grpc 1.78.1 → 1.80.0

data/src/core/credentials/transport/tls/grpc_tls_certificate_provider.cc

@@ -23,8 +23,10 @@
 #include <stdint.h>
 #include <time.h>
 
-#include <algorithm>
+#include <memory>
+#include <optional>
 #include <utility>
+#include <variant>
 #include <vector>
 
 #include "src/core/credentials/transport/tls/spiffe_utils.h"
@@ -33,13 +35,12 @@
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/exec_ctx.h"
 #include "src/core/lib/slice/slice.h"
-#include "src/core/lib/slice/slice_internal.h"
 #include "src/core/tsi/ssl_transport_security_utils.h"
+#include "src/core/util/down_cast.h"
 #include "src/core/util/grpc_check.h"
 #include "src/core/util/load_file.h"
 #include "src/core/util/match.h"
 #include "src/core/util/stat.h"
-#include "src/core/util/status_helper.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/string_view.h"
@@ -47,14 +48,14 @@
 namespace grpc_core {
 namespace {
 
-absl::Status ValidateRootCertificates(const RootCertInfo* root_cert_info) {
+absl::Status ValidateRootCertificates(const tsi::RootCertInfo* root_cert_info) {
   if (root_cert_info == nullptr) return absl::OkStatus();
   return Match(
       *root_cert_info,
       [&](const std::string& root_certificates) {
         if (root_certificates.empty()) return absl::OkStatus();
         absl::StatusOr<std::vector<X509*>> parsed_roots =
-            ParsePemCertificateChain(root_certificates);
+            tsi::ParsePemCertificateChain(root_certificates);
         if (!parsed_roots.ok()) {
           return absl::Status(
               parsed_roots.status().code(),
@@ -74,11 +75,13 @@ absl::Status ValidateRootCertificates(const RootCertInfo* root_cert_info) {
 }
 
 absl::Status ValidatePemKeyCertPair(absl::string_view cert_chain,
-                                    absl::string_view private_key) {
-  if (cert_chain.empty() && private_key.empty()) return absl::OkStatus();
+                                    const PrivateKey& private_key) {
+  if (cert_chain.empty() && IsPrivateKeyEmpty(private_key)) {
+    return absl::OkStatus();
+  }
   // Check that the cert chain consists of valid PEM blocks.
   absl::StatusOr<std::vector<X509*>> parsed_certs =
-      ParsePemCertificateChain(cert_chain);
+      tsi::ParsePemCertificateChain(cert_chain);
   if (!parsed_certs.ok()) {
     return absl::Status(
         parsed_certs.status().code(),
@@ -88,9 +91,12 @@ absl::Status ValidatePemKeyCertPair(absl::string_view cert_chain,
   for (X509* x509 : *parsed_certs) {
     X509_free(x509);
   }
+  const std::string* private_key_string =
+      std::get_if<std::string>(&private_key);
+  if (private_key_string == nullptr) return absl::OkStatus();
   // Check that the private key consists of valid PEM blocks.
   absl::StatusOr<EVP_PKEY*> parsed_private_key =
-      ParsePemPrivateKey(private_key);
+      tsi::ParsePemPrivateKey(*private_key_string);
   if (!parsed_private_key.ok()) {
     return absl::Status(parsed_private_key.status().code(),
                         absl::StrCat("Failed to parse private key as PEM: ",
@@ -101,8 +107,8 @@ absl::Status ValidatePemKeyCertPair(absl::string_view cert_chain,
 }
 
 bool HasRootCertInfoChanged(
-    const absl::StatusOr<std::shared_ptr<RootCertInfo>>& old,
-    const absl::StatusOr<std::shared_ptr<RootCertInfo>>& updated) {
+    const absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>>& old,
+    const absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>>& updated) {
   if (old.status() != updated.status()) return true;  // Status changed.
   if (!old.ok()) return false;  // Both have same non-OK status.
   // Both have OK status.
@@ -112,84 +118,6 @@ bool HasRootCertInfoChanged(
   return **old != **updated;
 }
 
