grpc 1.78.1 → 1.80.0

data/src/core/credentials/transport/tls/grpc_tls_credentials_options.h

@@ -52,20 +52,24 @@ struct grpc_tls_credentials_options
     return certificate_verifier_.get();
   }
   bool check_call_host() const { return check_call_host_; }
-  // Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.
-  grpc_tls_certificate_distributor* certificate_distributor() {
-    if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
-    return nullptr;
-  }
-  bool watch_root_cert() const { return watch_root_cert_; }
   const std::string& root_cert_name() const { return root_cert_name_; }
-  bool watch_identity_pair() const { return watch_identity_pair_; }
   const std::string& identity_cert_name() const { return identity_cert_name_; }
   const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
   const std::string& crl_directory() const { return crl_directory_; }
   // Returns the CRL Provider
   std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider() const { return crl_provider_; }
   bool send_client_ca_list() const { return send_client_ca_list_; }
+  // Returns the distributor from identity_certificate_provider_ if it is set, nullptr otherwise.
+  grpc_tls_certificate_distributor* identity_certificate_distributor() {
+    if (identity_certificate_provider_ != nullptr) { return identity_certificate_provider_->distributor().get(); }
+    return nullptr;
+  }
+  // Returns the distributor from root_certificate_provider_ if it is set, nullptr otherwise.
+  grpc_tls_certificate_distributor* root_certificate_distributor() {
+    if (root_certificate_provider_ != nullptr) { return root_certificate_provider_->distributor().get(); }
+    return nullptr;
+  }
+  const std::optional<std::string>& sni_override() const { return sni_override_; }
 
   // Setters for member fields.
   void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
@@ -74,13 +78,8 @@ struct grpc_tls_credentials_options
   void set_max_tls_version(grpc_tls_version max_tls_version) { max_tls_version_ = max_tls_version; }
   void set_certificate_verifier(grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier) { certificate_verifier_ = std::move(certificate_verifier); }
   void set_check_call_host(bool check_call_host) { check_call_host_ = check_call_host; }
-  void set_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider) { certificate_provider_ = std::move(certificate_provider); }
-  // If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.
-  void set_watch_root_cert(bool watch_root_cert) { watch_root_cert_ = watch_root_cert; }
   // Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.
   void set_root_cert_name(std::string root_cert_name) { root_cert_name_ = std::move(root_cert_name); }
-  // If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.
-  void set_watch_identity_pair(bool watch_identity_pair) { watch_identity_pair_ = watch_identity_pair; }
   // Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.
   void set_identity_cert_name(std::string identity_cert_name) { identity_cert_name_ = std::move(identity_cert_name); }
   void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
@@ -88,6 +87,10 @@ struct grpc_tls_credentials_options
   void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
   void set_crl_provider(std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider) { crl_provider_ = std::move(crl_provider); }
   void set_send_client_ca_list(bool send_client_ca_list) { send_client_ca_list_ = send_client_ca_list; }
+  void set_identity_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> identity_certificate_provider) { identity_certificate_provider_ = std::move(identity_certificate_provider); }
+  void set_root_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> root_certificate_provider) { root_certificate_provider_ = std::move(root_certificate_provider); }
+  // If set to nullopt, do not override. If set to empty string, disable sending SNI. Otherwise, override SNI
+  void set_sni_override(std::optional<std::string> sni_override) { sni_override_ = std::move(sni_override); }
 
