grpc 1.74.1 → 1.75.0.pre1

data/src/core/credentials/transport/tls/spiffe_utils.cc

@@ -0,0 +1,371 @@
+//
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include "src/core/credentials/transport/tls/spiffe_utils.h"
+
+#include <openssl/x509.h>
+
+#include <string>
+
+#include "absl/strings/match.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_format.h"
+#include "absl/strings/str_split.h"
+#include "src/core/tsi/ssl_transport_security_utils.h"
+#include "src/core/util/json/json_object_loader.h"
+#include "src/core/util/json/json_reader.h"
+#include "src/core/util/load_file.h"
+#include "src/core/util/status_helper.h"
+
+namespace grpc_core {
+namespace {
+constexpr absl::string_view kAllowedUse = "x509-svid";
+constexpr absl::string_view kAllowedKty = "RSA";
+constexpr absl::string_view kCertificatePrefix =
+    "-----BEGIN CERTIFICATE-----\n";
+constexpr absl::string_view kCertificateSuffix = "\n-----END CERTIFICATE-----";
+constexpr int kMaxTrustDomainLength = 255;
+constexpr absl::string_view kSpiffePrefix = "spiffe://";
+constexpr int kX5cSize = 1;
+
+// Checks broad conditions on the whole input before splitting into the
+// pieces of a SPIFFE ID
+absl::Status DoInitialUriValidation(absl::string_view uri) {
+  if (uri.empty()) {
+    return absl::InvalidArgumentError(
+        "SPIFFE ID cannot be parsed from empty URI");
+  }
+  if (uri.length() > 2048) {
+    return absl::InvalidArgumentError(absl::StrFormat(
+        "URI length is %d, maximum allowed for SPIFFE ID is 2048",
+        uri.length()));
+  }
+  if (absl::StrContains(uri, "#")) {
+    return absl::InvalidArgumentError(
+        "SPIFFE ID cannot contain query fragments");
+  }
+  if (absl::StrContains(uri, "?")) {
+    return absl::InvalidArgumentError(
+        "SPIFFE ID cannot contain query parameters");
+  }
+  for (char ch : uri) {
+    if (!absl::ascii_isascii(ch)) {
+      return absl::InvalidArgumentError(absl::StrFormat(
+          "SPIFFE ID URI cannot contain non-ascii characters. Contains %#x",
+          ch));
+    }
+  }
+  return absl::OkStatus();
+}
+
+absl::Status ValidateTrustDomain(absl::string_view trust_domain) {
+  if (trust_domain.empty()) {
+    return absl::InvalidArgumentError("Trust domain cannot be empty");
+  }
+  if (trust_domain.size() > kMaxTrustDomainLength) {
+    return absl::InvalidArgumentError(absl::StrFormat(
+        "Trust domain maximum length is %i characters", kMaxTrustDomainLength));
+  }
+  for (auto c : trust_domain) {
+    if (c >= 'a' && c <= 'z') continue;
+    if (c >= '0' && c <= '9') continue;
+    if (c == '.') continue;
+    if (c == '-') continue;
+    if (c == '_') continue;
+    return absl::InvalidArgumentError(absl::StrFormat(
+        "Trust domain contains invalid character '%c'. MUST contain only "
+        "lowercase letters, numbers, dots, dashes, and underscores",
+        c));
+  }
+  return absl::OkStatus();
+}
+
+absl::Status ValidatePathSegment(absl::string_view path_segment) {
+  if (path_segment.empty()) {
+    return absl::InvalidArgumentError("Path segment cannot be empty");
+  }
+  if (path_segment == "." || path_segment == "..") {
