TlsCredentials: Comparator implementation (#28940)

* TlsCredentials: Comparator implementation

* Update tests

* Redundant namespace qualifiers

* clang-tidy

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Reviewer comments

* Add generator for grpc_tls_credentials_options.h

* Generator script modifications for tests

* Sanity

* Reviewer comments

* Reviewer comments

* Add a common place to look-up known types

* Formatting

* Script fix

* Reviewer comments

* Add test mode to script

* Add to sanitize.sh

* clang-tidy

* Fix

* Fix

* Reviewer comments

* Clang-format

.gitattributes

@@ -20,6 +20,7 @@ src/python/grpcio/grpc_core_dependencies.py linguist-generated=true
 src/ruby/ext/grpc/rb_grpc_imports.generated.h linguist-generated=true
 src/ruby/ext/grpc/rb_grpc_imports.generated.c linguist-generated=true
 test/core/end2end/end2end_tests.cc linguist-generated=true
+test/core/security/grpc_tls_credentials_options_comparator_test.cc linguist-generated=true
 test/core/surface/public_headers_must_be_c89.c linguist-generated=true
 tools/doxygen/Doxyfile.c++.internal linguist-generated=true
 tools/doxygen/Doxyfile.core.internal linguist-generated=true
@@ -27,5 +28,6 @@ tools/run_tests/sources_and_headers.json linguist-generated=true
 tools/run_tests/tests.json linguist-generated=true
 tools/run_tests/generated/tests.json linguist-generated=true
 tools/run_tests/generated/sources_and_headers.json linguist-generated=true
+src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h linguist-generated=true
 src/core/lib/transport/static_metadata.h linguist-generated=true
 src/core/lib/transport/static_metadata.cc linguist-generated=true

BUILD

@@ -3797,6 +3797,7 @@ grpc_cc_library(
         "src/core/lib/security/security_connector/insecure/insecure_security_connector.cc",
     ],
     hdrs = [
+        "src/core/lib/security/credentials/insecure/insecure_credentials.h",
         "src/core/lib/security/security_connector/insecure/insecure_security_connector.h",
     ],
     language = "c++",
@@ -4627,6 +4628,7 @@ grpc_cc_library(
         "gpr_base",
         "grpc_base",
         "grpc_client_channel",
+        "grpc_insecure_credentials",
         "grpc_resolver",
         "grpc_security_base",
         "grpc_transport_chttp2",
@@ -4655,6 +4657,7 @@ grpc_cc_library(
         "grpc_base",
         "grpc_codegen",
         "grpc_http_filters",
+        "grpc_insecure_credentials",
         "grpc_security_base",
         "grpc_transport_chttp2",
         "memory_quota",

CMakeLists.txt

@@ -875,6 +875,7 @@ if(gRPC_BUILD_TESTS)
   add_dependencies(buildtests_cxx grpc_tls_certificate_distributor_test)
   add_dependencies(buildtests_cxx grpc_tls_certificate_provider_test)
   add_dependencies(buildtests_cxx grpc_tls_certificate_verifier_test)
+  add_dependencies(buildtests_cxx grpc_tls_credentials_options_comparator_test)
   add_dependencies(buildtests_cxx grpc_tls_credentials_options_test)
   if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_POSIX)
     add_dependencies(buildtests_cxx grpc_tool_test)
@@ -2621,9 +2622,11 @@ add_library(grpc_unsecure
   src/core/lib/security/credentials/composite/composite_credentials.cc
   src/core/lib/security/credentials/credentials.cc
   src/core/lib/security/credentials/fake/fake_credentials.cc
+  src/core/lib/security/credentials/insecure/insecure_credentials.cc
   src/core/lib/security/credentials/plugin/plugin_credentials.cc
   src/core/lib/security/credentials/tls/tls_utils.cc
   src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
   src/core/lib/security/security_connector/load_system_roots_fallback.cc
   src/core/lib/security/security_connector/load_system_roots_linux.cc
   src/core/lib/security/security_connector/security_connector.cc
@@ -2677,6 +2680,7 @@ add_library(grpc_unsecure
   src/core/plugin_registry/grpc_plugin_registry.cc
   src/core/plugin_registry/grpc_plugin_registry_noextra.cc
   src/core/tsi/fake_transport_security.cc
+  src/core/tsi/local_transport_security.cc
   src/core/tsi/transport_security.cc
   src/core/tsi/transport_security_grpc.cc
 )
@@ -3524,9 +3528,6 @@ target_link_libraries(grpc++_test_util
 endif()
 
 add_library(grpc++_unsecure
-  src/core/lib/security/credentials/insecure/insecure_credentials.cc
-  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
-  src/core/tsi/local_transport_security.cc
   src/cpp/client/channel_cc.cc
   src/cpp/client/client_callback.cc
   src/cpp/client/client_context.cc
@@ -11307,6 +11308,41 @@ target_link_libraries(grpc_tls_certificate_verifier_test
 )
 
 
+endif()
+if(gRPC_BUILD_TESTS)
+
+add_executable(grpc_tls_credentials_options_comparator_test
+  test/core/security/grpc_tls_credentials_options_comparator_test.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+
+target_include_directories(grpc_tls_credentials_options_comparator_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_XXHASH_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(grpc_tls_credentials_options_comparator_test
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+)
+
+
 endif()
 if(gRPC_BUILD_TESTS)
 

Makefile

@@ -2056,9 +2056,11 @@ LIBGRPC_UNSECURE_SRC = \
     src/core/lib/security/credentials/composite/composite_credentials.cc \
     src/core/lib/security/credentials/credentials.cc \
     src/core/lib/security/credentials/fake/fake_credentials.cc \
+    src/core/lib/security/credentials/insecure/insecure_credentials.cc \
     src/core/lib/security/credentials/plugin/plugin_credentials.cc \
     src/core/lib/security/credentials/tls/tls_utils.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
     src/core/lib/security/security_connector/load_system_roots_linux.cc \
     src/core/lib/security/security_connector/security_connector.cc \
@@ -2112,6 +2114,7 @@ LIBGRPC_UNSECURE_SRC = \
     src/core/plugin_registry/grpc_plugin_registry.cc \
     src/core/plugin_registry/grpc_plugin_registry_noextra.cc \
     src/core/tsi/fake_transport_security.cc \
+    src/core/tsi/local_transport_security.cc \
     src/core/tsi/transport_security.cc \
     src/core/tsi/transport_security_grpc.cc \
 
@@ -3139,7 +3142,6 @@ src/core/lib/security/credentials/external/url_external_account_credentials.cc:
 src/core/lib/security/credentials/google_default/credentials_generic.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/google_default/google_default_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/iam/iam_credentials.cc: $(OPENSSL_DEP)
-src/core/lib/security/credentials/insecure/insecure_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/json_token.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/jwt/jwt_verifier.cc: $(OPENSSL_DEP)
@@ -3153,7 +3155,6 @@ src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL
 src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
-src/core/lib/security/security_connector/insecure/insecure_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/ssl/ssl_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/ssl_utils.cc: $(OPENSSL_DEP)
@@ -3179,7 +3180,6 @@ src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_privacy_integrity_record_p
 src/core/tsi/alts/zero_copy_frame_protector/alts_grpc_record_protocol_common.cc: $(OPENSSL_DEP)
 src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.cc: $(OPENSSL_DEP)
 src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc: $(OPENSSL_DEP)
-src/core/tsi/local_transport_security.cc: $(OPENSSL_DEP)
 src/core/tsi/ssl/key_logging/ssl_key_logging.cc: $(OPENSSL_DEP)
 src/core/tsi/ssl/session_cache/ssl_session_boringssl.cc: $(OPENSSL_DEP)
 src/core/tsi/ssl/session_cache/ssl_session_cache.cc: $(OPENSSL_DEP)

build_autogenerated.yaml

@@ -868,6 +868,7 @@ libs:
   - src/core/lib/security/credentials/fake/fake_credentials.h
   - src/core/lib/security/credentials/google_default/google_default_credentials.h
   - src/core/lib/security/credentials/iam/iam_credentials.h
+  - src/core/lib/security/credentials/insecure/insecure_credentials.h
   - src/core/lib/security/credentials/jwt/json_token.h
   - src/core/lib/security/credentials/jwt/jwt_credentials.h
   - src/core/lib/security/credentials/jwt/jwt_verifier.h
@@ -2034,9 +2035,11 @@ libs:
   - src/core/lib/security/credentials/composite/composite_credentials.h
   - src/core/lib/security/credentials/credentials.h
   - src/core/lib/security/credentials/fake/fake_credentials.h
+  - src/core/lib/security/credentials/insecure/insecure_credentials.h
   - src/core/lib/security/credentials/plugin/plugin_credentials.h
   - src/core/lib/security/credentials/tls/tls_utils.h
   - src/core/lib/security/security_connector/fake/fake_security_connector.h
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.h
   - src/core/lib/security/security_connector/load_system_roots.h
   - src/core/lib/security/security_connector/load_system_roots_linux.h
   - src/core/lib/security/security_connector/security_connector.h
@@ -2085,6 +2088,7 @@ libs:
   - src/core/lib/transport/transport_impl.h
   - src/core/lib/uri/uri_parser.h
   - src/core/tsi/fake_transport_security.h
+  - src/core/tsi/local_transport_security.h
   - src/core/tsi/transport_security.h
   - src/core/tsi/transport_security_grpc.h
   - src/core/tsi/transport_security_interface.h
@@ -2340,9 +2344,11 @@ libs:
   - src/core/lib/security/credentials/composite/composite_credentials.cc
   - src/core/lib/security/credentials/credentials.cc
   - src/core/lib/security/credentials/fake/fake_credentials.cc
+  - src/core/lib/security/credentials/insecure/insecure_credentials.cc
   - src/core/lib/security/credentials/plugin/plugin_credentials.cc
   - src/core/lib/security/credentials/tls/tls_utils.cc
   - src/core/lib/security/security_connector/fake/fake_security_connector.cc
+  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
   - src/core/lib/security/security_connector/load_system_roots_fallback.cc
   - src/core/lib/security/security_connector/load_system_roots_linux.cc
   - src/core/lib/security/security_connector/security_connector.cc
@@ -2396,6 +2402,7 @@ libs:
   - src/core/plugin_registry/grpc_plugin_registry.cc
   - src/core/plugin_registry/grpc_plugin_registry_noextra.cc
   - src/core/tsi/fake_transport_security.cc
+  - src/core/tsi/local_transport_security.cc
   - src/core/tsi/transport_security.cc
   - src/core/tsi/transport_security_grpc.cc
   deps:
@@ -3007,8 +3014,6 @@ libs:
   - include/grpcpp/support/time.h
   - include/grpcpp/support/validate_service_config.h
   headers:
-  - src/core/lib/security/security_connector/insecure/insecure_security_connector.h
-  - src/core/tsi/local_transport_security.h
   - src/cpp/client/create_channel_internal.h
   - src/cpp/common/channel_filter.h
   - src/cpp/server/dynamic_thread_pool.h
@@ -3017,9 +3022,6 @@ libs:
   - src/cpp/server/thread_pool_interface.h
   - src/cpp/thread_manager/thread_manager.h
   src:
-  - src/core/lib/security/credentials/insecure/insecure_credentials.cc
-  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
-  - src/core/tsi/local_transport_security.cc
   - src/cpp/client/channel_cc.cc
   - src/cpp/client/client_callback.cc
   - src/cpp/client/client_context.cc
@@ -5995,6 +5997,15 @@ targets:
   - test/core/security/grpc_tls_certificate_verifier_test.cc
   deps:
   - grpc_test_util
+- name: grpc_tls_credentials_options_comparator_test
+  gtest: true
+  build: test
+  language: c++
+  headers: []
+  src:
+  - test/core/security/grpc_tls_credentials_options_comparator_test.cc
+  deps:
+  - grpc_test_util
 - name: grpc_tls_credentials_options_test
   gtest: true
   build: test

gRPC-C++.podspec

@@ -836,6 +836,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/fake/fake_credentials.h',
                       'src/core/lib/security/credentials/google_default/google_default_credentials.h',
                       'src/core/lib/security/credentials/iam/iam_credentials.h',
+                      'src/core/lib/security/credentials/insecure/insecure_credentials.h',
                       'src/core/lib/security/credentials/jwt/json_token.h',
                       'src/core/lib/security/credentials/jwt/jwt_credentials.h',
                       'src/core/lib/security/credentials/jwt/jwt_verifier.h',
@@ -1643,6 +1644,7 @@ Pod::Spec.new do |s|
                               'src/core/lib/security/credentials/fake/fake_credentials.h',
                               'src/core/lib/security/credentials/google_default/google_default_credentials.h',
                               'src/core/lib/security/credentials/iam/iam_credentials.h',
+                              'src/core/lib/security/credentials/insecure/insecure_credentials.h',
                               'src/core/lib/security/credentials/jwt/json_token.h',
                               'src/core/lib/security/credentials/jwt/jwt_credentials.h',
                               'src/core/lib/security/credentials/jwt/jwt_verifier.h',

