grpc 1.78.0 → 1.80.0.pre1

data/src/core/credentials/transport/ssl/ssl_credentials.cc

@@ -18,16 +18,22 @@
 
 #include "src/core/credentials/transport/ssl/ssl_credentials.h"
 
+#include <grpc/credentials.h>
+#include <grpc/grpc_security.h>
+#include <grpc/grpc_security_constants.h>
 #include <grpc/impl/channel_arg_names.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/port_platform.h>
 #include <grpc/support/string_util.h>
 #include <string.h>
 
+#include <memory>
 #include <optional>
 #include <string>
 #include <utility>
 
+#include "src/core/credentials/transport/security_connector.h"
+#include "src/core/credentials/transport/ssl/ssl_security_connector.h"
 #include "src/core/credentials/transport/tls/ssl_utils.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/debug/trace.h"
@@ -35,6 +41,8 @@
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 #include "src/core/util/grpc_check.h"
+#include "src/core/util/ref_counted_ptr.h"
+#include "src/core/util/unique_type_name.h"
 #include "absl/log/log.h"
 
 //
@@ -68,7 +76,6 @@ grpc_ssl_credentials::grpc_ssl_credentials(
 
 grpc_ssl_credentials::~grpc_ssl_credentials() {
   gpr_free(config_.pem_root_certs);
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pair, 1);
   if (config_.verify_options.verify_peer_destruct != nullptr) {
     config_.verify_options.verify_peer_destruct(
         config_.verify_options.verify_peer_callback_userdata);
@@ -145,14 +152,8 @@ void grpc_ssl_credentials::build_config(
   if (pem_key_cert_pair != nullptr) {
     GRPC_CHECK_NE(pem_key_cert_pair->private_key, nullptr);
     GRPC_CHECK_NE(pem_key_cert_pair->cert_chain, nullptr);
-    config_.pem_key_cert_pair = static_cast<tsi_ssl_pem_key_cert_pair*>(
-        gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair)));
-    config_.pem_key_cert_pair->cert_chain =
-        gpr_strdup(pem_key_cert_pair->cert_chain);
-    config_.pem_key_cert_pair->private_key =
-        gpr_strdup(pem_key_cert_pair->private_key);
-  } else {
-    config_.pem_key_cert_pair = nullptr;
+    config_.pem_key_cert_pair.cert_chain = pem_key_cert_pair->cert_chain;
+    config_.pem_key_cert_pair.private_key = pem_key_cert_pair->private_key;
   }
   if (verify_options != nullptr) {
     memcpy(&config_.verify_options, verify_options,
@@ -184,21 +185,21 @@ grpc_security_status grpc_ssl_credentials::InitializeClientHandshakerFactory(
     return GRPC_SECURITY_OK;
   }
 
-  bool has_key_cert_pair = config->pem_key_cert_pair != nullptr &&
-                           config->pem_key_cert_pair->private_key != nullptr &&
-                           config->pem_key_cert_pair->cert_chain != nullptr;
+  bool has_key_cert_pair =
+      !grpc_core::IsPrivateKeyEmpty(config->pem_key_cert_pair.private_key) &&
+      !config->pem_key_cert_pair.cert_chain.empty();
   tsi_ssl_client_handshaker_options options;
   if (pem_root_certs == nullptr) {
     LOG(ERROR) << "Handshaker factory creation failed. pem_root_certs cannot "
                   "be nullptr";
     return GRPC_SECURITY_ERROR;
   }
-  options.root_cert_info = std::make_shared<RootCertInfo>(pem_root_certs);
+  options.root_cert_info = std::make_shared<tsi::RootCertInfo>(pem_root_certs);
   options.root_store = root_store;
   options.alpn_protocols =
       grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
   if (has_key_cert_pair) {
-    options.pem_key_cert_pair = config->pem_key_cert_pair;
+    options.pem_key_cert_pair = &config->pem_key_cert_pair;
   }
   options.cipher_suites = grpc_get_ssl_cipher_suites();
   options.session_cache = ssl_session_cache;
@@ -271,8 +272,6 @@ grpc_ssl_server_credentials::grpc_ssl_server_credentials(
 }
 
 grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pairs,
-                                          config_.num_key_cert_pairs);
   gpr_free(config_.pem_root_certs);
 }
 grpc_core::RefCountedPtr<grpc_server_security_connector>
@@ -286,20 +285,18 @@ grpc_core::UniqueTypeName grpc_ssl_server_credentials::Type() {
   return kFactory.Create();
 }
 
-tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
+std::vector<tsi_ssl_pem_key_cert_pair> grpc_convert_grpc_to_tsi_cert_pairs(
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
     size_t num_key_cert_pairs) {
-  tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
+  std::vector<tsi_ssl_pem_key_cert_pair> tsi_pairs;
   if (num_key_cert_pairs > 0) {
     GRPC_CHECK_NE(pem_key_cert_pairs, nullptr);
-    tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
-        gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
   }
   for (size_t i = 0; i < num_key_cert_pairs; i++) {
     GRPC_CHECK_NE(pem_key_cert_pairs[i].private_key, nullptr);
     GRPC_CHECK_NE(pem_key_cert_pairs[i].cert_chain, nullptr);
-    tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain);
-    tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key);
+    tsi_pairs.emplace_back(pem_key_cert_pairs[i].private_key,
+                           pem_key_cert_pairs[i].cert_chain);
   }
   return tsi_pairs;
 }
@@ -312,7 +309,6 @@ void grpc_ssl_server_credentials::build_config(
   config_.pem_root_certs = gpr_strdup(pem_root_certs);
   config_.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
       pem_key_cert_pairs, num_key_cert_pairs);
-  config_.num_key_cert_pairs = num_key_cert_pairs;
 }
 
 void grpc_ssl_server_credentials::set_min_tls_version(
@@ -422,7 +418,7 @@ grpc_server_credentials* grpc_ssl_server_credentials_create_ex(
   GRPC_TRACE_LOG(api, INFO)
       << "grpc_ssl_server_credentials_create_ex(pem_root_certs="
       << pem_root_certs << ", pem_key_cert_pairs=" << pem_key_cert_pairs
-      << ", num_key_cert_pairs=" << (unsigned long)num_key_cert_pairs
+      << ", num_key_cert_pairs=" << num_key_cert_pairs
       << ", client_certificate_request=" << client_certificate_request
       << ", reserved=" << reserved << ")";
   GRPC_CHECK_EQ(reserved, nullptr);
@@ -471,3 +467,26 @@ void grpc_ssl_server_credentials_options_destroy(
   grpc_ssl_server_certificate_config_destroy(o->certificate_config);
   gpr_free(o);
 }
+
+namespace {
+
+std::string GetLeafCert(const grpc_auth_context* ctx) {
+  if (ctx == nullptr) return "";
+  grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+      ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME);
+  const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
+  if (prop == nullptr) return "";
+  return std::string(prop->value, prop->value_length);
+}
+
+}  // namespace
+
+bool SslLeafHashComparator(const grpc_auth_context* ctx1,
+                           const grpc_auth_context* ctx2) {
+  std::string cert1 = GetLeafCert(ctx1);
+  std::string cert2 = GetLeafCert(ctx2);
+  // If either cert is empty, we consider them not matching (or not
+  // authenticated). This is a safe default for now.
+  if (cert1.empty() || cert2.empty()) return false;
+  return cert1 == cert2;
+}

data/src/core/credentials/transport/ssl/ssl_credentials.h

@@ -137,8 +137,14 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
   grpc_ssl_server_certificate_config_fetcher certificate_config_fetcher_;
 };
 
-tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
+std::vector<tsi_ssl_pem_key_cert_pair> grpc_convert_grpc_to_tsi_cert_pairs(
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
     size_t num_key_cert_pairs);
 