+    return absl::InvalidArgumentError(
+        "Path segment cannot be a relative modifier (. or ..)");
+  }
+  for (auto c : path_segment) {
+    if (c >= 'a' && c <= 'z') continue;
+    if (c >= 'A' && c <= 'Z') continue;
+    if (c >= '0' && c <= '9') continue;
+    if (c == '.') continue;
+    if (c == '-') continue;
+    if (c == '_') continue;
+    return absl::InvalidArgumentError(absl::StrFormat(
+        "Path segment contains invalid character '%c'. MUST contain only "
+        "letters, numbers, dots, dashes, and underscores",
+        c));
+  }
+  return absl::OkStatus();
+}
+
+absl::Status ValidatePath(absl::string_view path) {
+  if (path.empty()) {
+    return absl::OkStatus();
+  }
+  for (absl::string_view segment : absl::StrSplit(path, '/')) {
+    GRPC_RETURN_IF_ERROR(ValidatePathSegment(segment));
+  }
+  return absl::OkStatus();
+}
+
+}  // namespace
+
+std::string AddPemBlockWrapping(absl::string_view spiffe_bundle_root) {
+  return absl::StrCat(kCertificatePrefix, spiffe_bundle_root,
+                      kCertificateSuffix);
+}
+
+absl::StatusOr<SpiffeId> SpiffeId::FromString(absl::string_view input) {
+  GRPC_RETURN_IF_ERROR(DoInitialUriValidation(input));
+  if (!absl::StartsWithIgnoreCase(input, kSpiffePrefix)) {
+    return absl::InvalidArgumentError("SPIFFE ID must start with spiffe://");
+  }
+  if (absl::EndsWith(input, /*suffix=*/"/")) {
+    return absl::InvalidArgumentError("SPIFFE ID cannot end with a /");
+  }
+  // The input definitely starts with spiffe://
+  absl::string_view trust_domain_and_path =
+      input.substr(kSpiffePrefix.length());
+  absl::string_view trust_domain;
+  absl::string_view path;
+  if (absl::StartsWith(trust_domain_and_path, "/")) {
+    // To be here the SPIFFE ID must look like spiffe:///path, which means the
+    // trust domain is empty, which is invalid
+    return absl::InvalidArgumentError("The trust domain cannot be empty");
+  }
+  // It's valid to have no path, e.g. spiffe://foo.bar.com - handle those two
+  // cases
+  if (absl::StrContains(trust_domain_and_path, "/")) {
+    std::vector<absl::string_view> split =
+        absl::StrSplit(trust_domain_and_path, absl::MaxSplits('/', 1));
+    trust_domain = split[0];
+    path = split[1];
+  } else {
+    trust_domain = trust_domain_and_path;
+  }
+  GRPC_RETURN_IF_ERROR(ValidateTrustDomain(trust_domain));
+  GRPC_RETURN_IF_ERROR(ValidatePath(path));
+  // If we have a path re-add the prepending `/`, otherwise leave it empty
+  if (path.empty()) {
+    return SpiffeId(trust_domain, "");
+  }
+  return SpiffeId(trust_domain, absl::StrCat("/", path));
+}
+
+const JsonLoaderInterface* SpiffeBundleKey::JsonLoader(const JsonArgs&) {
+  static const auto* kLoader = JsonObjectLoader<SpiffeBundleKey>().Finish();
+  return kLoader;
+}
+
+void SpiffeBundleKey::JsonPostLoad(const Json& json, const JsonArgs& args,
+                                   ValidationErrors* errors) {
+  auto use =
+      LoadJsonObjectField<std::string>(json.object(), args, "use", errors);
+  {
+    ValidationErrors::ScopedField field(errors, ".use");
