diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index 46e493b347a..c588ec3f1ce 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -143,15 +143,14 @@ grpc_channel_credentials *grpc_google_default_credentials_create(void); #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" -/* Overrides the default path for TLS/SSL roots. - The path must point to a PEM encoded file with all the roots such as the one - that can be downloaded from https://pki.google.com/roots.pem. +/* Overrides the default TLS/SSL roots. + The roots must be encoded as PEM and NULL-terminated. This function is not thread-safe and must be called at initialization time before any ssl credentials are created to have the desired side effect. - It also does not do any checks about the validity or contents of the path. - If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set, it will override - the roots_path specified in this function. */ -void grpc_override_ssl_default_roots_file_path(const char *roots_path); + It also does not do any checks about the validity of the encoding. + If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path, + it will override the roots specified in this function. */ +void grpc_override_ssl_default_roots(const char *roots_pem); /* Object that holds a private key / certificate chain pair in PEM format. */ typedef struct { @@ -169,10 +168,9 @@ typedef struct { of the server root certificates. If this parameter is NULL, the implementation will first try to dereference the file pointed by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails, - try to get the roots from the path specified in the function - grpc_override_ssl_default_roots_file_path. Eventually, if all these fail, - it will try to get the roots from a well-known place on disk (in the grpc - install directory). + try to get the roots set by grpc_override_ssl_default_roots. Eventually, + if all these fail, it will try to get the roots from a well-known place on + disk (in the grpc install directory). - pem_key_cert_pair is a pointer on the object containing client's private key and certificate chain. This parameter can be NULL if the client does not have such a key/cert pair. */ diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c index 7e5cb67146b..8a67243a18f 100644 --- a/src/core/security/security_connector.c +++ b/src/core/security/security_connector.c @@ -61,12 +61,12 @@ static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem"; #endif -/* -- Overridden default roots file path. -- */ +/* -- Overridden default roots. -- */ -static const char *overridden_default_roots_file_path = NULL; +static gpr_slice overridden_default_roots; -void grpc_override_ssl_default_roots_file_path(const char *roots_path) { - overridden_default_roots_file_path = roots_path; +void grpc_override_ssl_default_roots(const char *roots_pem) { + overridden_default_roots = gpr_slice_from_copied_string(roots_pem); } /* -- Cipher suites. -- */ @@ -616,8 +616,8 @@ static gpr_slice compute_default_pem_root_certs_once(void) { /* Try overridden roots path if needed. */ if (GPR_SLICE_IS_EMPTY(result) && - overridden_default_roots_file_path != NULL) { - result = gpr_load_file(overridden_default_roots_file_path, 0, NULL); + !GPR_SLICE_IS_EMPTY(overridden_default_roots)) { + result = gpr_slice_ref(overridden_default_roots); } /* Fall back to installed certs if needed. */ diff --git a/test/core/security/security_connector_test.c b/test/core/security/security_connector_test.c index ed9f87dccc0..6cf7e61c0a7 100644 --- a/test/core/security/security_connector_test.c +++ b/test/core/security/security_connector_test.c @@ -304,13 +304,6 @@ static void test_default_ssl_roots(void) { const char *roots_for_override_api = "roots for override api"; const char *roots_for_env_var = "roots for env var"; - char *roots_api_file_path; - FILE *roots_api_file = - gpr_tmpfile("test_roots_for_api_override", &roots_api_file_path); - fwrite(roots_for_override_api, 1, strlen(roots_for_override_api), - roots_api_file); - fclose(roots_api_file); - char *roots_env_var_file_path; FILE *roots_env_var_file = gpr_tmpfile("test_roots_for_env_var", &roots_env_var_file_path); @@ -318,7 +311,7 @@ static void test_default_ssl_roots(void) { fclose(roots_env_var_file); /* First let's get the root through the override (no env are set). */ - grpc_override_ssl_default_roots_file_path(roots_api_file_path); + grpc_override_ssl_default_roots(roots_for_override_api); gpr_slice roots = grpc_get_default_ssl_roots_for_testing(); char *roots_contents = gpr_dump_slice(roots, GPR_DUMP_ASCII); gpr_slice_unref(roots); @@ -344,15 +337,10 @@ static void test_default_ssl_roots(void) { gpr_free(roots_contents); /* Cleanup. */ - remove(roots_api_file_path); remove(roots_env_var_file_path); - gpr_free(roots_api_file_path); gpr_free(roots_env_var_file_path); - } -/* TODO(jboeuf): Unit-test tsi_shallow_peer_from_auth_context. */ - int main(int argc, char **argv) { grpc_test_init(argc, argv); grpc_init();