-}  // namespace
-
-StaticDataCertificateProvider::StaticDataCertificateProvider(
-    std::string root_certificate, PemKeyCertPairList pem_key_cert_pairs)
-    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()),
-      root_cert_info_(std::make_shared<RootCertInfo>(root_certificate)),
-      pem_key_cert_pairs_(std::move(pem_key_cert_pairs)) {
-  distributor_->SetWatchStatusCallback([this](std::string cert_name,
-                                              bool root_being_watched,
-                                              bool identity_being_watched) {
-    MutexLock lock(&mu_);
-    std::shared_ptr<RootCertInfo> root_cert_info;
-    std::optional<PemKeyCertPairList> pem_key_cert_pairs;
-    StaticDataCertificateProvider::WatcherInfo& info = watcher_info_[cert_name];
-    if (!info.root_being_watched && root_being_watched &&
-        !IsRootCertInfoEmpty(root_cert_info_.get())) {
-      root_cert_info = root_cert_info_;
-    }
-    info.root_being_watched = root_being_watched;
-    if (!info.identity_being_watched && identity_being_watched &&
-        !pem_key_cert_pairs_.empty()) {
-      pem_key_cert_pairs = pem_key_cert_pairs_;
-    }
-    info.identity_being_watched = identity_being_watched;
-    if (!info.root_being_watched && !info.identity_being_watched) {
-      watcher_info_.erase(cert_name);
-    }
-    const bool root_has_update = root_cert_info != nullptr;
-    const bool identity_has_update = pem_key_cert_pairs.has_value();
-    if (root_has_update || identity_has_update) {
-      distributor_->SetKeyMaterials(cert_name, std::move(root_cert_info),
-                                    std::move(pem_key_cert_pairs));
-    }
-    grpc_error_handle root_cert_error;
-    grpc_error_handle identity_cert_error;
-    if (root_being_watched && !root_has_update) {
-      root_cert_error =
-          GRPC_ERROR_CREATE("Unable to get latest root certificates.");
-    }
-    if (identity_being_watched && !identity_has_update) {
-      identity_cert_error =
-          GRPC_ERROR_CREATE("Unable to get latest identity certificates.");
-    }
-    if (!root_cert_error.ok() || !identity_cert_error.ok()) {
-      distributor_->SetErrorForCert(cert_name, root_cert_error,
-                                    identity_cert_error);
-    }
-  });
-}
-
-StaticDataCertificateProvider::~StaticDataCertificateProvider() {
-  // Reset distributor's callback to make sure the callback won't be invoked
-  // again after this object(provider) is destroyed.
-  distributor_->SetWatchStatusCallback(nullptr);
-}
-
-UniqueTypeName StaticDataCertificateProvider::type() const {
-  static UniqueTypeName::Factory kFactory("StaticData");
-  return kFactory.Create();
-}
-
-absl::Status StaticDataCertificateProvider::ValidateCredentials() const {
-  absl::Status status = ValidateRootCertificates(root_cert_info_.get());
-  if (!status.ok()) {
-    return status;
-  }
-  for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
-    absl::Status status =
-        ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
-    if (!status.ok()) {
-      return status;
-    }
-  }
-  return absl::OkStatus();
-}
-
-namespace {
-
 gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) {
   return gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
                       gpr_time_from_seconds(seconds, GPR_TIMESPAN));
@@ -244,7 +172,7 @@ FileWatcherCertificateProvider::FileWatcherCertificateProvider(
                                               bool root_being_watched,
                                               bool identity_being_watched) {
     MutexLock lock(&mu_);
-    absl::StatusOr<std::shared_ptr<RootCertInfo>> roots = nullptr;
+    absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>> roots = nullptr;
     std::optional<PemKeyCertPairList> pem_key_cert_pairs;
     FileWatcherCertificateProvider::WatcherInfo& info =
         watcher_info_[cert_name];
@@ -316,12 +244,12 @@ absl::Status FileWatcherCertificateProvider::ValidateCredentials() const {
 }
 