+    if (use.has_value() && *use != kAllowedUse) {
+      errors->AddError(absl::StrFormat("value must be \"%s\", got \"%s\"",
+                                       kAllowedUse, *use));
+    }
+  }
+  auto kty =
+      LoadJsonObjectField<std::string>(json.object(), args, "kty", errors);
+  {
+    ValidationErrors::ScopedField field(errors, ".kty");
+    if (kty.has_value() && *kty != kAllowedKty) {
+      errors->AddError(absl::StrFormat("value must be \"%s\", got \"%s\"",
+                                       kAllowedKty, *kty));
+    }
+  }
+  auto x5c = LoadJsonObjectField<std::vector<std::string>>(json.object(), args,
+                                                           "x5c", errors);
+  if (x5c.has_value()) {
+    ValidationErrors::ScopedField field(errors, ".x5c");
+    if (x5c->size() != kX5cSize) {
+      errors->AddError(
+          absl::StrCat("array length must be 1, got ", x5c->size()));
+    }
+    if (!x5c->empty()) {
+      ValidationErrors::ScopedField field(errors, "[0]");
+      std::string pem_cert = AddPemBlockWrapping((*x5c)[0]);
+      auto certs = ParsePemCertificateChain(pem_cert);
+      if (!certs.ok()) {
+        errors->AddError(certs.status().ToString());
+      } else {
+        root_ = std::move((*x5c)[0]);
+        for (X509* cert : *certs) {
+          X509_free(cert);
+        }
+      }
+    }
+  }
+}
+
+absl::string_view SpiffeBundleKey::GetRoot() { return root_; }
+
+const JsonLoaderInterface* SpiffeBundle::JsonLoader(const JsonArgs&) {
+  static const auto* kLoader = JsonObjectLoader<SpiffeBundle>().Finish();
+  return kLoader;
+}
+
+void SpiffeBundle::JsonPostLoad(const Json& json, const JsonArgs& args,
+                                ValidationErrors* errors) {
+  auto keys = LoadJsonObjectField<std::vector<SpiffeBundleKey>>(
+      json.object(), args, "keys", errors);
+  if (!keys.has_value()) {
+    return;
+  }
+  for (size_t i = 0; i < keys->size(); ++i) {
+    roots_.emplace_back((*keys)[i].GetRoot());
+  }
+  ValidationErrors::ScopedField field(errors, "keys");
+  absl::Status status = CreateX509Stack();
+  if (!status.ok()) {
+    errors->AddError(status.ToString());
+  }
+}
+
+SpiffeBundle::~SpiffeBundle() {
+  if (root_stack_ != nullptr) {
+    sk_X509_pop_free(*root_stack_, X509_free);
+  }
+}
+
+SpiffeBundle::SpiffeBundle(const SpiffeBundle& other) {
+  roots_ = other.roots_;
+  if (other.root_stack_ != nullptr) {
+    root_stack_ =
+        std::make_unique<STACK_OF(X509)*>(sk_X509_dup(*other.root_stack_));
+    for (size_t i = 0; i < sk_X509_num(*root_stack_); i++) {
+      X509* x = sk_X509_value(*root_stack_, i);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+      CHECK(X509_up_ref(x));
+#else
+      CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+#endif
+    }
+  }
+}
+
+SpiffeBundle& SpiffeBundle::operator=(const SpiffeBundle& other) {
+  if (this != &other) {
+    roots_ = other.roots_;
+    if (other.root_stack_ != nullptr) {
+      root_stack_ =
+          std::make_unique<STACK_OF(X509)*>(sk_X509_dup(*other.root_stack_));
+      for (size_t i = 0; i < sk_X509_num(*root_stack_); i++) {
