Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revert "[TLS - Revocation] Crl Provider (#33786)" (#34713)

Browse Source 
This reverts commit 0f0396ae92.
pull/34726/head
apolcyn 1 year ago committed by GitHub
parent 975184f04b
commit 7af5efcfd3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
51 changed files with 199 additions and 1426 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      BUILD
  2. 91
      CMakeLists.txt
  3. 4
      Makefile
  4. 3
      Package.swift
  5. 33
      build_autogenerated.yaml
  6. 1
      config.m4
  7. 1
      config.w32
  8. 3
      gRPC-C++.podspec
  9. 4
      gRPC-Core.podspec
  10. 3
      grpc.gemspec
  11. 1
      grpc.gyp
  12. 85
      include/grpc/grpc_crl_provider.h
  13. 1
      include/grpc/module.modulemap
  14. 3
      include/grpcpp/security/tls_credentials_options.h
  15. 39
      include/grpcpp/security/tls_crl_provider.h
  16. 3
      package.xml
  17. 23
      src/core/BUILD
  18. 8
      src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
  19. 5
      src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
  20. 118
      src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc
  21. 83
      src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h
  22. 9
      src/core/lib/security/credentials/tls/tls_credentials.cc
  23. 5
      src/core/lib/security/security_connector/ssl_utils.cc
  24. 4
      src/core/lib/security/security_connector/ssl_utils.h
  25. 5
      src/core/lib/security/security_connector/tls/tls_security_connector.cc
  26. 122
      src/core/tsi/ssl_transport_security.cc
  27. 20
      src/core/tsi/ssl_transport_security.h
  28. 8
      src/cpp/common/tls_credentials_options.cc
  29. 9
      src/cpp/server/secure_server_credentials.cc
  30. 1
      src/python/grpcio/grpc_core_dependencies.py
  31. 16
      test/core/security/BUILD
  32. 10
      test/core/security/grpc_tls_credentials_options_comparator_test.cc
  33. 38
      test/core/security/grpc_tls_credentials_options_test.cc
  34. 95
      test/core/security/grpc_tls_crl_provider_test.cc
  35. 2
      test/core/tsi/BUILD
  36. 384
      test/core/tsi/crl_ssl_transport_security_test.cc
  37. 2
      test/core/tsi/test_creds/crl_data/crls/BUILD
  38. 5
      test/core/util/tls_utils.cc
  39. 1
      test/cpp/client/BUILD
  40. 25
      test/cpp/client/credentials_test.cc
  41. 27
      test/cpp/end2end/BUILD
  42. 221
      test/cpp/end2end/crl_provider_test.cc
  43. 1
      test/cpp/server/BUILD
  44. 30
      test/cpp/server/credentials_test.cc
  45. 10
      tools/codegen/core/gen_grpc_tls_credentials_options.py
  46. 1
      tools/distrib/fix_build_deps.py
  47. 2
      tools/doxygen/Doxyfile.c++
  48. 4
      tools/doxygen/Doxyfile.c++.internal
  49. 1
      tools/doxygen/Doxyfile.core
  50. 3
      tools/doxygen/Doxyfile.core.internal
  51. 48
      tools/run_tests/generated/tests.json

4
BUILD
Unescape View File

@ -254,7 +254,6 @@ GPR_PUBLIC_HDRS = [
GRPC_PUBLIC_HDRS = [
"include/grpc/grpc_audit_logging.h",
"include/grpc/grpc_crl_provider.h",
"include/grpc/byte_buffer.h",
"include/grpc/byte_buffer_reader.h",
"include/grpc/compression.h",
@ -422,7 +421,6 @@ GRPCXX_PUBLIC_HDRS = [
"include/grpcpp/impl/sync.h",
"include/grpcpp/resource_quota.h",
"include/grpcpp/security/audit_logging.h",
"include/grpcpp/security/tls_crl_provider.h",
"include/grpcpp/security/auth_context.h",
"include/grpcpp/security/auth_metadata_processor.h",
"include/grpcpp/security/credentials.h",
@ -1968,7 +1966,6 @@ grpc_cc_library(
"//src/core:gpr_manual_constructor",
"//src/core:grpc_audit_logging",
"//src/core:grpc_backend_metric_provider",
"//src/core:grpc_crl_provider",
"//src/core:grpc_service_config",
"//src/core:grpc_transport_inproc",
"//src/core:json",
@ -3558,7 +3555,6 @@ grpc_cc_library(
"tsi_ssl_session_cache",
"//src/core:channel_args",
"//src/core:error",
"//src/core:grpc_crl_provider",
"//src/core:grpc_transport_chttp2_alpn",
"//src/core:ref_counted",
"//src/core:slice",

91
CMakeLists.txt generated
Unescape View File

@ -969,7 +969,6 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx core_configuration_test)
add_dependencies(buildtests_cxx cpp_impl_of_test)
add_dependencies(buildtests_cxx cpu_test)
add_dependencies(buildtests_cxx crl_provider_test)
if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
add_dependencies(buildtests_cxx crl_ssl_transport_security_test)
endif()
@ -1057,7 +1056,6 @@ if(gRPC_BUILD_TESTS)
add_dependencies(buildtests_cxx grpc_tls_certificate_verifier_test)
add_dependencies(buildtests_cxx grpc_tls_credentials_options_comparator_test)
add_dependencies(buildtests_cxx grpc_tls_credentials_options_test)
add_dependencies(buildtests_cxx grpc_tls_crl_provider_test)
if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_POSIX)
add_dependencies(buildtests_cxx grpc_tool_test)
endif()
@ -2422,7 +2420,6 @@ add_library(grpc
src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc
src/core/lib/security/credentials/tls/tls_credentials.cc
src/core/lib/security/credentials/tls/tls_utils.cc
src/core/lib/security/credentials/xds/xds_credentials.cc
@ -2602,7 +2599,6 @@ foreach(_hdr
include/grpc/fork.h
include/grpc/grpc.h
include/grpc/grpc_audit_logging.h
include/grpc/grpc_crl_provider.h
include/grpc/grpc_posix.h
include/grpc/grpc_security.h
include/grpc/grpc_security_constants.h
@ -3268,7 +3264,6 @@ foreach(_hdr
include/grpc/fork.h
include/grpc/grpc.h
include/grpc/grpc_audit_logging.h
include/grpc/grpc_crl_provider.h
include/grpc/grpc_posix.h
include/grpc/grpc_security.h
include/grpc/grpc_security_constants.h
@ -4123,7 +4118,6 @@ foreach(_hdr
include/grpcpp/security/tls_certificate_provider.h
include/grpcpp/security/tls_certificate_verifier.h
include/grpcpp/security/tls_credentials_options.h
include/grpcpp/security/tls_crl_provider.h
include/grpcpp/server.h
include/grpcpp/server_builder.h
include/grpcpp/server_context.h
@ -4815,7 +4809,6 @@ foreach(_hdr
include/grpcpp/security/tls_certificate_provider.h
include/grpcpp/security/tls_certificate_verifier.h
include/grpcpp/security/tls_credentials_options.h
include/grpcpp/security/tls_crl_provider.h
include/grpcpp/server.h
include/grpcpp/server_builder.h
include/grpcpp/server_context.h
@ -5200,7 +5193,6 @@ foreach(_hdr
include/grpc/fork.h
include/grpc/grpc.h
include/grpc/grpc_audit_logging.h
include/grpc/grpc_crl_provider.h
include/grpc/grpc_posix.h
include/grpc/grpc_security.h
include/grpc/grpc_security_constants.h
@ -10048,56 +10040,6 @@ target_link_libraries(cpu_test
)
endif()
if(gRPC_BUILD_TESTS)
add_executable(crl_provider_test
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/echo_messages.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/orca_load_report.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/orca_load_report.grpc.pb.cc
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/orca_load_report.pb.h
${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/orca_load_report.grpc.pb.h
test/cpp/end2end/crl_provider_test.cc
test/cpp/end2end/test_service_impl.cc
)
target_compile_features(crl_provider_test PUBLIC cxx_std_14)
target_include_directories(crl_provider_test
PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/include
${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
${_gRPC_RE2_INCLUDE_DIR}
${_gRPC_SSL_INCLUDE_DIR}
${_gRPC_UPB_GENERATED_DIR}
${_gRPC_UPB_GRPC_GENERATED_DIR}
${_gRPC_UPB_INCLUDE_DIR}
${_gRPC_XXHASH_INCLUDE_DIR}
${_gRPC_ZLIB_INCLUDE_DIR}
third_party/googletest/googletest/include
third_party/googletest/googletest
third_party/googletest/googlemock/include
third_party/googletest/googlemock
${_gRPC_PROTO_GENS_DIR}
)
target_link_libraries(crl_provider_test
${_gRPC_ALLTARGETS_LIBRARIES}
gtest
grpc++_test_util
)
endif()
if(gRPC_BUILD_TESTS)
if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
@ -13419,39 +13361,6 @@ target_link_libraries(grpc_tls_credentials_options_test
)
endif()
if(gRPC_BUILD_TESTS)
add_executable(grpc_tls_crl_provider_test
test/core/security/grpc_tls_crl_provider_test.cc
)
target_compile_features(grpc_tls_crl_provider_test PUBLIC cxx_std_14)
target_include_directories(grpc_tls_crl_provider_test
PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_SOURCE_DIR}/include
${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
${_gRPC_RE2_INCLUDE_DIR}
${_gRPC_SSL_INCLUDE_DIR}
${_gRPC_UPB_GENERATED_DIR}
${_gRPC_UPB_GRPC_GENERATED_DIR}
${_gRPC_UPB_INCLUDE_DIR}
${_gRPC_XXHASH_INCLUDE_DIR}
${_gRPC_ZLIB_INCLUDE_DIR}
third_party/googletest/googletest/include
third_party/googletest/googletest
third_party/googletest/googlemock/include
third_party/googletest/googlemock
${_gRPC_PROTO_GENS_DIR}
)
target_link_libraries(grpc_tls_crl_provider_test
${_gRPC_ALLTARGETS_LIBRARIES}
gtest
grpc_test_util
)
endif()
if(gRPC_BUILD_TESTS)
if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_POSIX)

4
Makefile generated
Unescape View File

@ -1638,7 +1638,6 @@ LIBGRPC_SRC = \
src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc \
src/core/lib/security/credentials/tls/tls_credentials.cc \
src/core/lib/security/credentials/tls/tls_utils.cc \
src/core/lib/security/credentials/xds/xds_credentials.cc \
@ -1753,7 +1752,6 @@ PUBLIC_HEADERS_C += \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \
@ -2272,7 +2270,6 @@ PUBLIC_HEADERS_C += \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \
@ -3692,7 +3689,6 @@ src/core/lib/security/credentials/tls/grpc_tls_certificate_match.cc: $(OPENSSL_D
src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)

3
Package.swift generated
Unescape View File

@ -57,7 +57,6 @@ let package = Package(
"include/grpc/fork.h",
"include/grpc/grpc.h",
"include/grpc/grpc_audit_logging.h",
"include/grpc/grpc_crl_provider.h",
"include/grpc/grpc_posix.h",
"include/grpc/grpc_security.h",
"include/grpc/grpc_security_constants.h",
@ -1595,8 +1594,6 @@ let package = Package(
"src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h",
"src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
"src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
"src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc",
"src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h",
"src/core/lib/security/credentials/tls/tls_credentials.cc",
"src/core/lib/security/credentials/tls/tls_credentials.h",
"src/core/lib/security/credentials/tls/tls_utils.cc",