gRPC-Core.podspec

@@ -1380,6 +1380,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/iam/iam_credentials.cc',
                       'src/core/lib/security/credentials/iam/iam_credentials.h',
                       'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
+                      'src/core/lib/security/credentials/insecure/insecure_credentials.h',
                       'src/core/lib/security/credentials/jwt/json_token.cc',
                       'src/core/lib/security/credentials/jwt/json_token.h',
                       'src/core/lib/security/credentials/jwt/jwt_credentials.cc',
@@ -2243,6 +2244,7 @@ Pod::Spec.new do |s|
                               'src/core/lib/security/credentials/fake/fake_credentials.h',
                               'src/core/lib/security/credentials/google_default/google_default_credentials.h',
                               'src/core/lib/security/credentials/iam/iam_credentials.h',
+                              'src/core/lib/security/credentials/insecure/insecure_credentials.h',
                               'src/core/lib/security/credentials/jwt/json_token.h',
                               'src/core/lib/security/credentials/jwt/jwt_credentials.h',
                               'src/core/lib/security/credentials/jwt/jwt_verifier.h',

grpc.gemspec

@@ -1299,6 +1299,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.cc )
   s.files += %w( src/core/lib/security/credentials/iam/iam_credentials.h )
   s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.cc )
+  s.files += %w( src/core/lib/security/credentials/insecure/insecure_credentials.h )
   s.files += %w( src/core/lib/security/credentials/jwt/json_token.cc )
   s.files += %w( src/core/lib/security/credentials/jwt/json_token.h )
   s.files += %w( src/core/lib/security/credentials/jwt/jwt_credentials.cc )

grpc.gyp

@@ -1375,9 +1375,11 @@
         'src/core/lib/security/credentials/composite/composite_credentials.cc',
         'src/core/lib/security/credentials/credentials.cc',
         'src/core/lib/security/credentials/fake/fake_credentials.cc',
+        'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
         'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
         'src/core/lib/security/credentials/tls/tls_utils.cc',
         'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
+        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
         'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
         'src/core/lib/security/security_connector/load_system_roots_linux.cc',
         'src/core/lib/security/security_connector/security_connector.cc',
@@ -1431,6 +1433,7 @@
         'src/core/plugin_registry/grpc_plugin_registry.cc',
         'src/core/plugin_registry/grpc_plugin_registry_noextra.cc',
         'src/core/tsi/fake_transport_security.cc',
+        'src/core/tsi/local_transport_security.cc',
         'src/core/tsi/transport_security.cc',
         'src/core/tsi/transport_security_grpc.cc',
       ],
@@ -1609,9 +1612,6 @@
         'grpc_unsecure',
       ],
       'sources': [
-        'src/core/lib/security/credentials/insecure/insecure_credentials.cc',
-        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
-        'src/core/tsi/local_transport_security.cc',
         'src/cpp/client/channel_cc.cc',
         'src/cpp/client/client_callback.cc',
         'src/cpp/client/client_context.cc',

package.xml

@@ -1279,6 +1279,7 @@
     <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/iam/iam_credentials.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.cc" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/credentials/insecure/insecure_credentials.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/json_token.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/jwt/jwt_credentials.cc" role="src" />

src/core/ext/filters/client_channel/lb_policy/xds/cds.cc

@@ -523,7 +523,7 @@ grpc_error_handle CdsLb::UpdateXdsCertificateProvider(
   grpc_channel_credentials* channel_credentials =
       grpc_channel_credentials_find_in_args(args_);
   if (channel_credentials == nullptr ||
-      channel_credentials->type() != kCredentialsTypeXds) {
+      channel_credentials->type() != XdsCredentials::Type()) {
     xds_certificate_provider_ = nullptr;
     return GRPC_ERROR_NONE;
   }

src/core/ext/transport/chttp2/client/chttp2_connector.cc

@@ -41,6 +41,7 @@
 #include "src/core/lib/resolver/resolver_registry.h"
 #include "src/core/lib/resource_quota/api.h"
 #include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/surface/api_trace.h"
@@ -438,7 +439,7 @@ grpc_channel* grpc_channel_create_from_fd(const char* target, int fd,
       (target, fd, creds, args));
   // For now, we only support insecure channel credentials.
   if (creds == nullptr ||
-      strcmp(creds->type(), GRPC_CREDENTIALS_TYPE_INSECURE) != 0) {
+      creds->type() != grpc_core::InsecureServerCredentials::Type()) {
     return grpc_lame_client_channel_create(
         target, GRPC_STATUS_INTERNAL,
         "Failed to create client channel due to invalid creds");

src/core/ext/transport/chttp2/server/chttp2_server.cc

@@ -55,6 +55,7 @@
 #include "src/core/lib/resource_quota/memory_quota.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/surface/server.h"
@@ -1059,7 +1060,7 @@ void grpc_server_add_channel_from_fd(grpc_server* server, int fd,
                                      grpc_server_credentials* creds) {
   // For now, we only support insecure server credentials
   if (creds == nullptr ||
-      strcmp(creds->type(), GRPC_CREDENTIALS_TYPE_INSECURE) != 0) {
+      creds->type() != grpc_core::InsecureServerCredentials::Type()) {
     gpr_log(GPR_ERROR, "Failed to create channel due to invalid creds");
     return;
   }

src/core/ext/xds/certificate_provider_store.cc

@@ -24,6 +24,14 @@
 
 namespace grpc_core {
 
+//
+// CertificateProviderStore::CertificateProviderWrapper
+//
+
+const char* CertificateProviderStore::CertificateProviderWrapper::type() const {
+  return "Wrapper";
+}
+
 // If a certificate provider is created, the CertificateProviderStore
 // maintains a raw pointer to the created CertificateProviderWrapper so that
 // future calls to `CreateOrGetCertificateProvider()` with the same key result

src/core/ext/xds/certificate_provider_store.h

@@ -83,6 +83,15 @@ class CertificateProviderStore
       return certificate_provider_->interested_parties();
     }
 
+    int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+      // TODO(yashykt): This should probably delegate to the `Compare` method of
+      // the wrapped certificate_provider_ object.
+      return QsortCompare(
+          static_cast<const grpc_tls_certificate_provider*>(this), other);
+    }
+
+    const char* type() const override;
+
     absl::string_view key() const { return key_; }
 
    private:

src/core/ext/xds/xds_certificate_provider.cc

@@ -263,6 +263,8 @@ XdsCertificateProvider::~XdsCertificateProvider() {
   distributor_->SetWatchStatusCallback(nullptr);
 }
 
+const char* XdsCertificateProvider::type() const { return "Xds"; }
+
 bool XdsCertificateProvider::ProvidesRootCerts(const std::string& cert_name) {
   MutexLock lock(&mu_);
   auto it = certificate_state_map_.find(cert_name);

src/core/ext/xds/xds_certificate_provider.h

@@ -39,6 +39,8 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
     return distributor_;
   }
 
+  const char* type() const override;
+
   bool ProvidesRootCerts(const std::string& cert_name);
   void UpdateRootCertNameAndDistributor(
       const std::string& cert_name, absl::string_view root_cert_name,
@@ -124,6 +126,12 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider {
     bool require_client_certificate_ = false;
   };
 
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
+
   void WatchStatusCallback(std::string cert_name, bool root_being_watched,
                            bool identity_being_watched);
 

src/core/ext/xds/xds_server_config_fetcher.cc

@@ -1051,7 +1051,8 @@ absl::StatusOr<grpc_channel_args*> XdsServerConfigFetcher::ListenerWatcher::
   // Add XdsCertificateProvider if credentials are xDS.
   grpc_server_credentials* server_creds =
       grpc_find_server_credentials_in_args(args);
-  if (server_creds != nullptr && server_creds->type() == kCredentialsTypeXds) {
+  if (server_creds != nullptr &&
+      server_creds->type() == XdsServerCredentials::Type()) {
     absl::StatusOr<RefCountedPtr<XdsCertificateProvider>> result =
         CreateOrGetXdsCertificateProviderFromFilterChainData(filter_chain);
     if (!result.ok()) {

src/core/lib/http/httpcli_security_connector.cc

@@ -152,9 +152,6 @@ httpcli_ssl_channel_security_connector_create(
 
 class HttpRequestSSLCredentials : public grpc_channel_credentials {
  public:
-  HttpRequestSSLCredentials() : grpc_channel_credentials("HttpRequestSSL") {}
-  ~HttpRequestSSLCredentials() override {}
-
   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
       RefCountedPtr<grpc_call_credentials> /*call_creds*/, const char* target,
       const grpc_channel_args* args,
@@ -184,6 +181,8 @@ class HttpRequestSSLCredentials : public grpc_channel_credentials {
     return args;
   }
 
+  const char* type() const override { return "HttpRequestSSL"; }
+
  private:
   int cmp_impl(const grpc_channel_credentials* /* other */) const override {
     // There's no differentiating factor between two HttpRequestSSLCredentials

src/core/lib/security/credentials/alts/alts_credentials.cc

@@ -30,14 +30,12 @@
 #include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
 #include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
 
-#define GRPC_CREDENTIALS_TYPE_ALTS "Alts"
 #define GRPC_ALTS_HANDSHAKER_SERVICE_URL "metadata.google.internal.:8080"
 
 grpc_alts_credentials::grpc_alts_credentials(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url)
-    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_ALTS),
+    : options_(grpc_alts_credentials_options_copy(options)),
-      options_(grpc_alts_credentials_options_copy(options)),
       handshaker_service_url_(handshaker_service_url == nullptr
                                   ? gpr_strdup(GRPC_ALTS_HANDSHAKER_SERVICE_URL)
                                   : gpr_strdup(handshaker_service_url)) {
@@ -58,11 +56,12 @@ grpc_alts_credentials::create_security_connector(
       this->Ref(), std::move(call_creds), target_name);
 }
 
+const char* grpc_alts_credentials::type() const { return "Alts"; }
+
 grpc_alts_server_credentials::grpc_alts_server_credentials(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url)
-    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_ALTS),
+    : options_(grpc_alts_credentials_options_copy(options)),
-      options_(grpc_alts_credentials_options_copy(options)),
       handshaker_service_url_(handshaker_service_url == nullptr
                                   ? gpr_strdup(GRPC_ALTS_HANDSHAKER_SERVICE_URL)
                                   : gpr_strdup(handshaker_service_url)) {
@@ -80,6 +79,8 @@ grpc_alts_server_credentials::~grpc_alts_server_credentials() {
   gpr_free(handshaker_service_url_);
 }
 
+const char* grpc_alts_server_credentials::type() const { return "Alts"; }
+
 grpc_channel_credentials* grpc_alts_credentials_create_customized(
     const grpc_alts_credentials_options* options,
     const char* handshaker_service_url, bool enable_untrusted_alts) {

src/core/lib/security/credentials/alts/alts_credentials.h

@@ -39,6 +39,8 @@ class grpc_alts_credentials final : public grpc_channel_credentials {
       const char* target_name, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  const char* type() const override;
+
   const grpc_alts_credentials_options* options() const { return options_; }
   grpc_alts_credentials_options* mutable_options() { return options_; }
   const char* handshaker_service_url() const { return handshaker_service_url_; }
@@ -64,6 +66,8 @@ class grpc_alts_server_credentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /* args */) override;
 
+  const char* type() const override;
+
   const grpc_alts_credentials_options* options() const { return options_; }
   grpc_alts_credentials_options* mutable_options() { return options_; }
   const char* handshaker_service_url() const { return handshaker_service_url_; }

src/core/lib/security/credentials/composite/composite_credentials.cc

@@ -37,9 +37,13 @@
 #include "src/core/lib/surface/api_trace.h"
 #include "src/core/lib/transport/transport.h"
 
-namespace grpc_core {
+//
-const char kCredentialsTypeComposite[] = "composite";
+// grpc_composite_channel_credentials
-}  // namespace grpc_core
+//
+
+const char* grpc_composite_channel_credentials::type() const {
+  return "Composite";
+}
 
 /* -- Composite call credentials. -- */
 
@@ -56,6 +60,8 @@ grpc_composite_call_credentials::GetRequestMetadata(
       });
 }
 
+const char* grpc_composite_call_credentials::Type() { return "Composite"; }
+
 std::string grpc_composite_call_credentials::debug_string() {
   std::vector<std::string> outputs;
   for (auto& inner_cred : inner_) {
@@ -89,12 +95,11 @@ void grpc_composite_call_credentials::push_to_inner(
 
 grpc_composite_call_credentials::grpc_composite_call_credentials(
     grpc_core::RefCountedPtr<grpc_call_credentials> creds1,
-    grpc_core::RefCountedPtr<grpc_call_credentials> creds2)
+    grpc_core::RefCountedPtr<grpc_call_credentials> creds2) {
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) {
   const bool creds1_is_composite =
-      strcmp(creds1->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0;
+      creds1->type() == grpc_composite_call_credentials::Type();
   const bool creds2_is_composite =
-      strcmp(creds2->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0;
+      creds2->type() == grpc_composite_call_credentials::Type();
   const size_t size = get_creds_array_size(creds1.get(), creds1_is_composite) +
                       get_creds_array_size(creds2.get(), creds2_is_composite);
   inner_.reserve(size);

src/core/lib/security/credentials/composite/composite_credentials.h

@@ -30,17 +30,12 @@
 
 /* -- Composite channel credentials. -- */
 
-namespace grpc_core {
-extern const char kCredentialsTypeComposite[];
-}
-
 class grpc_composite_channel_credentials : public grpc_channel_credentials {
  public:
   grpc_composite_channel_credentials(
       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
       grpc_core::RefCountedPtr<grpc_call_credentials> call_creds)
-      : grpc_channel_credentials(grpc_core::kCredentialsTypeComposite),
+      : inner_creds_(std::move(channel_creds)),
-        inner_creds_(std::move(channel_creds)),
         call_creds_(std::move(call_creds)) {}
 