+// Compares the leaf certificate of the peer in two auth contexts.
+// Returns true if both contexts have the same leaf certificate (PEM).
+// Returns false otherwise.
+bool SslLeafHashComparator(const grpc_auth_context* ctx1,
+                           const grpc_auth_context* ctx2);
+
 #endif  // GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_SSL_SSL_CREDENTIALS_H

data/src/core/credentials/transport/ssl/ssl_security_connector.cc

@@ -241,10 +241,8 @@ class grpc_ssl_server_security_connector
       tsi_ssl_server_handshaker_options options;
       options.pem_key_cert_pairs =
           server_credentials->config().pem_key_cert_pairs;
-      options.num_key_cert_pairs =
-          server_credentials->config().num_key_cert_pairs;
       if (server_credentials->config().pem_root_certs != nullptr) {
-        options.root_cert_info = std::make_shared<RootCertInfo>(
+        options.root_cert_info = std::make_shared<tsi::RootCertInfo>(
             server_credentials->config().pem_root_certs);
       }
       options.client_certificate_request =
@@ -361,10 +359,9 @@ class grpc_ssl_server_security_connector
     tsi_ssl_server_handshaker_options options;
     options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
         config->pem_key_cert_pairs, config->num_key_cert_pairs);
-    options.num_key_cert_pairs = config->num_key_cert_pairs;
     if (config->pem_root_certs != nullptr) {
       options.root_cert_info =
-          std::make_shared<RootCertInfo>(config->pem_root_certs);
+          std::make_shared<tsi::RootCertInfo>(config->pem_root_certs);
     }
     options.client_certificate_request =
         grpc_get_tsi_client_certificate_request_type(
@@ -374,9 +371,6 @@ class grpc_ssl_server_security_connector
     options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
     tsi_result result = tsi_create_ssl_server_handshaker_factory_with_options(
         &options, &new_handshaker_factory);
-    grpc_tsi_ssl_pem_key_cert_pairs_destroy(
-        const_cast<tsi_ssl_pem_key_cert_pair*>(options.pem_key_cert_pairs),
-        options.num_key_cert_pairs);
     gpr_free(alpn_protocol_strings);
 
     if (result != TSI_OK) {

data/src/core/credentials/transport/ssl/ssl_security_connector.h

@@ -25,12 +25,14 @@
 #include <grpc/support/port_platform.h>
 #include <stddef.h>
 
+#include <vector>
+
 #include "src/core/credentials/transport/security_connector.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/util/ref_counted_ptr.h"
 
 struct grpc_ssl_config {
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
+  tsi_ssl_pem_key_cert_pair pem_key_cert_pair;
   char* pem_root_certs;
   verify_peer_options verify_options;
   grpc_tls_version min_tls_version = grpc_tls_version::TLS1_2;
@@ -60,8 +62,7 @@ grpc_ssl_channel_security_connector_create(
 
 // Config for ssl servers.
 struct grpc_ssl_server_config {
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
-  size_t num_key_cert_pairs = 0;
+  std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs;
   char* pem_root_certs = nullptr;
   grpc_ssl_client_certificate_request_type client_certificate_request =
       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;

data/src/core/credentials/transport/tls/grpc_tls_certificate_distributor.cc

@@ -20,17 +20,16 @@
 #include <grpc/grpc_security.h>
 #include <grpc/support/port_platform.h>
 
-#include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/util/grpc_check.h"
 #include "absl/status/status.h"
 
 bool grpc_tls_certificate_distributor::CertificateInfo::AreRootsEmpty() {
-  return IsRootCertInfoEmpty(roots.get());
+  return tsi::IsRootCertInfoEmpty(roots.get());
 }
 
 void grpc_tls_certificate_distributor::SetKeyMaterials(
-    const std::string& cert_name, std::shared_ptr<RootCertInfo> roots,
+    const std::string& cert_name, std::shared_ptr<tsi::RootCertInfo> roots,
     std::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs) {
   GRPC_CHECK(roots != nullptr || pem_key_cert_pairs.has_value());
   grpc_core::MutexLock lock(&mu_);
@@ -67,7 +66,7 @@ void grpc_tls_certificate_distributor::SetKeyMaterials(
       const auto watcher_it = watchers_.find(watcher_ptr);
       GRPC_CHECK(watcher_it != watchers_.end());
       GRPC_CHECK(watcher_it->second.identity_cert_name.has_value());
-      std::shared_ptr<RootCertInfo> roots_to_report;
+      std::shared_ptr<tsi::RootCertInfo> roots_to_report;
       if (roots != nullptr && watcher_it->second.root_cert_name == cert_name) {
         // In this case, We've already sent the credential updates at the time
         // when checking pem_root_certs, so we will skip here.
@@ -190,7 +189,7 @@ void grpc_tls_certificate_distributor::WatchTlsCertificates(
     GRPC_CHECK(watcher_it == watchers_.end());
     watchers_[watcher_ptr] = {std::move(watcher), root_cert_name,
                               identity_cert_name};
-    std::shared_ptr<RootCertInfo> updated_roots;
+    std::shared_ptr<tsi::RootCertInfo> updated_roots;
     std::optional<grpc_core::PemKeyCertPairList> updated_identity_pairs;
     grpc_error_handle root_error;
     grpc_error_handle identity_error;
@@ -336,6 +335,27 @@ void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs,
   pairs->pem_key_cert_pairs.emplace_back(private_key, cert_chain);
 }
 