33
build_autogenerated.yaml generated
Unescape View File

@ -158,7 +158,6 @@ libs:
- include/grpc/fork.h
- include/grpc/grpc.h
- include/grpc/grpc_audit_logging.h
- include/grpc/grpc_crl_provider.h
- include/grpc/grpc_posix.h
- include/grpc/grpc_security.h
- include/grpc/grpc_security_constants.h
@ -937,7 +936,6 @@ libs:
- src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
- src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h
- src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
- src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h
- src/core/lib/security/credentials/tls/tls_credentials.h
- src/core/lib/security/credentials/tls/tls_utils.h
- src/core/lib/security/credentials/xds/xds_credentials.h
@ -1723,7 +1721,6 @@ libs:
- src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
- src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc
- src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
- src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc
- src/core/lib/security/credentials/tls/tls_credentials.cc
- src/core/lib/security/credentials/tls/tls_utils.cc
- src/core/lib/security/credentials/xds/xds_credentials.cc
@ -1923,7 +1920,6 @@ libs:
- include/grpc/fork.h
- include/grpc/grpc.h
- include/grpc/grpc_audit_logging.h
- include/grpc/grpc_crl_provider.h
- include/grpc/grpc_posix.h
- include/grpc/grpc_security.h
- include/grpc/grpc_security_constants.h
@ -3533,7 +3529,6 @@ libs:
- include/grpcpp/security/tls_certificate_provider.h
- include/grpcpp/security/tls_certificate_verifier.h
- include/grpcpp/security/tls_credentials_options.h
- include/grpcpp/security/tls_crl_provider.h
- include/grpcpp/server.h
- include/grpcpp/server_builder.h
- include/grpcpp/server_context.h
@ -3957,7 +3952,6 @@ libs:
- include/grpcpp/security/tls_certificate_provider.h
- include/grpcpp/security/tls_certificate_verifier.h
- include/grpcpp/security/tls_credentials_options.h
- include/grpcpp/security/tls_crl_provider.h
- include/grpcpp/server.h
- include/grpcpp/server_builder.h
- include/grpcpp/server_context.h
@ -4056,7 +4050,6 @@ libs:
- include/grpc/fork.h
- include/grpc/grpc.h
- include/grpc/grpc_audit_logging.h
- include/grpc/grpc_crl_provider.h
- include/grpc/grpc_posix.h
- include/grpc/grpc_security.h
- include/grpc/grpc_security_constants.h
@ -7420,22 +7413,6 @@ targets:
- gtest
- grpc_test_util
uses_polling: false
- name: crl_provider_test
gtest: true
build: test
language: c++
headers:
- test/cpp/end2end/test_service_impl.h
src:
- src/proto/grpc/testing/echo.proto
- src/proto/grpc/testing/echo_messages.proto
- src/proto/grpc/testing/simple_messages.proto
- src/proto/grpc/testing/xds/v3/orca_load_report.proto
- test/cpp/end2end/crl_provider_test.cc
- test/cpp/end2end/test_service_impl.cc
deps:
- gtest
- grpc++_test_util
- name: crl_ssl_transport_security_test
gtest: true
build: test
@ -9460,16 +9437,6 @@ targets:
deps:
- gtest
- grpc_test_util
- name: grpc_tls_crl_provider_test
gtest: true
build: test
language: c++
headers: []
src:
- test/core/security/grpc_tls_crl_provider_test.cc
deps:
- gtest
- grpc_test_util
- name: grpc_tool_test
gtest: true
build: test

1
config.m4 generated
Unescape View File

@ -771,7 +771,6 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc \
src/core/lib/security/credentials/tls/tls_credentials.cc \
src/core/lib/security/credentials/tls/tls_utils.cc \
src/core/lib/security/credentials/xds/xds_credentials.cc \

1
config.w32 generated
Unescape View File

@ -736,7 +736,6 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\security\\credentials\\tls\\grpc_tls_certificate_provider.cc " +
"src\\core\\lib\\security\\credentials\\tls\\grpc_tls_certificate_verifier.cc " +
"src\\core\\lib\\security\\credentials\\tls\\grpc_tls_credentials_options.cc " +
"src\\core\\lib\\security\\credentials\\tls\\grpc_tls_crl_provider.cc " +
"src\\core\\lib\\security\\credentials\\tls\\tls_credentials.cc " +
"src\\core\\lib\\security\\credentials\\tls\\tls_utils.cc " +
"src\\core\\lib\\security\\credentials\\xds\\xds_credentials.cc " +

3
gRPC-C++.podspec generated
Unescape View File

@ -179,7 +179,6 @@ Pod::Spec.new do |s|
'include/grpcpp/security/tls_certificate_provider.h',
'include/grpcpp/security/tls_certificate_verifier.h',
'include/grpcpp/security/tls_credentials_options.h',
'include/grpcpp/security/tls_crl_provider.h',
'include/grpcpp/server.h',
'include/grpcpp/server_builder.h',
'include/grpcpp/server_context.h',
@ -1034,7 +1033,6 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h',
'src/core/lib/security/credentials/tls/tls_credentials.h',
'src/core/lib/security/credentials/tls/tls_utils.h',
'src/core/lib/security/credentials/xds/xds_credentials.h',
@ -2109,7 +2107,6 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h',
'src/core/lib/security/credentials/tls/tls_credentials.h',
'src/core/lib/security/credentials/tls/tls_utils.h',
'src/core/lib/security/credentials/xds/xds_credentials.h',

4
gRPC-Core.podspec generated
Unescape View File

@ -123,7 +123,6 @@ Pod::Spec.new do |s|
'include/grpc/fork.h',
'include/grpc/grpc.h',
'include/grpc/grpc_audit_logging.h',
'include/grpc/grpc_crl_provider.h',
'include/grpc/grpc_posix.h',
'include/grpc/grpc_security.h',
'include/grpc/grpc_security_constants.h',
@ -1694,8 +1693,6 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h',
'src/core/lib/security/credentials/tls/tls_credentials.cc',
'src/core/lib/security/credentials/tls/tls_credentials.h',
'src/core/lib/security/credentials/tls/tls_utils.cc',
@ -2868,7 +2865,6 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h',
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h',
'src/core/lib/security/credentials/tls/tls_credentials.h',
'src/core/lib/security/credentials/tls/tls_utils.h',
'src/core/lib/security/credentials/xds/xds_credentials.h',

3
grpc.gemspec generated
Unescape View File

@ -63,7 +63,6 @@ Gem::Specification.new do |s|
s.files += %w( include/grpc/fork.h )
s.files += %w( include/grpc/grpc.h )
s.files += %w( include/grpc/grpc_audit_logging.h )
s.files += %w( include/grpc/grpc_crl_provider.h )
s.files += %w( include/grpc/grpc_posix.h )
s.files += %w( include/grpc/grpc_security.h )
s.files += %w( include/grpc/grpc_security_constants.h )
@ -1597,8 +1596,6 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h )
s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc )
s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h )
s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc )
s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h )
s.files += %w( src/core/lib/security/credentials/tls/tls_credentials.cc )
s.files += %w( src/core/lib/security/credentials/tls/tls_credentials.h )
s.files += %w( src/core/lib/security/credentials/tls/tls_utils.cc )

1
grpc.gyp generated
Unescape View File

@ -956,7 +956,6 @@
'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc',
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc',
'src/core/lib/security/credentials/tls/tls_credentials.cc',
'src/core/lib/security/credentials/tls/tls_utils.cc',
'src/core/lib/security/credentials/xds/xds_credentials.cc',

85
include/grpc/grpc_crl_provider.h
Unescape View File

@ -1,85 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#ifndef GRPC_GRPC_CRL_PROVIDER_H
#define GRPC_GRPC_CRL_PROVIDER_H
#include <grpc/support/port_platform.h>
#include <memory>
#include <string>
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include <grpc/grpc_security.h>
#include <grpc/support/sync.h>
namespace grpc_core {
namespace experimental {
// Opaque representation of a CRL. Must be thread safe.
class Crl {
public:
static absl::StatusOr<std::unique_ptr<Crl>> Parse(
absl::string_view crl_string);
virtual ~Crl() = default;
virtual absl::string_view Issuer() = 0;
};
// Information about a certificate to be used to fetch its associated CRL. Must
// be thread safe.
class CertificateInfo {
public:
virtual ~CertificateInfo() = default;
virtual absl::string_view Issuer() const = 0;
};
// The base class for CRL Provider implementations.
// CrlProviders can be passed in as a way to supply CRLs during handshakes.
// CrlProviders must be thread safe. They are on the critical path of gRPC
// creating a connection and doing a handshake, so the implementation of
// `GetCrl` should be very fast. It is suggested to have an in-memory map of
// CRLs for quick lookup and return, and doing expensive updates to this map
// asynchronously.
class CrlProvider {
public:
virtual ~CrlProvider() = default;
// Get the CRL associated with a certificate. Read-only.
virtual std::shared_ptr<Crl> GetCrl(
const CertificateInfo& certificate_info) = 0;
};
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
absl::Span<const std::string> crls);
} // namespace experimental
} // namespace grpc_core
// TODO(gtcooke94) - Mark with api macro when all wrapped langauges support C++
// in core APIs
/**
* EXPERIMENTAL API - Subject to change
*
* Sets the crl provider in the options.
*/
void grpc_tls_credentials_options_set_crl_provider(
grpc_tls_credentials_options* options,
std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
#endif /* GRPC_GRPC_CRL_PROVIDER_H */

1
include/grpc/module.modulemap generated
Unescape View File

@ -9,7 +9,6 @@ header "byte_buffer.h"
header "fork.h"
header "grpc.h"
header "grpc_audit_logging.h"
header "grpc_crl_provider.h"
header "grpc_posix.h"
header "grpc_security.h"
header "grpc_security_constants.h"

3
include/grpcpp/security/tls_credentials_options.h
Unescape View File

@ -28,7 +28,6 @@
#include <grpc/support/log.h>
#include <grpcpp/security/tls_certificate_provider.h>
#include <grpcpp/security/tls_certificate_verifier.h>
#include <grpcpp/security/tls_crl_provider.h>
#include <grpcpp/support/config.h>
namespace grpc {
@ -105,8 +104,6 @@ class TlsCredentialsOptions {
// version > 1.1.
void set_crl_directory(const std::string& path);
void set_crl_provider(std::shared_ptr<CrlProvider> crl_provider);
// ----- Getters for member fields ----
// Get the internal c options. This function shall be used only internally.
grpc_tls_credentials_options* c_credentials_options() const {

39
include/grpcpp/security/tls_crl_provider.h
Unescape View File

@ -1,39 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#ifndef GRPCPP_SECURITY_TLS_CRL_PROVIDER_H
#define GRPCPP_SECURITY_TLS_CRL_PROVIDER_H
#include <grpc/grpc_crl_provider.h>
#include <grpcpp/impl/sync.h>
#include <grpcpp/support/string_ref.h>
namespace grpc {
namespace experimental {
using grpc_core::experimental::
CertificateInfo; // NOLINT(misc-unused-using-decls)
using grpc_core::experimental::
CreateStaticCrlProvider; // NOLINT(misc-unused-using-decls)
using grpc_core::experimental::Crl; // NOLINT(misc-unused-using-decls)
using grpc_core::experimental::CrlProvider; // NOLINT(misc-unused-using-decls)
} // namespace experimental
} // namespace grpc
#endif // GRPCPP_SECURITY_TLS_CRL_PROVIDER_H