   bool operator==(const grpc_tls_credentials_options& other) const {
     return cert_request_type_ == other.cert_request_type_ &&
@@ -96,15 +99,15 @@ struct grpc_tls_credentials_options
       max_tls_version_ == other.max_tls_version_ &&
       (certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0)) &&
       check_call_host_ == other.check_call_host_ &&
-      (certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0)) &&
-      watch_root_cert_ == other.watch_root_cert_ &&
       root_cert_name_ == other.root_cert_name_ &&
-      watch_identity_pair_ == other.watch_identity_pair_ &&
       identity_cert_name_ == other.identity_cert_name_ &&
       tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
       crl_directory_ == other.crl_directory_ &&
       (crl_provider_ == other.crl_provider_) &&
-      send_client_ca_list_ == other.send_client_ca_list_;
+      send_client_ca_list_ == other.send_client_ca_list_ &&
+      (identity_certificate_provider_ == other.identity_certificate_provider_ || (identity_certificate_provider_ != nullptr && other.identity_certificate_provider_ != nullptr && identity_certificate_provider_->Compare(other.identity_certificate_provider_.get()) == 0)) &&
+      (root_certificate_provider_ == other.root_certificate_provider_ || (root_certificate_provider_ != nullptr && other.root_certificate_provider_ != nullptr && root_certificate_provider_->Compare(other.root_certificate_provider_.get()) == 0)) &&
+      sni_override_ == other.sni_override_;
   }
 
   grpc_tls_credentials_options(grpc_tls_credentials_options& other) :
@@ -114,15 +117,15 @@ struct grpc_tls_credentials_options
       max_tls_version_(other.max_tls_version_),
       certificate_verifier_(other.certificate_verifier_),
       check_call_host_(other.check_call_host_),
-      certificate_provider_(other.certificate_provider_),
-      watch_root_cert_(other.watch_root_cert_),
       root_cert_name_(other.root_cert_name_),
-      watch_identity_pair_(other.watch_identity_pair_),
       identity_cert_name_(other.identity_cert_name_),
       tls_session_key_log_file_path_(other.tls_session_key_log_file_path_),
       crl_directory_(other.crl_directory_),
       crl_provider_(other.crl_provider_),
-      send_client_ca_list_(other.send_client_ca_list_)  {}
+      send_client_ca_list_(other.send_client_ca_list_),
+      identity_certificate_provider_(other.identity_certificate_provider_),
+      root_certificate_provider_(other.root_certificate_provider_),
+      sni_override_(other.sni_override_)  {}
 
  private:
   grpc_ssl_client_certificate_request_type cert_request_type_ = GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
@@ -131,15 +134,15 @@ struct grpc_tls_credentials_options
   grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
   grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier_;
   bool check_call_host_ = true;
-  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
-  bool watch_root_cert_ = false;
   std::string root_cert_name_;
-  bool watch_identity_pair_ = false;
   std::string identity_cert_name_;
   std::string tls_session_key_log_file_path_;
   std::string crl_directory_;
   std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider_;
   bool send_client_ca_list_ = false;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> identity_certificate_provider_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> root_certificate_provider_;
+  std::optional<std::string> sni_override_;
 };
 
 #endif  // GRPC_SRC_CORE_CREDENTIALS_TRANSPORT_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H

data/src/core/credentials/transport/tls/spiffe_utils.cc

@@ -210,7 +210,7 @@ void SpiffeBundleKey::JsonPostLoad(const Json& json, const JsonArgs& args,
     if (!x5c->empty()) {
       ValidationErrors::ScopedField field(errors, "[0]");
       std::string pem_cert = AddPemBlockWrapping((*x5c)[0]);
-      auto certs = ParsePemCertificateChain(pem_cert);
+      auto certs = tsi::ParsePemCertificateChain(pem_cert);
       if (!certs.ok()) {
         errors->AddError(certs.status().ToString());
       } else {
@@ -310,7 +310,7 @@ absl::Status SpiffeBundle::CreateX509Stack() {
   root_stack_ = std::make_unique<STACK_OF(X509)*>(sk_X509_new_null());
   absl::Status status = absl::OkStatus();
   for (const auto& pem_cert : roots_) {
-    auto cert = ParsePemCertificateChain(AddPemBlockWrapping(pem_cert));
+    auto cert = tsi::ParsePemCertificateChain(AddPemBlockWrapping(pem_cert));
     if (!cert.status().ok()) {
       status = cert.status();
       break;

data/src/core/credentials/transport/tls/ssl_utils.cc

@@ -43,6 +43,7 @@
 #include "src/core/util/grpc_check.h"
 #include "src/core/util/host_port.h"
 #include "src/core/util/load_file.h"
+#include "src/core/util/match.h"
 #include "src/core/util/ref_counted_ptr.h"
 #include "src/core/util/useful.h"
 #include "absl/log/log.h"
@@ -152,16 +153,6 @@ grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
   return absl::OkStatus();
 }
 