+absl::Status grpc_tls_identity_pairs_add_pair_with_signer(
+    grpc_tls_identity_pairs* pairs,
+    std::shared_ptr<grpc_core::PrivateKeySigner> private_key_signer,
+    absl::string_view cert_chain) {
+#ifndef OPENSSL_IS_BORINGSSL
+  return absl::UnimplementedError(
+      "grpc_tls_identity_pairs_add_pair_with_signer is only supported with "
+      "BoringSSL.");
+#else
+  if (pairs == nullptr) {
+    return absl::InvalidArgumentError("pairs must not be null.");
+  }
+  if (private_key_signer == nullptr) {
+    return absl::InvalidArgumentError("private_key_signer must not be null.");
+  }
+  pairs->pem_key_cert_pairs.emplace_back(std::move(private_key_signer),
+                                         cert_chain);
+  return absl::OkStatus();
+#endif
+}
+
 void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs) {
   GRPC_CHECK_NE(pairs, nullptr);
   delete pairs;

data/src/core/credentials/transport/tls/grpc_tls_certificate_distributor.h

@@ -27,20 +27,22 @@
 #include <string>
 #include <utility>
 
-#include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/credentials/transport/tls/ssl_utils.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/util/ref_counted.h"
 #include "src/core/util/sync.h"
 #include "absl/base/thread_annotations.h"
-#include "absl/strings/string_view.h"
 
 struct grpc_tls_identity_pairs {
   grpc_core::PemKeyCertPairList pem_key_cert_pairs;
 };
 
 // TLS certificate distributor.
+// TODO(anasalazar): Since there are no use-cases where we need to update root
+// and identity certs as an atomic unit, the flow of the certs through the cert
+// providers and to the TLS security connector can be greatly simplified. We may
+// even be able to remove the distributor code completely.
 struct grpc_tls_certificate_distributor
     : public grpc_core::RefCounted<grpc_tls_certificate_distributor> {
  public:
@@ -59,7 +61,7 @@ struct grpc_tls_certificate_distributor
     // @param key_cert_pairs the contents of the reloaded identity key-cert
     // pairs.
     virtual void OnCertificatesChanged(
-        std::shared_ptr<RootCertInfo> roots,
+        std::shared_ptr<tsi::RootCertInfo> roots,
         std::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) = 0;
 
     // Handles an error that occurs while attempting to fetch certificate data.
@@ -87,7 +89,7 @@ struct grpc_tls_certificate_distributor
   // the SpiffeBundleMap.
   // @param pem_key_cert_pairs The content of identity key-cert pairs.
   void SetKeyMaterials(
-      const std::string& cert_name, std::shared_ptr<RootCertInfo> roots,
+      const std::string& cert_name, std::shared_ptr<tsi::RootCertInfo> roots,
       std::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs);
 
   bool HasRootCerts(const std::string& root_cert_name);
@@ -174,7 +176,7 @@ struct grpc_tls_certificate_distributor
   // root certs, while pem_root_certs still contains the valid old data.
   struct CertificateInfo {
     // The contents of the root certificates.
-    std::shared_ptr<RootCertInfo> roots;
+    std::shared_ptr<tsi::RootCertInfo> roots;
     // The contents of the identity key-certificate pairs.
     grpc_core::PemKeyCertPairList pem_key_cert_pairs;
     // TODO(gtcooke94) Swap to using absl::StatusOr<>