[tls] Add ValidateCredentials API to the TLS certificate provider. (#37565)

Add a ValidateCredentials API to the TLS certificate provider interface. A user can call this API to check that the credentials currently held by the certificate provider instance are valid. The definition of "valid" depends on provider that is being used. For the static data and file watcher providers, "valid" means that the credentials consist of valid PEM. ~Currently there is no check to ensure that credentials consist of valid PEM blocks before a TLS handshake commences. This PR creates a static factory for FileWatcherCertificateProvider (and marks the constructor as deprecated) which performs this validation check. The analogous work for StaticDataCertificateProvider will be done in a follow-up PR.~ Closes #37565 COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/37565 from matthewstevenson88:filewatcher f223228023 PiperOrigin-RevId: 677847751
6 months ago · b87ed725df
parent a9114ff9e4
commit b87ed725df
13 changed files with 286 additions and 1 deletions
--- a/3
+++ b/3
@ -894,6 +894,7 @@ grpc_cc_library(
        "absl/log:log",
        "absl/log:absl_check",
        "absl/log:absl_log",
+        "absl/status:statusor",
        "absl/strings:cord",
        "absl/synchronization",
        "protobuf_headers",
@ -1247,6 +1248,7 @@ grpc_cc_library(
        "absl/log:log",
        "absl/log:absl_check",
        "absl/log:absl_log",
+        "absl/status:statusor",
        "absl/strings",
        "absl/synchronization",
    ],
@ -2491,6 +2493,7 @@ grpc_cc_library(
        "//src/core:grpc_backend_metric_provider",
        "//src/core:grpc_crl_provider",
        "//src/core:grpc_service_config",
+        "//src/core:grpc_tls_credentials",
        "//src/core:grpc_transport_chttp2_server",
        "//src/core:grpc_transport_inproc",
        "//src/core:json",
--- a/include/grpcpp/security/tls_certificate_provider.h
+++ b/include/grpcpp/security/tls_certificate_provider.h
@ -18,12 +18,16 @@
 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H

 #include <memory>
+#include <string>
 #include <vector>

+#include "absl/status/statusor.h"
+
 #include <grpc/credentials.h>
 #include <grpc/grpc_security.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/status.h>
+#include <grpc/support/port_platform.h>
 #include <grpcpp/support/config.h>

 namespace grpc {
@ -67,6 +71,12 @@ class GRPCXX_DLL StaticDataCertificateProvider

  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }

+  // Returns an OK status if the following conditions hold:
+  // - the root certificates consist of one or more valid PEM blocks, and
+  // - every identity key-cert pair has a certificate chain that consists of
+  //   valid PEM blocks and has a private key is a valid PEM block.
+  absl::Status ValidateCredentials() const;
+
 private:
  grpc_tls_certificate_provider* c_provider_ = nullptr;
 };
@ -117,6 +127,14 @@ class GRPCXX_DLL FileWatcherCertificateProvider final

  grpc_tls_certificate_provider* c_provider() override { return c_provider_; }

+  // Returns an OK status if the following conditions hold:
+  // - the currently-loaded root certificates, if any, consist of one or more
+  //   valid PEM blocks, and
+  // - every currently-loaded identity key-cert pair, if any, has a certificate
+  //   chain that consists of valid PEM blocks and has a private key is a valid
+  //   PEM block.
+  absl::Status ValidateCredentials() const;
+
 private:
  grpc_tls_certificate_provider* c_provider_ = nullptr;
 };
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
@ -26,6 +26,7 @@
 #include "absl/log/check.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
+#include "absl/strings/string_view.h"

