1 /* 2 * 3 * Copyright 2015 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H 20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include <stdbool.h> 25 26 #include "absl/strings/str_split.h" 27 #include "absl/strings/string_view.h" 28 29 #include <grpc/grpc_security.h> 30 #include <grpc/slice_buffer.h> 31 32 #include "src/core/lib/gprpp/global_config.h" 33 #include "src/core/lib/gprpp/ref_counted_ptr.h" 34 #include "src/core/lib/iomgr/error.h" 35 #include "src/core/lib/security/security_connector/security_connector.h" 36 #include "src/core/lib/security/security_connector/ssl_utils_config.h" 37 #include "src/core/tsi/ssl_transport_security.h" 38 #include "src/core/tsi/transport_security.h" 39 #include "src/core/tsi/transport_security_interface.h" 40 41 /* --- Util --- */ 42 43 /* --- URL schemes. --- */ 44 #define GRPC_SSL_URL_SCHEME "https" 45 46 /* Check ALPN information returned from SSL handshakes. */ 47 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer); 48 49 /* Check peer name information returned from SSL handshakes. */ 50 grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name, 51 const tsi_peer* peer); 52 /* Compare targer_name information extracted from SSL security connectors. */ 53 int grpc_ssl_cmp_target_name(absl::string_view target_name, 54 absl::string_view other_target_name, 55 absl::string_view overridden_target_name, 56 absl::string_view other_overridden_target_name); 57 /* Check the host that will be set for a call is acceptable.*/ 58 bool grpc_ssl_check_call_host(absl::string_view host, 59 absl::string_view target_name, 60 absl::string_view overridden_target_name, 61 grpc_auth_context* auth_context, 62 grpc_error** error); 63 /* Return HTTP2-compliant cipher suites that gRPC accepts by default. */ 64 const char* grpc_get_ssl_cipher_suites(void); 65 66 /* Map from grpc_ssl_client_certificate_request_type to 67 * tsi_client_certificate_request_type. */ 68 tsi_client_certificate_request_type 69 grpc_get_tsi_client_certificate_request_type( 70 grpc_ssl_client_certificate_request_type grpc_request_type); 71 72 /* Map tsi_security_level string to grpc_security_level enum. */ 73 grpc_security_level grpc_tsi_security_level_string_to_enum( 74 const char* security_level); 75 76 /* Map grpc_tls_version to tsi_tls_version. */ 77 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version); 78 79 /* Map grpc_security_level enum to a string. */ 80 const char* grpc_security_level_to_string(grpc_security_level security_level); 81 82 /* Check security level of channel and call credential.*/ 83 bool grpc_check_security_level(grpc_security_level channel_level, 84 grpc_security_level call_cred_level); 85 86 /* Return an array of strings containing alpn protocols. */ 87 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols); 88 89 /* Initialize TSI SSL server/client handshaker factory. */ 90 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init( 91 tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs, 92 bool skip_server_certificate_verification, tsi_tls_version min_tls_version, 93 tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache, 94 tsi_ssl_client_handshaker_factory** handshaker_factory); 95 96 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init( 97 tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs, 98 const char* pem_root_certs, 99 grpc_ssl_client_certificate_request_type client_certificate_request, 100 tsi_tls_version min_tls_version, tsi_tls_version max_tls_version, 101 tsi_ssl_server_handshaker_factory** handshaker_factory); 102 103 /* Exposed for testing only. */ 104 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context( 105 const tsi_peer* peer, const char* transport_security_type); 106 tsi_peer grpc_shallow_peer_from_ssl_auth_context( 107 const grpc_auth_context* auth_context); 108 void grpc_shallow_peer_destruct(tsi_peer* peer); 109 int grpc_ssl_host_matches_name(const tsi_peer* peer, 110 absl::string_view peer_name); 111 112 /* --- Default SSL Root Store. --- */ 113 namespace grpc_core { 114 115 // The class implements default SSL root store. 116 class DefaultSslRootStore { 117 public: 118 // Gets the default SSL root store. Returns nullptr if not found. 119 static const tsi_ssl_root_certs_store* GetRootStore(); 120 121 // Gets the default PEM root certificate. 122 static const char* GetPemRootCerts(); 123 124 protected: 125 // Returns default PEM root certificates in nullptr terminated grpc_slice. 126 // This function is protected instead of private, so that it can be tested. 127 static grpc_slice ComputePemRootCerts(); 128 129 private: 130 // Construct me not! 131 DefaultSslRootStore(); 132 133 // Initialization of default SSL root store. 134 static void InitRootStore(); 135 136 // One-time initialization of default SSL root store. 137 static void InitRootStoreOnce(); 138 139 // SSL root store in tsi_ssl_root_certs_store object. 140 static tsi_ssl_root_certs_store* default_root_store_; 141 142 // Default PEM root certificates. 143 static grpc_slice default_pem_root_certs_; 144 }; 145 146 class PemKeyCertPair { 147 public: 148 // Construct from the C struct. We steal its members and then immediately 149 // free it. PemKeyCertPair(grpc_ssl_pem_key_cert_pair * pair)150 explicit PemKeyCertPair(grpc_ssl_pem_key_cert_pair* pair) 151 : private_key_(const_cast<char*>(pair->private_key)), 152 cert_chain_(const_cast<char*>(pair->cert_chain)) { 153 gpr_free(pair); 154 } 155 156 // Movable. PemKeyCertPair(PemKeyCertPair && other)157 PemKeyCertPair(PemKeyCertPair&& other) noexcept { 158 private_key_ = std::move(other.private_key_); 159 cert_chain_ = std::move(other.cert_chain_); 160 } 161 PemKeyCertPair& operator=(PemKeyCertPair&& other) noexcept { 162 private_key_ = std::move(other.private_key_); 163 cert_chain_ = std::move(other.cert_chain_); 164 return *this; 165 } 166 167 // Copyable. PemKeyCertPair(const PemKeyCertPair & other)168 PemKeyCertPair(const PemKeyCertPair& other) 169 : private_key_(gpr_strdup(other.private_key())), 170 cert_chain_(gpr_strdup(other.cert_chain())) {} 171 PemKeyCertPair& operator=(const PemKeyCertPair& other) { 172 private_key_ = grpc_core::UniquePtr<char>(gpr_strdup(other.private_key())); 173 cert_chain_ = grpc_core::UniquePtr<char>(gpr_strdup(other.cert_chain())); 174 return *this; 175 } 176 177 bool operator==(const PemKeyCertPair& other) const { 178 return std::strcmp(this->private_key(), other.private_key()) == 0 && 179 std::strcmp(this->cert_chain(), other.cert_chain()) == 0; 180 } 181 private_key()182 char* private_key() const { return private_key_.get(); } cert_chain()183 char* cert_chain() const { return cert_chain_.get(); } 184 185 private: 186 grpc_core::UniquePtr<char> private_key_; 187 grpc_core::UniquePtr<char> cert_chain_; 188 }; 189 190 typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList; 191 192 } // namespace grpc_core 193 194 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \ 195 */ 196