3
package.xml generated
Unescape View File

@ -45,7 +45,6 @@
<file baseinstalldir="/" name="include/grpc/fork.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc_audit_logging.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc_crl_provider.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc_posix.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc_security.h" role="src" />
<file baseinstalldir="/" name="include/grpc/grpc_security_constants.h" role="src" />
@ -1579,8 +1578,6 @@
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/tls_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/tls_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/tls/tls_utils.cc" role="src" />

23
src/core/BUILD
Unescape View File

@ -3072,29 +3072,6 @@ grpc_cc_library(
],
)
grpc_cc_library(
name = "grpc_crl_provider",
srcs = [
"lib/security/credentials/tls/grpc_tls_crl_provider.cc",
],
hdrs = [
"lib/security/credentials/tls/grpc_tls_crl_provider.h",
],
external_deps = [
"absl/container:flat_hash_map",
"absl/status",
"absl/status:statusor",
"absl/strings",
"absl/types:span",
"libcrypto",
"libssl",
],
deps = [
"//:gpr",
"//:grpc_base",
],
)
grpc_cc_library(
name = "grpc_fake_credentials",
srcs = [

8
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
Unescape View File

@ -22,7 +22,6 @@
#include <memory>
#include <grpc/grpc_crl_provider.h>
#include <grpc/support/log.h>
#include "src/core/lib/debug/trace.h"
@ -131,10 +130,3 @@ void grpc_tls_credentials_options_set_send_client_ca_list(
}
options->set_send_client_ca_list(send_client_ca_list);
}
void grpc_tls_credentials_options_set_crl_provider(
grpc_tls_credentials_options* options,
std::shared_ptr<grpc_core::experimental::CrlProvider> provider) {
GPR_ASSERT(options != nullptr);
options->set_crl_provider(std::move(provider));
}

5
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h generated
Unescape View File

@ -61,8 +61,6 @@ struct grpc_tls_credentials_options
const std::string& identity_cert_name() const { return identity_cert_name_; }
const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
const std::string& crl_directory() const { return crl_directory_; }
// Returns the CRL Provider
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider() const { return crl_provider_; }
bool send_client_ca_list() const { return send_client_ca_list_; }
// Setters for member fields.
@ -84,7 +82,6 @@ struct grpc_tls_credentials_options
void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
// gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
void set_crl_provider(std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider) { crl_provider_ = std::move(crl_provider); }
void set_send_client_ca_list(bool send_client_ca_list) { send_client_ca_list_ = send_client_ca_list; }
bool operator==(const grpc_tls_credentials_options& other) const {
@ -101,7 +98,6 @@ struct grpc_tls_credentials_options
identity_cert_name_ == other.identity_cert_name_ &&
tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
crl_directory_ == other.crl_directory_ &&
(crl_provider_ == other.crl_provider_) &&
send_client_ca_list_ == other.send_client_ca_list_;
}
@ -119,7 +115,6 @@ struct grpc_tls_credentials_options
std::string identity_cert_name_;
std::string tls_session_key_log_file_path_;
std::string crl_directory_;
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider_;
bool send_client_ca_list_ = false;
};

118
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc
Unescape View File

@ -1,118 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h"
#include <limits.h>
#include <memory>
#include <utility>
// IWYU pragma: no_include <openssl/mem.h>
#include <openssl/bio.h>
#include <openssl/crypto.h> // IWYU pragma: keep
#include <openssl/pem.h>
#include <openssl/x509.h>
#include "absl/container/flat_hash_map.h"
#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/str_cat.h"
#include "absl/types/span.h"
#include <grpc/support/log.h>
namespace grpc_core {
namespace experimental {
namespace {
std::string IssuerFromCrl(X509_CRL* crl) {
char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
std::string ret;
if (buf != nullptr) {
ret = buf;
}
OPENSSL_free(buf);
return ret;
}
} // namespace
absl::StatusOr<std::unique_ptr<Crl>> Crl::Parse(absl::string_view crl_string) {
if (crl_string.size() >= INT_MAX) {
return absl::InvalidArgumentError("crl_string cannot be of size INT_MAX");
}
BIO* crl_bio =
BIO_new_mem_buf(crl_string.data(), static_cast<int>(crl_string.size()));
// Errors on BIO
if (crl_bio == nullptr) {
return absl::InvalidArgumentError(
"Conversion from crl string to BIO failed.");
}
X509_CRL* crl = PEM_read_bio_X509_CRL(crl_bio, nullptr, nullptr, nullptr);
BIO_free(crl_bio);
if (crl == nullptr) {
return absl::InvalidArgumentError(
"Conversion from PEM string to X509 CRL failed.");
}
return CrlImpl::Create(crl);
}
absl::StatusOr<std::unique_ptr<CrlImpl>> CrlImpl::Create(X509_CRL* crl) {
std::string issuer = IssuerFromCrl(crl);
if (issuer.empty()) {
return absl::InvalidArgumentError("Issuer of crl cannot be empty");
}
return std::make_unique<CrlImpl>(crl, issuer);
}
CrlImpl::~CrlImpl() { X509_CRL_free(crl_); }
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
absl::Span<const std::string> crls) {
absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crl_map;
for (const auto& raw_crl : crls) {
absl::StatusOr<std::unique_ptr<Crl>> crl = Crl::Parse(raw_crl);
if (!crl.ok()) {
return absl::InvalidArgumentError(absl::StrCat(
"Parsing crl string failed with result ", crl.status().ToString()));
}
bool inserted = crl_map.emplace((*crl)->Issuer(), std::move(*crl)).second;
if (!inserted) {
gpr_log(GPR_ERROR,
"StaticCrlProvider received multiple CRLs with the same issuer. "
"The first one in the span will be used.");
}
}
StaticCrlProvider provider = StaticCrlProvider(std::move(crl_map));
return std::make_shared<StaticCrlProvider>(std::move(provider));
}
std::shared_ptr<Crl> StaticCrlProvider::GetCrl(
const CertificateInfo& certificate_info) {
auto it = crls_.find(certificate_info.Issuer());
if (it == crls_.end()) {
return nullptr;
}
return it->second;
}
} // namespace experimental
} // namespace grpc_core

83
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h
Unescape View File

@ -1,83 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#ifndef GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H
#define GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H
#include <grpc/support/port_platform.h>
#include <memory>
#include <string>
#include <utility>
#include <openssl/crypto.h>
#include "absl/container/flat_hash_map.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include <grpc/grpc_crl_provider.h>
namespace grpc_core {
namespace experimental {
class StaticCrlProvider : public CrlProvider {
public:
// Each element of the input vector is expected to be the raw contents of a
// CRL file.
explicit StaticCrlProvider(
absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crls)
: crls_(std::move(crls)) {}
std::shared_ptr<Crl> GetCrl(const CertificateInfo& certificate_info) override;
private:
const absl::flat_hash_map<std::string, std::shared_ptr<Crl>> crls_;
};
class CrlImpl : public Crl {
public:
static absl::StatusOr<std::unique_ptr<CrlImpl>> Create(X509_CRL* crl);
// Takes ownership of the X509_CRL pointer.
CrlImpl(X509_CRL* crl, absl::string_view issuer)
: crl_(crl), issuer_(issuer) {}
~CrlImpl() override;
// Returns a string view representation of the issuer pulled from the CRL.
absl::string_view Issuer() override { return issuer_; }
// The caller should not take ownership of the returned pointer.
X509_CRL* crl() const { return crl_; }
private:
X509_CRL* crl_;
const std::string issuer_;
};
class CertificateInfoImpl : public CertificateInfo {
public:
explicit CertificateInfoImpl(absl::string_view issuer) : issuer_(issuer) {}
// Returns a string representation of the issuer pulled from the
// certificate.
absl::string_view Issuer() const override { return issuer_; }
private:
const std::string issuer_;
};
} // namespace experimental
} // namespace grpc_core
#endif // GRPC_SRC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CRL_PROVIDER_H

9
src/core/lib/security/credentials/tls/tls_credentials.cc
Unescape View File

@ -20,7 +20,6 @@
#include "src/core/lib/security/credentials/tls/tls_credentials.h"
#include <memory>
#include <string>
#include <utility>
@ -46,14 +45,6 @@ bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
return false;
}
if (!options->crl_directory().empty() && options->crl_provider() != nullptr) {
gpr_log(GPR_ERROR,
"Setting crl_directory and crl_provider not supported. Using the "
"crl_provider.");
// TODO(gtcooke94) - Maybe return false here. Right now object lifetime of
// this options struct is leaky if false is returned and represents a more
// complex fix to handle in another PR.
}
// In the following conditions, there won't be any issues, but it might
// indicate callers are doing something wrong with the API.
if (is_client && options->cert_request_type() !=

5
src/core/lib/security/security_connector/ssl_utils.cc
Unescape View File

@ -23,7 +23,6 @@
#include <stdint.h>
#include <string.h>
#include <memory>
#include <vector>
#include "absl/strings/match.h"
@ -411,7 +410,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
const char* crl_directory,
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
tsi_ssl_client_handshaker_factory** handshaker_factory) {
const char* root_certs;
const tsi_ssl_root_certs_store* root_store;
@ -450,7 +448,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
options.min_tls_version = min_tls_version;
options.max_tls_version = max_tls_version;
options.crl_directory = crl_directory;
options.crl_provider = std::move(crl_provider);
const tsi_result result =
tsi_create_ssl_client_handshaker_factory_with_options(&options,
handshaker_factory);
@ -470,7 +467,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
const char* crl_directory, bool send_client_ca_list,
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
tsi_ssl_server_handshaker_factory** handshaker_factory) {
size_t num_alpn_protocols = 0;
const char** alpn_protocol_strings =
@ -488,7 +484,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
options.max_tls_version = max_tls_version;
options.key_logger = tls_session_key_logger;
options.crl_directory = crl_directory;
options.crl_provider = std::move(crl_provider);
options.send_client_ca_list = send_client_ca_list;
const tsi_result result =
tsi_create_ssl_server_handshaker_factory_with_options(&options,

4
src/core/lib/security/security_connector/ssl_utils.h
Unescape View File

@ -23,7 +23,6 @@
#include <stddef.h>
#include <memory>
#include <string>
#include <utility>
#include <vector>
@ -31,7 +30,6 @@
#include "absl/status/status.h"
#include "absl/strings/string_view.h"
#include <grpc/grpc_crl_provider.h>
#include <grpc/grpc_security.h>
#include <grpc/grpc_security_constants.h>
#include <grpc/slice.h>
@ -87,7 +85,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
const char* crl_directory,
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
tsi_ssl_client_handshaker_factory** handshaker_factory);
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
@ -97,7 +94,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
const char* crl_directory, bool send_client_ca_list,
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
tsi_ssl_server_handshaker_factory** handshaker_factory);
// Free the memory occupied by key cert pairs.