   ~grpc_composite_channel_credentials() override = default;
@@ -60,6 +55,8 @@ class grpc_composite_channel_credentials : public grpc_channel_credentials {
     return inner_creds_->update_arguments(args);
   }
 
+  const char* type() const override;
+
   const grpc_channel_credentials* inner_creds() const {
     return inner_creds_.get();
   }
@@ -101,6 +98,10 @@ class grpc_composite_call_credentials : public grpc_call_credentials {
   const CallCredentialsList& inner() const { return inner_; }
   std::string debug_string() override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here

src/core/lib/security/credentials/credentials.h

@@ -48,17 +48,6 @@ typedef enum {
 
 #define GRPC_FAKE_TRANSPORT_SECURITY_TYPE "fake"
 
-#define GRPC_CHANNEL_CREDENTIALS_TYPE_SSL "Ssl"
-#define GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY \
-  "FakeTransportSecurity"
-#define GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT "GoogleDefault"
-#define GRPC_CREDENTIALS_TYPE_INSECURE "insecure"
-
-#define GRPC_CALL_CREDENTIALS_TYPE_OAUTH2 "Oauth2"
-#define GRPC_CALL_CREDENTIALS_TYPE_JWT "Jwt"
-#define GRPC_CALL_CREDENTIALS_TYPE_IAM "Iam"
-#define GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE "Composite"
-
 #define GRPC_AUTHORIZATION_METADATA_KEY "authorization"
 #define GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY \
   "x-goog-iam-authorization-token"
@@ -103,13 +92,6 @@ void grpc_override_well_known_credentials_path_getter(
 struct grpc_channel_credentials
     : grpc_core::RefCounted<grpc_channel_credentials> {
  public:
-  // The pointer value \a type is used to uniquely identify a creds
-  // implementation for down-casting purposes. Every creds implementation should
-  // use a unique string instance, which should be returned by all instances of
-  // that creds implementation.
-  explicit grpc_channel_credentials(const char* type) : type_(type) {}
-  ~grpc_channel_credentials() override = default;
-
   // Creates a security connector for the channel. May also create new channel
   // args for the channel to be used in place of the passed in const args if
   // returned non NULL. In that case the caller is responsible for destroying
@@ -154,14 +136,16 @@ struct grpc_channel_credentials
     return cmp_impl(other);
   }
 
-  const char* type() const { return type_; }
+  // The pointer value \a type is used to uniquely identify a creds
+  // implementation for down-casting purposes. Every creds implementation should
+  // use a unique string instance, which should be returned by all instances of
+  // that creds implementation.
+  virtual const char* type() const = 0;
 
  private:
   // Implementation for `cmp` method intended to be overridden by subclasses.
-  // Only invoked if `type()` and `other->type()` compare equal as strings.
+  // Only invoked if `type()` and `other->type()` point to the same string.
   virtual int cmp_impl(const grpc_channel_credentials* other) const = 0;
-
-  const char* type_;
 };
 
 // TODO(roth): Once we eliminate insecure builds, find a better way to
@@ -209,9 +193,8 @@ struct grpc_call_credentials
   // use a unique string instance, which should be returned by all instances of
   // that creds implementation.
   explicit grpc_call_credentials(
-      const char* type,
       grpc_security_level min_security_level = GRPC_PRIVACY_AND_INTEGRITY)
-      : type_(type), min_security_level_(min_security_level) {}
+      : min_security_level_(min_security_level) {}
 
   ~grpc_call_credentials() override = default;
 
@@ -240,14 +223,17 @@ struct grpc_call_credentials
     return "grpc_call_credentials did not provide debug string";
   }
 
-  const char* type() const { return type_; }
+  // The pointer value \a type is used to uniquely identify a creds
+  // implementation for down-casting purposes. Every creds implementation should
+  // use a unique string instance, which should be returned by all instances of
+  // that creds implementation.
+  virtual const char* type() const = 0;
 
  private:
   // Implementation for `cmp` method intended to be overridden by subclasses.
-  // Only invoked if `type()` and `other->type()` compare equal as strings.
+  // Only invoked if `type()` and `other->type()` point to the same string.
   virtual int cmp_impl(const grpc_call_credentials* other) const = 0;
 
-  const char* type_;
   const grpc_security_level min_security_level_;
 };
 
@@ -264,15 +250,13 @@ grpc_call_credentials* grpc_md_only_test_credentials_create(
 struct grpc_server_credentials
     : public grpc_core::RefCounted<grpc_server_credentials> {
  public:
-  explicit grpc_server_credentials(const char* type) : type_(type) {}
-
   ~grpc_server_credentials() override { DestroyProcessor(); }
 
   // Ownership of \a args is not passed.
   virtual grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* args) = 0;
 
-  const char* type() const { return type_; }
+  virtual const char* type() const = 0;
 
   const grpc_auth_metadata_processor& auth_metadata_processor() const {
     return processor_;
@@ -287,7 +271,6 @@ struct grpc_server_credentials
     }
   }
 
-  const char* type_;
   grpc_auth_metadata_processor processor_ =
       grpc_auth_metadata_processor();  // Zero-initialize the C struct.
 };

src/core/lib/security/credentials/fake/fake_credentials.cc

@@ -37,11 +37,6 @@
 namespace {
 class grpc_fake_channel_credentials final : public grpc_channel_credentials {
  public:
-  grpc_fake_channel_credentials()
-      : grpc_channel_credentials(
-            GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY) {}
-  ~grpc_fake_channel_credentials() override = default;
-
   grpc_core::RefCountedPtr<grpc_channel_security_connector>
   create_security_connector(
       grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
@@ -51,6 +46,8 @@ class grpc_fake_channel_credentials final : public grpc_channel_credentials {
         this->Ref(), std::move(call_creds), target, args);
   }
 
+  const char* type() const override { return "Fake"; }
+
  private:
   int cmp_impl(const grpc_channel_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here
@@ -61,15 +58,12 @@ class grpc_fake_channel_credentials final : public grpc_channel_credentials {
 
 class grpc_fake_server_credentials final : public grpc_server_credentials {
  public:
-  grpc_fake_server_credentials()
-      : grpc_server_credentials(
-            GRPC_CHANNEL_CREDENTIALS_TYPE_FAKE_TRANSPORT_SECURITY) {}
-  ~grpc_fake_server_credentials() override = default;
-
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /*args*/) override {
     return grpc_fake_server_security_connector_create(this->Ref());
   }
+
+  const char* type() const override { return "Fake"; }
 };
 }  // namespace
 
@@ -107,6 +101,8 @@ grpc_md_only_test_credentials::GetRequestMetadata(
   return grpc_core::Immediate(std::move(initial_metadata));
 }
 
+const char* grpc_md_only_test_credentials::Type() { return "MdOnlyTest"; }
+
 grpc_call_credentials* grpc_md_only_test_credentials_create(
     const char* md_key, const char* md_value) {
   return new grpc_md_only_test_credentials(md_key, md_value);

src/core/lib/security/credentials/fake/fake_credentials.h

@@ -60,8 +60,7 @@ const char* grpc_fake_transport_get_expected_targets(
 class grpc_md_only_test_credentials : public grpc_call_credentials {
  public:
   grpc_md_only_test_credentials(const char* md_key, const char* md_value)
-      : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2,
+      : grpc_call_credentials(GRPC_SECURITY_NONE),
-                              GRPC_SECURITY_NONE),
         key_(grpc_core::Slice::FromCopiedString(md_key)),
         value_(grpc_core::Slice::FromCopiedString(md_value)) {}
 
@@ -69,7 +68,11 @@ class grpc_md_only_test_credentials : public grpc_call_credentials {
   GetRequestMetadata(grpc_core::ClientMetadataHandle initial_metadata,
                      const GetRequestMetadataArgs* args) override;
 
-  std::string debug_string() override { return "MD only Test Credentials"; };
+  std::string debug_string() override { return "MD only Test Credentials"; }
+
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
 
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {

src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -138,6 +138,10 @@ grpc_channel_args* grpc_google_default_channel_credentials::update_arguments(
   return updated;
 }
 
+const char* grpc_google_default_channel_credentials::type() const {
+  return "GoogleDefault";
+}
+
 static void on_metadata_server_detection_http_response(
     void* user_data, grpc_error_handle error) {
   metadata_server_detector* detector =

src/core/lib/security/credentials/google_default/google_default_credentials.h

@@ -46,9 +46,7 @@ class grpc_google_default_channel_credentials
   grpc_google_default_channel_credentials(
       grpc_core::RefCountedPtr<grpc_channel_credentials> alts_creds,
       grpc_core::RefCountedPtr<grpc_channel_credentials> ssl_creds)
-      : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_GOOGLE_DEFAULT),
+      : alts_creds_(std::move(alts_creds)), ssl_creds_(std::move(ssl_creds)) {}
-        alts_creds_(std::move(alts_creds)),
-        ssl_creds_(std::move(ssl_creds)) {}
 
   ~grpc_google_default_channel_credentials() override = default;
 
@@ -60,6 +58,8 @@ class grpc_google_default_channel_credentials
 
   grpc_channel_args* update_arguments(grpc_channel_args* args) override;
 
+  const char* type() const override;
+
   const grpc_channel_credentials* alts_creds() const {
     return alts_creds_.get();
   }

src/core/lib/security/credentials/iam/iam_credentials.cc

@@ -48,8 +48,7 @@ grpc_google_iam_credentials::GetRequestMetadata(
 
 grpc_google_iam_credentials::grpc_google_iam_credentials(
     const char* token, const char* authority_selector)
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_IAM),
+    : token_(token == nullptr ? absl::optional<grpc_core::Slice>()
-      token_(token == nullptr ? absl::optional<grpc_core::Slice>()
                               : grpc_core::Slice::FromCopiedString(token)),
       authority_selector_(
           grpc_core::Slice::FromCopiedString(authority_selector)),
@@ -57,6 +56,8 @@ grpc_google_iam_credentials::grpc_google_iam_credentials(
           "GoogleIAMCredentials{Token:%s,AuthoritySelector:%s}",
           token != nullptr ? "present" : "absent", authority_selector)) {}
 
+const char* grpc_google_iam_credentials::Type() { return "Iam"; }
+
 grpc_call_credentials* grpc_google_iam_credentials_create(
     const char* token, const char* authority_selector, void* reserved) {
   grpc_core::ExecCtx exec_ctx;

src/core/lib/security/credentials/iam/iam_credentials.h

@@ -36,6 +36,10 @@ class grpc_google_iam_credentials : public grpc_call_credentials {
 
   std::string debug_string() override { return debug_string_; }
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here

src/core/lib/security/credentials/insecure/insecure_credentials.cc

@@ -18,44 +18,37 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/insecure/insecure_credentials.h"
+
 #include "src/core/lib/security/security_connector/insecure/insecure_security_connector.h"
 
 namespace grpc_core {
-namespace {
-
-class InsecureCredentials final : public grpc_channel_credentials {
- public:
-  InsecureCredentials()
-      : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_INSECURE) {}
 
-  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
+RefCountedPtr<grpc_channel_security_connector>
-      RefCountedPtr<grpc_call_credentials> call_creds,
+InsecureCredentials::create_security_connector(
+    RefCountedPtr<grpc_call_credentials> request_metadata_creds,
     const char* /* target_name */, const grpc_channel_args* /* args */,
-      grpc_channel_args** /* new_args */) override {
+    grpc_channel_args** /* new_args */) {
   return MakeRefCounted<InsecureChannelSecurityConnector>(
-        Ref(), std::move(call_creds));
+      Ref(), std::move(request_metadata_creds));
 }
 
- private:
+const char* InsecureCredentials::Type() { return "Insecure"; }
-  int cmp_impl(const grpc_channel_credentials* /* other */) const override {
+
+int InsecureCredentials::cmp_impl(
+    const grpc_channel_credentials* /* other */) const {
   // All insecure credentials objects should compare equal.
   return 0;
 }
-};
 
-class InsecureServerCredentials final : public grpc_server_credentials {
+RefCountedPtr<grpc_server_security_connector>
- public:
+InsecureServerCredentials::create_security_connector(
-  InsecureServerCredentials()
+    const grpc_channel_args* /* args */) {
-      : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_INSECURE) {}
-
-  RefCountedPtr<grpc_server_security_connector> create_security_connector(
-      const grpc_channel_args* /* args */) override {
   return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
 }
-};
 
-}  // namespace
+const char* InsecureServerCredentials::Type() { return "Insecure"; }
+
 }  // namespace grpc_core
 
 grpc_channel_credentials* grpc_insecure_credentials_create() {

src/core/lib/security/credentials/insecure/insecure_credentials.h

@@ -0,0 +1,57 @@
+//
+//
+// Copyright 2022 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+
+namespace grpc_core {
+
+class InsecureCredentials final : public grpc_channel_credentials {
+ public:
+  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
+      RefCountedPtr<grpc_call_credentials> request_metadata_creds,
+      const char* /* target_name */, const grpc_channel_args* /* args */,
+      grpc_channel_args** /* new_args */) override;
+
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
+ private:
+  int cmp_impl(const grpc_channel_credentials* other) const override;
+};
+
+class InsecureServerCredentials final : public grpc_server_credentials {
+ public:
+  RefCountedPtr<grpc_server_security_connector> create_security_connector(
+      const grpc_channel_args* /* args */) override;
+
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_INSECURE_INSECURE_CREDENTIALS_H

src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -106,7 +106,7 @@ grpc_service_account_jwt_access_credentials::GetRequestMetadata(
 grpc_service_account_jwt_access_credentials::
     grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
                                                 gpr_timespec token_lifetime)
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_JWT), key_(key) {
+    : key_(key) {
   gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
   if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
     gpr_log(GPR_INFO,
@@ -118,6 +118,10 @@ grpc_service_account_jwt_access_credentials::
   gpr_mu_init(&cache_mu_);
 }
 