 #include <grpc/credentials.h>
 #include <grpc/slice.h>
@ -35,13 +36,53 @@
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/exec_ctx.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
 #include "src/core/lib/slice/slice.h"
 #include "src/core/lib/slice/slice_internal.h"
+#include "src/core/tsi/ssl_transport_security_utils.h"
 #include "src/core/util/load_file.h"
 #include "src/core/util/stat.h"
 #include "src/core/util/status_helper.h"

 namespace grpc_core {
+namespace {
+
+absl::Status ValidateRootCertificates(absl::string_view root_certificates) {
+  if (root_certificates.empty()) return absl::OkStatus();
+  absl::StatusOr<std::vector<X509*>> parsed_roots =
+      ParsePemCertificateChain(root_certificates);
+  if (!parsed_roots.ok()) {
+    return parsed_roots.status();
+  }
+  for (X509* x509 : *parsed_roots) {
+    X509_free(x509);
+  }
+  return absl::OkStatus();
+}
+
+absl::Status ValidatePemKeyCertPair(absl::string_view cert_chain,
+                                    absl::string_view private_key) {
+  if (cert_chain.empty() && private_key.empty()) return absl::OkStatus();
+  // Check that the cert chain consists of valid PEM blocks.
+  absl::StatusOr<std::vector<X509*>> parsed_certs =
+      ParsePemCertificateChain(cert_chain);
+  if (!parsed_certs.ok()) {
+    return parsed_certs.status();
+  }
+  for (X509* x509 : *parsed_certs) {
+    X509_free(x509);
+  }
+  // Check that the private key consists of valid PEM blocks.
+  absl::StatusOr<EVP_PKEY*> parsed_private_key =
+      ParsePemPrivateKey(private_key);
+  if (!parsed_private_key.ok()) {
+    return parsed_private_key.status();
+  }
+  EVP_PKEY_free(*parsed_private_key);
+  return absl::OkStatus();
+}
+
+}  // namespace

 StaticDataCertificateProvider::StaticDataCertificateProvider(
    std::string root_certificate, PemKeyCertPairList pem_key_cert_pairs)
@ -102,6 +143,21 @@ UniqueTypeName StaticDataCertificateProvider::type() const {
  return kFactory.Create();
 }

+absl::Status StaticDataCertificateProvider::ValidateCredentials() const {
+  absl::Status status = ValidateRootCertificates(root_certificate_);
+  if (!status.ok()) {
+    return status;
+  }
+  for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
+    absl::Status status =
+        ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
+    if (!status.ok()) {
+      return status;
+    }
+  }
+  return absl::OkStatus();
+}
+
 namespace {

 gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) {
@ -206,6 +262,22 @@ UniqueTypeName FileWatcherCertificateProvider::type() const {
  return kFactory.Create();
 }

+absl::Status FileWatcherCertificateProvider::ValidateCredentials() const {
+  MutexLock lock(&mu_);
+  absl::Status status = ValidateRootCertificates(root_certificate_);
+  if (!status.ok()) {
+    return status;
+  }
+  for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
+    absl::Status status =
+        ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
+    if (!status.ok()) {
+      return status;
+    }
+  }
+  return absl::OkStatus();
+}
+
 void FileWatcherCertificateProvider::ForceUpdate() {
  absl::optional<std::string> root_certificate;
  absl::optional<PemKeyCertPairList> pem_key_cert_pairs;
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
@ -108,6 +108,8 @@ class StaticDataCertificateProvider final

  UniqueTypeName type() const override;

+  absl::Status ValidateCredentials() const;
+
 private:
  struct WatcherInfo {
    bool root_being_watched = false;
@ -147,6 +149,8 @@ class FileWatcherCertificateProvider final

  UniqueTypeName type() const override;

+  absl::Status ValidateCredentials() const;
+
  int64_t TestOnlyGetRefreshIntervalSecond() const;

 private:
@ -183,7 +187,7 @@ class FileWatcherCertificateProvider final
  gpr_event shutdown_event_;

  // Guards members below.
-  Mutex mu_;
+  mutable Mutex mu_;
  // The most-recent credential data. It will be empty if the most recent read
  // attempt failed.
  std::string root_certificate_ ABSL_GUARDED_BY(mu_);
--- a/src/core/tsi/test_creds/BUILD
+++ b/src/core/tsi/test_creds/BUILD
@ -32,4 +32,6 @@ exports_files([
    "multi-domain.pem",
    "leaf_signed_by_intermediate.key",
    "leaf_and_intermediate_chain.pem",
+    "malformed-cert.pem",
+    "malformed-key.pem",
 ])
--- a/src/core/tsi/test_creds/README
+++ b/src/core/tsi/test_creds/README
@ -13,6 +13,13 @@ When prompted for certificate information, everything is default except the
 common name which is set to badserver.test.google.com.