+        X509* x = sk_X509_value(*root_stack_, i);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        CHECK(X509_up_ref(x));
+#else
+        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+#endif
+      }
+    }
+  }
+  return *this;
+}
+
+const JsonLoaderInterface* SpiffeBundleMap::JsonLoader(const JsonArgs&) {
+  static const auto* kLoader =
+      JsonObjectLoader<SpiffeBundleMap>()
+          .Field("trust_domains", &SpiffeBundleMap::bundles_)
+          .Finish();
+  return kLoader;
+}
+
+absl::Span<const std::string> SpiffeBundle::GetRoots() { return roots_; }
+
+absl::StatusOr<STACK_OF(X509) *> SpiffeBundle::GetRootStack() {
+  if (root_stack_ == nullptr) {
+    return absl::FailedPreconditionError(
+        "root_stack_ has not been initialized");
+  }
+  return *root_stack_;
+}
+
+absl::Status SpiffeBundle::CreateX509Stack() {
+  root_stack_ = std::make_unique<STACK_OF(X509)*>(sk_X509_new_null());
+  absl::Status status = absl::OkStatus();
+  for (const auto& pem_cert : roots_) {
+    auto cert = ParsePemCertificateChain(AddPemBlockWrapping(pem_cert));
+    if (!cert.status().ok()) {
+      status = cert.status();
+      break;
+    }
+    if (cert->size() != 1) {
+      status = absl::InvalidArgumentError("Got a malformed root certificate.");
+      break;
+    }
+    sk_X509_push(*root_stack_, (*cert)[0]);
+  }
+  // If there was an error parsing we don't want a partially filled root stack.
+  if (!status.ok()) {
+    sk_X509_pop_free(*root_stack_, X509_free);
+  }
+  return status;
+}
+
+void SpiffeBundleMap::JsonPostLoad(const Json&, const JsonArgs&,
+                                   ValidationErrors* errors) {
+  {
+    for (auto const& [k, _] : bundles_) {
+      ValidationErrors::ScopedField field(
+          errors, absl::StrCat(".trust_domains[\"", k, "\"]"));
+      absl::Status status = ValidateTrustDomain(k);
+      if (!status.ok()) {
+        errors->AddError(
+            absl::StrCat("invalid trust domain: ", status.ToString()));
+      }
+    }
+  }
+}
+
+absl::StatusOr<SpiffeBundleMap> SpiffeBundleMap::FromFile(
+    absl::string_view file_path) {
+  auto slice = LoadFile(file_path.data(), /*add_null_terminator=*/false);
+  GRPC_RETURN_IF_ERROR(slice.status());
+  auto json = JsonParse(slice->as_string_view());
+  GRPC_RETURN_IF_ERROR(json.status());
+  return LoadFromJson<SpiffeBundleMap>(*json);
+}
+
+absl::StatusOr<absl::Span<const std::string>> SpiffeBundleMap::GetRoots(
+    const absl::string_view trust_domain) {
+  if (auto it = bundles_.find(trust_domain); it != bundles_.end()) {
+    return it->second.GetRoots();
+  }
+  return absl::NotFoundError(absl::StrFormat(
+      "No spiffe bundle found for trust domain %s", trust_domain));
+}
+
+absl::StatusOr<STACK_OF(X509) *> SpiffeBundleMap::GetRootStack(
+    absl::string_view trust_domain) {
+  if (auto it = bundles_.find(trust_domain); it != bundles_.end()) {
+    return it->second.GetRootStack();
+  }
+  return absl::NotFoundError(absl::StrFormat(
+      "No spiffe bundle found for trust domain %s", trust_domain));
+}
+
+}  // namespace grpc_core