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
-                                             size_t num_key_cert_pairs) {
-  if (kp == nullptr) return;
-  for (size_t i = 0; i < num_key_cert_pairs; i++) {
-    gpr_free(const_cast<char*>(kp[i].private_key));
-    gpr_free(const_cast<char*>(kp[i].cert_chain));
-  }
-  gpr_free(kp);
-}
-
 namespace grpc_core {
 
 absl::Status SslCheckCallHost(absl::string_view host,
@@ -428,7 +419,7 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair,
-    std::shared_ptr<RootCertInfo> root_cert_info,
+    std::shared_ptr<tsi::RootCertInfo> root_cert_info,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -450,13 +441,14 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
       return GRPC_SECURITY_ERROR;
     }
     root_store = grpc_core::DefaultSslRootStore::GetRootStore();
-    options.root_cert_info = std::make_shared<RootCertInfo>(root_certs);
+    options.root_cert_info = std::make_shared<tsi::RootCertInfo>(root_certs);
   } else {
     options.root_cert_info = std::move(root_cert_info);
   }
-  bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
-                           pem_key_cert_pair->private_key != nullptr &&
-                           pem_key_cert_pair->cert_chain != nullptr;
+  bool has_key_cert_pair =
+      pem_key_cert_pair != nullptr &&
+      !grpc_core::IsPrivateKeyEmpty(pem_key_cert_pair->private_key) &&
+      !pem_key_cert_pair->cert_chain.empty();
   options.root_store = root_store;
   options.alpn_protocols =
       grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
@@ -485,8 +477,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
 }
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
-    tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
-    std::shared_ptr<RootCertInfo> root_cert_info,
+    std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs,
+    std::shared_ptr<tsi::RootCertInfo> root_cert_info,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -498,7 +490,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
       grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
   tsi_ssl_server_handshaker_options options;
   options.pem_key_cert_pairs = pem_key_cert_pairs;
-  options.num_key_cert_pairs = num_key_cert_pairs;
   options.client_certificate_request =
       grpc_get_tsi_client_certificate_request_type(client_certificate_request);
   options.cipher_suites = grpc_get_ssl_cipher_suites();
@@ -569,6 +560,15 @@ grpc_arg grpc_ssl_session_cache_create_channel_arg(
 
 namespace grpc_core {
 
+bool IsPrivateKeyEmpty(const PrivateKey& private_key) {
+  return Match(
+      private_key,
+      [&](const std::string& pem_root_certs) { return pem_root_certs.empty(); },
+      [&](const std::shared_ptr<PrivateKeySigner> key_signer) {
+        return key_signer == nullptr;
+      });
+}
+
 tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
 grpc_slice DefaultSslRootStore::default_pem_root_certs_;
 

data/src/core/credentials/transport/tls/ssl_utils.h

@@ -24,11 +24,13 @@
 #include <grpc/grpc_security_constants.h>
 #include <grpc/slice.h>
 #include <grpc/support/port_platform.h>
+#include <openssl/x509.h>
 #include <stddef.h>
 
 #include <memory>
 #include <string>
 #include <utility>
+#include <variant>
 #include <vector>
 