+Malformed credentials (malformed.*):
+=====================================
+
+These are invalid PEM blocks. They can be built by generating a valid
+PEM-encoded certificate or private key and deleting a random character in the
+body of the PEM-encoding.
+
 Valid test credentials:
 =======================

--- a/src/core/tsi/test_creds/malformed-cert.pem
+++ b/src/core/tsi/test_creds/malformed-cert.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIUONWbkUn1obHCw9L7lMNEE5REvb8wDQYJKoZIhvcNAQEL
+BQAwaTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEiMCAGA1UEAwwZYmFkY2xpZW50LnRl
+c3QuZ29vZ2xlLmNvbTAeFw0yMDAzMTcxNzQzMjNaFw0zMDAzMTUxNzQzMjNaMGkx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxIjAgBgNVBAMMGWJhZGNsaWVudC50ZXN0Lmdv
+b2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvdzKDTYvR
+gjBOUOrzDwkAZGwNFHHlMYyMGI5tItj3tCzXkbpM0uz3ZjHVahu+eYc+KvYApM64
+F2dBb16hs713FCk8mihYABjnSndrQsl/U2v8YFT7DipfLReqqaOGu2o9HdvWfiUl
+aiC/UGGfR+YblpK7CG+7/hvTXtUsMw+OppoeH9z87rhOJMxtiC7XwU5rhEmab/1f
+1XM/nLoZrfDAcTbDywoeu826SJ3mifajq7oK3LDdNLjWZwfEsCO1qp2C4gLvBlOO
+KsWOLNby6ByxCOPlCTa0UCaVuoNclYol71jyi17KW+Nk0nNe9yaVcyr6H0z3bImf
+JhbSu4rzI93nAgMBAAGjUzBRB0GA1UdDgQWBBTKJskEYd2ndrwihPTg2PzYF/kP
+gzAfBgNVHSMEGDAWgBTKJskEYd2ndrwihPTg2PzYF/kPgzAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBoGwWR0pLM1icX4bIJ6yduFU/A4jSiqET6
+gvJhwgErilqTKfH6Y89rqtzW8k4UurAOCsE4FA6wbkHWwrUMnClY4lkHJh+MuNaJ
+nCGrK8wRKGb/mqW9d5pP72Et1Q6OW6DAKqGfjDWh2MzSPHBxcCLeyigO1wqd4W1T
+nvvql6l4L+B5IT/c+/EHO3PwbI9v6MGTtLjsZgkRKItaPh+YeJdmBYhRD1BvWb6s
+VwEb7aQ1oSF+esUvMmjGVuHXuQvWJahnjYdYT2DikyqR+AwaKzre4GJMHsX3/Cf8
+qdxyI+B1jUwNr7sLA2EYDjnUR0jEHcrOBSpIQyRMGWduj0P16yb9
+-----END CERTIFICATE-----
--- a/src/core/tsi/test_creds/malformed-key.pem
+++ b/src/core/tsi/test_creds/malformed-key.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDvdzKDTYvRgjBO
+UOrzDwkAZGwNFHHlMYyMGI5tItj3tCzXkbpM0uz3ZjHVahu+eYc+KvYApM64F2dB
+b16hs713FCk8mihYABjnSndrQsl/U2v8YFT7DipfLReqqaOGu2o9HdvWfiUlaiC/
+UGGfR+YblpK7CG+7/hvTXtUsMw+OppoeH9z87rhOJMxtiC7XwU5rhEmab/1f1XM/
+nLoZrfDAcTbDywoeu826SJ3mifajq7oK3LDdNLjWZwfEsCO1qp2C4gLvBlOOKsWO
+LNby6ByxCOPlCTa0UCaVuoNclYol71jyi17KW+Nk0nNe9yaVcyr6H0z3bImfJhbS
+u4rzI93nAgMBAAECggEBAOIPOJRTpGaH7GpCYUpLK0g/hPFkF5EyEWg/1lSYzRIp
+RsX6zOS+zkiNHEv1jkeKNo7XDiHXM7U6RkQtdkZAQdk9PjM3sEUdm4CEnIjfmzA
+p/R8TD0kxkNLIkhuFH2gd05y3ZHDS/XiFkAE9eOT0FrC7om6ESD7ZfFIWR18pncW
+ZGq7tFAZZRmpkum2D+MJy1gWxIXBxt5madTEpRxQd56toEnfx372F0y4zkcX3pnE
+4H6FaJUBjdvKl2QzF5c0jBqgxMRvWP5YfNu8+dmaQORPkpzSptOPmZM9VKV+tJVS
+1xnOI6DtrnNZRojegR/E6KhNyiPTYy97UgYzdKS+SSECgYEA+wgSIqrfkeqqotJx
+cGxF4x9v/ldKr5hlhJNoKXLkepkcrvhhxfHKgjWz1nZY/+Rpg42GFMvxWRrGTMIJ
+ddiOr24p0HCkusWRMKQL7XxvuHDq0ro8SGqXzqWGuH31R+YNP8dy2pqd3OlwzTgg
+8v0wwzx8AuyP5Ys4M20Ewv7Xuy0CgYEA9DSGMU8jmjxJ/uPDCXWOEAqtE78wTtIw
+uMBv+ge0inc37xf+fN6D/ziTrJvgw/XyT15pmQdOlXx3Sg1h9XBZeIlaeCdFWrFB
+oYrVsiuoXRswfkFwA0yOkCsHyGiI4TE0W1rGbqP158IjwXPczBswWI7i/D6LpINL
+BD7YYpfHmeMCgYB08AiKr7Cf54H/gSqo5TcVGzLvdzhqXgKEZKp0DHpUhfivpTLe
+o8jjKSMSN2U0JvHj/0xDdGO4YMYhJcll3C4VggSejaybpA46WJJCdt9PtSUv36P
+eWAoOkFstfhJuufXGxDstnPtUa1jW881gi5x9D4MmqhZlKXkhtdeApr6LQKBgQDd
+ItsJt9JTjpirGfC5lhwI5sIICa9jEO9RveEoluWkJYUfG6k1xgHdkYwYWCdXDFZa
+DPKuwnEk6MrU4f181joO7sJf35/sGmuGL0SHzQTvGvn0uqkGM8M9RdoMXqzkzzvM
+Jg1ej1bUgXcDbTnaEhzbdLiTFsg5NzMtKwOjdDIpZQKBgEIHeJIqiGjYgf7mUlX2
+vNWgFNlzApkFSCQ8TkzkDOjtCdSHfdRDJ6+q8cS2TSQ7QPoAlI1woS0G48TNbVSo
+wD0jNVRTdpA6R5FPsg09ohB/caSn0zlGVha2GS08ceYrn7nn4PSZ/UIYTm3pjUlV
+H5tvHv0gG2C5vy3tIYQtSQCk
+-----END PRIVATE KEY----
--- a/src/cpp/common/tls_certificate_provider.cc
+++ b/src/cpp/common/tls_certificate_provider.cc
@ -23,6 +23,8 @@
 #include <grpc/grpc_security.h>
 #include <grpcpp/security/tls_certificate_provider.h>

