] = std::move(crl);
+    }
+    return absl::UnknownError(absl::StrCat(
+        "Errors reading the following files in the CRL directory: [",
+        absl::StrJoin(files_with_errors, "; "), "]"));
+  } else {
+    crls_ = std::move(new_crls);
+  }
+  return absl::OkStatus();
+}
+
+std::shared_ptr<Crl> DirectoryReloaderCrlProvider::GetCrl(
+    const CertificateInfo& certificate_info) {
+  MutexLock lock(&mu_);
+  auto it = crls_.find(certificate_info.Issuer());
+  if (it == crls_.end()) {
+    return nullptr;
+  }
+  return it->second;
+}
+
+}  // namespace experimental
+}  // namespace grpc_core

data/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h

@@ -0,0 +1,132 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H
+#define GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H
+
+#include <grpc/support/port_platform.h>
+
+#include <chrono>
+#include <functional>
+#include <memory>
+#include <string>
+#include <utility>
+
+#include <openssl/crypto.h>
+
+#include "absl/base/thread_annotations.h"
+#include "absl/container/flat_hash_map.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+
+#include <grpc/event_engine/event_engine.h>
+#include <grpc/grpc_crl_provider.h>
+
+#include "src/core/lib/gprpp/directory_reader.h"
+#include "src/core/lib/gprpp/sync.h"
+#include "src/core/lib/gprpp/time.h"
+
+namespace grpc_core {
+namespace experimental {
+
+class StaticCrlProvider : public CrlProvider {
+ public:
+  // Each element of the input vector is expected to be the raw contents of a
+  // CRL file.
+  explicit StaticCrlProvider(
+      absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crls)
+      : crls_(std::move(crls)) {}
+  std::shared_ptr<Crl> GetCrl(const CertificateInfo& certificate_info) override;
+
+ private:
+  const absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crls_;
+};
+
+class CrlImpl : public Crl {
+ public:
+  static absl::StatusOr<std::unique_ptr<CrlImpl>> Create(X509_CRL* crl);
+  // Takes ownership of the X509_CRL pointer.
+  CrlImpl(X509_CRL* crl, absl::string_view issuer)
+      : crl_(crl), issuer_(issuer) {}
+  ~CrlImpl() override;
+  // Returns a string view representation of the issuer pulled from the CRL.
+  absl::string_view Issuer() override { return issuer_; }
+  // The caller should not take ownership of the returned pointer.
+  X509_CRL* crl() const { return crl_; }
+
+ private:
+  X509_CRL* crl_;
+  const std::string issuer_;
+};
+
+class CertificateInfoImpl : public CertificateInfo {
+ public:
+  explicit CertificateInfoImpl(absl::string_view issuer) : issuer_(issuer) {}
+  // Returns a string representation of the issuer pulled from the
+  // certificate.
+  absl::string_view Issuer() const override { return issuer_; }
+
+ private:
+  const std::string issuer_;
+};
+
+// Defining this here lets us hide implementation details (and includes) from
+// the header in include
+class DirectoryReloaderCrlProvider
+    : public CrlProvider,
+      public std::enable_shared_from_this<DirectoryReloaderCrlProvider> {
+ public:
+  DirectoryReloaderCrlProvider(
+      std::chrono::seconds duration, std::function<void(absl::Status)> callback,
+      std::shared_ptr<grpc_event_engine::experimental::EventEngine>
+          event_engine,
+      std::shared_ptr<DirectoryReader> directory_impl)
+      : refresh_duration_(Duration::FromSecondsAsDouble(duration.count())),
+        reload_error_callback_(std::move(callback)),
+        event_engine_(std::move(event_engine)),
+        crl_directory_(std::move(directory_impl)) {}
+
+  ~DirectoryReloaderCrlProvider() override;
+  std::shared_ptr<Crl> GetCrl(const CertificateInfo& certificate_info) override;
+  // Reads the configured directory and updates the internal crls_ map, called
+  // asynchronously by event engine then schedules the timer for the next
+  // update.
+  void UpdateAndStartTimer();
+
+ private:
+  // Reads the configured directory and updates the internal crls_ map, called
+  // asynchronously by event engine.
+  absl::Status Update();
+  Duration refresh_duration_;
+  std::function<void(::absl::Status)> reload_error_callback_;
+  std::shared_ptr<grpc_event_engine::experimental::EventEngine> event_engine_;
+  std::shared_ptr<DirectoryReader> crl_directory_;
+  // guards the crls_ map
+  Mutex mu_;
+  absl::flat_hash_map<::std::string, ::std::shared_ptr<Crl>> crls_
+      ABSL_GUARDED_BY(mu_);
+  absl::optional<grpc_event_engine::experimental::EventEngine::TaskHandle>
+      refresh_handle_;
+};
+
+}  // namespace experimental
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H