 #include "src/core/credentials/transport/security_connector.h"
@@ -86,7 +88,7 @@ const char** ParseAlpnStringIntoArray(absl::string_view preferred_protocols,
 // Initialize TSI SSL server/client handshaker factory.
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pair,
-    std::shared_ptr<RootCertInfo> root_cert_info,
+    std::shared_ptr<tsi::RootCertInfo> root_cert_info,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -95,8 +97,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
-    tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
-    std::shared_ptr<RootCertInfo> root_cert_info,
+    std::vector<tsi_ssl_pem_key_cert_pair> key_cert_pairs,
+    std::shared_ptr<tsi::RootCertInfo> root_cert_info,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
@@ -104,9 +106,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
-// Free the memory occupied by key cert pairs.
-void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
-                                             size_t num_key_cert_pairs);
 // Exposed for testing only.
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
     const tsi_peer* peer, const char* transport_security_type);
@@ -118,6 +117,9 @@ int grpc_ssl_host_matches_name(const tsi_peer* peer,
 
 // --- Default SSL Root Store. ---
 namespace grpc_core {
+using tsi::PrivateKey;
+
+bool IsPrivateKeyEmpty(const PrivateKey& private_key);
 
 // The class implements default SSL root store.
 class DefaultSslRootStore {
@@ -152,8 +154,8 @@ class DefaultSslRootStore {
 
 class PemKeyCertPair {
  public:
-  PemKeyCertPair(absl::string_view private_key, absl::string_view cert_chain)
-      : private_key_(private_key), cert_chain_(cert_chain) {}
+  PemKeyCertPair(PrivateKey private_key, absl::string_view cert_chain)
+      : private_key_(std::move(private_key)), cert_chain_(cert_chain) {}
 
   // Movable.
   PemKeyCertPair(PemKeyCertPair&& other) noexcept {
@@ -180,11 +182,11 @@ class PemKeyCertPair {
            this->cert_chain() == other.cert_chain();
   }
 
-  const std::string& private_key() const { return private_key_; }
+  const PrivateKey& private_key() const { return private_key_; }
   const std::string& cert_chain() const { return cert_chain_; }
 
  private:
-  std::string private_key_;
+  PrivateKey private_key_;
   std::string cert_chain_;
 };
 

data/src/core/credentials/transport/tls/tls_security_connector.cc

@@ -25,7 +25,9 @@
 #include <grpc/support/string_util.h>
 #include <string.h>
 
+#include <cstddef>
 #include <memory>
+#include <optional>
 #include <utility>
 #include <vector>
 