5
src/core/lib/security/security_connector/tls/tls_security_connector.cc
Unescape View File

@ -550,7 +550,7 @@ TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
grpc_get_tsi_tls_version(options_->min_tls_version()),
grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
tls_session_key_logger_.get(), options_->crl_directory().c_str(),
options_->crl_provider(), &client_handshaker_factory_);
&client_handshaker_factory_);
// Free memory.
if (pem_key_cert_pair != nullptr) {
grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
@ -817,8 +817,7 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
grpc_get_tsi_tls_version(options_->min_tls_version()),
grpc_get_tsi_tls_version(options_->max_tls_version()),
tls_session_key_logger_.get(), options_->crl_directory().c_str(),
options_->send_client_ca_list(), options_->crl_provider(),
&server_handshaker_factory_);
options_->send_client_ca_list(), &server_handshaker_factory_);
// Free memory.
grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
num_key_cert_pairs);

122
src/core/tsi/ssl_transport_security.cc
Unescape View File

@ -57,7 +57,6 @@
#include "src/core/lib/gpr/useful.h"
#include "src/core/lib/gprpp/crash.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h"
#include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
#include "src/core/tsi/ssl/session_cache/ssl_session_cache.h"
#include "src/core/tsi/ssl_transport_security_utils.h"
@ -145,7 +144,6 @@ struct tsi_ssl_frame_protector {
static gpr_once g_init_openssl_once = GPR_ONCE_INIT;
static int g_ssl_ctx_ex_factory_index = -1;
static int g_ssl_ctx_ex_crl_provider_index = -1;
static const unsigned char kSslSessionIdContext[] = {'g', 'r', 'p', 'c'};
static int g_ssl_ex_verified_root_cert_index = -1;
#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ENGINE)
@ -201,10 +199,6 @@ static void init_openssl(void) {
SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
GPR_ASSERT(g_ssl_ctx_ex_factory_index != -1);
g_ssl_ctx_ex_crl_provider_index =
SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
GPR_ASSERT(g_ssl_ctx_ex_crl_provider_index != -1);
g_ssl_ex_verified_root_cert_index =
SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
GPR_ASSERT(g_ssl_ex_verified_root_cert_index != -1);
@ -882,9 +876,9 @@ static tsi_result build_alpn_protocol_name_list(
static int verify_cb(int ok, X509_STORE_CTX* ctx) {
int cert_error = X509_STORE_CTX_get_error(ctx);
if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
gpr_log(GPR_INFO,
"Certificate verification failed to find relevant CRL file. "
"Ignoring error.");
gpr_log(
GPR_INFO,
"Certificate verification failed to get CRL files. Ignoring error.");
return 1;
}
if (cert_error != 0) {
@ -946,16 +940,8 @@ static int RootCertExtractCallback(int preverify_ok, X509_STORE_CTX* ctx) {
return preverify_ok;
}
ERR_clear_error();
int ssl_index = SSL_get_ex_data_X509_STORE_CTX_idx();
if (ssl_index < 0) {
char err_str[256];
ERR_error_string_n(ERR_get_error(), err_str, sizeof(err_str));
gpr_log(GPR_ERROR,
"error getting the SSL index from the X509_STORE_CTX: %s", err_str);
return preverify_ok;
}
SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, ssl_index));
SSL* ssl = static_cast<SSL*>(
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
if (ssl == nullptr) {
return preverify_ok;
}
@ -967,69 +953,6 @@ static int RootCertExtractCallback(int preverify_ok, X509_STORE_CTX* ctx) {
return preverify_ok;
}
// X509_STORE_set_get_crl() sets the function to get the crl for a given
// certificate x. When found, the crl must be assigned to *crl. This function
// must return 0 on failure and 1 on success. If no function to get the issuer
// is provided, the internal default function will be used instead.
static int GetCrlFromProvider(X509_STORE_CTX* ctx, X509_CRL** crl_out,
X509* cert) {
ERR_clear_error();
int ssl_index = SSL_get_ex_data_X509_STORE_CTX_idx();
if (ssl_index < 0) {
char err_str[256];
ERR_error_string_n(ERR_get_error(), err_str, sizeof(err_str));
gpr_log(GPR_ERROR,
"error getting the SSL index from the X509_STORE_CTX while looking "
"up Crl: %s",
err_str);
return 0;
}
SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, ssl_index));
if (ssl == nullptr) {
gpr_log(GPR_ERROR,
"error while fetching from CrlProvider. SSL object is null");
return 0;
}
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
auto* provider = static_cast<grpc_core::experimental::CrlProvider*>(
SSL_CTX_get_ex_data(ssl_ctx, g_ssl_ctx_ex_crl_provider_index));
char* buf = X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);
if (buf == nullptr) {
gpr_log(GPR_ERROR, "Certificate has null issuer, cannot do CRL lookup");
return 0;
}
grpc_core::experimental::CertificateInfoImpl cert_impl(buf);
std::shared_ptr<grpc_core::experimental::Crl> internal_crl =
provider->GetCrl(cert_impl);
OPENSSL_free(buf);
// There wasn't a CRL found in the provider. Returning 0 will end up causing
// OpenSSL to return X509_V_ERR_UNABLE_TO_GET_CRL. We then catch that error
// and behave how we want for a missing CRL.
// It is important to treat missing CRLs and empty CRLs differently.
if (internal_crl == nullptr) {
return 0;
}
X509_CRL* crl =
std::static_pointer_cast<grpc_core::experimental::CrlImpl>(internal_crl)
->crl();
X509_CRL* copy = X509_CRL_dup(crl);
*crl_out = copy;
return 1;
}
// When using CRL Providers, this function used to override the default
// `check_crl` function in OpenSSL using `X509_STORE_set_check_crl`.
// CrlProviders put the onus on the users to provide the CRLs that they want to
// provide, and because we override default CRL fetching behavior, we can expect
// some of these verification checks to fails for custom CRL providers as well.
// Thus, we need a passthrough to indicate to OpenSSL that we've provided a CRL
// and we are good with it.
static int CheckCrlPassthrough(X509_STORE_CTX* /*ctx*/, X509_CRL* /*crl*/) {
return 1;
}
// Sets the min and max TLS version of |ssl_context| to |min_tls_version| and
// |max_tls_version|, respectively. Calling this method is a no-op when using
// OpenSSL versions < 1.1.
@ -2158,18 +2081,10 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000
if (options->crl_provider != nullptr) {
SSL_CTX_set_ex_data(impl->ssl_context, g_ssl_ctx_ex_crl_provider_index,
options->crl_provider.get());
X509_STORE* cert_store = SSL_CTX_get_cert_store(impl->ssl_context);
X509_STORE_set_get_crl(cert_store, GetCrlFromProvider);
X509_STORE_set_check_crl(cert_store, CheckCrlPassthrough);
X509_STORE_set_verify_cb(cert_store, verify_cb);
X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
X509_VERIFY_PARAM_set_flags(
param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
} else if (options->crl_directory != nullptr &&
strcmp(options->crl_directory, "") != 0) {
if (options->crl_directory != nullptr &&
strcmp(options->crl_directory, "") != 0) {
gpr_log(GPR_INFO, "enabling client CRL checking with path: %s",
options->crl_directory);
X509_STORE* cert_store = SSL_CTX_get_cert_store(ssl_context);
X509_STORE_set_verify_cb(cert_store, verify_cb);
if (!X509_STORE_load_locations(cert_store, nullptr,
@ -2179,6 +2094,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
X509_VERIFY_PARAM_set_flags(
param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
gpr_log(GPR_INFO, "enabled client side CRL checking.");
}
}
#endif
@ -2353,19 +2269,10 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000
if (options->crl_provider != nullptr) {
SSL_CTX_set_ex_data(impl->ssl_contexts[i],
g_ssl_ctx_ex_crl_provider_index,
options->crl_provider.get());
X509_STORE* cert_store = SSL_CTX_get_cert_store(impl->ssl_contexts[i]);
X509_STORE_set_get_crl(cert_store, GetCrlFromProvider);
X509_STORE_set_check_crl(cert_store, CheckCrlPassthrough);
X509_STORE_set_verify_cb(cert_store, verify_cb);
X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
X509_VERIFY_PARAM_set_flags(
param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
} else if (options->crl_directory != nullptr &&
strcmp(options->crl_directory, "") != 0) {
if (options->crl_directory != nullptr &&
strcmp(options->crl_directory, "") != 0) {
gpr_log(GPR_INFO, "enabling server CRL checking with path %s",
options->crl_directory);
X509_STORE* cert_store = SSL_CTX_get_cert_store(impl->ssl_contexts[i]);
X509_STORE_set_verify_cb(cert_store, verify_cb);
if (!X509_STORE_load_locations(cert_store, nullptr,
@ -2375,6 +2282,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
X509_VERIFY_PARAM_set_flags(
param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
gpr_log(GPR_INFO, "enabled server CRL checking.");
}
}
#endif

20
src/core/tsi/ssl_transport_security.h
Unescape View File

@ -21,13 +21,10 @@
#include <grpc/support/port_platform.h>
#include <memory>
#include <openssl/x509.h>
#include "absl/strings/string_view.h"
#include <grpc/grpc_crl_provider.h>
#include <grpc/grpc_security_constants.h>
#include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
@ -182,17 +179,9 @@ struct tsi_ssl_client_handshaker_options {
// The directory where all hashed CRL files enforced by the handshaker are
// located. If the directory is invalid, CRL checking will fail open and just
// log. An empty directory will not enable crl checking. Only OpenSSL version
// >= 1.1 is supported for CRL checking. Cannot be used in conjunction with
// `crl_provider`.
// > 1.1 is supported for CRL checking
const char* crl_directory;
// A provider of CRLs. If set, when doing handshakes the `CrlProvider`'s
// `GetCrl` function will be called to find CRLs when checking certificates
// for revocation. Cannot be used in conjunction with `crl_directory`.
// This provider is created and owned by the user and passed in through
// options as a shared_ptr.
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider;
tsi_ssl_client_handshaker_options()
: pem_key_cert_pair(nullptr),
pem_root_certs(nullptr),
@ -336,13 +325,6 @@ struct tsi_ssl_server_handshaker_options {
// crl checking. Only OpenSSL version > 1.1 is supported for CRL checking
const char* crl_directory;
// A provider of CRLs. If set, when doing handshakes the `CrlProvider`'s
// `GetCrl` function will be called to find CRLs when checking certificates
// for revocation. Cannot be used in conjunction with `crl_directory`.
// This provider is created and owned by the user and passed in through
// options as a shared_ptr.
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider;
// If true, the SSL server sends a list of CA names to the client in the
// ServerHello. This list of CA names is extracted from the server's trust
// bundle, and the client may use this lint as a hint to decide which

8
src/cpp/common/tls_credentials_options.cc
Unescape View File

@ -20,14 +20,12 @@
#include <string>
#include <utility>
#include <grpc/grpc_crl_provider.h>
#include <grpc/grpc_security.h>
#include <grpc/grpc_security_constants.h>
#include <grpc/support/log.h>
#include <grpcpp/security/tls_certificate_provider.h>
#include <grpcpp/security/tls_certificate_verifier.h>
#include <grpcpp/security/tls_credentials_options.h>
#include <grpcpp/security/tls_crl_provider.h>
namespace grpc {
namespace experimental {
@ -45,12 +43,6 @@ void TlsCredentialsOptions::set_certificate_provider(
}
}
void TlsCredentialsOptions::set_crl_provider(
std::shared_ptr<CrlProvider> crl_provider) {
grpc_tls_credentials_options_set_crl_provider(c_credentials_options_,
std::move(crl_provider));
}
void TlsCredentialsOptions::watch_root_certs() {
grpc_tls_credentials_options_watch_root_certs(c_credentials_options_);
}