 void FileWatcherCertificateProvider::ForceUpdate() {
-  absl::StatusOr<std::shared_ptr<RootCertInfo>> root_cert_info = nullptr;
+  absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>> root_cert_info = nullptr;
   std::optional<PemKeyCertPairList> pem_key_cert_pairs;
   if (!spiffe_bundle_map_path_.empty()) {
     auto map = SpiffeBundleMap::FromFile(spiffe_bundle_map_path_);
     if (map.ok()) {
-      root_cert_info = std::make_shared<RootCertInfo>(std::move(*map));
+      root_cert_info = std::make_shared<tsi::RootCertInfo>(std::move(*map));
     } else {
       root_cert_info = absl::InvalidArgumentError(
           absl::StrFormat("spiffe bundle map file %s failed to load: %s",
@@ -332,7 +260,7 @@ void FileWatcherCertificateProvider::ForceUpdate() {
         ReadRootCertificatesFromFile(root_cert_path_);
     if (root_certificate.has_value()) {
       root_cert_info =
-          std::make_shared<RootCertInfo>(std::move(*root_certificate));
+          std::make_shared<tsi::RootCertInfo>(std::move(*root_certificate));
     }
   }
   if (!private_key_path_.empty()) {
@@ -365,7 +293,7 @@ void FileWatcherCertificateProvider::ForceUpdate() {
     for (const auto& p : watcher_info_) {
       const std::string& cert_name = p.first;
       const WatcherInfo& info = p.second;
-      std::shared_ptr<RootCertInfo> root_to_report;
+      std::shared_ptr<tsi::RootCertInfo> root_to_report;
       std::optional<PemKeyCertPairList> identity_to_report;
       // Set key materials to the distributor if their contents changed.
       if (info.root_being_watched && root_changed) {
@@ -488,27 +416,140 @@ int64_t FileWatcherCertificateProvider::TestOnlyGetRefreshIntervalSecond()
   return refresh_interval_sec_;
 }
 
-}  // namespace grpc_core
+InMemoryCertificateProvider::InMemoryCertificateProvider()
+    : distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
+  distributor_->SetWatchStatusCallback([this](std::string cert_name,
+                                              bool root_being_watched,
+                                              bool identity_being_watched) {
+    MutexLock lock(&mu_);
+    std::shared_ptr<tsi::RootCertInfo> roots;
+    std::optional<PemKeyCertPairList> pem_key_cert_pairs;
+    WatcherInfo& info = watcher_info_[cert_name];
+    if (!info.root_being_watched && root_being_watched &&
+        root_certificates_.ok() && *root_certificates_ != nullptr) {
+      roots = *root_certificates_;
+    }
+    info.root_being_watched = root_being_watched;
+    if (!info.identity_being_watched && identity_being_watched &&
+        !pem_key_cert_pairs_.empty()) {
+      pem_key_cert_pairs = pem_key_cert_pairs_;
+    }
+    info.identity_being_watched = identity_being_watched;
+    if (!info.root_being_watched && !info.identity_being_watched) {
+      watcher_info_.erase(cert_name);
+    }
+    if (roots != nullptr || pem_key_cert_pairs.has_value()) {
+      distributor_->SetKeyMaterials(cert_name, roots, pem_key_cert_pairs);
+    }
+    grpc_error_handle root_cert_error;
+    grpc_error_handle identity_cert_error;
+    if (root_being_watched && roots == nullptr) {
+      root_cert_error =
+          GRPC_ERROR_CREATE("Unable to get latest root certificates.");
+    }
+    if (identity_being_watched && !pem_key_cert_pairs.has_value()) {
+      identity_cert_error =
+          GRPC_ERROR_CREATE("Unable to get latest identity certificates.");
+    }
+    if (!root_cert_error.ok() || !identity_cert_error.ok()) {
+      distributor_->SetErrorForCert(cert_name, root_cert_error,
+                                    identity_cert_error);
+    }
+  });
+}
 
-/// -- Wrapper APIs declared in grpc_security.h -- *
+absl::Status InMemoryCertificateProvider::Update(
+    std::optional<std::shared_ptr<tsi::RootCertInfo>> root_cert_info,
+    std::optional<const PemKeyCertPairList> pem_key_cert_pairs) {
+  MutexLock lock(&mu_);
+  const bool root_changed =
+      root_cert_info.has_value() &&
+      HasRootCertInfoChanged(root_certificates_, *root_cert_info);
+  if (root_changed) {
+    root_certificates_ = std::move(*root_cert_info);
+  }
+  const bool identity_cert_changed = pem_key_cert_pairs.has_value() &&
+                                     pem_key_cert_pairs_ != pem_key_cert_pairs;
+  if (identity_cert_changed) {
+    pem_key_cert_pairs_ = *pem_key_cert_pairs;
+  }
+  if (root_changed || identity_cert_changed) {
+    grpc_error_handle root_cert_error =
+        GRPC_ERROR_CREATE("Unable to get latest root certificates.");
+    grpc_error_handle identity_cert_error =
+        GRPC_ERROR_CREATE("Unable to get latest identity certificates.");
+    for (const auto& p : watcher_info_) {
+      const std::string& cert_name = p.first;
+      const WatcherInfo& info = p.second;
+      std::shared_ptr<tsi::RootCertInfo> root_to_report;
+      std::optional<PemKeyCertPairList> identity_to_report;
+      // Set key materials to the distributor if their contents changed.
+      if (info.root_being_watched && root_changed) {
+        root_to_report =
+            root_certificates_.ok() ? *root_certificates_ : nullptr;
+      }
+      if (info.identity_being_watched && !pem_key_cert_pairs_.empty() &&
+          identity_cert_changed) {
+        identity_to_report = pem_key_cert_pairs_;
+      }
+      if (root_to_report != nullptr || identity_to_report.has_value()) {
+        distributor_->SetKeyMaterials(cert_name, std::move(root_to_report),
+                                      std::move(identity_to_report));
+      }
+      // Report errors to the distributor if the contents are empty.
+      const bool report_root_error =
+          info.root_being_watched &&
+          (!root_certificates_.ok() || *root_certificates_ == nullptr);
+      const bool report_identity_error =
+          info.identity_being_watched && pem_key_cert_pairs_.empty();
+      if (report_root_error || report_identity_error) {
+        distributor_->SetErrorForCert(
+            cert_name, report_root_error ? root_cert_error : absl::OkStatus(),
+            report_identity_error ? identity_cert_error : absl::OkStatus());
+      }
+    }
+  }
+  return absl::OkStatus();
+}
 