+const char* grpc_service_account_jwt_access_credentials::Type() {
+  return "Jwt";
+}
+
 grpc_core::RefCountedPtr<grpc_call_credentials>
 grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
     grpc_auth_json_key key, gpr_timespec token_lifetime) {

src/core/lib/security/credentials/jwt/jwt_credentials.h

@@ -52,6 +52,10 @@ class grpc_service_account_jwt_access_credentials
             static_cast<int64_t>(gpr_timespec_to_micros(jwt_lifetime_)))));
   };
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here

src/core/lib/security/credentials/local/local_credentials.cc

@@ -27,8 +27,6 @@
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/security/security_connector/local/local_security_connector.h"
 
-#define GRPC_CREDENTIALS_TYPE_LOCAL "Local"
-
 grpc_core::RefCountedPtr<grpc_channel_security_connector>
 grpc_local_credentials::create_security_connector(
     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
@@ -38,16 +36,19 @@ grpc_local_credentials::create_security_connector(
       this->Ref(), std::move(request_metadata_creds), args, target_name);
 }
 
+const char* grpc_local_credentials::type() const { return "Local"; }
+
 grpc_core::RefCountedPtr<grpc_server_security_connector>
 grpc_local_server_credentials::create_security_connector(
     const grpc_channel_args* /* args */) {
   return grpc_local_server_security_connector_create(this->Ref());
 }
 
+const char* grpc_local_server_credentials::type() const { return "Local"; }
+
 grpc_local_credentials::grpc_local_credentials(
     grpc_local_connect_type connect_type)
-    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
+    : connect_type_(connect_type) {}
-      connect_type_(connect_type) {}
 
 grpc_channel_credentials* grpc_local_credentials_create(
     grpc_local_connect_type connect_type) {
@@ -56,8 +57,7 @@ grpc_channel_credentials* grpc_local_credentials_create(
 
 grpc_local_server_credentials::grpc_local_server_credentials(
     grpc_local_connect_type connect_type)
-    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_LOCAL),
+    : connect_type_(connect_type) {}
-      connect_type_(connect_type) {}
 
 grpc_server_credentials* grpc_local_server_credentials_create(
     grpc_local_connect_type connect_type) {

src/core/lib/security/credentials/local/local_credentials.h

@@ -37,6 +37,8 @@ class grpc_local_credentials final : public grpc_channel_credentials {
       const char* target_name, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  const char* type() const override;
+
   grpc_local_connect_type connect_type() const { return connect_type_; }
 
  private:
@@ -58,6 +60,8 @@ class grpc_local_server_credentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /* args */) override;
 
+  const char* type() const override;
+
   grpc_local_connect_type connect_type() const { return connect_type_; }
 
  private:

src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -337,8 +337,7 @@ grpc_oauth2_token_fetcher_credentials::GetRequestMetadata(
 }
 
 grpc_oauth2_token_fetcher_credentials::grpc_oauth2_token_fetcher_credentials()
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
+    : token_expiration_(gpr_inf_past(GPR_CLOCK_MONOTONIC)),
-      token_expiration_(gpr_inf_past(GPR_CLOCK_MONOTONIC)),
       pollent_(grpc_polling_entity_create_from_pollset_set(
           grpc_pollset_set_create())) {
   gpr_mu_init(&mu_);
@@ -348,6 +347,10 @@ std::string grpc_oauth2_token_fetcher_credentials::debug_string() {
   return "OAuth2TokenFetcherCredentials";
 }
 
+const char* grpc_oauth2_token_fetcher_credentials::type() const {
+  return "Oauth2";
+}
+
 //
 //  Google Compute Engine credentials.
 //
@@ -473,6 +476,10 @@ std::string grpc_google_refresh_token_credentials::debug_string() {
                          grpc_oauth2_token_fetcher_credentials::debug_string());
 }
 
+const char* grpc_google_refresh_token_credentials::type() const {
+  return "GoogleRefreshToken";
+}
+
 static std::string create_loggable_refresh_token(
     grpc_auth_refresh_token* token) {
   if (strcmp(token->type, GRPC_AUTH_JSON_TYPE_INVALID) == 0) {
@@ -706,10 +713,11 @@ grpc_access_token_credentials::GetRequestMetadata(
   return grpc_core::Immediate(std::move(initial_metadata));
 }
 
+const char* grpc_access_token_credentials::Type() { return "AccessToken"; }
+
 grpc_access_token_credentials::grpc_access_token_credentials(
     const char* access_token)
-    : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2),
+    : access_token_value_(grpc_core::Slice::FromCopiedString(
-      access_token_value_(grpc_core::Slice::FromCopiedString(
           absl::StrCat("Bearer ", access_token))) {}
 
 std::string grpc_access_token_credentials::debug_string() {

src/core/lib/security/credentials/oauth2/oauth2_credentials.h

@@ -102,6 +102,8 @@ class grpc_oauth2_token_fetcher_credentials : public grpc_call_credentials {
                         grpc_error_handle error);
   std::string debug_string() override;
 
+  const char* type() const override;
+
  protected:
   virtual void fetch_oauth2(grpc_credentials_metadata_request* req,
                             grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
@@ -136,6 +138,8 @@ class grpc_google_refresh_token_credentials final
 
   std::string debug_string() override;
 
+  const char* type() const override;
+
  protected:
   void fetch_oauth2(grpc_credentials_metadata_request* req,
                     grpc_polling_entity* pollent, grpc_iomgr_cb_func cb,
@@ -158,6 +162,10 @@ class grpc_access_token_credentials final : public grpc_call_credentials {
 
   std::string debug_string() override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here

src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -60,6 +60,8 @@ std::string grpc_plugin_credentials::debug_string() {
   return debug_str;
 }
 
+const char* grpc_plugin_credentials::type() const { return "Plugin"; }
+
 absl::StatusOr<grpc_core::ClientMetadataHandle>
 grpc_plugin_credentials::PendingRequest::ProcessPluginResult(
     const grpc_metadata* md, size_t num_md, grpc_status_code status,
@@ -197,7 +199,7 @@ grpc_plugin_credentials::GetRequestMetadata(
 grpc_plugin_credentials::grpc_plugin_credentials(
     grpc_metadata_credentials_plugin plugin,
     grpc_security_level min_security_level)
-    : grpc_call_credentials(plugin.type, min_security_level), plugin_(plugin) {}
+    : grpc_call_credentials(min_security_level), plugin_(plugin) {}
 
 grpc_call_credentials* grpc_metadata_credentials_create_from_plugin(
     grpc_metadata_credentials_plugin plugin,

src/core/lib/security/credentials/plugin/plugin_credentials.h

@@ -41,6 +41,8 @@ struct grpc_plugin_credentials final : public grpc_call_credentials {
 
   std::string debug_string() override;
 
+  const char* type() const override;
+
  private:
   class PendingRequest : public grpc_core::RefCounted<PendingRequest> {
    public:

src/core/lib/security/credentials/ssl/ssl_credentials.cc

@@ -37,8 +37,7 @@
 
 grpc_ssl_credentials::grpc_ssl_credentials(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
-    const grpc_ssl_verify_peer_options* verify_options)
+    const grpc_ssl_verify_peer_options* verify_options) {
-    : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
   build_config(pem_root_certs, pem_key_cert_pair, verify_options);
 }
 
@@ -83,6 +82,8 @@ grpc_ssl_credentials::create_security_connector(
   return sc;
 }
 
+const char* grpc_ssl_credentials::Type() { return "Ssl"; }
+
 void grpc_ssl_credentials::build_config(
     const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
     const grpc_ssl_verify_peer_options* verify_options) {
@@ -162,8 +163,7 @@ struct grpc_ssl_server_credentials_options {
 };
 
 grpc_ssl_server_credentials::grpc_ssl_server_credentials(
-    const grpc_ssl_server_credentials_options& options)
+    const grpc_ssl_server_credentials_options& options) {
-    : grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
   if (options.certificate_config_fetcher != nullptr) {
     config_.client_certificate_request = options.client_certificate_request;
     certificate_config_fetcher_ = *options.certificate_config_fetcher;
@@ -186,6 +186,8 @@ grpc_ssl_server_credentials::create_security_connector(
   return grpc_ssl_server_security_connector_create(this->Ref());
 }
 
+const char* grpc_ssl_server_credentials::Type() { return "Ssl"; }
+
 tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
     size_t num_key_cert_pairs) {

src/core/lib/security/credentials/ssl/ssl_credentials.h

@@ -37,6 +37,10 @@ class grpc_ssl_credentials : public grpc_channel_credentials {
       const char* target, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
   // TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
   // version should be done for testing purposes only.
   void set_min_tls_version(grpc_tls_version min_tls_version);
@@ -76,6 +80,10 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /* args */) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
   bool has_cert_config_fetcher() const {
     return certificate_config_fetcher_.cb != nullptr;
   }

src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h

@@ -26,6 +26,7 @@
 
 #include <grpc/grpc_security.h>
 
+#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/thd.h"
@@ -50,6 +51,36 @@ struct grpc_tls_certificate_provider
 
   virtual grpc_core::RefCountedPtr<grpc_tls_certificate_distributor>
   distributor() const = 0;
+
+  // Compares this grpc_tls_certificate_provider object with \a other.
+  // If this method returns 0, it means that gRPC can treat the two certificate
+  // providers as effectively the same. This method is used to compare
+  // `grpc_tls_certificate_provider` objects when they are present in
+  // channel_args. One important usage of this is when channel args are used in
+  // SubchannelKey, which leads to a useful property that allows subchannels to
+  // be reused when two different `grpc_tls_certificate_provider` objects are
+  // used but they compare as equal (assuming other channel args match).
+  int Compare(const grpc_tls_certificate_provider* other) const {
+    GPR_ASSERT(other != nullptr);
+    // Intentionally uses grpc_core::QsortCompare instead of strcmp as a safety
+    // against different grpc_tls_certificate_provider types using the same
+    // name.
+    int r = grpc_core::QsortCompare(type(), other->type());
+    if (r != 0) return r;
+    return CompareImpl(other);
+  }
+
+  // The pointer value \a type is used to uniquely identify a creds
+  // implementation for down-casting purposes. Every provider implementation
+  // should use a unique string instance, which should be returned by all
+  // instances of that provider implementation.
+  virtual const char* type() const = 0;
+
+ private:
+  // Implementation for `Compare` method intended to be overridden by
+  // subclasses. Only invoked if `type()` and `other->type()` point to the same
+  // string.
+  virtual int CompareImpl(const grpc_tls_certificate_provider* other) const = 0;
 };
 
 namespace grpc_core {
@@ -68,11 +99,20 @@ class StaticDataCertificateProvider final
     return distributor_;
   }
 
+  const char* type() const override { return "StaticData"; }
+
  private:
   struct WatcherInfo {
     bool root_being_watched = false;
     bool identity_being_watched = false;
   };
+
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
+
   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
   std::string root_certificate_;
   PemKeyCertPairList pem_key_cert_pairs_;
@@ -98,11 +138,20 @@ class FileWatcherCertificateProvider final
     return distributor_;
   }
 
+  const char* type() const override { return "FileWatcher"; }
+
  private:
   struct WatcherInfo {
     bool root_being_watched = false;
     bool identity_being_watched = false;
   };
+
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
+
   // Force an update from the file system regardless of the interval.
   void ForceUpdate();
   // Read the root certificates from files and update the distributor.

src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc

@@ -30,6 +30,10 @@
 
 namespace grpc_core {
 
+//
+// ExternalCertificateVerifier
+//
+
 bool ExternalCertificateVerifier::Verify(
     grpc_tls_custom_verification_check_request* request,
     std::function<void(absl::Status)> callback, absl::Status* sync_status) {
@@ -80,6 +84,10 @@ void ExternalCertificateVerifier::OnVerifyDone(
   }
 }
 
