added option to authenticate client using root cert chain

pull/2645/head
Jan Tattermusch 9 years ago
parent 062c329cf8
commit 88a9b32936
  1. 48
      src/csharp/Grpc.Core/Credentials.cs
  2. 1
      src/csharp/Grpc.Core/Grpc.Core.csproj
  3. 9
      src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs
  4. 4
      src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
  5. 84
      src/csharp/Grpc.Core/KeyCertificatePair.cs
  6. 61
      src/csharp/Grpc.Core/ServerCredentials.cs

@ -53,27 +53,63 @@ namespace Grpc.Core
/// </summary> /// </summary>
public class SslCredentials : Credentials public class SslCredentials : Credentials
{ {
string pemRootCerts; readonly string rootCertificates;
readonly KeyCertificatePair keyCertificatePair;
public SslCredentials(string pemRootCerts) /// <summary>
/// Creates client-side SSL credentials loaded from
/// disk file pointed to by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
/// If that fails, gets the roots certificates from a well known place on disk.
/// </summary>
public SslCredentials() : this(null, null)
{
}
/// <summary>
/// Creates client-side SSL credentials from
/// a string containing PEM encoded root certificates.
/// </summary>
public SslCredentials(string rootCertificates) : this(rootCertificates, null)
{
}
/// <summary>
/// Creates client-side SSL credentials.
/// </summary>
/// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
/// <param name="keyCertificatePair">a key certificate pair.</param>
public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair)
{ {
this.pemRootCerts = pemRootCerts; this.rootCertificates = rootCertificates;
this.keyCertificatePair = keyCertificatePair;
} }
/// <summary> /// <summary>
/// PEM encoding of the server root certificates. /// PEM encoding of the server root certificates.
/// </summary> /// </summary>
public string RootCerts public string RootCertificates
{
get
{
return this.rootCertificates;
}
}
/// <summary>
/// Client side key and certificate pair.
/// If null, client will not use key and certificate pair.
/// </summary>
public KeyCertificatePair KeyCertificatePair
{ {
get get
{ {
return this.pemRootCerts; return this.keyCertificatePair;
} }
} }
internal override CredentialsSafeHandle ToNativeCredentials() internal override CredentialsSafeHandle ToNativeCredentials()
{ {
return CredentialsSafeHandle.CreateSslCredentials(pemRootCerts); return CredentialsSafeHandle.CreateSslCredentials(rootCertificates, keyCertificatePair);
} }
} }
} }

@ -104,6 +104,7 @@
<Compile Include="AsyncUnaryCall.cs" /> <Compile Include="AsyncUnaryCall.cs" />
<Compile Include="VersionInfo.cs" /> <Compile Include="VersionInfo.cs" />
<Compile Include="Internal\CStringSafeHandle.cs" /> <Compile Include="Internal\CStringSafeHandle.cs" />
<Compile Include="KeyCertificatePair.cs" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<None Include="Grpc.Core.nuspec" /> <None Include="Grpc.Core.nuspec" />

@ -50,10 +50,17 @@ namespace Grpc.Core.Internal
{ {
} }
public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts) public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts, KeyCertificatePair keyCertPair)
{
if (keyCertPair != null)
{
return grpcsharp_ssl_credentials_create(pemRootCerts, keyCertPair.CertificateChain, keyCertPair.PrivateKey);
}
else
{ {
return grpcsharp_ssl_credentials_create(pemRootCerts, null, null); return grpcsharp_ssl_credentials_create(pemRootCerts, null, null);
} }
}
protected override bool ReleaseHandle() protected override bool ReleaseHandle()
{ {

@ -51,10 +51,10 @@ namespace Grpc.Core.Internal
{ {
} }
public static ServerCredentialsSafeHandle CreateSslCredentials(string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray) public static ServerCredentialsSafeHandle CreateSslCredentials(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray)
{ {
Preconditions.CheckArgument(keyCertPairCertChainArray.Length == keyCertPairPrivateKeyArray.Length); Preconditions.CheckArgument(keyCertPairCertChainArray.Length == keyCertPairPrivateKeyArray.Length);
return grpcsharp_ssl_server_credentials_create(null, return grpcsharp_ssl_server_credentials_create(pemRootCerts,
keyCertPairCertChainArray, keyCertPairPrivateKeyArray, keyCertPairCertChainArray, keyCertPairPrivateKeyArray,
new UIntPtr((ulong)keyCertPairCertChainArray.Length)); new UIntPtr((ulong)keyCertPairCertChainArray.Length));
} }