-grpc_tls_certificate_provider* grpc_tls_certificate_provider_static_data_create(
-    const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs) {
-  GRPC_CHECK(root_certificate != nullptr || pem_key_cert_pairs != nullptr);
-  grpc_core::ExecCtx exec_ctx;
-  grpc_core::PemKeyCertPairList identity_pairs_core;
-  if (pem_key_cert_pairs != nullptr) {
-    identity_pairs_core = std::move(pem_key_cert_pairs->pem_key_cert_pairs);
-    delete pem_key_cert_pairs;
+absl::Status InMemoryCertificateProvider::ValidateCredentials() const {
+  MutexLock lock(&mu_);
+  if (!root_certificates_.ok()) {
+    return root_certificates_.status();
   }
-  std::string root_cert_core;
-  if (root_certificate != nullptr) {
-    root_cert_core = root_certificate;
+  absl::Status status = ValidateRootCertificates(root_certificates_->get());
+  if (!status.ok()) {
+    return status;
+  }
+  for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
+    absl::Status status =
+        ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
+    if (!status.ok()) {
+      return status;
+    }
   }
-  return new grpc_core::StaticDataCertificateProvider(
-      std::move(root_cert_core), std::move(identity_pairs_core));
+  return absl::OkStatus();
 }
 
+absl::Status InMemoryCertificateProvider::UpdateRoot(
+    std::shared_ptr<tsi::RootCertInfo> root_certificates) {
+  return Update(root_certificates, std::nullopt);
+}
+
+absl::Status InMemoryCertificateProvider::UpdateIdentityKeyCertPair(
+    const PemKeyCertPairList& pem_key_cert_pairs) {
+  return Update(std::nullopt, pem_key_cert_pairs);
+}
+
+UniqueTypeName InMemoryCertificateProvider::type() const {
+  static UniqueTypeName::Factory kFactory("InMemory");
+  return kFactory.Create();
+}
+
+}  // namespace grpc_core
+
+/// -- Wrapper APIs declared in grpc_security.h -- *
+
 grpc_tls_certificate_provider*
 grpc_tls_certificate_provider_file_watcher_create(
     const char* private_key_path, const char* identity_certificate_path,
@@ -523,6 +564,37 @@ grpc_tls_certificate_provider_file_watcher_create(
       refresh_interval_sec);
 }
 
+grpc_tls_certificate_provider*
+grpc_tls_certificate_provider_in_memory_create() {
+  grpc_core::ExecCtx exec_ctx;
+  return new grpc_core::InMemoryCertificateProvider();
+}
+
+bool grpc_tls_certificate_provider_in_memory_set_root_certificate(
+    grpc_tls_certificate_provider* provider, const char* root_cert) {
+  grpc_core::ExecCtx exec_ctx;
+  auto in_memory_provider =
+      grpc_core::DownCast<grpc_core::InMemoryCertificateProvider*>(provider);
+  return in_memory_provider
+      ->UpdateRoot(std::make_shared<tsi::RootCertInfo>(root_cert))
+      .ok();
+}
+
+bool grpc_tls_certificate_provider_in_memory_set_identity_certificate(
+    grpc_tls_certificate_provider* provider,
+    grpc_tls_identity_pairs* pem_key_cert_pairs) {
+  grpc_core::ExecCtx exec_ctx;
+  grpc_core::PemKeyCertPairList identity_pairs_core;
+  if (pem_key_cert_pairs != nullptr) {
+    identity_pairs_core = std::move(pem_key_cert_pairs->pem_key_cert_pairs);
+    delete pem_key_cert_pairs;
+  }
+  auto in_memory_provider =
+      grpc_core::DownCast<grpc_core::InMemoryCertificateProvider*>(provider);
+  return in_memory_provider->UpdateIdentityKeyCertPair(identity_pairs_core)
+      .ok();
+}
+
 void grpc_tls_certificate_provider_release(
     grpc_tls_certificate_provider* provider) {
   GRPC_TRACE_LOG(api, INFO)