data/src/core/credentials/transport/tls/spiffe_utils.h

@@ -0,0 +1,171 @@
+//
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_TLS_SPIFFE_UTILS_H
+#define GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_TLS_SPIFFE_UTILS_H
+
+#include <openssl/stack.h>
+#include <openssl/x509.h>
+
+#include <string>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "src/core/util/json/json.h"
+#include "src/core/util/json/json_object_loader.h"
+
+namespace grpc_core {
+
+// Adds the leading and trailing lines expected for a PEM formatted certificate
+// around the raw base64 certificate data stored in a SPIFFE bundle map.
+std::string AddPemBlockWrapping(absl::string_view spiffe_bundle_root);
+
+// A representation of a SPIFFE ID per the spec:
+// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#the-spiffe-identity-and-verifiable-identity-document
+class SpiffeId final {
+ public:
+  // Parses the input string as a SPIFFE ID, and returns an error status if the
+  // input string is not a valid SPIFFE ID.
+  static absl::StatusOr<SpiffeId> FromString(absl::string_view input);
+  // Returns the trust domain of the SPIFFE ID
+  absl::string_view trust_domain() { return trust_domain_; }
+  // Returns the path of the SPIFFE ID
+  absl::string_view path() { return path_; }
+
+ private:
+  SpiffeId(absl::string_view trust_domain, absl::string_view path)
+      : trust_domain_(trust_domain), path_(path) {}
+  const std::string trust_domain_;
+  const std::string path_;
+};
+
+// An entry in the Key vector of a SPIFFE Bundle following these documents:
+// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#3-spiffe-bundles
+// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+class SpiffeBundleKey final {
+ public:
+  static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+  void JsonPostLoad(const Json& json, const JsonArgs&,
+                    ValidationErrors* errors);
+
+  // Returns the PEM x509 string for the root of trust for this SPIFFE Bundle
+  // entry.
+  absl::string_view GetRoot();
+
+ private:
+  // root_ is the X509 cert that is the root of trust. It is parsed from the x5c
+  // field per the SPIFFE Bundle Spec. In our use case, the x5c field must of of
+  // length 1 and represent a root of trust.
+  // https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#3-spiffe-bundles
+  std::string root_;
+};
+
+// A SPIFFE bundle consists of a trust domain and a set of roots for that trust
+// domain.
+// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#3-spiffe-bundles
+// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+// Not thread-safe
+class SpiffeBundle final {
+ public:
+  // Do not use - only exists to work with the JSON library.
+  // SpiffeBundles should be used by loading a SpiffeBundleMap via
+  // SpiffeBundleMap::FromFile
+  SpiffeBundle() = default;
+  ~SpiffeBundle();
+  SpiffeBundle(const SpiffeBundle& other);
+  SpiffeBundle& operator=(const SpiffeBundle& other);
+
+  static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+  void JsonPostLoad(const Json& json, const JsonArgs&,
+                    ValidationErrors* errors);
+
+  // Returns a vector of the roots in this SPIFFE Bundle.
+  absl::Span<const std::string> GetRoots();
+
+  // The caller does not take ownership of the stack of roots.
+  // The caller MUST NOT mutate this value.
+  absl::StatusOr<STACK_OF(X509) *> GetRootStack();
+
+  bool operator==(const SpiffeBundle& other) const {
+    // For our purposes SPIFFE Bundles are equal if their roots are the same.
+    return roots_ == other.roots_;
+  }
+
+  bool operator!=(const SpiffeBundle& other) const {
+    return roots_ != other.roots_;
+  }
+
+ private:
+  // Constructs the `root_stack_` OpenSSL representation of the roots.
+  absl::Status CreateX509Stack();
+
+  std::vector<std::string> roots_;
+  std::unique_ptr<STACK_OF(X509)*> root_stack_;
+};
+
+// A map of SPIFFE bundles keyed to trust domains. This functions as a map of a
+// given trust domain to the root certificates that should be used when
+// validating certificates in this trust domain.
+// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
+// Only configuring X509 roots is supported.
+// Not thread-safe
+class SpiffeBundleMap final {
+ public:
+  static const JsonLoaderInterface* JsonLoader(const JsonArgs&);
+  void JsonPostLoad(const Json& json, const JsonArgs&,
+                    ValidationErrors* errors);
+
+  // Loads a SPIFFE Bundle Map from a json file representation. Returns a bad
+  // status if there is a problem while loading the file and parsing the JSON. A
+  // returned value represents a valid and SPIFFE Bundle Map.
+  // The only supported use is configuring X509 roots for a given trust domain -
+  // no other SPIFFE Bundle configurations are supported.
+  static absl::StatusOr<SpiffeBundleMap> FromFile(absl::string_view file_path);
+
+  // Returns the roots for a given trust domain in the SPIFFE Bundle Map.
+  absl::StatusOr<absl::Span<const std::string>> GetRoots(
+      absl::string_view trust_domain);
+
+  // The caller does not take ownership of the stack of roots.
+  absl::StatusOr<STACK_OF(X509) *> GetRootStack(
+      const absl::string_view trust_domain);
+  size_t size() const { return bundles_.size(); }
+
+  bool operator==(const SpiffeBundleMap& other) const {
+    return bundles_ == other.bundles_;
+  }
+
+  bool operator!=(const SpiffeBundleMap& other) const {
+    return bundles_ != other.bundles_;
+  }
+
+ private:
+  struct StringCmp {
+    using is_transparent = void;
+    bool operator()(absl::string_view a, absl::string_view b) const {
+      return a < b;
+    }
+  };
+
+  std::map<std::string, SpiffeBundle, StringCmp> bundles_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_TLS_SPIFFE_UTILS_H