+//
+// HostNameCertificateVerifier
+//
+
 bool HostNameCertificateVerifier::Verify(
     grpc_tls_custom_verification_check_request* request,
     std::function<void(absl::Status)>, absl::Status* sync_status) {

src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h

@@ -25,6 +25,7 @@
 
 #include <grpc/grpc_security.h>
 
+#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/thd.h"
@@ -37,8 +38,6 @@
 struct grpc_tls_certificate_verifier
     : public grpc_core::RefCounted<grpc_tls_certificate_verifier> {
  public:
-  grpc_tls_certificate_verifier() = default;
-
   ~grpc_tls_certificate_verifier() override = default;
   // Verifies the specific request. It can be processed in sync or async mode.
   // If the caller want it to be processed asynchronously, return false
@@ -52,6 +51,28 @@ struct grpc_tls_certificate_verifier
   // Operations that will be performed when a request is cancelled.
   // This is only needed when in async mode.
   virtual void Cancel(grpc_tls_custom_verification_check_request* request) = 0;
+
+  // Compares this grpc_tls_certificate_verifier object with \a other.
+  // If this method returns 0, it means that gRPC can treat the two certificate
+  // verifiers as effectively the same.
+  int Compare(const grpc_tls_certificate_verifier* other) const {
+    GPR_ASSERT(other != nullptr);
+    int r = grpc_core::QsortCompare(type(), other->type());
+    if (r != 0) return r;
+    return CompareImpl(other);
+  }
+
+  // The pointer value \a type is used to uniquely identify a verifier
+  // implementation for down-casting purposes. Every verifier implementation
+  // should use a unique string instance, which should be returned by all
+  // instances of that verifier implementation.
+  virtual const char* type() const = 0;
+
+ private:
+  // Implementation for `Compare` method intended to be overridden by
+  // subclasses. Only invoked if `type()` and `other->type()` point to the same
+  // string.
+  virtual int CompareImpl(const grpc_tls_certificate_verifier* other) const = 0;
 };
 
 namespace grpc_core {
@@ -78,12 +99,20 @@ class ExternalCertificateVerifier : public grpc_tls_certificate_verifier {
     external_verifier_->cancel(external_verifier_->user_data, request);
   }
 
+  const char* type() const override { return "External"; }
+
  private:
-  grpc_tls_certificate_verifier_external* external_verifier_;
+  int CompareImpl(const grpc_tls_certificate_verifier* other) const override {
+    const auto* o = static_cast<const ExternalCertificateVerifier*>(other);
+    return QsortCompare(external_verifier_, o->external_verifier_);
+  }
 
   static void OnVerifyDone(grpc_tls_custom_verification_check_request* request,
                            void* callback_arg, grpc_status_code status,
                            const char* error_details);
+
+  grpc_tls_certificate_verifier_external* external_verifier_;
+
   // Guards members below.
   Mutex mu_;
   // stores each check request and its corresponding callback function.
@@ -99,6 +128,16 @@ class HostNameCertificateVerifier : public grpc_tls_certificate_verifier {
               std::function<void(absl::Status)> callback,
               absl::Status* sync_status) override;
   void Cancel(grpc_tls_custom_verification_check_request*) override {}
+
+  const char* type() const override { return "Hostname"; }
+
+ private:
+  int CompareImpl(
+      const grpc_tls_certificate_verifier* /* other */) const override {
+    // No differentiating factor between different HostNameCertificateVerifier
+    // objects.
+    return 0;
+  }
 };
 
 }  // namespace grpc_core

src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -1,20 +1,22 @@
-/*
+//
- *
+//
- * Copyright 2018 gRPC authors.
+// Copyright 2018 gRPC authors.
- *
+//
- * Licensed under the Apache License, Version 2.0 (the "License");
+// Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
+// you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+// You may obtain a copy of the License at
- *
+//
- *     http://www.apache.org/licenses/LICENSE-2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
- *
+//
- * Unless required by applicable law or agreed to in writing, software
+// Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
+// distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
+// See the License for the specific language governing permissions and
- * limitations under the License.
+// limitations under the License.
- *
+//
- */
+//
+
+// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py
 
 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
@@ -38,103 +40,72 @@ struct grpc_tls_credentials_options
     : public grpc_core::RefCounted<grpc_tls_credentials_options> {
  public:
   ~grpc_tls_credentials_options() override = default;
+
   // Getters for member fields.
-  grpc_ssl_client_certificate_request_type cert_request_type() const {
+  grpc_ssl_client_certificate_request_type cert_request_type() const { return cert_request_type_; }
-    return cert_request_type_;
-  }
   bool verify_server_cert() const { return verify_server_cert_; }
   grpc_tls_version min_tls_version() const { return min_tls_version_; }
   grpc_tls_version max_tls_version() const { return max_tls_version_; }
-  // Returns the verifier set in the options.
   grpc_tls_certificate_verifier* certificate_verifier() {
-    return verifier_.get();
+    return certificate_verifier_.get();
   }
   bool check_call_host() const { return check_call_host_; }
-  // Returns the distributor from provider_ if it is set, nullptr otherwise.
+  // Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.
   grpc_tls_certificate_distributor* certificate_distributor() {
-    if (provider_ != nullptr) return provider_->distributor().get();
+    if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
     return nullptr;
   }
-  bool watch_root_cert() { return watch_root_cert_; }
+  bool watch_root_cert() const { return watch_root_cert_; }
-  const std::string& root_cert_name() { return root_cert_name_; }
+  const std::string& root_cert_name() const { return root_cert_name_; }
-  bool watch_identity_pair() { return watch_identity_pair_; }
+  bool watch_identity_pair() const { return watch_identity_pair_; }
-  const std::string& identity_cert_name() { return identity_cert_name_; }
+  const std::string& identity_cert_name() const { return identity_cert_name_; }
-  // Returns the previously set tls session key log file path.
+  const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
-  const std::string& tls_session_key_log_file_path() {
+  const std::string& crl_directory() const { return crl_directory_; }
-    return tls_session_key_log_file_path_;
-  }
-  const std::string& crl_directory() { return crl_directory_; }
 
   // Setters for member fields.
-  void set_cert_request_type(
+  void set_cert_request_type(grpc_ssl_client_certificate_request_type cert_request_type) { cert_request_type_ = cert_request_type; }
-      const grpc_ssl_client_certificate_request_type type) {
+  void set_verify_server_cert(bool verify_server_cert) { verify_server_cert_ = verify_server_cert; }
-    cert_request_type_ = type;
+  void set_min_tls_version(grpc_tls_version min_tls_version) { min_tls_version_ = min_tls_version; }
-  }
+  void set_max_tls_version(grpc_tls_version max_tls_version) { max_tls_version_ = max_tls_version; }
-  void set_verify_server_cert(bool verify_server_cert) {
+  void set_certificate_verifier(grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier) { certificate_verifier_ = std::move(certificate_verifier); }
-    verify_server_cert_ = verify_server_cert;
+  void set_check_call_host(bool check_call_host) { check_call_host_ = check_call_host; }
-  }
+  void set_certificate_provider(grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider) { certificate_provider_ = std::move(certificate_provider); }
-  void set_min_tls_version(grpc_tls_version min_tls_version) {
+  // If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.
-    min_tls_version_ = min_tls_version;
+  void set_watch_root_cert(bool watch_root_cert) { watch_root_cert_ = watch_root_cert; }
-  }
+  // Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.
-  void set_max_tls_version(grpc_tls_version max_tls_version) {
+  void set_root_cert_name(std::string root_cert_name) { root_cert_name_ = std::move(root_cert_name); }
-    max_tls_version_ = max_tls_version;
+  // If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.
-  }
+  void set_watch_identity_pair(bool watch_identity_pair) { watch_identity_pair_ = watch_identity_pair; }
-  // Sets the verifier in the options.
+  // Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.
-  void set_certificate_verifier(
+  void set_identity_cert_name(std::string identity_cert_name) { identity_cert_name_ = std::move(identity_cert_name); }
-      grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier) {
+  void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
-    verifier_ = std::move(verifier);
+  //  gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
-  }
+  void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
-  // Sets the verifier in the options.
-  void set_check_call_host(bool check_call_host) {
-    check_call_host_ = check_call_host;
-  }
-  // Sets the provider in the options.
-  void set_certificate_provider(
-      grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider) {
-    provider_ = std::move(provider);
-  }
-  // If need to watch the updates of root certificates with name
-  // |root_cert_name|. The default value is false. If used in tls_credentials,
-  // it should always be set to true unless the root certificates are not
-  // needed.
-  void set_watch_root_cert(bool watch) { watch_root_cert_ = watch; }
-  // Sets the name of root certificates being watched, if |set_watch_root_cert|
-  // is called. If not set, an empty string will be used as the name.
-  void set_root_cert_name(std::string root_cert_name) {
-    root_cert_name_ = std::move(root_cert_name);
-  }
-  // If need to watch the updates of identity certificates with name
-  // |identity_cert_name|.
-  // The default value is false.
-  // If used in tls_credentials, it should always be set to true
-  // unless the identity key-cert pairs are not needed.
-  void set_watch_identity_pair(bool watch) { watch_identity_pair_ = watch; }
-  // Sets the name of identity key-cert pairs being watched, if
-  // |set_watch_identity_pair| is called. If not set, an empty string will
-  // be used as the name.
-  void set_identity_cert_name(std::string identity_cert_name) {
-    identity_cert_name_ = std::move(identity_cert_name);
-  }
-  // Sets the tls session key log file path.
-  void set_tls_session_key_log_file_path(
-      std::string tls_session_key_log_file_path) {
-    tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path);
-  }
 
-  // gRPC will enforce CRLs on all handshakes from all hashed CRL files inside
+  bool operator==(const grpc_tls_credentials_options& other) const {
-  // of the crl_directory. If not set, an empty string will be used, which will
+    return cert_request_type_ == other.cert_request_type_ &&
-  // not enable CRL checking. Only supported for OpenSSL version > 1.1.
+      verify_server_cert_ == other.verify_server_cert_ &&
-  void set_crl_directory(std::string path) { crl_directory_ = std::move(path); }
+      min_tls_version_ == other.min_tls_version_ &&
+      max_tls_version_ == other.max_tls_version_ &&
+      (certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0)) &&
+      check_call_host_ == other.check_call_host_ &&
+      (certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0)) &&
+      watch_root_cert_ == other.watch_root_cert_ &&
+      root_cert_name_ == other.root_cert_name_ &&
+      watch_identity_pair_ == other.watch_identity_pair_ &&
+      identity_cert_name_ == other.identity_cert_name_ &&
+      tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
+      crl_directory_ == other.crl_directory_;
+  }
 
  private:
-  grpc_ssl_client_certificate_request_type cert_request_type_ =
+  grpc_ssl_client_certificate_request_type cert_request_type_ = GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
-      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
   bool verify_server_cert_ = true;
   grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
   grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
-  grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> certificate_verifier_;
   bool check_call_host_ = true;
-  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_provider> certificate_provider_;
   bool watch_root_cert_ = false;
   std::string root_cert_name_;
   bool watch_identity_pair_ = false;

src/core/lib/security/credentials/tls/tls_credentials.cc

@@ -31,8 +31,6 @@
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
 
-#define GRPC_CREDENTIALS_TYPE_TLS "Tls"
-
 namespace {
 
 bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
@@ -70,8 +68,7 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
 
 TlsCredentials::TlsCredentials(
     grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
-    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS),
+    : options_(std::move(options)) {}
-      options_(std::move(options)) {}
 
 TlsCredentials::~TlsCredentials() {}
 
@@ -109,10 +106,16 @@ TlsCredentials::create_security_connector(
   return sc;
 }
 
+int TlsCredentials::cmp_impl(const grpc_channel_credentials* other) const {
+  const TlsCredentials* o = static_cast<const TlsCredentials*>(other);
+  if (*options_ == *o->options_) return 0;
+  return grpc_core::QsortCompare(
+      static_cast<const grpc_channel_credentials*>(this), other);
+}
+
 TlsServerCredentials::TlsServerCredentials(
     grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
-    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS),
+    : options_(std::move(options)) {}
-      options_(std::move(options)) {}
 
 TlsServerCredentials::~TlsServerCredentials() {}
 

src/core/lib/security/credentials/tls/tls_credentials.h

@@ -38,14 +38,12 @@ class TlsCredentials final : public grpc_channel_credentials {
       const char* target_name, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  const char* type() const override { return "Tls"; }
+
   grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:
-  int cmp_impl(const grpc_channel_credentials* other) const override {
+  int cmp_impl(const grpc_channel_credentials* other) const override;
-    // TODO(yashykt): Check if we can do something better here
-    return grpc_core::QsortCompare(
-        static_cast<const grpc_channel_credentials*>(this), other);
-  }
 
   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
 };
@@ -59,6 +57,8 @@ class TlsServerCredentials final : public grpc_server_credentials {
   grpc_core::RefCountedPtr<grpc_server_security_connector>
   create_security_connector(const grpc_channel_args* /* args */) override;
 
+  const char* type() const override { return "Tls"; }
+
   grpc_tls_credentials_options* options() const { return options_.get(); }
 
  private:

src/core/lib/security/credentials/xds/xds_credentials.cc

@@ -29,8 +29,6 @@
 
 namespace grpc_core {
 
-const char kCredentialsTypeXds[] = "Xds";
-
 namespace {
 
 bool XdsVerifySubjectAlternativeNames(
@@ -61,17 +59,21 @@ bool XdsVerifySubjectAlternativeNames(
   return false;
 }
 
-class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
+}  // namespace
- public:
+
-  XdsCertificateVerifier(
+//
+// XdsCertificateVerifier
+//
+
+XdsCertificateVerifier::XdsCertificateVerifier(
     RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
     std::string cluster_name)
     : xds_certificate_provider_(std::move(xds_certificate_provider)),
       cluster_name_(std::move(cluster_name)) {}
 
-  bool Verify(grpc_tls_custom_verification_check_request* request,
+bool XdsCertificateVerifier::Verify(
-              std::function<void(absl::Status)>,
+    grpc_tls_custom_verification_check_request* request,
-              absl::Status* sync_status) override {
+    std::function<void(absl::Status)>, absl::Status* sync_status) {
   GPR_ASSERT(request != nullptr);
   if (!XdsVerifySubjectAlternativeNames(
           request->peer_info.san_names.uri_names,
@@ -91,14 +93,19 @@ class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
   }
   return true; /* synchronous check */
 }
-  void Cancel(grpc_tls_custom_verification_check_request*) override {}
 