9
src/cpp/server/secure_server_credentials.cc
Unescape View File

@ -151,13 +151,8 @@ std::shared_ptr<ServerCredentials> LocalServerCredentials(
std::shared_ptr<ServerCredentials> TlsServerCredentials(
const grpc::experimental::TlsServerCredentialsOptions& options) {
grpc_server_credentials* c_creds =
grpc_tls_server_credentials_create(options.c_credentials_options());
if (c_creds == nullptr) {
return nullptr;
}
return std::shared_ptr<ServerCredentials>(
new SecureServerCredentials(c_creds));
return std::shared_ptr<ServerCredentials>(new SecureServerCredentials(
grpc_tls_server_credentials_create(options.c_credentials_options())));
}
} // namespace experimental

1
src/python/grpcio/grpc_core_dependencies.py generated
Unescape View File

@ -745,7 +745,6 @@ CORE_SOURCE_FILES = [
'src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc',
'src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc',
'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
'src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc',
'src/core/lib/security/credentials/tls/tls_credentials.cc',
'src/core/lib/security/credentials/tls/tls_utils.cc',
'src/core/lib/security/credentials/xds/xds_credentials.cc',

16
test/core/security/BUILD
Unescape View File

@ -560,19 +560,3 @@ grpc_cc_test(
"//test/core/util:grpc_test_util",
],
)
grpc_cc_test(
name = "grpc_tls_crl_provider_test",
srcs = ["grpc_tls_crl_provider_test.cc"],
data = [
"//test/core/tsi/test_creds/crl_data/crls:ab06acdd.r0",
],
external_deps = ["gtest"],
language = "C++",
deps = [
"//:gpr",
"//:grpc",
"//src/core:grpc_crl_provider",
"//test/core/util:grpc_test_util",
],
)

10
test/core/security/grpc_tls_credentials_options_comparator_test.cc generated
Unescape View File

@ -161,16 +161,6 @@ TEST(TlsCredentialsOptionsComparatorTest, DifferentCrlDirectory) {
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentCrlProvider) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();
options_1->set_crl_provider(*experimental::CreateStaticCrlProvider({}));
options_2->set_crl_provider(*experimental::CreateStaticCrlProvider({}));
EXPECT_FALSE(*options_1 == *options_2);
EXPECT_FALSE(*options_2 == *options_1);
delete options_1;
delete options_2;
}
TEST(TlsCredentialsOptionsComparatorTest, DifferentSendClientCaListValues) {
auto* options_1 = grpc_tls_credentials_options_create();
auto* options_2 = grpc_tls_credentials_options_create();

38
test/core/security/grpc_tls_credentials_options_test.cc
Unescape View File

@ -562,44 +562,6 @@ TEST_F(GrpcTlsCredentialsOptionsTest,
EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
}
TEST_F(GrpcTlsCredentialsOptionsTest, CrlProvider) {
auto options = MakeRefCounted<grpc_tls_credentials_options>();
auto provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(provider.ok());
options->set_crl_provider(std::move(*provider));
auto credentials = MakeRefCounted<TlsCredentials>(options);
ASSERT_NE(credentials, nullptr);
ChannelArgs new_args;
auto connector = credentials->create_security_connector(
nullptr, "random targets", &new_args);
ASSERT_NE(connector, nullptr);
TlsChannelSecurityConnector* tls_connector =
static_cast<TlsChannelSecurityConnector*>(connector.get());
EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
}
TEST_F(GrpcTlsCredentialsOptionsTest, CrlProviderWithServerCredentials) {
auto options = MakeRefCounted<grpc_tls_credentials_options>();
auto provider = MakeRefCounted<StaticDataCertificateProvider>(
root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
options->set_certificate_provider(std::move(provider));
options->set_watch_root_cert(true);
options->set_watch_identity_pair(true);
options->set_cert_request_type(
GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
auto crl_provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(crl_provider.ok());
options->set_crl_provider(std::move(*crl_provider));
auto credentials = MakeRefCounted<TlsServerCredentials>(options);
ASSERT_NE(credentials, nullptr);
ChannelArgs new_args;
auto connector = credentials->create_security_connector(new_args);
ASSERT_NE(connector, nullptr);
TlsServerSecurityConnector* tls_connector =
static_cast<TlsServerSecurityConnector*>(connector.get());
EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
}
} // namespace testing
} // namespace grpc_core

95
test/core/security/grpc_tls_crl_provider_test.cc
Unescape View File

@ -1,95 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h"
#include <memory>
#include <string>
#include <vector>
#include <gtest/gtest.h>
#include "absl/status/statusor.h"
#include <grpc/grpc_audit_logging.h>
#include <grpc/grpc_crl_provider.h>
#include "test/core/util/test_config.h"
#include "test/core/util/tls_utils.h"
const char* kCrlPath = "test/core/tsi/test_creds/crl_data/crls/ab06acdd.r0";
const absl::string_view kCrlIssuer =
"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=testca";
namespace grpc_core {
namespace testing {
using ::grpc_core::experimental::CertificateInfoImpl;
using ::grpc_core::experimental::Crl;
using ::grpc_core::experimental::CrlProvider;
TEST(CrlProviderTest, CanParseCrl) {
std::string crl_string = GetFileContents(kCrlPath);
absl::StatusOr<std::shared_ptr<Crl>> crl = Crl::Parse(crl_string);
ASSERT_TRUE(crl.ok());
ASSERT_NE(*crl, nullptr);
EXPECT_EQ((*crl)->Issuer(), kCrlIssuer);
}
TEST(CrlProviderTest, InvalidFile) {
std::string crl_string = "INVALID CRL FILE";
absl::StatusOr<std::shared_ptr<Crl>> crl = Crl::Parse(crl_string);
EXPECT_EQ(crl.status(),
absl::InvalidArgumentError(
"Conversion from PEM string to X509 CRL failed."));
}
TEST(CrlProviderTest, StaticCrlProviderLookup) {
std::vector<std::string> crl_strings = {GetFileContents(kCrlPath)};
absl::StatusOr<std::shared_ptr<CrlProvider>> provider =
experimental::CreateStaticCrlProvider(crl_strings);
ASSERT_TRUE(provider.ok()) << provider.status();
CertificateInfoImpl cert = CertificateInfoImpl(kCrlIssuer);
auto crl = (*provider)->GetCrl(cert);
ASSERT_NE(crl, nullptr);
EXPECT_EQ(crl->Issuer(), kCrlIssuer);
}
TEST(CrlProviderTest, StaticCrlProviderLookupBad) {
std::vector<std::string> crl_strings = {GetFileContents(kCrlPath)};
absl::StatusOr<std::shared_ptr<CrlProvider>> provider =
experimental::CreateStaticCrlProvider(crl_strings);
ASSERT_TRUE(provider.ok()) << provider.status();
CertificateInfoImpl bad_cert = CertificateInfoImpl("BAD CERT");
auto crl = (*provider)->GetCrl(bad_cert);
EXPECT_EQ(crl, nullptr);
}
} // namespace testing
} // namespace grpc_core
int main(int argc, char** argv) {
grpc::testing::TestEnvironment env(&argc, argv);
::testing::InitGoogleTest(&argc, argv);
grpc_init();
int ret = RUN_ALL_TESTS();
grpc_shutdown();
return ret;
}

2
test/core/tsi/BUILD
Unescape View File

@ -125,8 +125,6 @@ grpc_cc_test(
"//test/core/tsi/test_creds/crl_data:valid.pem",
"//test/core/tsi/test_creds/crl_data/crls:ab06acdd.r0",
"//test/core/tsi/test_creds/crl_data/crls:b9322cac.r0",
"//test/core/tsi/test_creds/crl_data/crls:current.crl",
"//test/core/tsi/test_creds/crl_data/crls:intermediate.crl",
"//test/core/tsi/test_creds/crl_data/crls_missing_intermediate:ab06acdd.r0",
"//test/core/tsi/test_creds/crl_data/crls_missing_root:b9322cac.r0",
],