data/src/core/lib/security/credentials/tls/tls_credentials.cc

@@ -20,6 +20,7 @@
 
 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
 
+#include <memory>
 #include <string>
 #include <utility>
 
@@ -46,6 +47,28 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
     gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
     return false;
   }
+  // In this case, there will be non-retriable handshake errors.
+  if (options->min_tls_version() == grpc_tls_version::TLS1_3 &&
+      options->max_tls_version() == grpc_tls_version::TLS1_2) {
+    gpr_log(GPR_ERROR, "TLS min version must not be higher than max version.");
+    return false;
+  }
+  if (options->max_tls_version() > grpc_tls_version::TLS1_3) {
+    gpr_log(GPR_ERROR, "TLS max version must not be higher than v1.3.");
+    return false;
+  }
+  if (options->min_tls_version() < grpc_tls_version::TLS1_2) {
+    gpr_log(GPR_ERROR, "TLS min version must not be lower than v1.2.");
+    return false;
+  }
+  if (!options->crl_directory().empty() && options->crl_provider() != nullptr) {
+    gpr_log(GPR_ERROR,
+            "Setting crl_directory and crl_provider not supported. Using the "
+            "crl_provider.");
+    // TODO(gtcooke94) - Maybe return false here. Right now object lifetime of
+    // this options struct is leaky if false is returned and represents a more
+    // complex fix to handle in another PR.
+  }
   // In the following conditions, there won't be any issues, but it might
   // indicate callers are doing something wrong with the API.
   if (is_client && options->cert_request_type() !=

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -23,6 +23,8 @@
 #include <stdint.h>
 #include <string.h>
 
+#include <memory>
+#include <utility>
 #include <vector>
 
 #include "absl/strings/match.h"
@@ -30,6 +32,7 @@
 #include "absl/strings/str_split.h"
 
 #include <grpc/grpc.h>
+#include <grpc/grpc_crl_provider.h>
 #include <grpc/impl/channel_arg_names.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
@@ -410,6 +413,7 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
     const char* crl_directory,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
   const char* root_certs;
   const tsi_ssl_root_certs_store* root_store;
@@ -448,6 +452,7 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
   options.min_tls_version = min_tls_version;
   options.max_tls_version = max_tls_version;
   options.crl_directory = crl_directory;
+  options.crl_provider = std::move(crl_provider);
   const tsi_result result =
       tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                             handshaker_factory);
@@ -467,6 +472,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
     const char* crl_directory, bool send_client_ca_list,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -484,6 +490,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.max_tls_version = max_tls_version;
   options.key_logger = tls_session_key_logger;
   options.crl_directory = crl_directory;
+  options.crl_provider = std::move(crl_provider);
   options.send_client_ca_list = send_client_ca_list;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -23,6 +23,7 @@
 
 #include <stddef.h>
 
+#include <memory>
 #include <string>
 #include <utility>
 #include <vector>
@@ -30,6 +31,7 @@
 #include "absl/status/status.h"
 #include "absl/strings/string_view.h"
 
+#include <grpc/grpc_crl_provider.h>
 #include <grpc/grpc_security.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/slice.h>
@@ -85,6 +87,7 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
     const char* crl_directory,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
@@ -94,6 +97,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
     const char* crl_directory, bool send_client_ca_list,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
 // Free the memory occupied by key cert pairs.

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -551,7 +551,7 @@ TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
-      &client_handshaker_factory_);
+      options_->crl_provider(), &client_handshaker_factory_);
   // Free memory.
   if (pem_key_cert_pair != nullptr) {
     grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
@@ -818,7 +818,8 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()),
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
-      options_->send_client_ca_list(), &server_handshaker_factory_);
+      options_->send_client_ca_list(), options_->crl_provider(),
+      &server_handshaker_factory_);
   // Free memory.
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);