- private:
+void XdsCertificateVerifier::Cancel(
-  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
+    grpc_tls_custom_verification_check_request*) {}
-  std::string cluster_name_;
-};
 
-}  // namespace
+int XdsCertificateVerifier::CompareImpl(
+    const grpc_tls_certificate_verifier* other) const {
+  auto* o = static_cast<const XdsCertificateVerifier*>(other);
+  int r = QsortCompare(xds_certificate_provider_, o->xds_certificate_provider_);
+  if (r != 0) return r;
+  return cluster_name_.compare(o->cluster_name_);
+}
+
+const char* XdsCertificateVerifier::type() const { return "Xds"; }
 
 bool TestOnlyXdsVerifySubjectAlternativeNames(
     const char* const* subject_alternative_names,
@@ -164,19 +171,6 @@ XdsCredentials::create_security_connector(
           MakeRefCounted<XdsCertificateVerifier>(xds_certificate_provider,
                                                  std::move(cluster_name)));
       tls_credentials_options->set_check_call_host(false);
-      // TODO(yashkt): Creating a new TlsCreds object each time we create a
-      // security connector means that the security connector's cmp() method
-      // returns unequal for each instance, which means that every time an LB
-      // policy updates, all the subchannels will be recreated.  This is
-      // going to lead to a lot of connection churn.  Instead, we should
-      // either (a) change the TLS security connector's cmp() method to be
-      // smarter somehow, so that it compares unequal only when the
-      // tls_credentials_options have changed, or (b) cache the TlsCreds
-      // objects in the XdsCredentials object so that we can reuse the
-      // same one when creating new security connectors, swapping out the
-      // TlsCreds object only when the tls_credentials_options change.
-      // Option (a) would probably be better, although it may require some
-      // structural changes to the security connector API.
       auto tls_credentials =
           MakeRefCounted<TlsCredentials>(std::move(tls_credentials_options));
       return tls_credentials->create_security_connector(
@@ -188,6 +182,8 @@ XdsCredentials::create_security_connector(
       std::move(call_creds), target_name, temp_args.args, new_args);
 }
 
+const char* XdsCredentials::Type() { return "Xds"; }
+
 //
 // XdsServerCredentials
 //
@@ -224,6 +220,8 @@ XdsServerCredentials::create_security_connector(const grpc_channel_args* args) {
   return fallback_credentials_->create_security_connector(args);
 }
 
+const char* XdsServerCredentials::Type() { return "Xds"; }
+
 }  // namespace grpc_core
 
 grpc_channel_credentials* grpc_xds_credentials_create(

src/core/lib/security/credentials/xds/xds_credentials.h

@@ -23,24 +23,47 @@
 
 #include <grpc/grpc_security.h>
 
+#include "src/core/ext/xds/xds_certificate_provider.h"
 #include "src/core/lib/matchers/matchers.h"
 #include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 
 namespace grpc_core {
 
-extern const char kCredentialsTypeXds[];
+class XdsCertificateVerifier : public grpc_tls_certificate_verifier {
+ public:
+  XdsCertificateVerifier(
+      RefCountedPtr<XdsCertificateProvider> xds_certificate_provider,
+      std::string cluster_name);
+
+  bool Verify(grpc_tls_custom_verification_check_request* request,
+              std::function<void(absl::Status)>,
+              absl::Status* sync_status) override;
+  void Cancel(grpc_tls_custom_verification_check_request*) override;
+
+  const char* type() const override;
+
+ private:
+  int CompareImpl(const grpc_tls_certificate_verifier* other) const override;
+
+  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider_;
+  std::string cluster_name_;
+};
 
 class XdsCredentials final : public grpc_channel_credentials {
  public:
   explicit XdsCredentials(
       RefCountedPtr<grpc_channel_credentials> fallback_credentials)
-      : grpc_channel_credentials(kCredentialsTypeXds),
+      : fallback_credentials_(std::move(fallback_credentials)) {}
-        fallback_credentials_(std::move(fallback_credentials)) {}
 
   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
       RefCountedPtr<grpc_call_credentials> call_creds, const char* target_name,
       const grpc_channel_args* args, grpc_channel_args** new_args) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   int cmp_impl(const grpc_channel_credentials* other) const override {
     auto* o = static_cast<const XdsCredentials*>(other);
@@ -54,12 +77,15 @@ class XdsServerCredentials final : public grpc_server_credentials {
  public:
   explicit XdsServerCredentials(
       RefCountedPtr<grpc_server_credentials> fallback_credentials)
-      : grpc_server_credentials(kCredentialsTypeXds),
+      : fallback_credentials_(std::move(fallback_credentials)) {}
-        fallback_credentials_(std::move(fallback_credentials)) {}
 
   RefCountedPtr<grpc_server_security_connector> create_security_connector(
       const grpc_channel_args* /* args */) override;
 
+  static const char* Type();
+
+  const char* type() const override { return Type(); }
+
  private:
   RefCountedPtr<grpc_server_credentials> fallback_credentials_;
 };

test/core/security/BUILD

@@ -330,6 +330,19 @@ grpc_cc_test(
     ],
 )
 
+grpc_cc_test(
+    name = "grpc_tls_credentials_options_comparator_test",
+    srcs = ["grpc_tls_credentials_options_comparator_test.cc"],
+    external_deps = ["gtest"],
+    language = "C++",
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//:grpc_secure",
+        "//test/core/util:grpc_test_util",
+    ],
+)
+
 grpc_cc_test(
     name = "grpc_tls_certificate_distributor_test",
     srcs = ["grpc_tls_certificate_distributor_test.cc"],

test/core/security/credentials_test.cc

@@ -59,8 +59,11 @@
 #include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
+#include "src/core/lib/security/credentials/iam/iam_credentials.h"
 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+#include "src/core/lib/security/credentials/xds/xds_credentials.h"
 #include "src/core/lib/security/transport/auth_filters.h"
 #include "src/core/lib/transport/error_utils.h"
 #include "src/core/lib/uri/uri_parser.h"
@@ -560,7 +563,7 @@ TEST(CredentialsTest, TestAccessTokenCreds) {
                                                  "authorization: Bearer blah");
   grpc_call_credentials* creds =
       grpc_access_token_credentials_create("blah", nullptr);
-  GPR_ASSERT(strcmp(creds->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) == 0);
+  GPR_ASSERT(strcmp(creds->type(), grpc_access_token_credentials::Type()) == 0);
   /* Check security level. */
   GPR_ASSERT(creds->min_security_level() == GRPC_PRIVACY_AND_INTEGRITY);
   state->RunRequestMetadataTest(creds, kTestUrlScheme, kTestAuthority,
@@ -571,20 +574,18 @@ TEST(CredentialsTest, TestAccessTokenCreds) {
 namespace {
 class check_channel_oauth2 final : public grpc_channel_credentials {
  public:
-  check_channel_oauth2() : grpc_channel_credentials("mock") {}
-  ~check_channel_oauth2() override = default;
-
   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
       RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
       const grpc_channel_args* /*args*/,
       grpc_channel_args** /*new_args*/) override {
-    GPR_ASSERT(strcmp(type(), "mock") == 0);
+    GPR_ASSERT(strcmp(type(), "check_channel_oauth2") == 0);
     GPR_ASSERT(call_creds != nullptr);
-    GPR_ASSERT(strcmp(call_creds->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) ==
+    GPR_ASSERT(call_creds->type() == grpc_access_token_credentials::Type());
-               0);
     return nullptr;
   }
 
+  const char* type() const override { return "check_channel_oauth2"; }
+
  private:
   int cmp_impl(const grpc_channel_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here
@@ -638,16 +639,14 @@ TEST(CredentialsTest, TestOauth2GoogleIamCompositeCreds) {
 
   oauth2_creds->Unref();
   google_iam_creds->Unref();
-  GPR_ASSERT(strcmp(composite_creds->type(),
+  GPR_ASSERT(composite_creds->type() ==
-                    GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0);
+             grpc_composite_call_credentials::Type());
   const grpc_composite_call_credentials::CallCredentialsList& creds_list =
       static_cast<const grpc_composite_call_credentials*>(composite_creds)
           ->inner();
   GPR_ASSERT(creds_list.size() == 2);
-  GPR_ASSERT(strcmp(creds_list[0]->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) ==
+  GPR_ASSERT(creds_list[0]->type() == grpc_md_only_test_credentials::Type());
-             0);
+  GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
-  GPR_ASSERT(strcmp(creds_list[1]->type(), GRPC_CALL_CREDENTIALS_TYPE_IAM) ==
-             0);
   state->RunRequestMetadataTest(composite_creds, kTestUrlScheme, kTestAuthority,
                                 kTestPath);
   composite_creds->Unref();
@@ -656,27 +655,25 @@ TEST(CredentialsTest, TestOauth2GoogleIamCompositeCreds) {
 namespace {
 class check_channel_oauth2_google_iam final : public grpc_channel_credentials {
  public:
-  check_channel_oauth2_google_iam() : grpc_channel_credentials("mock") {}
-  ~check_channel_oauth2_google_iam() override = default;
-
   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
       RefCountedPtr<grpc_call_credentials> call_creds, const char* /*target*/,
       const grpc_channel_args* /*args*/,
       grpc_channel_args** /*new_args*/) override {
-    GPR_ASSERT(strcmp(type(), "mock") == 0);
+    GPR_ASSERT(strcmp(type(), "check_channel_oauth2_google_iam") == 0);
     GPR_ASSERT(call_creds != nullptr);
-    GPR_ASSERT(
+    GPR_ASSERT(call_creds->type() == grpc_composite_call_credentials::Type());
-        strcmp(call_creds->type(), GRPC_CALL_CREDENTIALS_TYPE_COMPOSITE) == 0);
     const grpc_composite_call_credentials::CallCredentialsList& creds_list =
         static_cast<const grpc_composite_call_credentials*>(call_creds.get())
             ->inner();
-    GPR_ASSERT(
+    GPR_ASSERT(creds_list[0]->type() == grpc_access_token_credentials::Type());
-        strcmp(creds_list[0]->type(), GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) == 0);
+    GPR_ASSERT(creds_list[1]->type() == grpc_google_iam_credentials::Type());
-    GPR_ASSERT(strcmp(creds_list[1]->type(), GRPC_CALL_CREDENTIALS_TYPE_IAM) ==
-               0);
     return nullptr;
   }
 
+  const char* type() const override {
+    return "check_channel_oauth2_google_iam";
+  }
+
  private:
   int cmp_impl(const grpc_channel_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here
@@ -1346,7 +1343,8 @@ char* encode_and_sign_jwt_should_not_be_called(
 grpc_service_account_jwt_access_credentials* creds_as_jwt(
     grpc_call_credentials* creds) {
   GPR_ASSERT(creds != nullptr);
-  GPR_ASSERT(strcmp(creds->type(), GRPC_CALL_CREDENTIALS_TYPE_JWT) == 0);
+  GPR_ASSERT(creds->type() ==
+             grpc_service_account_jwt_access_credentials::Type());
   return reinterpret_cast<grpc_service_account_jwt_access_credentials*>(creds);
 }
 
@@ -1769,8 +1767,6 @@ TEST(CredentialsTest, TestGoogleDefaultCredsCallCredsSpecified) {
 
 struct fake_call_creds : public grpc_call_credentials {
  public:
-  fake_call_creds() : grpc_call_credentials("fake") {}
-
   ArenaPromise<absl::StatusOr<ClientMetadataHandle>> GetRequestMetadata(
       ClientMetadataHandle initial_metadata,
       const grpc_call_credentials::GetRequestMetadataArgs*) override {
@@ -1779,6 +1775,8 @@ struct fake_call_creds : public grpc_call_credentials {
     return Immediate(std::move(initial_metadata));
   }
 
+  const char* type() const override { return "fake"; }
+
  private:
   int cmp_impl(const grpc_call_credentials* other) const override {
     // TODO(yashykt): Check if we can do something better here
@@ -3587,6 +3585,62 @@ TEST(CredentialsTest,
   grpc_channel_credentials_release(composite_creds_2);
 }
 