+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+
 namespace grpc {
 namespace experimental {

@ -44,6 +46,13 @@ StaticDataCertificateProvider::~StaticDataCertificateProvider() {
  grpc_tls_certificate_provider_release(c_provider_);
 };

+absl::Status StaticDataCertificateProvider::ValidateCredentials() const {
+  auto* provider =
+      grpc_core::DownCast<grpc_core::StaticDataCertificateProvider*>(
+          c_provider_);
+  return provider->ValidateCredentials();
+}
+
 FileWatcherCertificateProvider::FileWatcherCertificateProvider(
    const std::string& private_key_path,
    const std::string& identity_certificate_path,
@ -58,5 +67,12 @@ FileWatcherCertificateProvider::~FileWatcherCertificateProvider() {
  grpc_tls_certificate_provider_release(c_provider_);
 };

+absl::Status FileWatcherCertificateProvider::ValidateCredentials() const {
+  auto* provider =
+      grpc_core::DownCast<grpc_core::FileWatcherCertificateProvider*>(
+          c_provider_);
+  return provider->ValidateCredentials();
+}
+
 }  // namespace experimental
 }  // namespace grpc
--- a/test/core/security/BUILD
+++ b/test/core/security/BUILD
@ -439,6 +439,8 @@ grpc_cc_test(
    srcs = ["grpc_tls_certificate_provider_test.cc"],
    data = [
        "//src/core/tsi/test_creds:ca.pem",
+        "//src/core/tsi/test_creds:malformed-cert.pem",
+        "//src/core/tsi/test_creds:malformed-key.pem",
        "//src/core/tsi/test_creds:multi-domain.key",
        "//src/core/tsi/test_creds:multi-domain.pem",
        "//src/core/tsi/test_creds:server0.key",
--- a/test/core/security/grpc_tls_certificate_provider_test.cc
+++ b/test/core/security/grpc_tls_certificate_provider_test.cc
@ -23,6 +23,7 @@
 #include <gtest/gtest.h>

 #include "absl/log/check.h"
+#include "absl/status/status.h"

 #include <grpc/support/alloc.h>
 #include <grpc/support/string_util.h>
@ -40,6 +41,8 @@
 #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
 #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
 #define INVALID_PATH "invalid/path"
+#define MALFORMED_CERT_PATH "src/core/tsi/test_creds/malformed-cert.pem"
+#define MALFORMED_KEY_PATH "src/core/tsi/test_creds/malformed-key.pem"

 namespace grpc_core {

@ -162,6 +165,8 @@ class GrpcTlsCertificateProviderTest : public ::testing::Test {
    root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
    cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
    private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
+    malformed_cert_ = GetFileContents(MALFORMED_CERT_PATH);
+    malformed_key_ = GetFileContents(MALFORMED_KEY_PATH);
  }

  WatcherState* MakeWatcher(
@ -195,6 +200,8 @@ class GrpcTlsCertificateProviderTest : public ::testing::Test {
  std::string root_cert_2_;
  std::string private_key_2_;
  std::string cert_chain_2_;
+  std::string malformed_cert_;
+  std::string malformed_key_;
  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
  // Use a std::list<> here to avoid the address invalidation caused by internal
  // reallocation of std::vector<>.
@ -230,6 +237,40 @@ TEST_F(GrpcTlsCertificateProviderTest, StaticDataCertificateProviderCreation) {
  CancelWatch(watcher_state_3);
 }

+TEST_F(GrpcTlsCertificateProviderTest,
+       StaticDataCertificateProviderWithGoodPathsAndCredentialValidation) {
+  StaticDataCertificateProvider provider(
+      root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
+  EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       StaticDataCertificateProviderWithMalformedRootCertificate) {
+  StaticDataCertificateProvider provider(
+      malformed_cert_,
+      MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       StaticDataCertificateProviderWithMalformedIdentityCertificate) {
+  StaticDataCertificateProvider provider(
+      root_cert_,
+      MakeCertKeyPairs(private_key_.c_str(), malformed_cert_.c_str()));
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       StaticDataCertificateProviderWithMalformedIdentityKey) {
+  StaticDataCertificateProvider provider(
+      root_cert_,
+      MakeCertKeyPairs(malformed_key_.c_str(), cert_chain_.c_str()));
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::NotFoundError("No private key found."));
+}
+
 TEST_F(GrpcTlsCertificateProviderTest,
       FileWatcherCertificateProviderWithGoodPaths) {
  FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
@ -258,6 +299,37 @@ TEST_F(GrpcTlsCertificateProviderTest,
  CancelWatch(watcher_state_3);
 }

