Add experimental API for CRL checking support to gRPC C++ TlsCredentials (#28407)

include/grpcpp/security/tls_credentials_options.h

@@ -106,6 +106,13 @@ class TlsCredentialsOptions {
   // verifiers other than the host name verifier is used.
   void set_check_call_host(bool check_call_host);
 
+  // TODO(zhenlian): This is an experimental API is likely to change in the
+  // future. Before de-experiementalizing, verify the API is up to date.
+  // If set, gRPC will read all hashed x.509 CRL files in the directory and
+  // enforce the CRL files on all TLS handshakes. Only supported for OpenSSL
+  // version > 1.1.
+  void set_crl_directory(const std::string& path);
+
   // ----- Getters for member fields ----
   // Get the internal c options. This function shall be used only internally.
   grpc_tls_credentials_options* c_credentials_options() const {

src/cpp/common/tls_credentials_options.cc

@@ -59,6 +59,11 @@ void TlsCredentialsOptions::set_identity_cert_name(
       c_credentials_options_, identity_cert_name.c_str());
 }
 
+void TlsCredentialsOptions::set_crl_directory(const std::string& path) {
+  grpc_tls_credentials_options_set_crl_directory(c_credentials_options_,
+                                                 path.c_str());
+}
+
 void TlsCredentialsOptions::set_tls_session_key_log_file_path(
     const std::string& tls_session_key_log_file_path) {
   grpc_tls_credentials_options_set_tls_session_key_log_file_path(

test/cpp/client/credentials_test.cc

@@ -36,6 +36,7 @@
 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
+#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data"
 
 namespace {
 
@@ -381,6 +382,20 @@ TEST(CredentialsTest, TlsChannelCredentialsWithAsyncExternalVerifier) {
   GPR_ASSERT(channel_credentials.get() != nullptr);
 }
 
+TEST(CredentialsTest, TlsChannelCredentialsWithCrlDirectory) {
+  auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
+      SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
+  grpc::experimental::TlsChannelCredentialsOptions options;
+  options.set_certificate_provider(certificate_provider);
+  options.watch_root_certs();
+  options.set_root_cert_name(kRootCertName);
+  options.watch_identity_key_cert_pairs();
+  options.set_identity_cert_name(kIdentityCertName);
+  options.set_crl_directory(CRL_DIR_PATH);
+  auto channel_credentials = grpc::experimental::TlsCredentials(options);
+  GPR_ASSERT(channel_credentials.get() != nullptr);
+}
+
 }  // namespace
 }  // namespace testing
 }  // namespace grpc

test/cpp/server/credentials_test.cc

@@ -32,6 +32,7 @@
 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
+#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data"
 
 namespace {
 
@@ -110,6 +111,21 @@ TEST(
   GPR_ASSERT(server_credentials.get() != nullptr);
 }
 
+TEST(CredentialsTest, TlsServerCredentialsWithCrlChecking) {
+  auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
+      SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
+  grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
+  options.watch_root_certs();
+  options.set_root_cert_name(kRootCertName);
+  options.watch_identity_key_cert_pairs();
+  options.set_identity_cert_name(kIdentityCertName);
+  options.set_cert_request_type(
+      GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
+  options.set_crl_directory(CRL_DIR_PATH);
+  auto server_credentials = grpc::experimental::TlsServerCredentials(options);
+  GPR_ASSERT(server_credentials.get() != nullptr);
+}
+
 // ServerCredentials should always have identity credential presented.
 // Otherwise gRPC stack will fail.
 TEST(