384
test/core/tsi/crl_ssl_transport_security_test.cc
Unescape View File

@ -16,8 +16,6 @@
#include <stdio.h>
#include <string.h>
#include <utility>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
@ -36,7 +34,6 @@
#include "src/core/tsi/transport_security_interface.h"
#include "test/core/tsi/transport_security_test_lib.h"
#include "test/core/util/test_config.h"
#include "test/core/util/tls_utils.h"
extern "C" {
#include <openssl/crypto.h>
@ -45,6 +42,9 @@ extern "C" {
namespace {
const int kSslTsiTestRevokedKeyCertPairsNum = 1;
const int kSslTsiTestValidKeyCertPairsNum = 1;
const int kSslTsiTestRevokedIntermedidateKeyCertPairsNum = 1;
const char* kSslTsiTestCrlSupportedCredentialsDir =
"test/core/tsi/test_creds/crl_data/";
const char* kSslTsiTestCrlSupportedCrlDir =
@ -54,18 +54,6 @@ const char* kSslTsiTestCrlSupportedCrlDirMissingIntermediate =
const char* kSslTsiTestCrlSupportedCrlDirMissingRoot =
"test/core/tsi/test_creds/crl_data/crls_missing_root/";
const char* kSslTsiTestFaultyCrlsDir = "bad_path/";
const char* kRevokedKeyPath = "test/core/tsi/test_creds/crl_data/revoked.key";
const char* kRevokedCertPath = "test/core/tsi/test_creds/crl_data/revoked.pem";
const char* kValidKeyPath = "test/core/tsi/test_creds/crl_data/valid.key";
const char* kValidCertPath = "test/core/tsi/test_creds/crl_data/valid.pem";
const char* kRevokedIntermediateKeyPath =
"test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.key";
const char* kRevokedIntermediateCertPath =
"test/core/tsi/test_creds/crl_data/leaf_and_intermediate_chain.pem";
const char* kRootCrlPath = "test/core/tsi/test_creds/crl_data/crls/current.crl";
const char* kIntermediateCrlPath =
"test/core/tsi/test_creds/crl_data/crls/intermediate.crl";
class CrlSslTransportSecurityTest
: public testing::TestWithParam<tsi_tls_version> {
@ -73,40 +61,22 @@ class CrlSslTransportSecurityTest
// A tsi_test_fixture implementation.
class SslTsiTestFixture {
public:
SslTsiTestFixture(
absl::string_view server_key_path, absl::string_view server_cert_path,
absl::string_view client_key_path, absl::string_view client_cert_path,
const char* crl_directory,
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
bool expect_server_success, bool expect_client_success_1_2,
bool expect_client_success_1_3) {
tsi_test_fixture_init(&base_);
base_.test_unused_bytes = true;
base_.vtable = &kVtable;
server_key_ = grpc_core::testing::GetFileContents(server_key_path.data());
server_cert_ =
grpc_core::testing::GetFileContents(server_cert_path.data());
client_key_ = grpc_core::testing::GetFileContents(client_key_path.data());
client_cert_ =
grpc_core::testing::GetFileContents(client_cert_path.data());
root_cert_ = grpc_core::testing::GetFileContents(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "ca.pem").data());
root_store_ = tsi_ssl_root_certs_store_create(root_cert_.c_str());
crl_directory_ = crl_directory;
crl_provider_ = std::move(crl_provider);
expect_server_success_ = expect_server_success;
expect_client_success_1_2_ = expect_client_success_1_2;
expect_client_success_1_3_ = expect_client_success_1_3;
server_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair)));
server_pem_key_cert_pairs_[0].private_key = server_key_.c_str();
server_pem_key_cert_pairs_[0].cert_chain = server_cert_.c_str();
client_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair)));
client_pem_key_cert_pairs_[0].private_key = client_key_.c_str();
client_pem_key_cert_pairs_[0].cert_chain = client_cert_.c_str();
GPR_ASSERT(root_store_ != nullptr);
// When use_faulty_crl_directory is set, the crl_directory of the
// client is set to a non-existant path.
static SslTsiTestFixture* Create(bool use_revoked_server_cert,
bool use_revoked_client_cert,
bool use_faulty_crl_directory) {
return new SslTsiTestFixture(
use_revoked_server_cert, use_revoked_client_cert,
use_faulty_crl_directory, false, false, false);
}
static SslTsiTestFixture* CreateWithIntermediate(
bool use_revoked_intermediate, bool use_missing_intermediate_crl,
bool use_missing_root_crl) {
return new SslTsiTestFixture(
false, false, false, use_revoked_intermediate,
use_missing_intermediate_crl, use_missing_root_crl);
}
void Run() {
@ -114,16 +84,73 @@ class CrlSslTransportSecurityTest
tsi_test_fixture_destroy(&base_);
}
~SslTsiTestFixture() {
gpr_free(server_pem_key_cert_pairs_);
gpr_free(client_pem_key_cert_pairs_);
private:
SslTsiTestFixture(bool use_revoked_server_cert,
bool use_revoked_client_cert,
bool use_faulty_crl_directory,
bool use_revoked_intermediate,
bool use_missing_intermediate_crl,
bool use_missing_root_crl)
: use_revoked_server_cert_(use_revoked_server_cert),
use_revoked_client_cert_(use_revoked_client_cert),
use_faulty_crl_directory_(use_faulty_crl_directory),
use_revoked_intermediate_(use_revoked_intermediate),
use_missing_intermediate_crl_(use_missing_intermediate_crl),
use_missing_root_crl_(use_missing_root_crl) {
tsi_test_fixture_init(&base_);
base_.test_unused_bytes = true;
base_.vtable = &kVtable;
// Load cert data.
revoked_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
kSslTsiTestRevokedKeyCertPairsNum));
revoked_pem_key_cert_pairs_[0].private_key = LoadFile(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "revoked.key"));
revoked_pem_key_cert_pairs_[0].cert_chain = LoadFile(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "revoked.pem"));
valid_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
kSslTsiTestValidKeyCertPairsNum));
valid_pem_key_cert_pairs_[0].private_key = LoadFile(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.key"));
valid_pem_key_cert_pairs_[0].cert_chain = LoadFile(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.pem"));
revoked_intermediate_pem_key_cert_pairs_ =
static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
kSslTsiTestRevokedIntermedidateKeyCertPairsNum));
revoked_intermediate_pem_key_cert_pairs_[0].private_key =
LoadFile(absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir,
"leaf_signed_by_intermediate.key"));
revoked_intermediate_pem_key_cert_pairs_[0].cert_chain =
LoadFile(absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir,
"leaf_and_intermediate_chain.pem"));
root_cert_ = LoadFile(
absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "ca.pem"));
root_store_ = tsi_ssl_root_certs_store_create(root_cert_);
GPR_ASSERT(root_store_ != nullptr);
}
~SslTsiTestFixture() {
for (size_t i = 0; i < kSslTsiTestValidKeyCertPairsNum; i++) {
PemKeyCertPairDestroy(valid_pem_key_cert_pairs_[i]);
}
gpr_free(valid_pem_key_cert_pairs_);
for (size_t i = 0; i < kSslTsiTestRevokedKeyCertPairsNum; i++) {
PemKeyCertPairDestroy(revoked_pem_key_cert_pairs_[i]);
}
gpr_free(revoked_pem_key_cert_pairs_);
for (size_t i = 0; i < kSslTsiTestRevokedIntermedidateKeyCertPairsNum;
i++) {
PemKeyCertPairDestroy(revoked_intermediate_pem_key_cert_pairs_[i]);
}
gpr_free(revoked_intermediate_pem_key_cert_pairs_);
gpr_free(root_cert_);
tsi_ssl_root_certs_store_destroy(root_store_);
tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
}
private:
static void SetupHandshakers(tsi_test_fixture* fixture) {
GPR_ASSERT(fixture != nullptr);
auto* self = reinterpret_cast<SslTsiTestFixture*>(fixture);
@ -133,10 +160,22 @@ class CrlSslTransportSecurityTest
void SetupHandshakers() {
// Create client handshaker factory.
tsi_ssl_client_handshaker_options client_options;
client_options.pem_root_certs = root_cert_.c_str();
client_options.pem_key_cert_pair = client_pem_key_cert_pairs_;
client_options.crl_directory = crl_directory_;
client_options.crl_provider = crl_provider_;
client_options.pem_root_certs = root_cert_;
if (use_revoked_client_cert_) {
client_options.pem_key_cert_pair = revoked_pem_key_cert_pairs_;
} else {
client_options.pem_key_cert_pair = valid_pem_key_cert_pairs_;
}
if (use_faulty_crl_directory_) {
client_options.crl_directory = kSslTsiTestFaultyCrlsDir;
} else if (use_missing_intermediate_crl_) {
client_options.crl_directory =
kSslTsiTestCrlSupportedCrlDirMissingIntermediate;
} else if (use_missing_root_crl_) {
client_options.crl_directory = kSslTsiTestCrlSupportedCrlDirMissingRoot;
} else {
client_options.crl_directory = kSslTsiTestCrlSupportedCrlDir;
}
client_options.root_store = root_store_;
client_options.min_tls_version = GetParam();
client_options.max_tls_version = GetParam();
@ -145,11 +184,27 @@ class CrlSslTransportSecurityTest
TSI_OK);
// Create server handshaker factory.
tsi_ssl_server_handshaker_options server_options;
server_options.pem_key_cert_pairs = server_pem_key_cert_pairs_;
server_options.num_key_cert_pairs = 1;
server_options.pem_client_root_certs = root_cert_.c_str();
server_options.crl_directory = crl_directory_;
server_options.crl_provider = crl_provider_;
if (use_revoked_server_cert_) {
server_options.pem_key_cert_pairs = revoked_pem_key_cert_pairs_;
server_options.num_key_cert_pairs = kSslTsiTestRevokedKeyCertPairsNum;
} else if (!use_revoked_intermediate_) {
server_options.pem_key_cert_pairs = valid_pem_key_cert_pairs_;
server_options.num_key_cert_pairs = kSslTsiTestValidKeyCertPairsNum;
} else {
server_options.pem_key_cert_pairs =
revoked_intermediate_pem_key_cert_pairs_;
server_options.num_key_cert_pairs =
kSslTsiTestRevokedIntermedidateKeyCertPairsNum;
}
server_options.pem_client_root_certs = root_cert_;
if (use_missing_intermediate_crl_) {
server_options.crl_directory =
kSslTsiTestCrlSupportedCrlDirMissingIntermediate;
} else if (use_missing_root_crl_) {
server_options.crl_directory = kSslTsiTestCrlSupportedCrlDirMissingRoot;
} else {
server_options.crl_directory = kSslTsiTestCrlSupportedCrlDir;
}
server_options.client_certificate_request =
TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
server_options.session_ticket_key = nullptr;
@ -197,17 +252,20 @@ class CrlSslTransportSecurityTest
// 3. CRL Directory without CA's CRL with but Intermediate CA's CRL ->
// Handshake succeeds because the CRL that revokes the cert is not
// present.
bool expect_server_success = expect_server_success_;
bool expect_server_success =
!(use_revoked_server_cert_ || use_revoked_client_cert_ ||
(use_revoked_intermediate_ & !use_missing_root_crl_));
#if OPENSSL_VERSION_NUMBER >= 0x10100000
bool expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
? expect_client_success_1_2_
: expect_client_success_1_3_;
bool expect_client_success =
GetParam() == tsi_tls_version::TSI_TLS1_2
? expect_server_success
: !(use_revoked_server_cert_ ||
(use_revoked_intermediate_ & !use_missing_root_crl_));
#else
// If using OpenSSL version < 1.1, the CRL revocation won't
// be enabled anyways, so we always expect the connection to
// be successful.
// If using OpenSSL version < 1.1, the CRL revocation won't be enabled
// anyways, so we always expect the connection to be successful.
expect_server_success = true;
expect_client_success = expect_server_success;
bool expect_client_success = expect_server_success;
#endif
tsi_peer peer;
if (expect_client_success) {
@ -228,30 +286,41 @@ class CrlSslTransportSecurityTest
}
}
static void PemKeyCertPairDestroy(tsi_ssl_pem_key_cert_pair kp) {
gpr_free(const_cast<char*>(kp.private_key));
gpr_free(const_cast<char*>(kp.cert_chain));
}
static void Destruct(tsi_test_fixture* fixture) {
auto* self = reinterpret_cast<SslTsiTestFixture*>(fixture);
delete self;
}
static char* LoadFile(absl::string_view file_path) {
grpc_slice slice;
GPR_ASSERT(grpc_load_file(file_path.data(), 1, &slice) ==
absl::OkStatus());
char* data = grpc_slice_to_c_string(slice);
grpc_slice_unref(slice);
return data;
}
static struct tsi_test_fixture_vtable kVtable;
tsi_test_fixture base_;
std::string root_cert_;
bool use_revoked_server_cert_;
bool use_revoked_client_cert_;
bool use_faulty_crl_directory_;
bool use_revoked_intermediate_;
bool use_missing_intermediate_crl_;
bool use_missing_root_crl_;
char* root_cert_;
tsi_ssl_root_certs_store* root_store_;
tsi_ssl_pem_key_cert_pair* revoked_pem_key_cert_pairs_;
tsi_ssl_pem_key_cert_pair* valid_pem_key_cert_pairs_;
tsi_ssl_pem_key_cert_pair* revoked_intermediate_pem_key_cert_pairs_;
tsi_ssl_server_handshaker_factory* server_handshaker_factory_;
tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
std::string server_key_;
std::string server_cert_;
std::string client_key_;
std::string client_cert_;
const char* crl_directory_;
bool expect_server_success_;
bool expect_client_success_1_2_;
bool expect_client_success_1_3_;
tsi_ssl_pem_key_cert_pair* client_pem_key_cert_pairs_;
tsi_ssl_pem_key_cert_pair* server_pem_key_cert_pairs_;
std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider_;
};
};
@ -262,149 +331,55 @@ struct tsi_test_fixture_vtable
&CrlSslTransportSecurityTest::SslTsiTestFixture::Destruct};
TEST_P(CrlSslTransportSecurityTest, RevokedServerCert) {
auto* fixture = new SslTsiTestFixture(
kRevokedKeyPath, kRevokedCertPath, kValidKeyPath, kValidCertPath,
kSslTsiTestCrlSupportedCrlDir, nullptr, false, false, false);
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/true,
/*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, RevokedClientCert) {
auto* fixture = new SslTsiTestFixture(
kValidKeyPath, kValidCertPath, kRevokedKeyPath, kRevokedCertPath,
kSslTsiTestCrlSupportedCrlDir, nullptr, false, false, true);
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/true,
/*use_faulty_crl_directory=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, ValidCerts) {
auto* fixture = new SslTsiTestFixture(
kValidKeyPath, kValidCertPath, kValidKeyPath, kValidCertPath,
kSslTsiTestCrlSupportedCrlDir, nullptr, true, true, true);
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, UseFaultyCrlDirectory) {
auto* fixture = new SslTsiTestFixture(
kRevokedKeyPath, kRevokedCertPath, kValidKeyPath, kValidCertPath,
kSslTsiTestFaultyCrlsDir, nullptr, true, true, true);
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/true);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, UseRevokedIntermediateValidCrl) {
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, kSslTsiTestCrlSupportedCrlDir, nullptr, false, false,
false);
TEST_P(CrlSslTransportSecurityTest, UseRevokedIntermediate) {
auto* fixture = SslTsiTestFixture::CreateWithIntermediate(
/*use_revoked_intermediate=*/true,
/*use_missing_intermediate_crl=*/false,
/*use_missing_root_crl=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest,
UseRevokedIntermediateWithMissingIntermediateCrl) {
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, kSslTsiTestCrlSupportedCrlDirMissingIntermediate, nullptr,
false, false, false);
auto* fixture = SslTsiTestFixture::CreateWithIntermediate(
/*use_revoked_intermediate=*/true,
/*use_missing_intermediate_crl=*/true,
/*use_missing_root_crl=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, UseRevokedIntermediateWithMissingRootCrl) {
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, kSslTsiTestCrlSupportedCrlDirMissingRoot, nullptr, true,
true, true);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, CrlProviderValidCerts) {
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
std::string intermediate_crl =
grpc_core::testing::GetFileContents(kIntermediateCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider(
{root_crl, intermediate_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(kValidKeyPath, kValidCertPath,
kValidKeyPath, kValidCertPath, nullptr,
*provider, true, true, true);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, CrlProviderRevokedServer) {
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
std::string intermediate_crl =
grpc_core::testing::GetFileContents(kIntermediateCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider(
{root_crl, intermediate_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(kRevokedKeyPath, kRevokedCertPath,
kValidKeyPath, kValidCertPath, nullptr,
*provider, false, false, false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, CrlProviderRevokedClient) {
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
std::string intermediate_crl =
grpc_core::testing::GetFileContents(kIntermediateCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider(
{root_crl, intermediate_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(kValidKeyPath, kValidCertPath,
kRevokedKeyPath, kRevokedCertPath,
nullptr, *provider, false, false, true);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, CrlProviderRevokedIntermediateValidCrl) {
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
std::string intermediate_crl =
grpc_core::testing::GetFileContents(kIntermediateCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider(
{root_crl, intermediate_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, nullptr, *provider, false, false, false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest,
CrlProviderRevokedIntermediateMissingIntermediateCrl) {
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider({root_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, nullptr, *provider, false, false, false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest,
CrlProviderRevokedIntermediateMissingRootCrl) {
std::string intermediate_crl =
grpc_core::testing::GetFileContents(kIntermediateCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider =
grpc_core::experimental::CreateStaticCrlProvider({intermediate_crl});
ASSERT_TRUE(provider.ok());
auto* fixture = new SslTsiTestFixture(
kRevokedIntermediateKeyPath, kRevokedIntermediateCertPath, kValidKeyPath,
kValidCertPath, nullptr, *provider, true, true, true);
auto* fixture = SslTsiTestFixture::CreateWithIntermediate(
/*use_revoked_intermediate=*/true,
/*use_missing_intermediate_crl=*/false,
/*use_missing_root_crl=*/true);
fixture->Run();
}
@ -415,11 +390,6 @@ std::string TestNameSuffix(
return "TLS_1_3";
}
// TODO(gtcooke94) Add nullptr issuer test cases - this is not simple to test
// the way the code is currently designed - we plan to refactor ways the OpenSSL
// callback functions are written to have more easily testable chunks in
// ssl_transport_security_utils and will add nullptr issuer tests at that time.
INSTANTIATE_TEST_SUITE_P(TLSVersionsTest, CrlSslTransportSecurityTest,
testing::Values(tsi_tls_version::TSI_TLS1_2,
tsi_tls_version::TSI_TLS1_3),