@@ -213,22 +215,14 @@ void PendingVerifierRequestDestroy(
   }
 }
 
-tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
+std::vector<tsi_ssl_pem_key_cert_pair> ConvertToTsiPemKeyCertPair(
     const PemKeyCertPairList& cert_pair_list) {
-  tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
-  size_t num_key_cert_pairs = cert_pair_list.size();
-  if (num_key_cert_pairs > 0) {
-    GRPC_CHECK_NE(cert_pair_list.data(), nullptr);
-    tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
-        gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
-  }
-  for (size_t i = 0; i < num_key_cert_pairs; i++) {
-    GRPC_CHECK(!cert_pair_list[i].private_key().empty());
+  std::vector<tsi_ssl_pem_key_cert_pair> tsi_pairs;
+  for (size_t i = 0; i < cert_pair_list.size(); i++) {
+    GRPC_CHECK(!IsPrivateKeyEmpty(cert_pair_list[i].private_key()));
     GRPC_CHECK(!cert_pair_list[i].cert_chain().empty());
-    tsi_pairs[i].cert_chain =
-        gpr_strdup(cert_pair_list[i].cert_chain().c_str());
-    tsi_pairs[i].private_key =
-        gpr_strdup(cert_pair_list[i].private_key().c_str());
+    tsi_pairs.emplace_back(cert_pair_list[i].private_key(),
+                           cert_pair_list[i].cert_chain());
   }
   return tsi_pairs;
 }
@@ -291,17 +285,20 @@ TlsChannelSecurityConnector::TlsChannelSecurityConnector(
   SplitHostPort(target_name, &host, &port);
   target_name_ = std::string(host);
   // Create a watcher.
-  auto watcher_ptr = std::make_unique<TlsChannelCertificateWatcher>(this);
-  certificate_watcher_ = watcher_ptr.get();
-  // Register the watcher with the distributor.
-  grpc_tls_certificate_distributor* distributor =
-      options_->certificate_distributor();
+  auto identity_watcher_ptr =
+      std::make_unique<TlsChannelCertificateWatcher>(this);
+  auto root_watcher_ptr = std::make_unique<TlsChannelCertificateWatcher>(this);
+  root_certificate_watcher_ = root_watcher_ptr.get();
+  identity_certificate_watcher_ = identity_watcher_ptr.get();
+  bool watch_root_cert = options_->root_certificate_distributor() != nullptr;
+  bool watch_identity_cert =
+      options_->identity_certificate_distributor() != nullptr;
   std::optional<std::string> watched_root_cert_name;
-  if (options_->watch_root_cert()) {
+  if (watch_root_cert) {
     watched_root_cert_name = options_->root_cert_name();
   }
   std::optional<std::string> watched_identity_cert_name;
-  if (options_->watch_identity_pair()) {
+  if (watch_identity_cert) {
     watched_identity_cert_name = options_->identity_cert_name();
   }
   // We will use the root certs stored in system default locations if not
@@ -310,13 +307,19 @@ TlsChannelSecurityConnector::TlsChannelSecurityConnector(
   // certs" is a valid case(and hence we will need to call
   // OnCertificatesChanged), but it requires nothing from the provider, and
   // hence no need to register the watcher.
-  bool use_default_roots = !options_->watch_root_cert();
-  if (use_default_roots && !options_->watch_identity_pair()) {
-    watcher_ptr->OnCertificatesChanged(nullptr, std::nullopt);
+  if (!watch_root_cert && !watch_identity_cert) {
+    root_certificate_watcher_->OnCertificatesChanged(nullptr, std::nullopt);
   } else {
-    distributor->WatchTlsCertificates(std::move(watcher_ptr),
-                                      watched_root_cert_name,
-                                      watched_identity_cert_name);
+    if (watch_root_cert) {
+      options_->root_certificate_distributor()->WatchTlsCertificates(
+          std::move(root_watcher_ptr), watched_root_cert_name,
+          watched_identity_cert_name);
+    }
+    if (watch_identity_cert) {
+      options_->identity_certificate_distributor()->WatchTlsCertificates(
+          std::move(identity_watcher_ptr), watched_root_cert_name,
+          watched_identity_cert_name);
+    }
   }
 }
 
@@ -325,10 +328,16 @@ TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
     tsi_ssl_session_cache_unref(ssl_session_cache_);
   }
   // Cancel all the watchers.
-  grpc_tls_certificate_distributor* distributor =
-      options_->certificate_distributor();
-  if (distributor != nullptr) {
-    distributor->CancelTlsCertificatesWatch(certificate_watcher_);
+  grpc_tls_certificate_distributor* root_distributor =
+      options_->root_certificate_distributor();
+  if (root_distributor != nullptr) {
+    root_distributor->CancelTlsCertificatesWatch(root_certificate_watcher_);
+  }
+  grpc_tls_certificate_distributor* identity_distributor =
+      options_->identity_certificate_distributor();
+  if (identity_distributor != nullptr) {
+    identity_distributor->CancelTlsCertificatesWatch(
+        identity_certificate_watcher_);
   }
   if (client_handshaker_factory_ != nullptr) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
@@ -342,10 +351,20 @@ void TlsChannelSecurityConnector::add_handshakers(
   tsi_handshaker* tsi_hs = nullptr;
   if (client_handshaker_factory_ != nullptr) {
     // Instantiate TSI handshaker.
+    const char* server_name_indication;
+    if (options_->sni_override().has_value()) {
+      if (options_->sni_override()->empty()) {
+        server_name_indication = nullptr;
+      } else {
+        server_name_indication = options_->sni_override()->c_str();
+      }
+    } else {
+      server_name_indication = overridden_target_name_.empty()
+                                   ? target_name_.c_str()
+                                   : overridden_target_name_.c_str();
+    }
     tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
-        client_handshaker_factory_,
-        overridden_target_name_.empty() ? target_name_.c_str()
-                                        : overridden_target_name_.c_str(),
+        client_handshaker_factory_, server_name_indication,
         /*network_bio_buf_size=*/0,
         /*ssl_bio_buf_size=*/0,
         args.GetOwnedString(GRPC_ARG_TRANSPORT_PROTOCOLS), &tsi_hs);
@@ -429,7 +448,7 @@ ArenaPromise<absl::Status> TlsChannelSecurityConnector::CheckCallHost(
 }
 