data/src/core/credentials/transport/tls/grpc_tls_certificate_provider.h

@@ -27,7 +27,6 @@
 #include <string>
 
 #include "src/core/credentials/transport/tls/grpc_tls_certificate_distributor.h"
-#include "src/core/credentials/transport/tls/spiffe_utils.h"
 #include "src/core/credentials/transport/tls/ssl_utils.h"
 #include "src/core/util/grpc_check.h"
 #include "src/core/util/ref_counted.h"
@@ -91,46 +90,6 @@ struct grpc_tls_certificate_provider
 
 namespace grpc_core {
 
-// A basic provider class that will get credentials from string during
-// initialization.
-class StaticDataCertificateProvider final
-    : public grpc_tls_certificate_provider {
- public:
-  StaticDataCertificateProvider(std::string root_certificate,
-                                PemKeyCertPairList pem_key_cert_pairs);
-
-  ~StaticDataCertificateProvider() override;
-
-  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
-    return distributor_;
-  }
-
-  UniqueTypeName type() const override;
-
-  absl::Status ValidateCredentials() const;
-
- private:
-  struct WatcherInfo {
-    bool root_being_watched = false;
-    bool identity_being_watched = false;
-  };
-
-  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
-    // TODO(yashykt): Maybe do something better here.
-    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
-                        other);
-  }
-
-  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
-  std::shared_ptr<RootCertInfo> root_cert_info_;
-  PemKeyCertPairList pem_key_cert_pairs_;
-  // Guards members below.
-  Mutex mu_;
-  // Stores each cert_name we get from the distributor callback and its watcher
-  // information.
-  std::map<std::string, WatcherInfo> watcher_info_;
-};
-
 // A provider class that will watch the credential changes on the file system.
 class FileWatcherCertificateProvider final
     : public grpc_tls_certificate_provider {
@@ -201,13 +160,67 @@ class FileWatcherCertificateProvider final
   // - Otherwise, holds either a SpiffeBundleMap or a string root cert
   // TODO(gtcooke94) - refactor the handling for string root cert files such
   // that their failure is a non-ok status rather than a nullptr
-  absl::StatusOr<std::shared_ptr<RootCertInfo>> root_cert_info_
+  absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>> root_cert_info_
       ABSL_GUARDED_BY(mu_) = nullptr;
   // Stores each cert_name we get from the distributor callback and its watcher
   // information.
   std::map<std::string, WatcherInfo> watcher_info_ ABSL_GUARDED_BY(mu_);
 };
 
+// Implements a provider that uses in-memory data that can be modified in a
+// thread-safe manner.
+class InMemoryCertificateProvider final : public grpc_tls_certificate_provider {
+ public:
+  InMemoryCertificateProvider();
+  InMemoryCertificateProvider(const InMemoryCertificateProvider&) = delete;
+  InMemoryCertificateProvider(InMemoryCertificateProvider&&) = delete;
+  InMemoryCertificateProvider& operator=(const InMemoryCertificateProvider&) =
+      delete;
+  InMemoryCertificateProvider& operator=(InMemoryCertificateProvider&&) =
+      delete;
+
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
+    return distributor_;
+  }
+
+  UniqueTypeName type() const override;
+  absl::Status ValidateCredentials() const;
+
+  // Update the certificate information for this provider.
+  // Users should verify the status retuned to confirm that the update was
+  // successful.
+  absl::Status UpdateRoot(std::shared_ptr<tsi::RootCertInfo> root_certificates);
+  absl::Status UpdateIdentityKeyCertPair(
+      const PemKeyCertPairList& pem_key_cert_pairs);
+
+ private:
+  struct WatcherInfo {
+    bool root_being_watched = false;
+    bool identity_being_watched = false;
+  };
+
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
+  absl::Status Update(
+      std::optional<std::shared_ptr<tsi::RootCertInfo>> root_cert_info,
+      std::optional<const PemKeyCertPairList> pem_key_cert_pairs);
+
+  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
+
+  // Guards pem_key_cert_pairs_, root_certificates_ and watcher_info_.
+  mutable Mutex mu_;
+  // The most-recent credential data. It will be empty if the most recent read
+  // attempt failed.
+  PemKeyCertPairList pem_key_cert_pairs_ ABSL_GUARDED_BY(mu_);
+  absl::StatusOr<std::shared_ptr<tsi::RootCertInfo>> root_certificates_
+      ABSL_GUARDED_BY(mu_);
+  // Stores each cert_name we get from the distributor callback and its watcher
+  // information.
+  std::map<std::string, WatcherInfo> watcher_info_ ABSL_GUARDED_BY(mu_);
+};
+
 //  Checks if the private key matches the certificate's public key.
 //  Returns a not-OK status on failure, or a bool indicating
 //  whether the key/cert pair matches.