2
test/core/tsi/test_creds/crl_data/crls/BUILD
Unescape View File

@ -17,6 +17,4 @@ licenses(["notice"])
exports_files([
"ab06acdd.r0",
"b9322cac.r0",
"current.crl",
"intermediate.crl",
])

5
test/core/util/tls_utils.cc
Unescape View File

@ -13,7 +13,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
//
#include <grpc/support/port_platform.h>
#include "test/core/util/tls_utils.h"
@ -139,8 +138,8 @@ void DestroyExternalVerifier(void* arg) {
void AsyncExternalVerifier::Destruct(void* user_data) {
auto* self = static_cast<AsyncExternalVerifier*>(user_data);
// Spawn a detached thread to destroy the verifier, to make sure that we
// don't try to join the worker thread from within the worker thread.
// Spawn a detached thread to destroy the verifier, to make sure that we don't
// try to join the worker thread from within the worker thread.
Thread destroy_thread("DestroyExternalVerifier", DestroyExternalVerifier,
self, nullptr, Thread::Options().set_joinable(false));
destroy_thread.Start();

1
test/cpp/client/BUILD
Unescape View File

@ -33,7 +33,6 @@ grpc_cc_test(
"//:gpr",
"//:grpc",
"//:grpc++",
"//src/core:grpc_crl_provider",
"//test/core/util:grpc_test_util",
"//test/cpp/util:tls_test_utils",
],

25
test/cpp/client/credentials_test.cc
Unescape View File

@ -22,7 +22,6 @@
#include <gtest/gtest.h>
#include <grpc/grpc.h>
#include <grpc/grpc_crl_provider.h>
#include <grpc/grpc_security.h>
#include <grpcpp/security/credentials.h>
#include <grpcpp/security/server_credentials.h>
@ -398,30 +397,6 @@ TEST(CredentialsTest, TlsChannelCredentialsWithCrlDirectory) {
GPR_ASSERT(channel_credentials.get() != nullptr);
}
TEST(CredentialsTest, TlsChannelCredentialsWithCrlProvider) {
auto provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(provider.ok());
grpc::experimental::TlsChannelCredentialsOptions options;
options.set_crl_provider(*provider);
auto channel_credentials = grpc::experimental::TlsCredentials(options);
GPR_ASSERT(channel_credentials.get() != nullptr);
}
TEST(CredentialsTest, TlsChannelCredentialsWithCrlProviderAndDirectory) {
auto provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(provider.ok());
grpc::experimental::TlsChannelCredentialsOptions options;
options.set_crl_directory(CRL_DIR_PATH);
options.set_crl_provider(*provider);
auto channel_credentials = grpc::experimental::TlsCredentials(options);
// TODO(gtcooke94) - behavior might change to make this return nullptr in the
// future
GPR_ASSERT(channel_credentials.get() != nullptr);
}
// TODO(gtcooke94) - Add test to make sure Tls*CredentialsOptions does not leak
// when not moved into TlsCredentials
} // namespace
} // namespace testing
} // namespace grpc

27
test/cpp/end2end/BUILD
Unescape View File

@ -1037,30 +1037,3 @@ grpc_cc_test(
"//test/cpp/util:test_util",
],
)
grpc_cc_test(
name = "crl_provider_test",
srcs = ["crl_provider_test.cc"],
data = [
"//test/core/tsi/test_creds/crl_data:ca.pem",
"//test/core/tsi/test_creds/crl_data:revoked.key",
"//test/core/tsi/test_creds/crl_data:revoked.pem",
"//test/core/tsi/test_creds/crl_data:valid.key",
"//test/core/tsi/test_creds/crl_data:valid.pem",
"//test/core/tsi/test_creds/crl_data/crls:current.crl",
],
external_deps = [
"gtest",
],
tags = ["crl_provider_test"],
deps = [
":test_service_impl",
"//:gpr",
"//:grpc",
"//:grpc++",
"//src/proto/grpc/testing:echo_messages_proto",
"//src/proto/grpc/testing:echo_proto",
"//test/core/util:grpc_test_util",
"//test/cpp/util:test_util",
],
)