 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
-    OnCertificatesChanged(std::shared_ptr<RootCertInfo> root_certs,
+    OnCertificatesChanged(std::shared_ptr<tsi::RootCertInfo> root_certs,
                           std::optional<PemKeyCertPairList> key_cert_pairs) {
   GRPC_CHECK_NE(security_connector_, nullptr);
   MutexLock lock(&security_connector_->mu_);
@@ -439,10 +458,13 @@ void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
   if (key_cert_pairs.has_value()) {
     security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
   }
-  const bool root_ready = !security_connector_->options_->watch_root_cert() ||
-                          security_connector_->root_cert_info_ != nullptr;
+  const bool root_ready =
+      security_connector_->options_->root_certificate_distributor() ==
+          nullptr ||
+      security_connector_->root_cert_info_ != nullptr;
   const bool identity_ready =
-      !security_connector_->options_->watch_identity_pair() ||
+      security_connector_->options_->identity_certificate_distributor() ==
+          nullptr ||
       security_connector_->pem_key_cert_pair_list_.has_value();
   if (root_ready && identity_ready) {
     if (security_connector_->UpdateHandshakerFactoryLocked() !=
@@ -525,23 +547,19 @@ TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
   if (client_handshaker_factory_ != nullptr) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
   }
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;
+  std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pair;
   if (pem_key_cert_pair_list_.has_value()) {
     pem_key_cert_pair = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
   }
-  bool use_default_roots = !options_->watch_root_cert();
-  grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
-      pem_key_cert_pair, use_default_roots ? nullptr : root_cert_info_,
+  bool use_default_roots = options_->root_certificate_distributor() == nullptr;
+  return grpc_ssl_tsi_client_handshaker_factory_init(
+      pem_key_cert_pair.empty() ? nullptr : &pem_key_cert_pair[0],
+      use_default_roots ? nullptr : root_cert_info_,
       skip_server_certificate_verification,
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
       options_->crl_provider(), &client_handshaker_factory_);
-  // Free memory.
-  if (pem_key_cert_pair != nullptr) {
-    grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
-  }
-  return status;
 }
 
 // -------------------server security connector-------------------
@@ -576,30 +594,48 @@ TlsServerSecurityConnector::TlsServerSecurityConnector(
         tsi::TlsSessionKeyLoggerCache::Get(tls_session_key_log_file_path);
   }
   // Create a watcher.
-  auto watcher_ptr = std::make_unique<TlsServerCertificateWatcher>(this);
-  certificate_watcher_ = watcher_ptr.get();
-  // Register the watcher with the distributor.
-  grpc_tls_certificate_distributor* distributor =
-      options_->certificate_distributor();
+  auto root_watcher_ptr = std::make_unique<TlsServerCertificateWatcher>(this);
+  auto identity_watcher_ptr =
+      std::make_unique<TlsServerCertificateWatcher>(this);
+  root_certificate_watcher_ = root_watcher_ptr.get();
+  identity_certificate_watcher_ = identity_watcher_ptr.get();
+  bool watch_root_cert = options_->root_certificate_distributor() != nullptr;
+  bool watch_identity_cert =
+      options_->identity_certificate_distributor() != nullptr;
   std::optional<std::string> watched_root_cert_name;
-  if (options_->watch_root_cert()) {
+  if (watch_root_cert) {
     watched_root_cert_name = options_->root_cert_name();
   }
   std::optional<std::string> watched_identity_cert_name;
-  if (options_->watch_identity_pair()) {
+  if (watch_identity_cert) {
     watched_identity_cert_name = options_->identity_cert_name();
   }
-  // Server side won't use default system roots at any time.
-  distributor->WatchTlsCertificates(std::move(watcher_ptr),
-                                    watched_root_cert_name,
-                                    watched_identity_cert_name);
+  // Register the watcher with the distributor.
+  if (watch_root_cert) {
+    options_->root_certificate_distributor()->WatchTlsCertificates(
+        std::move(root_watcher_ptr), watched_root_cert_name,
+        watched_identity_cert_name);
+  }
+  if (watch_identity_cert) {
+    options_->identity_certificate_distributor()->WatchTlsCertificates(
+        std::move(identity_watcher_ptr), watched_root_cert_name,
+        watched_identity_cert_name);
+  }
 }
 