+TEST_F(GrpcTlsCertificateProviderTest,
+       FileWatcherCertificateProviderWithGoodPathsAndCredentialValidation) {
+  FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
+                                          CA_CERT_PATH, 1);
+  EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       FileWatcherCertificateProviderWithMalformedRootCertificate) {
+  FileWatcherCertificateProvider provider(SERVER_KEY_PATH_2, SERVER_CERT_PATH_2,
+                                          MALFORMED_CERT_PATH, 1);
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       FileWatcherCertificateProviderWithMalformedIdentityCertificate) {
+  FileWatcherCertificateProvider provider(
+      SERVER_KEY_PATH_2, MALFORMED_CERT_PATH, CA_CERT_PATH_2, 1);
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
+TEST_F(GrpcTlsCertificateProviderTest,
+       FileWatcherCertificateProviderWithMalformedIdentityKey) {
+  FileWatcherCertificateProvider provider(
+      MALFORMED_KEY_PATH, SERVER_CERT_PATH_2, CA_CERT_PATH_2, 1);
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::NotFoundError("No private key found."));
+}
+
 TEST_F(GrpcTlsCertificateProviderTest,
       FileWatcherCertificateProviderWithBadPaths) {
  FileWatcherCertificateProvider provider(INVALID_PATH, INVALID_PATH,
--- a/test/cpp/server/BUILD
+++ b/test/cpp/server/BUILD
@ -69,6 +69,8 @@ grpc_cc_test(
    srcs = ["credentials_test.cc"],
    data = [
        "//src/core/tsi/test_creds:ca.pem",
+        "//src/core/tsi/test_creds:malformed-cert.pem",
+        "//src/core/tsi/test_creds:malformed-key.pem",
        "//src/core/tsi/test_creds:server1.key",
        "//src/core/tsi/test_creds:server1.pem",
    ],
--- a/test/cpp/server/credentials_test.cc
+++ b/test/cpp/server/credentials_test.cc
@ -28,12 +28,14 @@
 #include <grpcpp/security/tls_crl_provider.h>

 #include "test/core/test_util/test_config.h"
+#include "test/core/test_util/tls_utils.h"
 #include "test/cpp/util/tls_test_utils.h"

 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
 #define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data/crls"
+#define MALFORMED_CERT_PATH "src/core/tsi/test_creds/malformed-cert.pem"

 namespace {

@ -50,6 +52,7 @@ using ::grpc::experimental::NoOpCertificateVerifier;
 using ::grpc::experimental::StaticDataCertificateProvider;
 using ::grpc::experimental::TlsServerCredentials;
 using ::grpc::experimental::TlsServerCredentialsOptions;
+using ::grpc_core::testing::GetFileContents;

 }  // namespace

@ -116,6 +119,40 @@ TEST(
  CHECK_NE(server_credentials.get(), nullptr);
 }

+TEST(CredentialsTest,
+     StaticDataCertificateProviderValidationSuccessWithAllCredentials) {
+  std::string root_certificates = GetFileContents(CA_CERT_PATH);
+  experimental::IdentityKeyCertPair key_cert_pair;
+  key_cert_pair.private_key = GetFileContents(SERVER_KEY_PATH);
+  key_cert_pair.certificate_chain = GetFileContents(SERVER_CERT_PATH);
+  StaticDataCertificateProvider provider(root_certificates, {key_cert_pair});
+  EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
+}
+
+TEST(CredentialsTest, StaticDataCertificateProviderWithMalformedRoot) {
+  std::string root_certificates = GetFileContents(MALFORMED_CERT_PATH);
+  experimental::IdentityKeyCertPair key_cert_pair;
+  key_cert_pair.private_key = GetFileContents(SERVER_KEY_PATH);
+  key_cert_pair.certificate_chain = GetFileContents(SERVER_CERT_PATH);
+  StaticDataCertificateProvider provider(root_certificates, {key_cert_pair});
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
+TEST(CredentialsTest,
+     FileWatcherCertificateProviderValidationSuccessWithAllCredentials) {
+  FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
+                                          CA_CERT_PATH, 1);
+  EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
+}
+
+TEST(CredentialsTest, FileWatcherCertificateProviderWithMalformedRoot) {
+  FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
+                                          MALFORMED_CERT_PATH, 1);
+  EXPECT_EQ(provider.ValidateCredentials(),
+            absl::FailedPreconditionError("Invalid PEM."));
+}
+
 TEST(CredentialsTest, TlsServerCredentialsWithCrlChecking) {
  auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
      SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);