221
test/cpp/end2end/crl_provider_test.cc
Unescape View File

@ -1,221 +0,0 @@
//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
#include <memory>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include "absl/synchronization/notification.h"
#include <grpc/grpc_security.h>
#include <grpcpp/channel.h>
#include <grpcpp/client_context.h>
#include <grpcpp/create_channel.h>
#include <grpcpp/security/credentials.h>
#include <grpcpp/security/server_credentials.h>
#include <grpcpp/server.h>
#include <grpcpp/server_builder.h>
#include "src/core/lib/iomgr/load_file.h"
#include "src/cpp/client/secure_credentials.h"
#include "test/core/util/port.h"
#include "test/core/util/test_config.h"
#include "test/core/util/tls_utils.h"
#include "test/cpp/end2end/test_service_impl.h"
namespace grpc {
namespace testing {
namespace {
const char* kRootPath = "test/core/tsi/test_creds/crl_data/ca.pem";
const char* kRevokedKeyPath = "test/core/tsi/test_creds/crl_data/revoked.key";
const char* kRevokedCertPath = "test/core/tsi/test_creds/crl_data/revoked.pem";
const char* kValidKeyPath = "test/core/tsi/test_creds/crl_data/valid.key";
const char* kValidCertPath = "test/core/tsi/test_creds/crl_data/valid.pem";
const char* kRootCrlPath = "test/core/tsi/test_creds/crl_data/crls/current.crl";
constexpr char kMessage[] = "Hello";
class CrlProviderTest : public ::testing::Test {
protected:
void RunServer(absl::Notification* notification, absl::string_view server_key,
absl::string_view server_cert) {
experimental::IdentityKeyCertPair key_cert_pair;
std::string root = grpc_core::testing::GetFileContents(kRootPath);
key_cert_pair.private_key = server_key.data();
key_cert_pair.certificate_chain = server_cert.data();
std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
identity_key_cert_pairs.emplace_back(key_cert_pair);
auto certificate_provider =
std::make_shared<experimental::StaticDataCertificateProvider>(
root, identity_key_cert_pairs);
grpc::experimental::TlsServerCredentialsOptions options(
certificate_provider);
options.watch_root_certs();
options.set_root_cert_name("root");
options.watch_identity_key_cert_pairs();
options.set_identity_cert_name("identity");
options.set_cert_request_type(
GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
auto server_credentials = grpc::experimental::TlsServerCredentials(options);
GPR_ASSERT(server_credentials.get() != nullptr);
grpc::ServerBuilder builder;
TestServiceImpl service_;
builder.AddListeningPort(server_addr_, server_credentials);
builder.RegisterService("foo.test.google.fr", &service_);
server_ = builder.BuildAndStart();
notification->Notify();
server_->Wait();
}
void TearDown() override {
if (server_ != nullptr) {
server_->Shutdown();
server_thread_->join();
delete server_thread_;
}
}
TestServiceImpl service_;
std::unique_ptr<Server> server_ = nullptr;
std::thread* server_thread_ = nullptr;
std::string server_addr_;
};
void DoRpc(const std::string& server_addr,
const experimental::TlsChannelCredentialsOptions& tls_options,
bool expect_success) {
ChannelArguments channel_args;
channel_args.SetSslTargetNameOverride("foo.test.google.fr");
std::shared_ptr<Channel> channel = grpc::CreateCustomChannel(
server_addr, grpc::experimental::TlsCredentials(tls_options),
channel_args);
auto stub = grpc::testing::EchoTestService::NewStub(channel);
grpc::testing::EchoRequest request;
grpc::testing::EchoResponse response;
request.set_message(kMessage);
ClientContext context;
context.set_deadline(grpc_timeout_seconds_to_deadline(/*time_s=*/10));
grpc::Status result = stub->Echo(&context, request, &response);
if (expect_success) {
EXPECT_TRUE(result.ok());
if (!result.ok()) {
gpr_log(GPR_ERROR, "%s, %s", result.error_message().c_str(),
result.error_details().c_str());
}
EXPECT_EQ(response.message(), kMessage);
} else {
EXPECT_FALSE(result.ok());
}
}
TEST_F(CrlProviderTest, CrlProviderValid) {
server_addr_ = absl::StrCat("localhost:",
std::to_string(grpc_pick_unused_port_or_die()));
absl::Notification notification;
std::string server_key = grpc_core::testing::GetFileContents(kValidKeyPath);
std::string server_cert = grpc_core::testing::GetFileContents(kValidCertPath);
server_thread_ = new std::thread(
[&]() { RunServer(&notification, server_key, server_cert); });
notification.WaitForNotification();
std::string root_cert = grpc_core::testing::GetFileContents(kRootPath);
std::string client_key = grpc_core::testing::GetFileContents(kValidKeyPath);
std::string client_cert = grpc_core::testing::GetFileContents(kValidCertPath);
experimental::IdentityKeyCertPair key_cert_pair;
key_cert_pair.private_key = client_key;
key_cert_pair.certificate_chain = client_cert;
std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
identity_key_cert_pairs.emplace_back(key_cert_pair);
auto certificate_provider =
std::make_shared<experimental::StaticDataCertificateProvider>(
root_cert, identity_key_cert_pairs);
grpc::experimental::TlsChannelCredentialsOptions options;
options.set_certificate_provider(certificate_provider);
options.watch_root_certs();
options.set_root_cert_name("root");
options.watch_identity_key_cert_pairs();
options.set_identity_cert_name("identity");
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider({root_crl});
ASSERT_TRUE(provider.ok());
options.set_crl_provider(*provider);
options.set_check_call_host(false);
auto verifier = std::make_shared<experimental::NoOpCertificateVerifier>();
options.set_certificate_verifier(verifier);
DoRpc(server_addr_, options, true);
}
TEST_F(CrlProviderTest, CrlProviderRevokedServer) {
server_addr_ = absl::StrCat("localhost:",
std::to_string(grpc_pick_unused_port_or_die()));
absl::Notification notification;
std::string server_key = grpc_core::testing::GetFileContents(kRevokedKeyPath);
std::string server_cert =
grpc_core::testing::GetFileContents(kRevokedCertPath);
server_thread_ = new std::thread(
[&]() { RunServer(&notification, server_key, server_cert); });
notification.WaitForNotification();
std::string root_cert = grpc_core::testing::GetFileContents(kRootPath);
std::string client_key = grpc_core::testing::GetFileContents(kValidKeyPath);
std::string client_cert = grpc_core::testing::GetFileContents(kValidCertPath);
experimental::IdentityKeyCertPair key_cert_pair;
key_cert_pair.private_key = client_key;
key_cert_pair.certificate_chain = client_cert;
std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
identity_key_cert_pairs.emplace_back(key_cert_pair);
auto certificate_provider =
std::make_shared<experimental::StaticDataCertificateProvider>(
root_cert, identity_key_cert_pairs);
grpc::experimental::TlsChannelCredentialsOptions options;
options.set_certificate_provider(certificate_provider);
options.watch_root_certs();
options.set_root_cert_name("root");
options.watch_identity_key_cert_pairs();
options.set_identity_cert_name("identity");
std::string root_crl = grpc_core::testing::GetFileContents(kRootCrlPath);
absl::StatusOr<std::shared_ptr<grpc_core::experimental::CrlProvider>>
provider = grpc_core::experimental::CreateStaticCrlProvider({root_crl});
ASSERT_TRUE(provider.ok());
options.set_crl_provider(*provider);
options.set_check_call_host(false);
auto verifier = std::make_shared<experimental::NoOpCertificateVerifier>();
options.set_certificate_verifier(verifier);
DoRpc(server_addr_, options, false);
}
} // namespace
} // namespace testing
} // namespace grpc
int main(int argc, char** argv) {
grpc::testing::TestEnvironment env(&argc, argv);
::testing::InitGoogleTest(&argc, argv);
int ret = RUN_ALL_TESTS();
return ret;
}

1
test/cpp/server/BUILD
Unescape View File

@ -78,7 +78,6 @@ grpc_cc_test(
"//:gpr",
"//:grpc",
"//:grpc++",
"//:grpc++_base",
"//test/core/util:grpc_test_util",
"//test/cpp/util:tls_test_utils",
],

30
test/cpp/server/credentials_test.cc
Unescape View File

@ -20,11 +20,9 @@
#include <gtest/gtest.h>
#include <grpc/grpc.h>
#include <grpc/grpc_crl_provider.h>
#include <grpc/grpc_security.h>
#include <grpcpp/security/server_credentials.h>
#include <grpcpp/security/tls_credentials_options.h>
#include <grpcpp/security/tls_crl_provider.h>
#include "src/cpp/client/secure_credentials.h"
#include "test/core/util/port.h"
@ -178,34 +176,6 @@ TEST(CredentialsTest, TlsServerCredentialsWithAsyncExternalVerifier) {
GPR_ASSERT(server_credentials.get() != nullptr);
}
TEST(CredentialsTest, TlsServerCredentialsWithCrlProvider) {
auto provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(provider.ok());
auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
options.set_crl_provider(*provider);
auto channel_credentials = grpc::experimental::TlsServerCredentials(options);
GPR_ASSERT(channel_credentials.get() != nullptr);
}
TEST(CredentialsTest, TlsServerCredentialsWithCrlProviderAndDirectory) {
auto provider = experimental::CreateStaticCrlProvider({});
ASSERT_TRUE(provider.ok());
auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
options.set_crl_directory(CRL_DIR_PATH);
options.set_crl_provider(*provider);
auto server_credentials = grpc::experimental::TlsServerCredentials(options);
// TODO(gtcooke94) - behavior might change to make this return nullptr in
// the future
GPR_ASSERT(server_credentials != nullptr);
}
// TODO(gtcooke94) - Add test to make sure Tls*CredentialsOptions does not leak
// when not moved into TlsCredentials
} // namespace
} // namespace testing
} // namespace grpc

10
tools/codegen/core/gen_grpc_tls_credentials_options.py
Unescape View File

@ -220,16 +220,6 @@ _DATA_MEMBERS = [
test_value_1='"crl_directory_1"',
test_value_2='"crl_directory_2"',
),
DataMember(
name="crl_provider",
type="std::shared_ptr<grpc_core::experimental::CrlProvider>",
getter_comment=("Returns the CRL Provider"),
setter_move_semantics=True,
special_comparator=("(crl_provider_ == other.crl_provider_)"),
test_name="DifferentCrlProvider",
test_value_1=("*experimental::CreateStaticCrlProvider({})"),
test_value_2=("*experimental::CreateStaticCrlProvider({})"),
),
DataMember(
name="send_client_ca_list",
type="bool",

1
tools/distrib/fix_build_deps.py
Unescape View File

@ -150,7 +150,6 @@ EXTERNAL_DEPS = {
"openssl/err.h": "libcrypto",
"openssl/evp.h": "libcrypto",
"openssl/hmac.h": "libcrypto",
"openssl/mem.h": "libcrypto",
"openssl/param_build.h": "libcrypto",
"openssl/pem.h": "libcrypto",
"openssl/rsa.h": "libcrypto",

2
tools/doxygen/Doxyfile.c++ generated
Unescape View File

@ -892,7 +892,6 @@ include/grpc/event_engine/slice_buffer.h \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \
@ -1048,7 +1047,6 @@ include/grpcpp/security/server_credentials.h \
include/grpcpp/security/tls_certificate_provider.h \
include/grpcpp/security/tls_certificate_verifier.h \
include/grpcpp/security/tls_credentials_options.h \
include/grpcpp/security/tls_crl_provider.h \
include/grpcpp/server.h \
include/grpcpp/server_builder.h \
include/grpcpp/server_context.h \

4
tools/doxygen/Doxyfile.c++.internal generated
Unescape View File

@ -892,7 +892,6 @@ include/grpc/event_engine/slice_buffer.h \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \
@ -1048,7 +1047,6 @@ include/grpcpp/security/server_credentials.h \
include/grpcpp/security/tls_certificate_provider.h \
include/grpcpp/security/tls_certificate_verifier.h \
include/grpcpp/security/tls_credentials_options.h \
include/grpcpp/security/tls_crl_provider.h \
include/grpcpp/server.h \
include/grpcpp/server_builder.h \
include/grpcpp/server_context.h \
@ -2596,8 +2594,6 @@ src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc \
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h \
src/core/lib/security/credentials/tls/tls_credentials.cc \
src/core/lib/security/credentials/tls/tls_credentials.h \
src/core/lib/security/credentials/tls/tls_utils.cc \

1
tools/doxygen/Doxyfile.core generated
Unescape View File

@ -825,7 +825,6 @@ include/grpc/event_engine/slice_buffer.h \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \

3
tools/doxygen/Doxyfile.core.internal generated
Unescape View File

@ -825,7 +825,6 @@ include/grpc/event_engine/slice_buffer.h \
include/grpc/fork.h \
include/grpc/grpc.h \
include/grpc/grpc_audit_logging.h \
include/grpc/grpc_crl_provider.h \
include/grpc/grpc_posix.h \
include/grpc/grpc_security.h \
include/grpc/grpc_security_constants.h \
@ -2375,8 +2374,6 @@ src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc \
src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc \
src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h \
src/core/lib/security/credentials/tls/tls_credentials.cc \
src/core/lib/security/credentials/tls/tls_credentials.h \
src/core/lib/security/credentials/tls/tls_utils.cc \

48
tools/run_tests/generated/tests.json generated
Unescape View File

@ -2615,30 +2615,6 @@
],
"uses_polling": false
},
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": true,
"language": "c++",
"name": "crl_provider_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
@ -4231,30 +4207,6 @@
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": true,
"language": "c++",
"name": "grpc_tls_crl_provider_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{
"args": [],
"benchmark": false,

Write Preview
Loading…
Cancel
Save