 TlsServerSecurityConnector::~TlsServerSecurityConnector() {
   // Cancel all the watchers.
-  grpc_tls_certificate_distributor* distributor =
-      options_->certificate_distributor();
-  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
+  grpc_tls_certificate_distributor* root_distributor =
+      options_->root_certificate_distributor();
+  if (root_distributor != nullptr) {
+    root_distributor->CancelTlsCertificatesWatch(root_certificate_watcher_);
+  }
+  grpc_tls_certificate_distributor* identity_distributor =
+      options_->identity_certificate_distributor();
+  if (identity_distributor != nullptr) {
+    identity_distributor->CancelTlsCertificatesWatch(
+        identity_certificate_watcher_);
+  }
   if (server_handshaker_factory_ != nullptr) {
     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
   }
@@ -681,7 +717,7 @@ int TlsServerSecurityConnector::cmp(
 }
 
 void TlsServerSecurityConnector::TlsServerCertificateWatcher::
-    OnCertificatesChanged(std::shared_ptr<RootCertInfo> roots,
+    OnCertificatesChanged(std::shared_ptr<tsi::RootCertInfo> roots,
                           std::optional<PemKeyCertPairList> key_cert_pairs) {
   GRPC_CHECK_NE(security_connector_, nullptr);
   MutexLock lock(&security_connector_->mu_);
@@ -691,10 +727,12 @@ void TlsServerSecurityConnector::TlsServerCertificateWatcher::
   if (key_cert_pairs.has_value()) {
     security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
   }
-  bool root_being_watched = security_connector_->options_->watch_root_cert();
+  bool root_being_watched =
+      security_connector_->options_->root_certificate_distributor() != nullptr;
   bool root_has_value = security_connector_->root_cert_info_ != nullptr;
   bool identity_being_watched =
-      security_connector_->options_->watch_identity_pair();
+      security_connector_->options_->identity_certificate_distributor() !=
+      nullptr;
   bool identity_has_value =
       security_connector_->pem_key_cert_pair_list_.has_value();
   if ((root_being_watched && root_has_value && identity_being_watched &&
@@ -782,21 +820,15 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
   // The identity certs on the server side shouldn't be empty.
   GRPC_CHECK(pem_key_cert_pair_list_.has_value());
   GRPC_CHECK(!(*pem_key_cert_pair_list_).empty());
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
-  pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
-  size_t num_key_cert_pairs = (*pem_key_cert_pair_list_).size();
-  grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
-      pem_key_cert_pairs, num_key_cert_pairs, root_cert_info_,
-      options_->cert_request_type(),
+  std::vector<tsi_ssl_pem_key_cert_pair> pem_key_cert_pairs =
+      ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
+  return grpc_ssl_tsi_server_handshaker_factory_init(
+      pem_key_cert_pairs, root_cert_info_, options_->cert_request_type(),
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()),
       tls_session_key_logger_.get(), options_->crl_directory().c_str(),
       options_->send_client_ca_list(), options_->crl_provider(),
       &server_handshaker_factory_);
-  // Free memory.
-  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
-                                          num_key_cert_pairs);
-  return status;
 }
 
 }  // namespace grpc_core