Merge pull request #678 from jboeuf/installed_ssl_roots

Adding roots.pem from Mozilla and associated logic.
pull/713/head
Craig Tiller 10 years ago
commit cc69f8d958
  1. 7
      Makefile
  2. 5114
      etc/roots.pem
  3. 7
      include/grpc/grpc_security.h
  4. 11
      src/core/security/security_context.c
  5. 7
      templates/Makefile.template

@ -1930,7 +1930,7 @@ $(OBJDIR)/$(CONFIG)/%.o : %.cc
$(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $< $(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $<
install: install_c install_cxx install-plugins verify-install install: install_c install_cxx install-plugins install-certs verify-install
install_c: install-headers_c install-static_c install-shared_c install_c: install-headers_c install-static_c install-shared_c
@ -2074,6 +2074,11 @@ else
$(Q) $(INSTALL) $(BINDIR)/$(CONFIG)/grpc_ruby_plugin $(prefix)/bin/grpc_ruby_plugin $(Q) $(INSTALL) $(BINDIR)/$(CONFIG)/grpc_ruby_plugin $(prefix)/bin/grpc_ruby_plugin
endif endif
install-certs: etc/roots.pem
$(E) "[INSTALL] Installing root certificates"
$(Q) $(INSTALL) -d $(prefix)/share/grpc
$(Q) $(INSTALL) etc/roots.pem $(prefix)/share/grpc/roots.pem
verify-install: verify-install:
ifeq ($(SYSTEM_OK),true) ifeq ($(SYSTEM_OK),true)
@echo "Your system looks ready to go." @echo "Your system looks ready to go."
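Review bot: The `install-certs` recipe copies the trust-anchor bundle with a bare `$(INSTALL)`, so the file gets whatever mode that command defaults to (0755 if `INSTALL` is plain `install`, which is not visible here). A CA bundle should be installed explicitly as root-writable, world-readable data, e.g. `$(Q) $(INSTALL) -m 0644 etc/roots.pem $(prefix)/share/grpc/roots.pem`. The destination is built from `$(prefix)`, while security_context.c reads `INSTALL_PREFIX "/share/grpc/roots.pem"` or, without that macro, `/usr/share/grpc/roots.pem`. Nothing shown here passes `-DINSTALL_PREFIX`, so confirm the two agree; otherwise the library may load a different roots file from the one just installed. The same recipe is repeated in templates/Makefile.template and needs the same change.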


@ -73,8 +73,11 @@ typedef struct {
/* Creates an SSL credentials object. /* Creates an SSL credentials object.
- pem_roots_cert is the NULL-terminated string containing the PEM encoding - pem_roots_cert is the NULL-terminated string containing the PEM encoding
of the server root certificates. If this parameter is NULL, the default of the server root certificates. If this parameter is NULL, the
roots will be used. implementation will first try to dereference the file pointed by the
GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails,
get the roots from a well-known place on disk (in the grpc install
directory).
- pem_key_cert_pair is a pointer on the object containing client's private - pem_key_cert_pair is a pointer on the object containing client's private
key and certificate chain. This parameter can be NULL if the client does key and certificate chain. This parameter can be NULL if the client does
not have such a key/cert pair. */ not have such a key/cert pair. */
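Review bot: The new comment on `pem_roots_cert` gives the lookup order but not the outcome when neither the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH file nor the installed file can be read, which a caller needs to know before passing NULL. It should also say that the environment variable takes precedence, so whoever controls the process environment chooses the trust anchors. Suggested wording: `If this parameter is NULL, the roots are read from the file named by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, or, if that cannot be loaded, from the roots file in the grpc install directory.`, followed by one sentence on the no-roots case once that behaviour is confirmed. The declaration this comment documents lies outside the hunk.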

@ -61,9 +61,9 @@
"SHA256:AES256-SHA256" "SHA256:AES256-SHA256"
#ifndef INSTALL_PREFIX #ifndef INSTALL_PREFIX
static const char *installed_roots_path = "/etc/grpc/roots.pem"; static const char *installed_roots_path = "/usr/share/grpc/roots.pem";
#else #else
static const char *installed_roots_path = INSTALL_PREFIX "/etc/grpc/roots.pem"; static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem";
#endif #endif
/* -- Common methods. -- */ /* -- Common methods. -- */
@ -404,6 +404,7 @@ static grpc_security_context_vtable ssl_server_vtable = {
static gpr_slice default_pem_root_certs; static gpr_slice default_pem_root_certs;
static void init_default_pem_root_certs(void) { static void init_default_pem_root_certs(void) {
/* First try to load the roots from the environment. */
char *default_root_certs_path = char *default_root_certs_path =
gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR); gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
if (default_root_certs_path == NULL) { if (default_root_certs_path == NULL) {
@ -412,7 +413,11 @@ static void init_default_pem_root_certs(void) {
default_pem_root_certs = gpr_load_file(default_root_certs_path, NULL); default_pem_root_certs = gpr_load_file(default_root_certs_path, NULL);
gpr_free(default_root_certs_path); gpr_free(default_root_certs_path);
} }
(void) installed_roots_path;
/* Fall back to installed certs if needed. */
if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) {
default_pem_root_certs = gpr_load_file(installed_roots_path, NULL);
}
} }
size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) { size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) {
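Review bot: In the last hunk, the fallback `if (GPR_SLICE_IS_EMPTY(default_pem_root_certs))` also fires when the environment variable was set but its file could not be loaded. A deployment that pins a private root set through GRPC_DEFAULT_SSL_ROOTS_FILE_PATH would then silently trust the installed public bundle after a typo or a permissions problem. At minimum, log the failure before the path is freed, e.g. `if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) gpr_log(GPR_ERROR, "Could not load SSL roots from %s", default_root_certs_path);` ahead of `gpr_free(default_root_certs_path);`. Whether to skip the fallback entirely in that case is a policy choice that should be made explicitly and documented. init_default_pem_root_certs begins in the previous hunk and part of its body is not shown.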

@ -729,7 +729,7 @@ $(OBJDIR)/$(CONFIG)/%.o : %.cc
$(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $< $(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $<
install: install_c install_cxx install-plugins verify-install install: install_c install_cxx install-plugins install-certs verify-install
install_c: install-headers_c install-static_c install-shared_c install_c: install-headers_c install-static_c install-shared_c
@ -824,6 +824,11 @@ else
% endfor % endfor
endif endif
install-certs: etc/roots.pem
$(E) "[INSTALL] Installing root certificates"
$(Q) $(INSTALL) -d $(prefix)/share/grpc
$(Q) $(INSTALL) etc/roots.pem $(prefix)/share/grpc/roots.pem
verify-install: verify-install:
ifeq ($(SYSTEM_OK),true) ifeq ($(SYSTEM_OK),true)
@echo "Your system looks ready to go." @echo "Your system looks ready to go."
