added option to authenticate client using root cert chain

pull/2645/head
Jan Tattermusch 9 years ago
parent 062c329cf8
commit 88a9b32936
  1. 48
      src/csharp/Grpc.Core/Credentials.cs
  2. 1
      src/csharp/Grpc.Core/Grpc.Core.csproj
  3. 11
      src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs
  4. 4
      src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
  5. 84
      src/csharp/Grpc.Core/KeyCertificatePair.cs
  6. 67
      src/csharp/Grpc.Core/ServerCredentials.cs

@ -53,27 +53,63 @@ namespace Grpc.Core
/// </summary>
public class SslCredentials : Credentials
{
string pemRootCerts;
readonly string rootCertificates;
readonly KeyCertificatePair keyCertificatePair;
public SslCredentials(string pemRootCerts)
/// <summary>
/// Creates client-side SSL credentials loaded from
/// disk file pointed to by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
/// If that fails, gets the roots certificates from a well known place on disk.
/// </summary>
public SslCredentials() : this(null, null)
{
this.pemRootCerts = pemRootCerts;
}
/// <summary>
/// Creates client-side SSL credentials from
/// a string containing PEM encoded root certificates.
/// </summary>
public SslCredentials(string rootCertificates) : this(rootCertificates, null)
{
}
/// <summary>
/// Creates client-side SSL credentials.
/// </summary>
/// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
/// <param name="keyCertificatePair">a key certificate pair.</param>
public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair)
{
this.rootCertificates = rootCertificates;
this.keyCertificatePair = keyCertificatePair;
}
/// <summary>
/// PEM encoding of the server root certificates.
/// </summary>
public string RootCerts
public string RootCertificates
{
get
{
return this.rootCertificates;
}
}
/// <summary>
/// Client side key and certificate pair.
/// If null, client will not use key and certificate pair.
/// </summary>
public KeyCertificatePair KeyCertificatePair
{
get
{
return this.pemRootCerts;
return this.keyCertificatePair;
}
}
internal override CredentialsSafeHandle ToNativeCredentials()
{
return CredentialsSafeHandle.CreateSslCredentials(pemRootCerts);
return CredentialsSafeHandle.CreateSslCredentials(rootCertificates, keyCertificatePair);
}
}
}
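Review bot: The `rootCertificates` parameter docs on the one- and two-argument `SslCredentials` constructors do not say that null is accepted, yet the parameterless constructor chains to `this(null, null)` and documents that case as loading roots from the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH file or a well-known location. A caller who means to trust only a private CA and passes null by accident (for example after a failed file read) would therefore appear to get the default trust roots silently instead of an error. I would state this on the parameter, e.g. `/// <param name="rootCertificates">PEM encoded server root certificates; if null, the default roots are used.</param>`. The page also prints `RootCerts` next to `RootCertificates`, which looks like a rename of a public property; if so, existing callers break and the description should say so.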

@ -104,6 +104,7 @@
<Compile Include="AsyncUnaryCall.cs" />
<Compile Include="VersionInfo.cs" />
<Compile Include="Internal\CStringSafeHandle.cs" />
<Compile Include="KeyCertificatePair.cs" />
</ItemGroup>
<ItemGroup>
<None Include="Grpc.Core.nuspec" />

@ -50,9 +50,16 @@ namespace Grpc.Core.Internal
{
}
public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts)
public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts, KeyCertificatePair keyCertPair)
{
return grpcsharp_ssl_credentials_create(pemRootCerts, null, null);
if (keyCertPair != null)
{
return grpcsharp_ssl_credentials_create(pemRootCerts, keyCertPair.CertificateChain, keyCertPair.PrivateKey);
}
else
{
return grpcsharp_ssl_credentials_create(pemRootCerts, null, null);
}
}
protected override bool ReleaseHandle()

@ -51,10 +51,10 @@ namespace Grpc.Core.Internal
{
}
public static ServerCredentialsSafeHandle CreateSslCredentials(string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray)
public static ServerCredentialsSafeHandle CreateSslCredentials(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray)
{
Preconditions.CheckArgument(keyCertPairCertChainArray.Length == keyCertPairPrivateKeyArray.Length);
return grpcsharp_ssl_server_credentials_create(null,
return grpcsharp_ssl_server_credentials_create(pemRootCerts,
keyCertPairCertChainArray, keyCertPairPrivateKeyArray,
new UIntPtr((ulong)keyCertPairCertChainArray.Length));
}
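Review bot: `CreateSslCredentials` now forwards `pemRootCerts` to `grpcsharp_ssl_server_credentials_create`, but nothing here or in the `SslServerCredentials` docs says what the server does with a client that presents no certificate once roots are set. Whether the native layer requires a client certificate or only verifies one when offered is not visible from this hunk, and that difference decides whether the new option actually enforces client authentication. I would document the behaviour on the public constructor, e.g. `/// <param name="rootCertificates">PEM encoded client root certificates; null disables client certificate verification.</param>`, plus one sentence on the no-certificate case once it is confirmed against the native implementation.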

@ -0,0 +1,84 @@
#region Copyright notice and license
// Copyright 2015, Google Inc.
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#endregion
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Grpc.Core.Internal;
using Grpc.Core.Utils;
namespace Grpc.Core
{
/// <summary>
/// Key certificate pair (in PEM encoding).
/// </summary>
public sealed class KeyCertificatePair
{
readonly string certificateChain;
readonly string privateKey;
/// <summary>
/// Creates a new certificate chain - private key pair.
/// </summary>
/// <param name="certificateChain">PEM encoded certificate chain.</param>
/// <param name="privateKey">PEM encoded private key.</param>
public KeyCertificatePair(string certificateChain, string privateKey)
{
this.certificateChain = Preconditions.CheckNotNull(certificateChain);
this.privateKey = Preconditions.CheckNotNull(privateKey);
}
/// <summary>
/// PEM encoded certificate chain.
/// </summary>
public string CertificateChain
{
get
{
return certificateChain;
}
}
/// <summary>
/// PEM encoded private key.
/// </summary>
public string PrivateKey
{
get
{
return privateKey;
}
}
}
}
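Review bot: `PrivateKey` is a public getter that returns the PEM private key as an ordinary string, and its summary gives no handling guidance. A managed string cannot be cleared after use and the value stays reachable for as long as the credentials object does, so I would add a remark that this is secret material, e.g. `/// <remarks>Secret key material; do not log or persist this value.</remarks>`. Separately, the new file appears to use only `Preconditions` from `Grpc.Core.Utils`; `using System.Collections.Immutable;` and the other usings look unused here and could be dropped.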

@ -35,6 +35,7 @@ using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Grpc.Core.Internal;
using Grpc.Core.Utils;
namespace Grpc.Core
{
@ -51,59 +52,69 @@ namespace Grpc.Core
}
/// <summary>
/// Key certificate pair (in PEM encoding).
/// Server-side SSL credentials.
/// </summary>
public class KeyCertificatePair
public class SslServerCredentials : ServerCredentials
{
readonly string certChain;
readonly string privateKey;
readonly IList<KeyCertificatePair> keyCertificatePairs;
readonly string rootCertificates;
public KeyCertificatePair(string certChain, string privateKey)
/// <summary>
/// Creates server-side SSL credentials.
/// </summary>
/// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param>
/// <param name="keyCertificatePairs">Key-certificates to use.</param>
public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates)
{
this.certChain = certChain;
this.privateKey = privateKey;
this.rootCertificates = rootCertificates;
this.keyCertificatePairs = new List<KeyCertificatePair>(keyCertificatePairs).AsReadOnly();
Preconditions.CheckArgument(this.keyCertificatePairs.Count == 0,
"At least one KeyCertificatePair needs to be provided");
}
public string CertChain
/// <summary>
/// Creates server-side SSL credentials.
/// This constructor should be use if you do not wish to autheticate client
/// using client root certificates.
/// </summary>
/// <param name="keyCertificatePairs">Key-certificates to use.</param>
public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null)
{
get
{
return certChain;
}
}
public string PrivateKey
/// <summary>
/// Key-certificate pairs.
/// </summary>
public IList<KeyCertificatePair> KeyCertificatePairs
{
get
{
return privateKey;
return this.keyCertificatePairs;
}
}
}
/// <summary>
/// Server-side SSL credentials.
/// </summary>
public class SslServerCredentials : ServerCredentials
{
ImmutableList<KeyCertificatePair> keyCertPairs;
public SslServerCredentials(ImmutableList<KeyCertificatePair> keyCertPairs)
/// <summary>
/// PEM encoded client root certificates.
/// </summary>
public string RootCertificates
{
this.keyCertPairs = keyCertPairs;
get
{
return this.rootCertificates;
}
}
internal override ServerCredentialsSafeHandle ToNativeCredentials()
{
int count = keyCertPairs.Count;
int count = keyCertificatePairs.Count;
string[] certChains = new string[count];
string[] keys = new string[count];
for (int i = 0; i < count; i++)
{
certChains[i] = keyCertPairs[i].CertChain;
keys[i] = keyCertPairs[i].PrivateKey;
certChains[i] = keyCertificatePairs[i].CertificateChain;
keys[i] = keyCertificatePairs[i].PrivateKey;
}
return ServerCredentialsSafeHandle.CreateSslCredentials(certChains, keys);
return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys);
}
}
}
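Review bot: The precondition in the two-argument `SslServerCredentials` constructor looks inverted: `Preconditions.CheckArgument(this.keyCertificatePairs.Count == 0, ...)` holds only for an empty list, which contradicts its own message "At least one KeyCertificatePair needs to be provided". Judging by the `Length == Length` call in ServerCredentialsSafeHandle, `CheckArgument` throws when its condition is false, so every non-empty list would be rejected and an empty one accepted. The condition should be `this.keyCertificatePairs.Count > 0`. A null `keyCertificatePairs` also reaches `new List<KeyCertificatePair>(...)` before any check; calling `Preconditions.CheckNotNull(keyCertificatePairs)` first, as KeyCertificatePair's constructor does for its arguments, would give a clearer failure.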