data/src/core/credentials/transport/tls/grpc_tls_credentials_options.cc

@@ -30,7 +30,7 @@
 #include "src/core/util/grpc_check.h"
 #include "absl/log/log.h"
 
-/// -- Wrapper APIs declared in grpc_security.h -- *
+/// -- Wrapper APIs declared in credentials.h -- *
 
 grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
   grpc_core::ExecCtx exec_ctx;
@@ -61,34 +61,12 @@ void grpc_tls_credentials_options_set_verify_server_cert(
   options->set_verify_server_cert(verify_server_cert);
 }
 
-void grpc_tls_credentials_options_set_certificate_provider(
-    grpc_tls_credentials_options* options,
-    grpc_tls_certificate_provider* provider) {
-  GRPC_CHECK_NE(options, nullptr);
-  GRPC_CHECK_NE(provider, nullptr);
-  grpc_core::ExecCtx exec_ctx;
-  options->set_certificate_provider(
-      provider->Ref(DEBUG_LOCATION, "set_certificate_provider"));
-}
-
-void grpc_tls_credentials_options_watch_root_certs(
-    grpc_tls_credentials_options* options) {
-  GRPC_CHECK_NE(options, nullptr);
-  options->set_watch_root_cert(true);
-}
-
 void grpc_tls_credentials_options_set_root_cert_name(
     grpc_tls_credentials_options* options, const char* root_cert_name) {
   GRPC_CHECK_NE(options, nullptr);
   options->set_root_cert_name(root_cert_name);
 }
 
-void grpc_tls_credentials_options_watch_identity_key_cert_pairs(
-    grpc_tls_credentials_options* options) {
-  GRPC_CHECK_NE(options, nullptr);
-  options->set_watch_identity_pair(true);
-}
-
 void grpc_tls_credentials_options_set_identity_cert_name(
     grpc_tls_credentials_options* options, const char* identity_cert_name) {
   GRPC_CHECK_NE(options, nullptr);
@@ -159,3 +137,30 @@ void grpc_tls_credentials_options_set_max_tls_version(
   GRPC_CHECK_NE(options, nullptr);
   options->set_max_tls_version(max_tls_version);
 }
+
+void grpc_tls_credentials_options_set_identity_certificate_provider(
+    grpc_tls_credentials_options* options,
+    grpc_tls_certificate_provider* provider) {
+  GRPC_CHECK_NE(options, nullptr);
+  GRPC_CHECK_NE(provider, nullptr);
+  grpc_core::ExecCtx exec_ctx;
+  options->set_identity_certificate_provider(
+      provider->Ref(DEBUG_LOCATION, "set_identity_certificate_provider"));
+}
+
+void grpc_tls_credentials_options_set_root_certificate_provider(
+    grpc_tls_credentials_options* options,
+    grpc_tls_certificate_provider* provider) {
+  GRPC_CHECK_NE(options, nullptr);
+  GRPC_CHECK_NE(provider, nullptr);
+  grpc_core::ExecCtx exec_ctx;
+  options->set_root_certificate_provider(
+      provider->Ref(DEBUG_LOCATION, "set_root_certificate_provider"));
+}
+
+GRPCAPI void grpc_tls_credentials_options_set_sni_override(
+    grpc_tls_credentials_options* options,
+    std::optional<std::string> sni_override) {
+  GRPC_CHECK_NE(options, nullptr);
+  options->set_sni_override(sni_override);
+}