From a3d997cbdc4dcf8f4aff7e380f9efdd041cf09d0 Mon Sep 17 00:00:00 2001 From: Yihua Zhang <yihuaz@google.com> Date: Tue, 29 Jan 2019 10:04:28 -0800 Subject: [PATCH] Add a TLS credential surface API (experimental) --- BUILD | 2 + CMakeLists.txt | 2 + Makefile | 3 + build.yaml | 2 + config.m4 | 2 + config.w32 | 2 + gRPC-C++.podspec | 1 + gRPC-Core.podspec | 3 + grpc.def | 9 + grpc.gemspec | 2 + grpc.gyp | 1 + include/grpc/grpc_security.h | 195 ++++++++++++++++ package.xml | 2 + .../tls/grpc_tls_credentials_options.cc | 192 ++++++++++++++++ .../tls/grpc_tls_credentials_options.h | 213 ++++++++++++++++++ .../security/security_connector/ssl_utils.h | 33 +++ src/python/grpcio/grpc_core_dependencies.py | 1 + src/ruby/ext/grpc/rb_grpc_imports.generated.c | 18 ++ src/ruby/ext/grpc/rb_grpc_imports.generated.h | 27 +++ .../core/surface/public_headers_must_be_c89.c | 9 + tools/doxygen/Doxyfile.core.internal | 2 + .../generated/sources_and_headers.json | 3 + 22 files changed, 724 insertions(+) create mode 100644 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc create mode 100644 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h diff --git a/BUILD b/BUILD index 81272e27e97..ff066edaeaf 100644 --- a/BUILD +++ b/BUILD @@ -1614,6 +1614,7 @@ grpc_cc_library( "src/core/lib/security/credentials/oauth2/oauth2_credentials.cc", "src/core/lib/security/credentials/plugin/plugin_credentials.cc", "src/core/lib/security/credentials/ssl/ssl_credentials.cc", + "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc", "src/core/lib/security/security_connector/alts/alts_security_connector.cc", "src/core/lib/security/security_connector/fake/fake_security_connector.cc", "src/core/lib/security/security_connector/load_system_roots_fallback.cc", 
@@ -1648,6 +1649,7 @@ grpc_cc_library( "src/core/lib/security/credentials/oauth2/oauth2_credentials.h", "src/core/lib/security/credentials/plugin/plugin_credentials.h", "src/core/lib/security/credentials/ssl/ssl_credentials.h", + "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h", "src/core/lib/security/security_connector/alts/alts_security_connector.h", "src/core/lib/security/security_connector/fake/fake_security_connector.h", "src/core/lib/security/security_connector/load_system_roots.h", diff --git a/CMakeLists.txt b/CMakeLists.txt index a36d06a703c..9813eec7062 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1151,6 +1151,7 @@ add_library(grpc src/core/lib/security/credentials/oauth2/oauth2_credentials.cc src/core/lib/security/credentials/plugin/plugin_credentials.cc src/core/lib/security/credentials/ssl/ssl_credentials.cc + src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc src/core/lib/security/security_connector/alts/alts_security_connector.cc src/core/lib/security/security_connector/fake/fake_security_connector.cc src/core/lib/security/security_connector/load_system_roots_fallback.cc @@ -1609,6 +1610,7 @@ add_library(grpc_cronet src/core/lib/security/credentials/oauth2/oauth2_credentials.cc src/core/lib/security/credentials/plugin/plugin_credentials.cc src/core/lib/security/credentials/ssl/ssl_credentials.cc + src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc src/core/lib/security/security_connector/alts/alts_security_connector.cc src/core/lib/security/security_connector/fake/fake_security_connector.cc src/core/lib/security/security_connector/load_system_roots_fallback.cc diff --git a/Makefile b/Makefile index fd76e8b7d72..b9b7ab4c254 100644 --- a/Makefile +++ b/Makefile 
@@ -3672,6 +3672,7 @@ LIBGRPC_SRC = \ src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \ src/core/lib/security/credentials/plugin/plugin_credentials.cc \ src/core/lib/security/credentials/ssl/ssl_credentials.cc \ + src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ @@ -4124,6 +4125,7 @@ LIBGRPC_CRONET_SRC = \ src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \ src/core/lib/security/credentials/plugin/plugin_credentials.cc \ src/core/lib/security/credentials/ssl/ssl_credentials.cc \ + src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ @@ -25370,6 +25372,7 @@ src/core/lib/security/credentials/local/local_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/oauth2/oauth2_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/plugin/plugin_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/ssl/ssl_credentials.cc: $(OPENSSL_DEP) +src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP) src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP) diff --git a/build.yaml b/build.yaml index 3afe4a3e9ce..0946e853d1b 100644 --- a/build.yaml +++ b/build.yaml 
@@ -837,6 +837,7 @@ filegroups: - src/core/lib/security/credentials/oauth2/oauth2_credentials.h - src/core/lib/security/credentials/plugin/plugin_credentials.h - src/core/lib/security/credentials/ssl/ssl_credentials.h + - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h - src/core/lib/security/security_connector/alts/alts_security_connector.h - src/core/lib/security/security_connector/fake/fake_security_connector.h - src/core/lib/security/security_connector/load_system_roots.h @@ -869,6 +870,7 @@ filegroups: - src/core/lib/security/credentials/oauth2/oauth2_credentials.cc - src/core/lib/security/credentials/plugin/plugin_credentials.cc - src/core/lib/security/credentials/ssl/ssl_credentials.cc + - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc - src/core/lib/security/security_connector/alts/alts_security_connector.cc - src/core/lib/security/security_connector/fake/fake_security_connector.cc - src/core/lib/security/security_connector/load_system_roots_fallback.cc diff --git a/config.m4 b/config.m4 index 46597e6f0e3..1874f3ba1b0 100644 --- a/config.m4 +++ b/config.m4 @@ -283,6 +283,7 @@ if test "$PHP_GRPC" != "no"; then src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \ src/core/lib/security/credentials/plugin/plugin_credentials.cc \ src/core/lib/security/credentials/ssl/ssl_credentials.cc \ + src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ src/core/lib/security/security_connector/load_system_roots_fallback.cc \ 
@@ -728,6 +729,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/oauth2) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/plugin) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/ssl) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/tls) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake) diff --git a/config.w32 b/config.w32 index 00b92e88a05..452e8fd18b1 100644 --- a/config.w32 +++ b/config.w32 @@ -258,6 +258,7 @@ if (PHP_GRPC != "no") { "src\\core\\lib\\security\\credentials\\oauth2\\oauth2_credentials.cc " + "src\\core\\lib\\security\\credentials\\plugin\\plugin_credentials.cc " + "src\\core\\lib\\security\\credentials\\ssl\\ssl_credentials.cc " + + "src\\core\\lib\\security\\credentials\\tls\\grpc_tls_credentials_options.cc " + "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " + "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " + "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " + @@ -743,6 +744,7 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\oauth2"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\plugin"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\ssl"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\tls"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake"); 
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec index d0544011e6e..e1b1cf1564e 100644 --- a/gRPC-C++.podspec +++ b/gRPC-C++.podspec @@ -300,6 +300,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/oauth2/oauth2_credentials.h', 'src/core/lib/security/credentials/plugin/plugin_credentials.h', 'src/core/lib/security/credentials/ssl/ssl_credentials.h', + 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec index a13612250fa..da48fe7e953 100644 --- a/gRPC-Core.podspec +++ b/gRPC-Core.podspec @@ -294,6 +294,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/oauth2/oauth2_credentials.h', 'src/core/lib/security/credentials/plugin/plugin_credentials.h', 'src/core/lib/security/credentials/ssl/ssl_credentials.h', + 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', @@ -731,6 +732,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc', 'src/core/lib/security/credentials/plugin/plugin_credentials.cc', 'src/core/lib/security/credentials/ssl/ssl_credentials.cc', + 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc', 'src/core/lib/security/security_connector/alts/alts_security_connector.cc', 'src/core/lib/security/security_connector/fake/fake_security_connector.cc', 'src/core/lib/security/security_connector/load_system_roots_fallback.cc', 
@@ -923,6 +925,7 @@ Pod::Spec.new do |s| 'src/core/lib/security/credentials/oauth2/oauth2_credentials.h', 'src/core/lib/security/credentials/plugin/plugin_credentials.h', 'src/core/lib/security/credentials/ssl/ssl_credentials.h', + 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h', 'src/core/lib/security/security_connector/alts/alts_security_connector.h', 'src/core/lib/security/security_connector/fake/fake_security_connector.h', 'src/core/lib/security/security_connector/load_system_roots.h', diff --git a/grpc.def b/grpc.def index b3466c004d8..59e29e0d168 100644 --- a/grpc.def +++ b/grpc.def @@ -131,6 +131,15 @@ EXPORTS grpc_alts_server_credentials_create grpc_local_credentials_create grpc_local_server_credentials_create + grpc_tls_credentials_options_create + grpc_tls_credentials_options_set_cert_request_type + grpc_tls_credentials_options_set_key_materials_config + grpc_tls_credentials_options_set_credential_reload_config + grpc_tls_credentials_options_set_server_authorization_check_config + grpc_tls_key_materials_config_create + grpc_tls_key_materials_config_set_key_materials + grpc_tls_credential_reload_config_create + grpc_tls_server_authorization_check_config_create grpc_raw_byte_buffer_create grpc_raw_compressed_byte_buffer_create grpc_byte_buffer_copy diff --git a/grpc.gemspec b/grpc.gemspec index 5cefb524333..9a3c657cc85 100644 --- a/grpc.gemspec +++ b/grpc.gemspec 
@@ -224,6 +224,7 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.h ) s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.h ) s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.h ) + s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h ) s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h ) s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h ) s.files += %w( src/core/lib/security/security_connector/load_system_roots.h ) @@ -665,6 +666,7 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.cc ) s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.cc ) s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.cc ) + s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc ) s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.cc ) s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc ) s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc ) diff --git a/grpc.gyp b/grpc.gyp index b925d63fbdf..6a0a2718c8e 100644 --- a/grpc.gyp +++ b/grpc.gyp @@ -465,6 +465,7 @@ 'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc', 'src/core/lib/security/credentials/plugin/plugin_credentials.cc', 'src/core/lib/security/credentials/ssl/ssl_credentials.cc', + 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc', 'src/core/lib/security/security_connector/alts/alts_security_connector.cc', 'src/core/lib/security/security_connector/fake/fake_security_connector.cc', 'src/core/lib/security/security_connector/load_system_roots_fallback.cc', diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index de90971cc55..f0323eb16a1 100644 
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -609,6 +609,201 @@ GRPCAPI grpc_channel_credentials* grpc_local_credentials_create( GRPCAPI grpc_server_credentials* grpc_local_server_credentials_create( grpc_local_connect_type type); +/** --- SPIFFE and HTTPS-based TLS channel/server credentials --- + * It is used for experimental purpose for now and subject to change. */ + +/** Config for TLS key materials. It is used for + * experimental purpose for now and subject to change. */ +typedef struct grpc_tls_key_materials_config grpc_tls_key_materials_config; + +/** Config for TLS credential reload. It is used for + * experimental purpose for now and subject to change. */ +typedef struct grpc_tls_credential_reload_config + grpc_tls_credential_reload_config; + +/** Config for TLS server authorization check. It is used for + * experimental purpose for now and subject to change. */ +typedef struct grpc_tls_server_authorization_check_config + grpc_tls_server_authorization_check_config; + +/** TLS credentials options. It is used for + * experimental purpose for now and subject to change. */ +typedef struct grpc_tls_credentials_options grpc_tls_credentials_options; + +/** Create an empty TLS credentials options. It is used for + * experimental purpose for now and subject to change. */ +GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create(); + +/** Set grpc_ssl_client_certificate_request_type field in credentials options + with the provided type. options should not be NULL. + It returns 1 on success and 0 on failure. It is used for + experimental purpose for now and subject to change. */ +GRPCAPI int grpc_tls_credentials_options_set_cert_request_type( + grpc_tls_credentials_options* options, + grpc_ssl_client_certificate_request_type type); + +/** Set grpc_tls_key_materials_config field in credentials options + with the provided config struct whose ownership is transferred. + Both parameters should not be NULL. + It returns 1 on success and 0 on failure. 
It is used for + experimental purpose for now and subject to change. */ +GRPCAPI int grpc_tls_credentials_options_set_key_materials_config( + grpc_tls_credentials_options* options, + grpc_tls_key_materials_config* config); + +/** Set grpc_tls_credential_reload_config field in credentials options + with the provided config struct whose ownership is transferred. + Both parameters should not be NULL. + It returns 1 on success and 0 on failure. It is used for + experimental purpose for now and subject to change. */ +GRPCAPI int grpc_tls_credentials_options_set_credential_reload_config( + grpc_tls_credentials_options* options, + grpc_tls_credential_reload_config* config); + +/** Set grpc_tls_server_authorization_check_config field in credentials options + with the provided config struct whose ownership is transferred. + Both parameters should not be NULL. + It returns 1 on success and 0 on failure. It is used for + experimental purpose for now and subject to change. */ +GRPCAPI int grpc_tls_credentials_options_set_server_authorization_check_config( + grpc_tls_credentials_options* options, + grpc_tls_server_authorization_check_config* config); + +/** --- TLS key materials config. --- + It is used for experimental purpose for now and subject to change. */ + +/** Create an empty grpc_tls_key_materials_config instance. + * It is used for experimental purpose for now and subject to change. */ +GRPCAPI grpc_tls_key_materials_config* grpc_tls_key_materials_config_create(); + +/** Set grpc_tls_key_materials_config instance with provided a TLS certificate. + config will take the ownership of pem_root_certs and pem_key_cert_pairs. + It's valid for the caller to provide nullptr pem_root_certs, in which case + the gRPC-provided root cert will be used. pem_key_cert_pairs should not be + NULL. It returns 1 on success and 0 on failure. It is used for + experimental purpose for now and subject to change. 
+ */ +GRPCAPI int grpc_tls_key_materials_config_set_key_materials( + grpc_tls_key_materials_config* config, const char* pem_root_certs, + const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs, + size_t num_key_cert_pairs); + +/** --- TLS credential reload config. --- + It is used for experimental purpose for now and subject to change.*/ + +typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg; + +/** A callback function provided by gRPC to handle the result of credential + reload. It is used when schedule API is implemented asynchronously and + serves to bring the control back to grpc C core. It is used for + experimental purpose for now and subject to change. */ +typedef void (*grpc_tls_on_credential_reload_done_cb)( + grpc_tls_credential_reload_arg* arg); + +/** A struct containing all information necessary to schedule/cancel + a credential reload request. cb and cb_user_data represent a gRPC-provided + callback and an argument passed to it. key_materials is an in/output + parameter containing currently used/newly reloaded credentials. status and + error_details are used to hold information about errors occurred when a + credential reload request is scheduled/cancelled. It is used for + experimental purpose for now and subject to change. */ +struct grpc_tls_credential_reload_arg { + grpc_tls_on_credential_reload_done_cb cb; + void* cb_user_data; + grpc_tls_key_materials_config* key_materials_config; + grpc_status_code status; + const char* error_details; +}; + +/** Create a grpc_tls_credential_reload_config instance. + - config_user_data is config-specific, read-only user data + that works for all channels created with a credential using the config. + - schedule is a pointer to an application-provided callback used to invoke + credential reload API. The implementation of this method has to be + non-blocking, but can be performed synchronously or asynchronously. 
+ 1) If processing occurs synchronously, it populates arg->key_materials, + arg->status, and arg->error_details and returns zero. + 2) If processing occurs asynchronously, it returns a non-zero value. + The application then invokes arg->cb when processing is completed. Note + that arg->cb cannot be invoked before schedule API returns. + - cancel is a pointer to an application-provided callback used to cancel + a credential reload request scheduled via an asynchronous schedule API. + arg is used to pinpoint an exact reloading request to be cancelled. + The operation may not have any effect if the request has already been + processed. + - destruct is a pointer to an application-provided callback used to clean up + any data associated with the config. + It is used for experimental purpose for now and subject to change. +*/ +GRPCAPI grpc_tls_credential_reload_config* +grpc_tls_credential_reload_config_create( + const void* config_user_data, + int (*schedule)(void* config_user_data, + grpc_tls_credential_reload_arg* arg), + void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg), + void (*destruct)(void* config_user_data)); + +/** --- TLS server authorization check config. --- + * It is used for experimental purpose for now and subject to change. */ + +typedef struct grpc_tls_server_authorization_check_arg + grpc_tls_server_authorization_check_arg; + +/** callback function provided by gRPC used to handle the result of server + authorization check. It is used when schedule API is implemented + asynchronously, and serves to bring the control back to gRPC C core. It is + used for experimental purpose for now and subject to change. */ +typedef void (*grpc_tls_on_server_authorization_check_done_cb)( + grpc_tls_server_authorization_check_arg* arg); + +/** A struct containing all information necessary to schedule/cancel a server + authorization check request. cb and cb_user_data represent a gRPC-provided + callback and an argument passed to it. 
result will store the result of + server authorization check. target_name is the name of an endpoint the + channel is connecting to and certificate represents a complete certificate + chain including both signing and leaf certificates. status and error_details + contain information about errors occurred when a server authorization check + request is scheduled/cancelled. It is used for experimental purpose for now + and subject to change.*/ +struct grpc_tls_server_authorization_check_arg { + grpc_tls_on_server_authorization_check_done_cb cb; + void* cb_user_data; + int result; + const char* target_name; + const char* peer_cert; + grpc_status_code status; + const char* error_details; +}; + +/** Create a grpc_tls_server_authorization_check_config instance. + - config_user_data is config-specific, read-only user data + that works for all channels created with a credential using the config. + - schedule is a pointer to an application-provided callback used to invoke + server authorization check API. The implementation of this method has to + be non-blocking, but can be performed synchronously or asynchronously. + 1)If processing occurs synchronously, it populates arg->result, + arg->status, and arg->error_details and returns zero. + 2) If processing occurs asynchronously, it returns a non-zero value. The + application then invokes arg->cb when processing is completed. Note that + arg->cb cannot be invoked before schedule API returns. + - cancel is a pointer to an application-provided callback used to cancel a + server authorization check request scheduled via an asynchronous schedule + API. arg is used to pinpoint an exact check request to be cancelled. The + operation may not have any effect if the request has already been + processed. + - destruct is a pointer to an application-provided callback used to clean up + any data associated with the config. + It is used for experimental purpose for now and subject to change. 
+*/ +GRPCAPI grpc_tls_server_authorization_check_config* +grpc_tls_server_authorization_check_config_create( + const void* config_user_data, + int (*schedule)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg), + void (*cancel)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg), + void (*destruct)(void* config_user_data)); + #ifdef __cplusplus } #endif diff --git a/package.xml b/package.xml index cb036c81daf..69b6fdfa671 100644 --- a/package.xml +++ b/package.xml @@ -229,6 +229,7 @@ <file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.h" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.h" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.h" role="src" /> + <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.h" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.h" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots.h" role="src" /> 
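Review bot: `grpc_tls_credentials_options_create()` and `grpc_tls_key_materials_config_create()` are declared with empty parentheses in a public C header, which in C is an unprototyped declaration rather than "takes no arguments"; since the diffstat shows public_headers_must_be_c89.c being updated for these symbols, they should read `GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create(void);` and `GRPCAPI grpc_tls_key_materials_config* grpc_tls_key_materials_config_create(void);`. The three `grpc_tls_credentials_options_set_*_config` comments say the config's "ownership is transferred", but the implementation added in this commit's grpc_tls_credentials_options.cc stores `config->Ref()`, which as its name suggests adds a reference and leaves the caller's own reference in place, so a caller who follows the comment and never releases the config leaks it; the comment should state that options takes its own reference and the caller must still release theirs (or the setter should consume the caller's reference and the comment stay as is). The comments on the two `_arg` structs also name fields that do not exist: `arg->key_materials` should be `arg->key_materials_config`, and "certificate" should be `peer_cert`.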
@@ -670,6 +671,7 @@ <file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.cc" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.cc" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.cc" role="src" /> + <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.cc" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.cc" role="src" /> <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" /> diff --git a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc new file mode 100644 index 00000000000..a6169a1b586 --- /dev/null +++ b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc 
@@ -0,0 +1,192 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+
+#include <stdlib.h>
+ #include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+/** -- gRPC TLS key materials config API implementation. -- **/
+void grpc_tls_key_materials_config::set_key_materials(
+ grpc_core::UniquePtr<char> pem_root_certs,
+ PemKeyCertPairList pem_key_cert_pair_list) {
+ pem_key_cert_pair_list_ = std::move(pem_key_cert_pair_list);
+ pem_root_certs_ = std::move(pem_root_certs);
+}
+
+/** -- gRPC TLS credential reload config API implementation. -- **/
+grpc_tls_credential_reload_config::grpc_tls_credential_reload_config(
+ const void* config_user_data,
+ int (*schedule)(void* config_user_data,
+ grpc_tls_credential_reload_arg* arg),
+ void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+ void (*destruct)(void* config_user_data))
+ : config_user_data_(const_cast<void*>(config_user_data)),
+ schedule_(schedule),
+ cancel_(cancel),
+ destruct_(destruct) {}
+
+grpc_tls_credential_reload_config::~grpc_tls_credential_reload_config() {
+ if (destruct_ != nullptr) {
+ destruct_((void*)config_user_data_);
+ }
+}
+
+/** -- gRPC TLS server authorization check API implementation. -- **/
+grpc_tls_server_authorization_check_config::
+ grpc_tls_server_authorization_check_config(
+ const void* config_user_data,
+ int (*schedule)(void* config_user_data,
+ grpc_tls_server_authorization_check_arg* arg),
+ void (*cancel)(void* config_user_data,
+ grpc_tls_server_authorization_check_arg* arg),
+ void (*destruct)(void* config_user_data))
+ : config_user_data_(const_cast<void*>(config_user_data)),
+ schedule_(schedule),
+ cancel_(cancel),
+ destruct_(destruct) {}
+
+grpc_tls_server_authorization_check_config::
+ ~grpc_tls_server_authorization_check_config() {
+ if (destruct_ != nullptr) {
+ destruct_((void*)config_user_data_);
+ }
+}
+
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
+ return grpc_core::New<grpc_tls_credentials_options>();
+}
+
+int grpc_tls_credentials_options_set_cert_request_type(
+ grpc_tls_credentials_options* options,
+ grpc_ssl_client_certificate_request_type type) {
+ if (options == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid nullptr arguments to "
+ "grpc_tls_credentials_options_set_cert_request_type()");
+ return 0;
+ }
+ options->set_cert_request_type(type);
+ return 1;
+}
+
+int grpc_tls_credentials_options_set_key_materials_config(
+ grpc_tls_credentials_options* options,
+ grpc_tls_key_materials_config* config) {
+ if (options == nullptr || config == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid nullptr arguments to "
+ "grpc_tls_credentials_options_set_key_materials_config()");
+ return 0;
+ }
+ options->set_key_materials_config(config->Ref());
+ return 1;
+}
+
+int grpc_tls_credentials_options_set_credential_reload_config(
+ grpc_tls_credentials_options* options,
+ grpc_tls_credential_reload_config* config) {
+ if (options == nullptr || config == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid nullptr arguments to "
+ "grpc_tls_credentials_options_set_credential_reload_config()");
+ return 0;
+ }
+ options->set_credential_reload_config(config->Ref());
+ return 1;
+}
+
+int grpc_tls_credentials_options_set_server_authorization_check_config(
+ grpc_tls_credentials_options* options,
+ grpc_tls_server_authorization_check_config* config) {
+ if (options == nullptr || config == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Invalid nullptr arguments to "
+ "grpc_tls_credentials_options_set_server_authorization_check_config()");
+ return 0;
+ }
+ options->set_server_authorization_check_config(config->Ref());
+ return 1;
+}
+
+grpc_tls_key_materials_config* grpc_tls_key_materials_config_create() {
+ return grpc_core::New<grpc_tls_key_materials_config>();
+}
+
+int grpc_tls_key_materials_config_set_key_materials(
+ grpc_tls_key_materials_config* config, const char* root_certs,
+ const grpc_ssl_pem_key_cert_pair** key_cert_pairs, size_t num) {
+ if (config == nullptr || key_cert_pairs == nullptr || num == 0) {
+ gpr_log(GPR_ERROR,
+ "Invalid arguments to "
+ "grpc_tls_key_materials_config_set_key_materials()");
+ return 0;
+ }
+ grpc_core::UniquePtr<char> pem_root(const_cast<char*>(root_certs));
+ grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
+ for (size_t i = 0; i < num; i++) {
+ grpc_core::PemKeyCertPair key_cert_pair(
+ const_cast<grpc_ssl_pem_key_cert_pair*>(key_cert_pairs[i]));
+ cert_pair_list.emplace_back(std::move(key_cert_pair));
+ }
+ config->set_key_materials(std::move(pem_root), std::move(cert_pair_list));
+ gpr_free(key_cert_pairs);
+ return 1;
+}
+
+grpc_tls_credential_reload_config* grpc_tls_credential_reload_config_create(
+ const void* config_user_data,
+ int (*schedule)(void* config_user_data,
+ grpc_tls_credential_reload_arg* arg),
+ void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+ void (*destruct)(void* config_user_data)) {
+ if (schedule == nullptr) {
+ gpr_log(
+ GPR_ERROR,
+ "Schedule API is nullptr in creating TLS credential reload config.");
+ return nullptr;
+ }
+ return grpc_core::New<grpc_tls_credential_reload_config>(
+ config_user_data, schedule, cancel, destruct);
+}
+
+grpc_tls_server_authorization_check_config*
+grpc_tls_server_authorization_check_config_create(
+ const void* config_user_data,
+ int (*schedule)(void* config_user_data,
+ grpc_tls_server_authorization_check_arg* arg),
+ void (*cancel)(void* config_user_data,
+ grpc_tls_server_authorization_check_arg* arg),
+ void (*destruct)(void* config_user_data)) {
+ if (schedule == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Schedule API is nullptr in creating TLS server authorization "
+ "check config.");
+ return nullptr;
+ }
+ return grpc_core::New<grpc_tls_server_authorization_check_config>(
+ config_user_data, schedule, cancel, destruct);
+}
diff --git a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
new file mode 100644
index 00000000000..71410d20a8f
--- /dev/null
+++ b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
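Review bot: `grpc_tls_key_materials_config_set_key_materials` declares `root_certs` and `key_cert_pairs` as `const`, then `const_cast`s them into owning `grpc_core::UniquePtr<char>` / `grpc_core::PemKeyCertPair` wrappers and calls `gpr_free(key_cert_pairs)`, so the public signature promises read-only access while the function frees the memory (the wrappers presumably release with gpr_free as well); a caller passing a string literal, a stack array, or memory from another allocator gets undefined behaviour at free time. Either drop `const` from the two owned parameters here and in grpc_security.h, or state in the header comment that both must come from gpr_malloc/gpr_strdup-compatible allocation. The early `return 0` path takes no ownership, which the header does not mention; add `// Ownership of root_certs and key_cert_pairs is taken only when 1 is returned; on 0 the caller still owns them.` above the `if`. Smaller points: `destruct_((void*)config_user_data_)` in both destructors casts a `void*` to `void*` and can be `destruct_(config_user_data_);`, and `<stdlib.h>`, `<string.h>` and `<grpc/support/string_util.h>` appear unused in the visible code.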
@@ -0,0 +1,213 @@ +/* + * + * Copyright 2018 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H +#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H + +#include <grpc/support/port_platform.h> + +#include <grpc/grpc_security.h> + +#include "src/core/lib/gprpp/inlined_vector.h" +#include "src/core/lib/gprpp/ref_counted.h" +#include "src/core/lib/security/security_connector/ssl_utils.h" + +/** TLS key materials config. **/ +struct grpc_tls_key_materials_config + : public grpc_core::RefCounted<grpc_tls_key_materials_config> { + public: + typedef grpc_core::InlinedVector<grpc_core::PemKeyCertPair, 1> + PemKeyCertPairList; + + /** Getters for member fields. **/ + const char* pem_root_certs() const { return pem_root_certs_.get(); } + const PemKeyCertPairList& pem_key_cert_pair_list() const { + return pem_key_cert_pair_list_; + } + + /** Setters for member fields. **/ + void set_key_materials(grpc_core::UniquePtr<char> pem_root_certs, + PemKeyCertPairList pem_key_cert_pair_list); + + private: + PemKeyCertPairList pem_key_cert_pair_list_; + grpc_core::UniquePtr<char> pem_root_certs_; +}; + +/** TLS credential reload config. 
**/ +struct grpc_tls_credential_reload_config + : public grpc_core::RefCounted<grpc_tls_credential_reload_config> { + public: + grpc_tls_credential_reload_config( + const void* config_user_data, + int (*schedule)(void* config_user_data, + grpc_tls_credential_reload_arg* arg), + void (*cancel)(void* config_user_data, + grpc_tls_credential_reload_arg* arg), + void (*destruct)(void* config_user_data)); + ~grpc_tls_credential_reload_config(); + + int Schedule(grpc_tls_credential_reload_arg* arg) const { + return schedule_(config_user_data_, arg); + } + void Cancel(grpc_tls_credential_reload_arg* arg) const { + if (cancel_ == nullptr) { + gpr_log(GPR_ERROR, "cancel API is nullptr."); + return; + } + cancel_(config_user_data_, arg); + } + + private: + /** config-specific, read-only user data that works for all channels created + with a credential using the config. */ + void* config_user_data_; + /** callback function for invoking credential reload API. The implementation + of this method has to be non-blocking, but can be performed synchronously + or asynchronously. + If processing occurs synchronously, it populates \a arg->key_materials, \a + arg->status, and \a arg->error_details and returns zero. + If processing occurs asynchronously, it returns a non-zero value. + Application then invokes \a arg->cb when processing is completed. Note that + \a arg->cb cannot be invoked before \a schedule returns. + */ + int (*schedule_)(void* config_user_data, grpc_tls_credential_reload_arg* arg); + /** callback function for cancelling a credential reload request scheduled via + an asynchronous \a schedule. \a arg is used to pinpoint an exact reloading + request to be cancelled, and the operation may not have any effect if the + request has already been processed. */ + void (*cancel_)(void* config_user_data, grpc_tls_credential_reload_arg* arg); + /** callback function for cleaning up any data associated with credential + reload config. 
*/ + void (*destruct_)(void* config_user_data); +}; + +/** TLS server authorization check config. **/ +struct grpc_tls_server_authorization_check_config + : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> { + public: + grpc_tls_server_authorization_check_config( + const void* config_user_data, + int (*schedule)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg), + void (*cancel)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg), + void (*destruct)(void* config_user_data)); + ~grpc_tls_server_authorization_check_config(); + + int Schedule(grpc_tls_server_authorization_check_arg* arg) const { + return schedule_(config_user_data_, arg); + } + void Cancel(grpc_tls_server_authorization_check_arg* arg) const { + if (cancel_ == nullptr) { + gpr_log(GPR_ERROR, "cancel API is nullptr."); + return; + } + cancel_(config_user_data_, arg); + } + + private: + /** config-specific, read-only user data that works for all channels created + with a Credential using the config. */ + void* config_user_data_; + + /** callback function for invoking server authorization check. The + implementation of this method has to be non-blocking, but can be performed + synchronously or asynchronously. + If processing occurs synchronously, it populates \a arg->result, \a + arg->status, and \a arg->error_details, and returns zero. + If processing occurs asynchronously, it returns a non-zero value. + Application then invokes \a arg->cb when processing is completed. Note that + \a arg->cb cannot be invoked before \a schedule() returns. + */ + int (*schedule_)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg); + + /** callback function for canceling a server authorization check request. */ + void (*cancel_)(void* config_user_data, + grpc_tls_server_authorization_check_arg* arg); + + /** callback function for cleaning up any data associated with server + authorization check config. 
*/
+ void (*destruct_)(void* config_user_data);
+};
+
+/* TLS credentials options. */
+struct grpc_tls_credentials_options
+ : public grpc_core::RefCounted<grpc_tls_credentials_options> {
+ public:
+ ~grpc_tls_credentials_options() {
+ if (key_materials_config_.get() != nullptr) {
+ key_materials_config_.get()->Unref();
+ }
+ if (credential_reload_config_.get() != nullptr) {
+ credential_reload_config_.get()->Unref();
+ }
+ if (server_authorization_check_config_.get() != nullptr) {
+ server_authorization_check_config_.get()->Unref();
+ }
+ }
+
+ /* Getters for member fields. */
+ grpc_ssl_client_certificate_request_type cert_request_type() const {
+ return cert_request_type_;
+ }
+ const grpc_tls_key_materials_config* key_materials_config() const {
+ return key_materials_config_.get();
+ }
+ const grpc_tls_credential_reload_config* credential_reload_config() const {
+ return credential_reload_config_.get();
+ }
+ const grpc_tls_server_authorization_check_config*
+ server_authorization_check_config() const {
+ return server_authorization_check_config_.get();
+ }
+ grpc_tls_key_materials_config* mutable_key_materials_config() {
+ return key_materials_config_.get();
+ }
+
+ /* Setters for member fields.
*/
+ void set_cert_request_type(
+ const grpc_ssl_client_certificate_request_type type) {
+ cert_request_type_ = type;
+ }
+ void set_key_materials_config(
+ grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
+ key_materials_config_ = std::move(config);
+ }
+ void set_credential_reload_config(
+ grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> config) {
+ credential_reload_config_ = std::move(config);
+ }
+ void set_server_authorization_check_config(
+ grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+ config) {
+ server_authorization_check_config_ = std::move(config);
+ }
+
+ private:
+ grpc_ssl_client_certificate_request_type cert_request_type_;
+ grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
+ grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
+ credential_reload_config_;
+ grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+ server_authorization_check_config_;
+};
+
+#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H \
+ */
diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
index c9cd1a1d9c5..972ca439dea 100644
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
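Review bot: The destructor of grpc_tls_credentials_options at the top of this struct calls `Unref()` on each of its three `RefCountedPtr` members, and the members' own `RefCountedPtr` destructors release the same references again as they go out of scope, so a config stored through a setter via `config->Ref()` (as the .cc hunk above does for the reload and authorization-check configs) looks like it is released twice while the caller still holds the reference it got from `*_config_create()` — a double unref and a likely use-after-free when the caller releases it later. Unless `RefCountedPtr` here is non-owning, which its `std::move` handling in the setters argues against, the manual block should go: `~grpc_tls_credentials_options() = default;` (or, if the C setters are meant to take over the caller's reference, drop the `Ref()` in the setters instead — but not both). Separately, `cert_request_type_` has no default member initializer, so what a freshly created options object asks of client certificates depends on how `grpc_core::New` value-initializes it; an explicit `= GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;` (or whichever default is intended) would make that policy visible in the header. The setters' C entry points that call `Ref()` are in the .cc hunk, outside this one.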
@@ -89,6 +89,39 @@ class DefaultSslRootStore {
 static grpc_slice default_pem_root_certs_;
 };
+class PemKeyCertPair {
+ public:
+ // Construct from the C struct. We steal its members and then immediately
+ // free it.
+ explicit PemKeyCertPair(grpc_ssl_pem_key_cert_pair* pair)
+ : private_key_(const_cast<char*>(pair->private_key)),
+ cert_chain_(const_cast<char*>(pair->cert_chain)) {
+ gpr_free(pair);
+ }
+
+ // Movable.
+ PemKeyCertPair(PemKeyCertPair&& other) {
+ private_key_ = std::move(other.private_key_);
+ cert_chain_ = std::move(other.cert_chain_);
+ }
+ PemKeyCertPair& operator=(PemKeyCertPair&& other) {
+ private_key_ = std::move(other.private_key_);
+ cert_chain_ = std::move(other.cert_chain_);
+ return *this;
+ }
+
+ // Not copyable.
+ PemKeyCertPair(const PemKeyCertPair&) = delete;
+ PemKeyCertPair& operator=(const PemKeyCertPair&) = delete;
+
+ char* private_key() const { return private_key_.get(); }
+ char* cert_chain() const { return cert_chain_.get(); }
+
+ private:
+ grpc_core::UniquePtr<char> private_key_;
+ grpc_core::UniquePtr<char> cert_chain_;
+};
+
 } // namespace grpc_core
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 0272aae690d..19d27412205 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@@ -257,6 +257,7 @@ CORE_SOURCE_FILES = [
 'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
 'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
 'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
+ 'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
 'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
 'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
 'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
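Review bot: PemKeyCertPair's converting constructor takes ownership of `pair` and of both strings it points to and frees the struct in its body, but nothing in the class states that contract; a caller passing a stack- or static-allocated `grpc_ssl_pem_key_cert_pair`, or one whose members were not allocated with gpr_malloc, gets a bad free, and a null `pair` is dereferenced in the initializer list before any check could run. I would replace the two-line comment above the constructor with: `// Takes ownership of pair and of its private_key/cert_chain strings (all must come from gpr_malloc): pair is freed here, the strings when this object is destroyed. pair must not be null.` Since `private_key_` holds PEM private-key bytes, it is also worth deciding whether a destructor should scrub that buffer before `gpr_free` instead of relying on the default `UniquePtr<char>` deleter; that is a policy call for the TLS surface as a whole rather than a defect in this hunk. The accessors returning non-const `char*` from const methods additionally let callers mutate stored key material through a const object, which `const char*` return types would prevent.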
diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.c b/src/ruby/ext/grpc/rb_grpc_imports.generated.c index 18245e91073..47250ec7141 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.c +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.c @@ -154,6 +154,15 @@ grpc_alts_credentials_create_type grpc_alts_credentials_create_import; grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import; grpc_local_credentials_create_type grpc_local_credentials_create_import; grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import; +grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import; +grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import; +grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import; +grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import; +grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import; +grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import; +grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import; +grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import; +grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import; grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import; grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import; grpc_byte_buffer_copy_type grpc_byte_buffer_copy_import; 
@@ -412,6 +421,15 @@ void grpc_rb_load_imports(HMODULE library) { grpc_alts_server_credentials_create_import = (grpc_alts_server_credentials_create_type) GetProcAddress(library, "grpc_alts_server_credentials_create"); grpc_local_credentials_create_import = (grpc_local_credentials_create_type) GetProcAddress(library, "grpc_local_credentials_create"); grpc_local_server_credentials_create_import = (grpc_local_server_credentials_create_type) GetProcAddress(library, "grpc_local_server_credentials_create"); + grpc_tls_credentials_options_create_import = (grpc_tls_credentials_options_create_type) GetProcAddress(library, "grpc_tls_credentials_options_create"); + grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type"); + grpc_tls_credentials_options_set_key_materials_config_import = (grpc_tls_credentials_options_set_key_materials_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_key_materials_config"); + grpc_tls_credentials_options_set_credential_reload_config_import = (grpc_tls_credentials_options_set_credential_reload_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_credential_reload_config"); + grpc_tls_credentials_options_set_server_authorization_check_config_import = (grpc_tls_credentials_options_set_server_authorization_check_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_server_authorization_check_config"); + grpc_tls_key_materials_config_create_import = (grpc_tls_key_materials_config_create_type) GetProcAddress(library, "grpc_tls_key_materials_config_create"); + grpc_tls_key_materials_config_set_key_materials_import = (grpc_tls_key_materials_config_set_key_materials_type) GetProcAddress(library, "grpc_tls_key_materials_config_set_key_materials"); + grpc_tls_credential_reload_config_create_import = (grpc_tls_credential_reload_config_create_type) 
GetProcAddress(library, "grpc_tls_credential_reload_config_create"); + grpc_tls_server_authorization_check_config_create_import = (grpc_tls_server_authorization_check_config_create_type) GetProcAddress(library, "grpc_tls_server_authorization_check_config_create"); grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create"); grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create"); grpc_byte_buffer_copy_import = (grpc_byte_buffer_copy_type) GetProcAddress(library, "grpc_byte_buffer_copy"); diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.h b/src/ruby/ext/grpc/rb_grpc_imports.generated.h index e61a35d09fa..9437f6d3918 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h 
@@ -437,6 +437,33 @@ extern grpc_local_credentials_create_type grpc_local_credentials_create_import; typedef grpc_server_credentials*(*grpc_local_server_credentials_create_type)(grpc_local_connect_type type); extern grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import; #define grpc_local_server_credentials_create grpc_local_server_credentials_create_import +typedef grpc_tls_credentials_options*(*grpc_tls_credentials_options_create_type)(); +extern grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import; +#define grpc_tls_credentials_options_create grpc_tls_credentials_options_create_import +typedef int(*grpc_tls_credentials_options_set_cert_request_type_type)(grpc_tls_credentials_options* options, grpc_ssl_client_certificate_request_type type); +extern grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import; +#define grpc_tls_credentials_options_set_cert_request_type grpc_tls_credentials_options_set_cert_request_type_import +typedef int(*grpc_tls_credentials_options_set_key_materials_config_type)(grpc_tls_credentials_options* options, grpc_tls_key_materials_config* config); +extern grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import; +#define grpc_tls_credentials_options_set_key_materials_config grpc_tls_credentials_options_set_key_materials_config_import +typedef int(*grpc_tls_credentials_options_set_credential_reload_config_type)(grpc_tls_credentials_options* options, grpc_tls_credential_reload_config* config); +extern grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import; +#define grpc_tls_credentials_options_set_credential_reload_config grpc_tls_credentials_options_set_credential_reload_config_import +typedef 
int(*grpc_tls_credentials_options_set_server_authorization_check_config_type)(grpc_tls_credentials_options* options, grpc_tls_server_authorization_check_config* config); +extern grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import; +#define grpc_tls_credentials_options_set_server_authorization_check_config grpc_tls_credentials_options_set_server_authorization_check_config_import +typedef grpc_tls_key_materials_config*(*grpc_tls_key_materials_config_create_type)(); +extern grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import; +#define grpc_tls_key_materials_config_create grpc_tls_key_materials_config_create_import +typedef int(*grpc_tls_key_materials_config_set_key_materials_type)(grpc_tls_key_materials_config* config, const char* pem_root_certs, const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs, size_t num_key_cert_pairs); +extern grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import; +#define grpc_tls_key_materials_config_set_key_materials grpc_tls_key_materials_config_set_key_materials_import +typedef grpc_tls_credential_reload_config*(*grpc_tls_credential_reload_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*destruct)(void* config_user_data)); +extern grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import; +#define grpc_tls_credential_reload_config_create grpc_tls_credential_reload_config_create_import +typedef grpc_tls_server_authorization_check_config*(*grpc_tls_server_authorization_check_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_server_authorization_check_arg* arg), void (*cancel)(void* config_user_data, 
grpc_tls_server_authorization_check_arg* arg), void (*destruct)(void* config_user_data)); +extern grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import; +#define grpc_tls_server_authorization_check_config_create grpc_tls_server_authorization_check_config_create_import typedef grpc_byte_buffer*(*grpc_raw_byte_buffer_create_type)(grpc_slice* slices, size_t nslices); extern grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import; #define grpc_raw_byte_buffer_create grpc_raw_byte_buffer_create_import diff --git a/test/core/surface/public_headers_must_be_c89.c b/test/core/surface/public_headers_must_be_c89.c index 426ef1e8b13..1c9b67027c5 100644 --- a/test/core/surface/public_headers_must_be_c89.c +++ b/test/core/surface/public_headers_must_be_c89.c 
@@ -191,6 +191,15 @@ int main(int argc, char **argv) { printf("%lx", (unsigned long) grpc_alts_server_credentials_create); printf("%lx", (unsigned long) grpc_local_credentials_create); printf("%lx", (unsigned long) grpc_local_server_credentials_create); + printf("%lx", (unsigned long) grpc_tls_credentials_options_create); + printf("%lx", (unsigned long) grpc_tls_credentials_options_set_cert_request_type); + printf("%lx", (unsigned long) grpc_tls_credentials_options_set_key_materials_config); + printf("%lx", (unsigned long) grpc_tls_credentials_options_set_credential_reload_config); + printf("%lx", (unsigned long) grpc_tls_credentials_options_set_server_authorization_check_config); + printf("%lx", (unsigned long) grpc_tls_key_materials_config_create); + printf("%lx", (unsigned long) grpc_tls_key_materials_config_set_key_materials); + printf("%lx", (unsigned long) grpc_tls_credential_reload_config_create); + printf("%lx", (unsigned long) grpc_tls_server_authorization_check_config_create); printf("%lx", (unsigned long) grpc_raw_byte_buffer_create); printf("%lx", (unsigned long) grpc_raw_compressed_byte_buffer_create); printf("%lx", (unsigned long) grpc_byte_buffer_copy); diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal index 041c7382be5..2aced414218 100644 --- a/tools/doxygen/Doxyfile.core.internal +++ b/tools/doxygen/Doxyfile.core.internal 
@@ -1384,6 +1384,8 @@ src/core/lib/security/credentials/plugin/plugin_credentials.cc \ src/core/lib/security/credentials/plugin/plugin_credentials.h \ src/core/lib/security/credentials/ssl/ssl_credentials.cc \ src/core/lib/security/credentials/ssl/ssl_credentials.h \ +src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \ +src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \ src/core/lib/security/security_connector/alts/alts_security_connector.cc \ src/core/lib/security/security_connector/alts/alts_security_connector.h \ src/core/lib/security/security_connector/fake/fake_security_connector.cc \ diff --git a/tools/run_tests/generated/sources_and_headers.json b/tools/run_tests/generated/sources_and_headers.json index b5992c219d9..9e07c548b69 100644 --- a/tools/run_tests/generated/sources_and_headers.json +++ b/tools/run_tests/generated/sources_and_headers.json @@ -10381,6 +10381,7 @@ "src/core/lib/security/credentials/oauth2/oauth2_credentials.h", "src/core/lib/security/credentials/plugin/plugin_credentials.h", "src/core/lib/security/credentials/ssl/ssl_credentials.h", + "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h", "src/core/lib/security/security_connector/alts/alts_security_connector.h", "src/core/lib/security/security_connector/fake/fake_security_connector.h", "src/core/lib/security/security_connector/load_system_roots.h", @@ -10434,6 +10435,8 @@ "src/core/lib/security/credentials/plugin/plugin_credentials.h", "src/core/lib/security/credentials/ssl/ssl_credentials.cc", "src/core/lib/security/credentials/ssl/ssl_credentials.h", + "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc", + "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h", "src/core/lib/security/security_connector/alts/alts_security_connector.cc", "src/core/lib/security/security_connector/alts/alts_security_connector.h", "src/core/lib/security/security_connector/fake/fake_security_connector.cc",