+TEST(CredentialsTest, TestTlsCredentialsCompareSuccess) {
+  auto* tls_creds_1 =
+      grpc_tls_credentials_create(grpc_tls_credentials_options_create());
+  auto* tls_creds_2 =
+      grpc_tls_credentials_create(grpc_tls_credentials_options_create());
+  EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
+  EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
+  grpc_channel_credentials_release(tls_creds_1);
+  grpc_channel_credentials_release(tls_creds_2);
+}
+
+TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareSuccess) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  options_1->set_certificate_verifier(
+      MakeRefCounted<HostNameCertificateVerifier>());
+  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_2->set_certificate_verifier(
+      MakeRefCounted<HostNameCertificateVerifier>());
+  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
+  EXPECT_EQ(tls_creds_1->cmp(tls_creds_2), 0);
+  EXPECT_EQ(tls_creds_2->cmp(tls_creds_1), 0);
+  grpc_channel_credentials_release(tls_creds_1);
+  grpc_channel_credentials_release(tls_creds_2);
+}
+
+TEST(CredentialsTest, TestTlsCredentialsCompareFailure) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  options_1->set_check_call_host(true);
+  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_2->set_check_call_host(false);
+  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
+  EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
+  EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
+  grpc_channel_credentials_release(tls_creds_1);
+  grpc_channel_credentials_release(tls_creds_2);
+}
+
+TEST(CredentialsTest, TestTlsCredentialsWithVerifierCompareFailure) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  options_1->set_certificate_verifier(
+      MakeRefCounted<HostNameCertificateVerifier>());
+  auto* tls_creds_1 = grpc_tls_credentials_create(options_1);
+  auto* options_2 = grpc_tls_credentials_options_create();
+  grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
+                                                     nullptr};
+  options_2->set_certificate_verifier(
+      MakeRefCounted<ExternalCertificateVerifier>(&verifier));
+  auto* tls_creds_2 = grpc_tls_credentials_create(options_2);
+  EXPECT_NE(tls_creds_1->cmp(tls_creds_2), 0);
+  EXPECT_NE(tls_creds_2->cmp(tls_creds_1), 0);
+  grpc_channel_credentials_release(tls_creds_1);
+  grpc_channel_credentials_release(tls_creds_2);
+}
+
 TEST(CredentialsTest, TestXdsCredentialsCompareSucces) {
   auto* insecure_creds = grpc_insecure_credentials_create();
   auto* xds_creds_1 = grpc_xds_credentials_create(insecure_creds);

test/core/security/grpc_tls_certificate_verifier_test.cc

@@ -251,6 +251,46 @@ TEST_F(GrpcTlsCertificateVerifierTest, HostnameVerifierCommonNameCheckFails) {
             "UNAUTHENTICATED: Hostname Verification Check failed.");
 }
 
+TEST_F(GrpcTlsCertificateVerifierTest, ComparingDifferentObjectTypesFails) {
+  grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
+                                                     nullptr};
+  ExternalCertificateVerifier external_verifier(&verifier);
+  HostNameCertificateVerifier hostname_certificate_verifier;
+  EXPECT_NE(external_verifier.Compare(&hostname_certificate_verifier), 0);
+  EXPECT_NE(hostname_certificate_verifier.Compare(&external_verifier), 0);
+}
+
+TEST_F(GrpcTlsCertificateVerifierTest, HostNameCertificateVerifier) {
+  HostNameCertificateVerifier hostname_certificate_verifier_1;
+  HostNameCertificateVerifier hostname_certificate_verifier_2;
+  EXPECT_EQ(
+      hostname_certificate_verifier_1.Compare(&hostname_certificate_verifier_2),
+      0);
+  EXPECT_EQ(
+      hostname_certificate_verifier_2.Compare(&hostname_certificate_verifier_1),
+      0);
+}
+
+TEST_F(GrpcTlsCertificateVerifierTest, ExternalCertificateVerifierSuccess) {
+  grpc_tls_certificate_verifier_external verifier = {nullptr, nullptr, nullptr,
+                                                     nullptr};
+  ExternalCertificateVerifier external_verifier_1(&verifier);
+  ExternalCertificateVerifier external_verifier_2(&verifier);
+  EXPECT_EQ(external_verifier_1.Compare(&external_verifier_2), 0);
+  EXPECT_EQ(external_verifier_2.Compare(&external_verifier_1), 0);
+}
+
+TEST_F(GrpcTlsCertificateVerifierTest, ExternalCertificateVerifierFailure) {
+  grpc_tls_certificate_verifier_external verifier_1 = {nullptr, nullptr,
+                                                       nullptr, nullptr};
+  ExternalCertificateVerifier external_verifier_1(&verifier_1);
+  grpc_tls_certificate_verifier_external verifier_2 = {nullptr, nullptr,
+                                                       nullptr, nullptr};
+  ExternalCertificateVerifier external_verifier_2(&verifier_2);
+  EXPECT_NE(external_verifier_1.Compare(&external_verifier_2), 0);
+  EXPECT_NE(external_verifier_2.Compare(&external_verifier_1), 0);
+}
+
 }  // namespace testing
 
 }  // namespace grpc_core

test/core/security/grpc_tls_credentials_options_comparator_test.cc

@@ -0,0 +1,175 @@
+//
+//
+// Copyright 2022 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py
+
+#include <grpc/support/port_platform.h>
+
+#include <string>
+
+#include <gmock/gmock.h>
+
+#include "src/core/lib/security/credentials/xds/xds_credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace {
+
+TEST(TlsCredentialsOptionsComparatorTest, DifferentCertRequestType) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
+  options_2->set_cert_request_type(GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentVerifyServerCert) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_verify_server_cert(false);
+  options_2->set_verify_server_cert(true);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentMinTlsVersion) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_min_tls_version(grpc_tls_version::TLS1_2);
+  options_2->set_min_tls_version(grpc_tls_version::TLS1_3);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentMaxTlsVersion) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_max_tls_version(grpc_tls_version::TLS1_2);
+  options_2->set_max_tls_version(grpc_tls_version::TLS1_3);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentCertificateVerifier) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_certificate_verifier(MakeRefCounted<HostNameCertificateVerifier>());
+  options_2->set_certificate_verifier(MakeRefCounted<XdsCertificateVerifier>(nullptr, ""));
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentCheckCallHost) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_check_call_host(false);
+  options_2->set_check_call_host(true);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentCertificateProvider) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_certificate_provider(MakeRefCounted<StaticDataCertificateProvider>("root_cert_1", PemKeyCertPairList()));
+  options_2->set_certificate_provider(MakeRefCounted<StaticDataCertificateProvider>("root_cert_2", PemKeyCertPairList()));
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentWatchRootCert) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_watch_root_cert(false);
+  options_2->set_watch_root_cert(true);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentRootCertName) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_root_cert_name("root_cert_name_1");
+  options_2->set_root_cert_name("root_cert_name_2");
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentWatchIdentityPair) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_watch_identity_pair(false);
+  options_2->set_watch_identity_pair(true);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentIdentityCertName) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_identity_cert_name("identity_cert_name_1");
+  options_2->set_identity_cert_name("identity_cert_name_2");
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentTlsSessionKeyLogFilePath) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_tls_session_key_log_file_path("file_path_1");
+  options_2->set_tls_session_key_log_file_path("file_path_2");
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+TEST(TlsCredentialsOptionsComparatorTest, DifferentCrlDirectory) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_crl_directory("crl_directory_1");
+  options_2->set_crl_directory("crl_directory_2");
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}
+
+} // namespace
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+  testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  grpc_init();
+  auto result = RUN_ALL_TESTS();
+  grpc_shutdown();
+  return result;
+}

test/core/security/tls_security_connector_test.cc

@@ -120,7 +120,15 @@ class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
     return distributor_;
   }
 
+  const char* type() const override { return "tls_test"; }
+
  private:
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
+
   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
 };
 
@@ -481,8 +489,13 @@ TEST_F(TlsSecurityConnectorTest,
   RefCountedPtr<grpc_channel_security_connector> connector =
       credential->create_security_connector(nullptr, kTargetName, nullptr,
                                             nullptr);
+  auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
+  other_options->set_certificate_provider(provider);
+  other_options->set_watch_root_cert(true);
+  other_options->set_root_cert_name(kRootCertName);
+  other_options->set_watch_identity_pair(true);
   RefCountedPtr<TlsCredentials> other_credential =
-      MakeRefCounted<TlsCredentials>(options);
+      MakeRefCounted<TlsCredentials>(other_options);
   RefCountedPtr<grpc_channel_security_connector> other_connector =
       other_credential->create_security_connector(nullptr, kTargetName, nullptr,
                                                   nullptr);

test/core/security/xds_credentials_test.cc

@@ -289,6 +289,29 @@ TEST(XdsSanMatchingTest, RegexMatch) {
       sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
 }
 
+TEST(XdsCertificateVerifierTest, CompareSuccess) {
+  XdsCertificateVerifier verifier_1(nullptr, "");
+  XdsCertificateVerifier verifier_2(nullptr, "");
+  EXPECT_EQ(verifier_1.Compare(&verifier_2), 0);
+  EXPECT_EQ(verifier_2.Compare(&verifier_1), 0);
+}
+
+TEST(XdsCertificateVerifierTest, CompareFailureDifferentCertificateProviders) {
+  XdsCertificateVerifier verifier_1(MakeRefCounted<XdsCertificateProvider>(),
+                                    "");
+  XdsCertificateVerifier verifier_2(MakeRefCounted<XdsCertificateProvider>(),
+                                    "");
+  EXPECT_NE(verifier_1.Compare(&verifier_2), 0);
+  EXPECT_NE(verifier_2.Compare(&verifier_1), 0);
+}
+
+TEST(XdsCertificateVerifierTest, CompareFailureDifferentClusterNames) {
+  XdsCertificateVerifier verifier_1(nullptr, "cluster1");
+  XdsCertificateVerifier verifier_2(nullptr, "cluster2");
+  EXPECT_NE(verifier_1.Compare(&verifier_2), 0);
+  EXPECT_NE(verifier_2.Compare(&verifier_1), 0);
+}
+
 }  // namespace
 
 }  // namespace testing

test/core/xds/certificate_provider_store_test.cc

@@ -43,6 +43,15 @@ class FakeCertificateProvider : public grpc_tls_certificate_provider {
     GPR_ASSERT(0);
     return nullptr;
   }
+
+  const char* type() const override { return "fake"; }
+
+ private:
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
+                        other);
+  }
 };
 
 class FakeCertificateProviderFactory1 : public CertificateProviderFactory {

test/cpp/end2end/xds/xds_end2end_test.cc

@@ -395,7 +395,15 @@ class FakeCertificateProvider final : public grpc_tls_certificate_provider {
     return distributor_;
   }
 
+  const char* type() const override { return "fake"; }
+
  private:
+  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
+    // TODO(yashykt): Maybe do something better here.
+    return grpc_core::QsortCompare(
+        static_cast<const grpc_tls_certificate_provider*>(this), other);
+  }
+
   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
   CertDataMap cert_data_map_;
 };
@@ -7562,13 +7570,11 @@ class XdsSecurityTest : public BasicTest {
     constexpr int kRetryCount = 100;
     int num_tries = 0;
     for (; num_tries < kRetryCount; num_tries++) {
-      // Give some time for the updates to propagate.
-      gpr_sleep_until(grpc_timeout_milliseconds_to_deadline(100));
-      if (test_expects_failure) {
       // Restart the servers to force a reconnection so that previously
       // connected subchannels are not used for the RPC.
       ShutdownBackend(0);
       StartBackend(0);
+      if (test_expects_failure) {
         if (SendRpc().ok()) {
           gpr_log(GPR_ERROR, "RPC succeeded. Failure expected. Trying again.");
           continue;