data/src/core/credentials/transport/tls/ssl_utils.cc

@@ -427,16 +427,19 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 }
 
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
-    tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
+    tsi_ssl_pem_key_cert_pair* pem_key_cert_pair,
+    std::shared_ptr<RootCertInfo> root_cert_info,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
     const char* crl_directory,
     std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
-  const char* root_certs;
-  const tsi_ssl_root_certs_store* root_store;
-  if (pem_root_certs == nullptr && !skip_server_certificate_verification) {
+  const char* root_certs = nullptr;
+  const tsi_ssl_root_certs_store* root_store = nullptr;
+  tsi_ssl_client_handshaker_options options;
+  bool roots_are_configured = root_cert_info != nullptr;
+  if (!roots_are_configured && !skip_server_certificate_verification) {
     GRPC_TRACE_LOG(tsi, INFO)
         << "No root certificates specified; use ones stored in system "
            "default locations instead";
@@ -447,15 +450,13 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
       return GRPC_SECURITY_ERROR;
     }
     root_store = grpc_core::DefaultSslRootStore::GetRootStore();
+    options.root_cert_info = std::make_shared<RootCertInfo>(root_certs);
   } else {
-    root_certs = pem_root_certs;
-    root_store = nullptr;
+    options.root_cert_info = std::move(root_cert_info);
   }
   bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
                            pem_key_cert_pair->private_key != nullptr &&
                            pem_key_cert_pair->cert_chain != nullptr;
-  tsi_ssl_client_handshaker_options options;
-  options.pem_root_certs = root_certs;
   options.root_store = root_store;
   options.alpn_protocols =
       grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
@@ -485,7 +486,7 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
-    const char* pem_root_certs,
+    std::shared_ptr<RootCertInfo> root_cert_info,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -498,7 +499,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   tsi_ssl_server_handshaker_options options;
   options.pem_key_cert_pairs = pem_key_cert_pairs;
   options.num_key_cert_pairs = num_key_cert_pairs;
-  options.pem_client_root_certs = pem_root_certs;
   options.client_certificate_request =
       grpc_get_tsi_client_certificate_request_type(client_certificate_request);
   options.cipher_suites = grpc_get_ssl_cipher_suites();
@@ -510,6 +510,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.crl_directory = crl_directory;
   options.crl_provider = std::move(crl_provider);
   options.send_client_ca_list = send_client_ca_list;
+  options.root_cert_info = std::move(root_cert_info);
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

data/src/core/credentials/transport/tls/ssl_utils.h

@@ -34,6 +34,7 @@
 #include "absl/status/status.h"
 #include "absl/strings/string_view.h"
 #include "src/core/credentials/transport/security_connector.h"
+#include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
 #include "src/core/tsi/ssl_transport_security.h"
@@ -84,7 +85,8 @@ const char** ParseAlpnStringIntoArray(absl::string_view preferred_protocols,
 
 // Initialize TSI SSL server/client handshaker factory.
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
-    tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
+    tsi_ssl_pem_key_cert_pair* key_cert_pair,
+    std::shared_ptr<RootCertInfo> root_cert_info,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -94,7 +96,7 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
-    const char* pem_root_certs,
+    std::shared_ptr<RootCertInfo> root_cert_info,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,

data/src/core/credentials/transport/tls/tls_credentials.cc

@@ -154,6 +154,7 @@ grpc_core::UniqueTypeName TlsServerCredentials::Type() {
 grpc_channel_credentials* grpc_tls_credentials_create(
     grpc_tls_credentials_options* options) {
   if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
+    LOG(ERROR) << "TLS credentials options sanity check failed.";
     return nullptr;
   }
   return new TlsCredentials(
@@ -163,6 +164,7 @@ grpc_channel_credentials* grpc_tls_credentials_create(
 grpc_server_credentials* grpc_tls_server_credentials_create(
     grpc_tls_credentials_options* options) {
   if (!CredentialOptionSanityCheck(options, false /* is_client */)) {
+    LOG(ERROR) << "TLS server credentials options sanity check failed.";
     return nullptr;
   }
   return new TlsServerCredentials(