@ -0,0 +1,84 @@
#region Copyright notice and license
// Copyright 2015, Google Inc.
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#endregion
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Grpc.Core.Internal;
using Grpc.Core.Utils;
namespace Grpc.Core
{
/// <summary>
/// Key certificate pair (in PEM encoding).
/// </summary>
public sealed class KeyCertificatePair
{
readonly string certificateChain;
readonly string privateKey;
/// <summary>
/// Creates a new certificate chain - private key pair.
/// </summary>
/// <param name="certificateChain">PEM encoded certificate chain.</param>
/// <param name="privateKey">PEM encoded private key.</param>
public KeyCertificatePair(string certificateChain, string privateKey)
{
this.certificateChain = Preconditions.CheckNotNull(certificateChain);
this.privateKey = Preconditions.CheckNotNull(privateKey);
}
/// <summary>
/// PEM encoded certificate chain.
/// </summary>
public string CertificateChain
{
get
{
return certificateChain;
}
}
/// <summary>
/// PEM encoded private key.
/// </summary>
public string PrivateKey
{
get
{
return privateKey;
}
}
}
}

@ -35,6 +35,7 @@ using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Collections.Immutable; using System.Collections.Immutable;
using Grpc.Core.Internal; using Grpc.Core.Internal;
using Grpc.Core.Utils;
namespace Grpc.Core namespace Grpc.Core
{ {
@ -51,59 +52,69 @@ namespace Grpc.Core
} }
/// <summary> /// <summary>
/// Key certificate pair (in PEM encoding). /// Server-side SSL credentials.
/// </summary> /// </summary>
public class KeyCertificatePair public class SslServerCredentials : ServerCredentials
{ {
readonly string certChain; readonly IList<KeyCertificatePair> keyCertificatePairs;
readonly string privateKey; readonly string rootCertificates;
public KeyCertificatePair(string certChain, string privateKey) /// <summary>
/// Creates server-side SSL credentials.
/// </summary>
/// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param>
/// <param name="keyCertificatePairs">Key-certificates to use.</param>
public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates)
{ {
this.certChain = certChain; this.rootCertificates = rootCertificates;
this.privateKey = privateKey; this.keyCertificatePairs = new List<KeyCertificatePair>(keyCertificatePairs).AsReadOnly();
Preconditions.CheckArgument(this.keyCertificatePairs.Count == 0,
"At least one KeyCertificatePair needs to be provided");
} }
public string CertChain /// <summary>
{ /// Creates server-side SSL credentials.
get /// This constructor should be use if you do not wish to autheticate client
/// using client root certificates.
/// </summary>
/// <param name="keyCertificatePairs">Key-certificates to use.</param>
public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null)
{ {
return certChain;
}
} }
public string PrivateKey /// <summary>
/// Key-certificate pairs.
/// </summary>
public IList<KeyCertificatePair> KeyCertificatePairs
{ {
get get
{ {
return privateKey; return this.keyCertificatePairs;
}
} }
} }
/// <summary> /// <summary>
/// Server-side SSL credentials. /// PEM encoded client root certificates.
/// </summary> /// </summary>
public class SslServerCredentials : ServerCredentials public string RootCertificates
{ {
ImmutableList<KeyCertificatePair> keyCertPairs; get
public SslServerCredentials(ImmutableList<KeyCertificatePair> keyCertPairs)
{ {
this.keyCertPairs = keyCertPairs; return this.rootCertificates;
}
} }
internal override ServerCredentialsSafeHandle ToNativeCredentials() internal override ServerCredentialsSafeHandle ToNativeCredentials()
{ {
int count = keyCertPairs.Count; int count = keyCertificatePairs.Count;
string[] certChains = new string[count]; string[] certChains = new string[count];
string[] keys = new string[count]; string[] keys = new string[count];
for (int i = 0; i < count; i++) for (int i = 0; i < count; i++)
{ {
certChains[i] = keyCertPairs[i].CertChain; certChains[i] = keyCertificatePairs[i].CertificateChain;
keys[i] = keyCertPairs[i].PrivateKey; keys[i] = keyCertificatePairs[i].PrivateKey;
} }
return ServerCredentialsSafeHandle.CreateSslCredentials(certChains, keys); return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys);
} }
} }
} }

Loading…
Cancel
Save