tools/codegen/core/gen_grpc_tls_credentials_options.py

@@ -0,0 +1,394 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generator script for src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h and test/core/security/grpc_tls_credentials_options_comparator_test.cc
+# Should be executed from grpc's root directory.
+
+from __future__ import print_function
+
+import collections
+from dataclasses import dataclass
+import difflib
+import filecmp
+import os
+import sys
+import tempfile
+
+
+@dataclass
+class DataMember:
+    name: str  # name of the data member without the trailing '_'
+    type: str  # Type (eg. std::string, bool)
+    test_name: str  # The name to use for the associated test
+    test_value_1: str  # Test-specific value to use for comparison
+    test_value_2: str  # Test-specific value (different from test_value_1)
+    default_initializer: str = ''  # If non-empty, this will be used as the default initialization of this field
+    getter_comment: str = ''  # Comment to add before the getter for this field
+    special_getter_return_type: str = ''  # Override for the return type of getter (eg. const std::string&)
+    override_getter: str = ''  # Override for the entire getter method. Relevant for certificate_verifier and certificate_provider
+    setter_comment: str = ''  # Commend to add before the setter for this field
+    setter_move_semantics: bool = False  # Should the setter use move-semantics
+    special_comparator: str = ''  # If non-empty, this will be used in `operator==`
+
+
+_DATA_MEMBERS = [
+    DataMember(name='cert_request_type',
+               type='grpc_ssl_client_certificate_request_type',
+               default_initializer='GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE',
+               test_name="DifferentCertRequestType",
+               test_value_1="GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE",
+               test_value_2="GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY"),
+    DataMember(name='verify_server_cert',
+               type='bool',
+               default_initializer='true',
+               test_name="DifferentVerifyServerCert",
+               test_value_1="false",
+               test_value_2="true"),
+    DataMember(name='min_tls_version',
+               type='grpc_tls_version',
+               default_initializer='grpc_tls_version::TLS1_2',
+               test_name="DifferentMinTlsVersion",
+               test_value_1="grpc_tls_version::TLS1_2",
+               test_value_2="grpc_tls_version::TLS1_3"),
+    DataMember(name='max_tls_version',
+               type='grpc_tls_version',
+               default_initializer='grpc_tls_version::TLS1_3',
+               test_name="DifferentMaxTlsVersion",
+               test_value_1="grpc_tls_version::TLS1_2",
+               test_value_2="grpc_tls_version::TLS1_3"),
+    DataMember(
+        name='certificate_verifier',
+        type='grpc_core::RefCountedPtr<grpc_tls_certificate_verifier>',
+        override_getter="""grpc_tls_certificate_verifier* certificate_verifier() {
+    return certificate_verifier_.get();
+  }""",
+        setter_move_semantics=True,
+        special_comparator=
+        '(certificate_verifier_ == other.certificate_verifier_ || (certificate_verifier_ != nullptr && other.certificate_verifier_ != nullptr && certificate_verifier_->Compare(other.certificate_verifier_.get()) == 0))',
+        test_name="DifferentCertificateVerifier",
+        test_value_1="MakeRefCounted<HostNameCertificateVerifier>()",
+        test_value_2="MakeRefCounted<XdsCertificateVerifier>(nullptr, \"\")"),
+    DataMember(name='check_call_host',
+               type='bool',
+               default_initializer='true',
+               test_name="DifferentCheckCallHost",
+               test_value_1="false",
+               test_value_2="true"),
+    DataMember(
+        name='certificate_provider',
+        type='grpc_core::RefCountedPtr<grpc_tls_certificate_provider>',
+        getter_comment=
+        'Returns the distributor from certificate_provider_ if it is set, nullptr otherwise.',
+        override_getter=
+        """grpc_tls_certificate_distributor* certificate_distributor() {
+    if (certificate_provider_ != nullptr) { return certificate_provider_->distributor().get(); }
+    return nullptr;
+  }""",
+        setter_move_semantics=True,
+        special_comparator=
+        '(certificate_provider_ == other.certificate_provider_ || (certificate_provider_ != nullptr && other.certificate_provider_ != nullptr && certificate_provider_->Compare(other.certificate_provider_.get()) == 0))',
+        test_name="DifferentCertificateProvider",
+        test_value_1=
+        "MakeRefCounted<StaticDataCertificateProvider>(\"root_cert_1\", PemKeyCertPairList())",
+        test_value_2=
+        "MakeRefCounted<StaticDataCertificateProvider>(\"root_cert_2\", PemKeyCertPairList())"
+    ),
+    DataMember(
+        name='watch_root_cert',
+        type='bool',
+        default_initializer='false',
+        setter_comment=
+        'If need to watch the updates of root certificates with name |root_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the root certificates are not needed.',
+        test_name="DifferentWatchRootCert",
+        test_value_1="false",
+        test_value_2="true"),
+    DataMember(
+        name='root_cert_name',
+        type='std::string',
+        special_getter_return_type='const std::string&',
+        setter_comment=
+        'Sets the name of root certificates being watched, if |set_watch_root_cert| is called. If not set, an empty string will be used as the name.',
+        setter_move_semantics=True,
+        test_name="DifferentRootCertName",
+        test_value_1="\"root_cert_name_1\"",
+        test_value_2="\"root_cert_name_2\""),
+    DataMember(
+        name='watch_identity_pair',
+        type='bool',
+        default_initializer='false',
+        setter_comment=
+        'If need to watch the updates of identity certificates with name |identity_cert_name|. The default value is false. If used in tls_credentials, it should always be set to true unless the identity key-cert pairs are not needed.',
+        test_name="DifferentWatchIdentityPair",
+        test_value_1="false",
+        test_value_2="true"),
+    DataMember(
+        name='identity_cert_name',
+        type='std::string',
+        special_getter_return_type='const std::string&',
+        setter_comment=
+        'Sets the name of identity key-cert pairs being watched, if |set_watch_identity_pair| is called. If not set, an empty string will be used as the name.',
+        setter_move_semantics=True,
+        test_name="DifferentIdentityCertName",
+        test_value_1="\"identity_cert_name_1\"",
+        test_value_2="\"identity_cert_name_2\""),
+    DataMember(name='tls_session_key_log_file_path',
+               type='std::string',
+               special_getter_return_type='const std::string&',
+               setter_move_semantics=True,
+               test_name="DifferentTlsSessionKeyLogFilePath",
+               test_value_1="\"file_path_1\"",
+               test_value_2="\"file_path_2\""),
+    DataMember(
+        name='crl_directory',
+        type='std::string',
+        special_getter_return_type='const std::string&',
+        setter_comment=
+        ' gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.',
+        setter_move_semantics=True,
+        test_name="DifferentCrlDirectory",
+        test_value_1="\"crl_directory_1\"",
+        test_value_2="\"crl_directory_2\"")
+]
+
+
+# print copyright notice from this file
+def put_copyright(f, year):
+    print("""//
+//
+// Copyright %s gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+""" % (year),
+          file=f)
+
+
+# Prints differences between two files
+def get_file_differences(file1, file2):
+    with open(file1) as f1:
+        file1_text = f1.readlines()
+    with open(file2) as f2:
+        file2_text = f2.readlines()
+    return difflib.unified_diff(file1_text,
+                                file2_text,
+                                fromfile=file1,
+                                tofile=file2)
+
+
+# Is this script executed in test mode?
+test_mode = False
+if len(sys.argv) > 1 and sys.argv[1] == "--test":
+    test_mode = True
+
+HEADER_FILE_NAME = 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h'
+# Generate src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
+header_file_name = HEADER_FILE_NAME
+if (test_mode):
+    header_file_name = tempfile.NamedTemporaryFile(delete=False).name
+H = open(header_file_name, 'w')
+
+put_copyright(H, '2018')
+print(
+    '// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py\n',
+    file=H)
+print(
+    """#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+
+#include <grpc/support/port_platform.h>
+
+#include "absl/container/inlined_vector.h"
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+
+// Contains configurable options specified by callers to configure their certain
+// security features supported in TLS.
+// TODO(ZhenLian): consider making this not ref-counted.
+struct grpc_tls_credentials_options
+    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
+ public:
+  ~grpc_tls_credentials_options() override = default;
+""",
+    file=H)
+
+# Print out getters for all data members
+print("  // Getters for member fields.", file=H)
+for data_member in _DATA_MEMBERS:
+    if data_member.getter_comment != '':
+        print("  // " + data_member.getter_comment, file=H)
+    if data_member.override_getter:
+        print("  " + data_member.override_getter, file=H)
+    else:
+        print(
+            "  %s %s() const { return %s; }" %
+            (data_member.special_getter_return_type if
+             data_member.special_getter_return_type != '' else data_member.type,
+             data_member.name, data_member.name + '_'),
+            file=H)
+
+# Print out setters for all data members
+print("", file=H)
+print("  // Setters for member fields.", file=H)
+for data_member in _DATA_MEMBERS:
+    if data_member.setter_comment != '':
+        print("  // " + data_member.setter_comment, file=H)
+    if (data_member.setter_move_semantics):
+        print("  void set_%s(%s %s) { %s_ = std::move(%s); }" %
+              (data_member.name, data_member.type, data_member.name,
+               data_member.name, data_member.name),
+              file=H)
+    else:
+        print("  void set_%s(%s %s) { %s_ = %s; }" %
+              (data_member.name, data_member.type, data_member.name,
+               data_member.name, data_member.name),
+              file=H)
+
+# Write out operator==
+print("\n  bool operator==(const grpc_tls_credentials_options& other) const {",
+      file=H)
+operator_equal_content = "    return "
+for i in range(len(_DATA_MEMBERS)):
+    if (i != 0):
+        operator_equal_content += "      "
+    if (_DATA_MEMBERS[i].special_comparator != ''):
+        operator_equal_content += _DATA_MEMBERS[i].special_comparator
+    else:
+        operator_equal_content += _DATA_MEMBERS[
+            i].name + "_ == other." + _DATA_MEMBERS[i].name + "_"
+    if (i != len(_DATA_MEMBERS) - 1):
+        operator_equal_content += ' &&\n'
+print(operator_equal_content + ";\n  }", file=H)
+
+#Print out data member declarations
+print("\n private:", file=H)
+for data_member in _DATA_MEMBERS:
+    if data_member.default_initializer == '':
+        print("  %s %s_;" % (
+            data_member.type,
+            data_member.name,
+        ), file=H)
+    else:
+        print("  %s %s_ = %s;" % (data_member.type, data_member.name,
+                                  data_member.default_initializer),
+              file=H)
+
+# Print out file ending
+print("""};
+
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H""",
+      file=H)
+
+H.close()
+
+# Generate test/core/security/grpc_tls_credentials_options_comparator_test.cc
+TEST_FILE_NAME = 'test/core/security/grpc_tls_credentials_options_comparator_test.cc'
+test_file_name = TEST_FILE_NAME
+if (test_mode):
+    test_file_name = tempfile.NamedTemporaryFile(delete=False).name
+T = open(test_file_name, 'w')
+
+put_copyright(T, '2022')
+print('// Generated by tools/codegen/core/gen_grpc_tls_credentials_options.py',
+      file=T)
+print("""
+#include <grpc/support/port_platform.h>
+
+#include <string>
+
+#include <gmock/gmock.h>
+
+#include "src/core/lib/security/credentials/xds/xds_credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace {
+""",
+      file=T)
+
+# Generate negative test for each negative member
+for data_member in _DATA_MEMBERS:
+    print("""TEST(TlsCredentialsOptionsComparatorTest, %s) {
+  auto* options_1 = grpc_tls_credentials_options_create();
+  auto* options_2 = grpc_tls_credentials_options_create();
+  options_1->set_%s(%s);
+  options_2->set_%s(%s);
+  EXPECT_FALSE(*options_1 == *options_2);
+  EXPECT_FALSE(*options_2 == *options_1);
+  delete options_1;
+  delete options_2;
+}""" % (data_member.test_name, data_member.name, data_member.test_value_1,
+        data_member.name, data_member.test_value_2),
+          file=T)
+
+# Print out file ending
+print("""
+} // namespace
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+  testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(argc, argv);
+  grpc_init();
+  auto result = RUN_ALL_TESTS();
+  grpc_shutdown();
+  return result;
+}""",
+      file=T)
+T.close()
+
+if (test_mode):
+    header_diff = get_file_differences(header_file_name, HEADER_FILE_NAME)
+    test_diff = get_file_differences(test_file_name, TEST_FILE_NAME)
+    os.unlink(header_file_name)
+    os.unlink(test_file_name)
+    header_error = False
+    for line in header_diff:
+        print(line)
+        header_error = True
+    if header_error:
+        print(
+            HEADER_FILE_NAME +
+            ' should not be manually modified. Please make changes to tools/distrib/gen_grpc_tls_credentials_options.py instead.'
+        )
+    test_error = False
+    for line in test_diff:
+        print(line)
+        test_error = True
+    if test_error:
+        print(
+            TEST_FILE_NAME +
+            ' should not be manually modified. Please make changes to tools/distrib/gen_grpc_tls_credentials_options.py instead.'
+        )
+    if (header_error or test_error):
+        sys.exit(1)

tools/distrib/sanitize.sh

@@ -31,3 +31,4 @@ tools/distrib/isort_code.sh
 tools/distrib/clang_format_code.sh
 tools/distrib/buildifier_format_code_strict.sh || true
 tools/distrib/check_redundant_namespace_qualifiers.py || true
+tools/codegen/core/gen_grpc_tls_credentials_options.py

tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh

@@ -32,7 +32,7 @@ for dir in $DIRS
 do
   for glob in $GLOB
   do
-    files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.upb.h' -and -not -name '*.upb.c' -and -not -name '*.upbdefs.h' -and -not -name '*.upbdefs.c' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name public_headers_must_be_c89.c -and -not -name grpc_shadow_boringssl.h`"
+    files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.upb.h' -and -not -name '*.upb.c' -and -not -name '*.upbdefs.h' -and -not -name '*.upbdefs.c' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name public_headers_must_be_c89.c -and -not -name grpc_shadow_boringssl.h -and -not -name grpc_tls_credentials_options.h -and -not -name grpc_tls_credentials_options_comparator_test.cc`"
   done
 done
 

tools/doxygen/Doxyfile.c++.internal

@@ -2278,6 +2278,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
 src/core/lib/security/credentials/insecure/insecure_credentials.cc \
+src/core/lib/security/credentials/insecure/insecure_credentials.h \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \

tools/doxygen/Doxyfile.core.internal

@@ -2073,6 +2073,7 @@ src/core/lib/security/credentials/google_default/google_default_credentials.h \
 src/core/lib/security/credentials/iam/iam_credentials.cc \
 src/core/lib/security/credentials/iam/iam_credentials.h \
 src/core/lib/security/credentials/insecure/insecure_credentials.cc \
+src/core/lib/security/credentials/insecure/insecure_credentials.h \
 src/core/lib/security/credentials/jwt/json_token.cc \
 src/core/lib/security/credentials/jwt/json_token.h \
 src/core/lib/security/credentials/jwt/jwt_credentials.cc \

tools/run_tests/generated/tests.json

@@ -4593,6 +4593,30 @@
     ],
     "uses_polling": true
   },
+  {
+    "args": [],
+    "benchmark": false,
+    "ci_platforms": [
+      "linux",
+      "mac",
+      "posix",
+      "windows"
+    ],
+    "cpu_cost": 1.0,
+    "exclude_configs": [],
+    "exclude_iomgrs": [],
+    "flaky": false,
+    "gtest": true,
+    "language": "c++",
+    "name": "grpc_tls_credentials_options_comparator_test",
+    "platforms": [
+      "linux",
+      "mac",
+      "posix",
+      "windows"
+    ],
+    "uses_polling": true
+  },
   {
     "args": [],
     "benchmark": false,

tools/run_tests/sanity/sanity_tests.yaml

@@ -27,6 +27,7 @@
 - script: tools/distrib/check_trailing_newlines.sh
 - script: tools/distrib/check_upb_output.sh
 - script: tools/distrib/check_pytype.sh
+- script: tools/codegen/core/gen_grpc_tls_credentials_options.py --test
 - script: tools/distrib/clang_format_code.sh
 - script: tools/distrib/clang_tidy_code.sh
   # ClangTidy needs to run exclusively because it uses files under the bazel output