Merge pull request #12809 from justinburke/convert_cert_pairs

Expose conversion of grpc to tsi cert pairs
reviewable/pr12644/r10^2
Justin Burke 7 years ago committed by GitHub
commit 80eee985f4
  1. 31
      CMakeLists.txt
  2. 36
      Makefile
  3. 10
      build.yaml
  4. 60
      src/core/lib/security/credentials/ssl/ssl_credentials.cc
  5. 15
      src/core/lib/security/credentials/ssl/ssl_credentials.h
  6. 7
      src/core/lib/security/transport/security_connector.cc
  7. 2
      src/core/lib/security/transport/security_connector.h
  8. 12
      test/core/security/BUILD
  9. 66
      test/core/security/ssl_credentials_test.c
  10. 17
      tools/run_tests/generated/sources_and_headers.json
  11. 24
      tools/run_tests/generated/tests.json

@ -459,6 +459,7 @@ add_dependencies(buildtests_c grpc_json_token_test)
endif() endif()
add_dependencies(buildtests_c grpc_jwt_verifier_test) add_dependencies(buildtests_c grpc_jwt_verifier_test)
add_dependencies(buildtests_c grpc_security_connector_test) add_dependencies(buildtests_c grpc_security_connector_test)
add_dependencies(buildtests_c grpc_ssl_credentials_test)
if(_gRPC_PLATFORM_LINUX) if(_gRPC_PLATFORM_LINUX)
add_dependencies(buildtests_c handshake_client) add_dependencies(buildtests_c handshake_client)
endif() endif()
@ -7290,6 +7291,36 @@ target_link_libraries(grpc_security_connector_test
gpr gpr
) )
endif (gRPC_BUILD_TESTS)
if (gRPC_BUILD_TESTS)
add_executable(grpc_ssl_credentials_test
test/core/security/ssl_credentials_test.c
)
target_include_directories(grpc_ssl_credentials_test
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
PRIVATE ${BORINGSSL_ROOT_DIR}/include
PRIVATE ${PROTOBUF_ROOT_DIR}/src
PRIVATE ${BENCHMARK_ROOT_DIR}/include
PRIVATE ${ZLIB_ROOT_DIR}
PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/third_party/zlib
PRIVATE ${CARES_INCLUDE_DIR}
PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/third_party/cares/cares
PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/third_party/gflags/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/third_party/abseil-cpp
)
target_link_libraries(grpc_ssl_credentials_test
${_gRPC_ALLTARGETS_LIBRARIES}
grpc_test_util
grpc
gpr_test_util
gpr
)
endif (gRPC_BUILD_TESTS) endif (gRPC_BUILD_TESTS)
add_executable(grpc_verify_jwt add_executable(grpc_verify_jwt

@ -1019,6 +1019,7 @@ grpc_json_token_test: $(BINDIR)/$(CONFIG)/grpc_json_token_test
grpc_jwt_verifier_test: $(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test grpc_jwt_verifier_test: $(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test
grpc_print_google_default_creds_token: $(BINDIR)/$(CONFIG)/grpc_print_google_default_creds_token grpc_print_google_default_creds_token: $(BINDIR)/$(CONFIG)/grpc_print_google_default_creds_token
grpc_security_connector_test: $(BINDIR)/$(CONFIG)/grpc_security_connector_test grpc_security_connector_test: $(BINDIR)/$(CONFIG)/grpc_security_connector_test
grpc_ssl_credentials_test: $(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test
grpc_verify_jwt: $(BINDIR)/$(CONFIG)/grpc_verify_jwt grpc_verify_jwt: $(BINDIR)/$(CONFIG)/grpc_verify_jwt
handshake_client: $(BINDIR)/$(CONFIG)/handshake_client handshake_client: $(BINDIR)/$(CONFIG)/handshake_client
handshake_server: $(BINDIR)/$(CONFIG)/handshake_server handshake_server: $(BINDIR)/$(CONFIG)/handshake_server
@ -1413,6 +1414,7 @@ buildtests_c: privatelibs_c \
$(BINDIR)/$(CONFIG)/grpc_json_token_test \ $(BINDIR)/$(CONFIG)/grpc_json_token_test \
$(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test \ $(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test \
$(BINDIR)/$(CONFIG)/grpc_security_connector_test \ $(BINDIR)/$(CONFIG)/grpc_security_connector_test \
$(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test \
$(BINDIR)/$(CONFIG)/handshake_client \ $(BINDIR)/$(CONFIG)/handshake_client \
$(BINDIR)/$(CONFIG)/handshake_server \ $(BINDIR)/$(CONFIG)/handshake_server \
$(BINDIR)/$(CONFIG)/hpack_parser_test \ $(BINDIR)/$(CONFIG)/hpack_parser_test \
@ -1886,6 +1888,8 @@ test_c: buildtests_c
$(Q) $(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test || ( echo test grpc_jwt_verifier_test failed ; exit 1 ) $(Q) $(BINDIR)/$(CONFIG)/grpc_jwt_verifier_test || ( echo test grpc_jwt_verifier_test failed ; exit 1 )
$(E) "[RUN] Testing grpc_security_connector_test" $(E) "[RUN] Testing grpc_security_connector_test"
$(Q) $(BINDIR)/$(CONFIG)/grpc_security_connector_test || ( echo test grpc_security_connector_test failed ; exit 1 ) $(Q) $(BINDIR)/$(CONFIG)/grpc_security_connector_test || ( echo test grpc_security_connector_test failed ; exit 1 )
$(E) "[RUN] Testing grpc_ssl_credentials_test"
$(Q) $(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test || ( echo test grpc_ssl_credentials_test failed ; exit 1 )
$(E) "[RUN] Testing handshake_client" $(E) "[RUN] Testing handshake_client"
$(Q) $(BINDIR)/$(CONFIG)/handshake_client || ( echo test handshake_client failed ; exit 1 ) $(Q) $(BINDIR)/$(CONFIG)/handshake_client || ( echo test handshake_client failed ; exit 1 )
$(E) "[RUN] Testing handshake_server" $(E) "[RUN] Testing handshake_server"
@ -11119,6 +11123,38 @@ endif
endif endif
GRPC_SSL_CREDENTIALS_TEST_SRC = \
test/core/security/ssl_credentials_test.c \
GRPC_SSL_CREDENTIALS_TEST_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(GRPC_SSL_CREDENTIALS_TEST_SRC))))
ifeq ($(NO_SECURE),true)
# You can't build secure targets if you don't have OpenSSL.
$(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test: openssl_dep_error
else
$(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test: $(GRPC_SSL_CREDENTIALS_TEST_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
$(E) "[LD] Linking $@"
$(Q) mkdir -p `dirname $@`
$(Q) $(LD) $(LDFLAGS) $(GRPC_SSL_CREDENTIALS_TEST_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -o $(BINDIR)/$(CONFIG)/grpc_ssl_credentials_test
endif
$(OBJDIR)/$(CONFIG)/test/core/security/ssl_credentials_test.o: $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
deps_grpc_ssl_credentials_test: $(GRPC_SSL_CREDENTIALS_TEST_OBJS:.o=.dep)
ifneq ($(NO_SECURE),true)
ifneq ($(NO_DEPS),true)
-include $(GRPC_SSL_CREDENTIALS_TEST_OBJS:.o=.dep)
endif
endif
GRPC_VERIFY_JWT_SRC = \ GRPC_VERIFY_JWT_SRC = \
test/core/security/verify_jwt.c \ test/core/security/verify_jwt.c \

@ -2540,6 +2540,16 @@ targets:
- grpc - grpc
- gpr_test_util - gpr_test_util
- gpr - gpr
- name: grpc_ssl_credentials_test
build: test
language: c
src:
- test/core/security/ssl_credentials_test.c
deps:
- grpc_test_util
- grpc
- gpr_test_util
- gpr
- name: grpc_verify_jwt - name: grpc_verify_jwt
build: tool build: tool
language: c language: c

@ -31,18 +31,21 @@
// SSL Channel Credentials. // SSL Channel Credentials.
// //
static void ssl_config_pem_key_cert_pair_destroy( void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair *kp,
tsi_ssl_pem_key_cert_pair *kp) { size_t num_key_cert_pairs) {
if (kp == NULL) return; if (kp == NULL) return;
gpr_free((void *)kp->private_key); for (size_t i = 0; i < num_key_cert_pairs; i++) {
gpr_free((void *)kp->cert_chain); gpr_free((void *)kp[i].private_key);
gpr_free((void *)kp[i].cert_chain);
}
gpr_free(kp);
} }
static void ssl_destruct(grpc_exec_ctx *exec_ctx, static void ssl_destruct(grpc_exec_ctx *exec_ctx,
grpc_channel_credentials *creds) { grpc_channel_credentials *creds) {
grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds; grpc_ssl_credentials *c = (grpc_ssl_credentials *)creds;
gpr_free(c->config.pem_root_certs); gpr_free(c->config.pem_root_certs);
ssl_config_pem_key_cert_pair_destroy(&c->config.pem_key_cert_pair); grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pair, 1);
} }
static grpc_security_status ssl_create_security_connector( static grpc_security_status ssl_create_security_connector(
@ -85,9 +88,11 @@ static void ssl_build_config(const char *pem_root_certs,
if (pem_key_cert_pair != NULL) { if (pem_key_cert_pair != NULL) {
GPR_ASSERT(pem_key_cert_pair->private_key != NULL); GPR_ASSERT(pem_key_cert_pair->private_key != NULL);
GPR_ASSERT(pem_key_cert_pair->cert_chain != NULL); GPR_ASSERT(pem_key_cert_pair->cert_chain != NULL);
config->pem_key_cert_pair.cert_chain = config->pem_key_cert_pair = (tsi_ssl_pem_key_cert_pair *)gpr_zalloc(
sizeof(tsi_ssl_pem_key_cert_pair));
config->pem_key_cert_pair->cert_chain =
gpr_strdup(pem_key_cert_pair->cert_chain); gpr_strdup(pem_key_cert_pair->cert_chain);
config->pem_key_cert_pair.private_key = config->pem_key_cert_pair->private_key =
gpr_strdup(pem_key_cert_pair->private_key); gpr_strdup(pem_key_cert_pair->private_key);
} }
} }
@ -117,11 +122,8 @@ grpc_channel_credentials *grpc_ssl_credentials_create(
static void ssl_server_destruct(grpc_exec_ctx *exec_ctx, static void ssl_server_destruct(grpc_exec_ctx *exec_ctx,
grpc_server_credentials *creds) { grpc_server_credentials *creds) {
grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds; grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
size_t i; grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pairs,
for (i = 0; i < c->config.num_key_cert_pairs; i++) { c->config.num_key_cert_pairs);
ssl_config_pem_key_cert_pair_destroy(&c->config.pem_key_cert_pairs[i]);
}
gpr_free(c->config.pem_key_cert_pairs);
gpr_free(c->config.pem_root_certs); gpr_free(c->config.pem_root_certs);
} }
@ -136,30 +138,36 @@ static grpc_security_status ssl_server_create_security_connector(
static grpc_server_credentials_vtable ssl_server_vtable = { static grpc_server_credentials_vtable ssl_server_vtable = {
ssl_server_destruct, ssl_server_create_security_connector}; ssl_server_destruct, ssl_server_create_security_connector};
tsi_ssl_pem_key_cert_pair *grpc_convert_grpc_to_tsi_cert_pairs(
const grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
size_t num_key_cert_pairs) {
tsi_ssl_pem_key_cert_pair *tsi_pairs = NULL;
if (num_key_cert_pairs > 0) {
GPR_ASSERT(pem_key_cert_pairs != NULL);
tsi_pairs = (tsi_ssl_pem_key_cert_pair *)gpr_zalloc(
num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair));
}
for (size_t i = 0; i < num_key_cert_pairs; i++) {
GPR_ASSERT(pem_key_cert_pairs[i].private_key != NULL);
GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != NULL);
tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain);
tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key);
}
return tsi_pairs;
}
static void ssl_build_server_config( static void ssl_build_server_config(
const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
size_t num_key_cert_pairs, size_t num_key_cert_pairs,
grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_client_certificate_request_type client_certificate_request,
grpc_ssl_server_config *config) { grpc_ssl_server_config *config) {
size_t i;
config->client_certificate_request = client_certificate_request; config->client_certificate_request = client_certificate_request;
if (pem_root_certs != NULL) { if (pem_root_certs != NULL) {
config->pem_root_certs = gpr_strdup(pem_root_certs); config->pem_root_certs = gpr_strdup(pem_root_certs);
} }
if (num_key_cert_pairs > 0) { config->pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
GPR_ASSERT(pem_key_cert_pairs != NULL); pem_key_cert_pairs, num_key_cert_pairs);
config->pem_key_cert_pairs = (tsi_ssl_pem_key_cert_pair *)gpr_zalloc(
num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair));
}
config->num_key_cert_pairs = num_key_cert_pairs; config->num_key_cert_pairs = num_key_cert_pairs;
for (i = 0; i < num_key_cert_pairs; i++) {
GPR_ASSERT(pem_key_cert_pairs[i].private_key != NULL);
GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != NULL);
config->pem_key_cert_pairs[i].cert_chain =
gpr_strdup(pem_key_cert_pairs[i].cert_chain);
config->pem_key_cert_pairs[i].private_key =
gpr_strdup(pem_key_cert_pairs[i].private_key);
}
} }
grpc_server_credentials *grpc_ssl_server_credentials_create( grpc_server_credentials *grpc_ssl_server_credentials_create(
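Review bot: grpc_tsi_ssl_pem_key_cert_pairs_destroy releases each `private_key` buffer with `gpr_free` without clearing it first, so the PEM private key text stays readable in freed heap memory until the allocator reuses it. The removed static helper behaved the same way, but this commit makes the function the single teardown path for client and server credentials and exports it, so it is the natural place to fix this once. Before the `gpr_free((void *)kp[i].private_key);` line I would wipe the bytes with something the compiler cannot elide (a plain `memset` directly before a free may be optimised away), for example `if (kp[i].private_key != NULL) OPENSSL_cleanse((void *)kp[i].private_key, strlen(kp[i].private_key));` if including the SSL library header is acceptable in this file. The buffers concerned are the `gpr_strdup` copies made in grpc_convert_grpc_to_tsi_cert_pairs and ssl_build_config.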

@ -20,6 +20,10 @@
#include "src/core/lib/security/credentials/credentials.h" #include "src/core/lib/security/credentials/credentials.h"
#ifdef __cplusplus
extern "C" {
#endif
typedef struct { typedef struct {
grpc_channel_credentials base; grpc_channel_credentials base;
grpc_ssl_config config; grpc_ssl_config config;
@ -30,4 +34,15 @@ typedef struct {
grpc_ssl_server_config config; grpc_ssl_server_config config;
} grpc_ssl_server_credentials; } grpc_ssl_server_credentials;
tsi_ssl_pem_key_cert_pair *grpc_convert_grpc_to_tsi_cert_pairs(
const grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
size_t num_key_cert_pairs);
void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair *kp,
size_t num_key_cert_pairs);
#ifdef __cplusplus
}
#endif
#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_SSL_SSL_CREDENTIALS_H */ #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_SSL_SSL_CREDENTIALS_H */
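Review bot: The two new declarations have no comment on ownership, which matters here because they hand out and free heap copies of private keys. Above grpc_convert_grpc_to_tsi_cert_pairs I would add `/* Returns a newly allocated deep copy of the pairs, or NULL when num_key_cert_pairs is 0; release it with grpc_tsi_ssl_pem_key_cert_pairs_destroy and the same count. */`. Above grpc_tsi_ssl_pem_key_cert_pairs_destroy, a line stating that it frees every key and chain and then the array itself, and accepts NULL, would stop callers passing an array they did not obtain from the conversion function. It is also worth recording that the conversion asserts on a NULL `private_key` or `cert_chain`, since that terminates the process instead of returning an error.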

@ -942,10 +942,11 @@ grpc_security_status grpc_ssl_channel_security_connector_create(
c->overridden_target_name = gpr_strdup(overridden_target_name); c->overridden_target_name = gpr_strdup(overridden_target_name);
} }
has_key_cert_pair = config->pem_key_cert_pair.private_key != NULL && has_key_cert_pair = config->pem_key_cert_pair != NULL &&
config->pem_key_cert_pair.cert_chain != NULL; config->pem_key_cert_pair->private_key != NULL &&
config->pem_key_cert_pair->cert_chain != NULL;
result = tsi_create_ssl_client_handshaker_factory( result = tsi_create_ssl_client_handshaker_factory(
has_key_cert_pair ? &config->pem_key_cert_pair : NULL, pem_root_certs, has_key_cert_pair ? config->pem_key_cert_pair : NULL, pem_root_certs,
ssl_cipher_suites(), alpn_protocol_strings, (uint16_t)num_alpn_protocols, ssl_cipher_suites(), alpn_protocol_strings, (uint16_t)num_alpn_protocols,
&c->client_handshaker_factory); &c->client_handshaker_factory);
if (result != TSI_OK) { if (result != TSI_OK) {

@ -204,7 +204,7 @@ grpc_server_security_connector *grpc_fake_server_security_connector_create(
/* Config for ssl clients. */ /* Config for ssl clients. */
typedef struct { typedef struct {
tsi_ssl_pem_key_cert_pair pem_key_cert_pair; tsi_ssl_pem_key_cert_pair *pem_key_cert_pair;
char *pem_root_certs; char *pem_root_certs;
} grpc_ssl_config; } grpc_ssl_config;
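Review bot: With `pem_key_cert_pair` now a pointer, the struct comment no longer tells a reader that the field can be NULL or who frees it. From the ssl_credentials.cc changes in this commit it is allocated only when a client key/cert pair is supplied and is released in ssl_destruct, so a field comment such as `/* Owned by the config; NULL when no client key/cert pair is set. */` would record that. Any other reader of grpc_ssl_config outside this page needs the same NULL check that grpc_ssl_channel_security_connector_create gains here.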

@ -91,6 +91,18 @@ grpc_cc_test(
], ],
) )
grpc_cc_test(
name = "ssl_credentials_test",
srcs = ["ssl_credentials_test.c"],
language = "C",
deps = [
"//:gpr",
"//:grpc",
"//test/core/util:gpr_test_util",
"//test/core/util:grpc_test_util",
]
)
grpc_cc_binary( grpc_cc_binary(
name = "create_jwt", name = "create_jwt",
srcs = ["create_jwt.c"], srcs = ["create_jwt.c"],

@ -0,0 +1,66 @@
/*
*
* Copyright 2017 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include <stdio.h>
#include <string.h>
#include <grpc/grpc_security.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
#include "src/core/tsi/ssl_transport_security.h"
#include "test/core/util/test_config.h"
static void test_convert_grpc_to_tsi_cert_pairs() {
grpc_ssl_pem_key_cert_pair grpc_pairs[] = {{"private_key1", "cert_chain1"},
{"private_key2", "cert_chain2"},
{"private_key3", "cert_chain3"}};
const size_t num_pairs = 3;
{
tsi_ssl_pem_key_cert_pair *tsi_pairs =
grpc_convert_grpc_to_tsi_cert_pairs(grpc_pairs, 0);
GPR_ASSERT(tsi_pairs == NULL);
}
{
tsi_ssl_pem_key_cert_pair *tsi_pairs =
grpc_convert_grpc_to_tsi_cert_pairs(grpc_pairs, num_pairs);
GPR_ASSERT(tsi_pairs != NULL);
for (size_t i = 0; i < num_pairs; i++) {
GPR_ASSERT(strncmp(grpc_pairs[i].private_key, tsi_pairs[i].private_key,
strlen(grpc_pairs[i].private_key)) == 0);
GPR_ASSERT(strncmp(grpc_pairs[i].cert_chain, tsi_pairs[i].cert_chain,
strlen(grpc_pairs[i].cert_chain)) == 0);
}
grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_pairs, num_pairs);
}
}
int main(int argc, char **argv) {
grpc_test_init(argc, argv);
grpc_init();
test_convert_grpc_to_tsi_cert_pairs();
grpc_shutdown();
return 0;
}
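Review bot: The comparisons in test_convert_grpc_to_tsi_cert_pairs use `strncmp` bounded by the length of the source string, so a converted key or chain that carried extra trailing bytes would still pass. `GPR_ASSERT(strcmp(grpc_pairs[i].private_key, tsi_pairs[i].private_key) == 0);` (and the same for `cert_chain`) checks the whole string. The test could also assert `tsi_pairs[i].private_key != grpc_pairs[i].private_key` to pin that the conversion makes its own copy, since the destroy call that follows frees those pointers.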

@ -1219,6 +1219,23 @@
"third_party": false, "third_party": false,
"type": "target" "type": "target"
}, },
{
"deps": [
"gpr",
"gpr_test_util",
"grpc",
"grpc_test_util"
],
"headers": [],
"is_filegroup": false,
"language": "c",
"name": "grpc_ssl_credentials_test",
"src": [
"test/core/security/ssl_credentials_test.c"
],
"third_party": false,
"type": "target"
},
{ {
"deps": [ "deps": [
"gpr", "gpr",

@ -1535,6 +1535,30 @@
], ],
"uses_polling": true "uses_polling": true
}, },
{
"args": [],
"benchmark": false,
"ci_platforms": [
"linux",
"mac",
"posix",
"windows"
],
"cpu_cost": 1.0,
"exclude_configs": [],
"exclude_iomgrs": [],
"flaky": false,
"gtest": false,
"language": "c",
"name": "grpc_ssl_credentials_test",
"platforms": [
"linux",
"mac",
"posix",
"windows"
],
"uses_polling": true
},
{ {
"args": [], "args": [],
"benchmark": false, "benchmark": false,
