[security] Reland: Refactor credentials types to remove special handling for insecure creds (#36242)

See #36176. The only difference is a temporary shim for Secure credentials types, which was already discussed and approved separately. Closes #36242 COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/36242 from drfloob:reland/36176 f07bebe289 PiperOrigin-RevId: 621879911
8 months ago · f238e5399c
parent 9dea752699
commit f238e5399c
37 changed files with 558 additions and 585 deletions
--- a/22
+++ b/22
@ -325,7 +325,9 @@ GRPC_PUBLIC_EVENT_ENGINE_HDRS = [
 ]
 GRPCXX_SRCS = [
    "src/cpp/client/call_credentials.cc",
    "src/cpp/client/channel_cc.cc",
    "src/cpp/client/channel_credentials.cc",
    "src/cpp/client/client_callback.cc",
    "src/cpp/client/client_context.cc",
    "src/cpp/client/client_interceptor.cc",
@ -351,6 +353,7 @@ GRPCXX_SRCS = [
    "src/cpp/server/server_callback.cc",
    "src/cpp/server/server_cc.cc",
    "src/cpp/server/server_context.cc",
    "src/cpp/server/server_credentials.cc",
    "src/cpp/server/server_posix.cc",
    "src/cpp/thread_manager/thread_manager.cc",
    "src/cpp/util/byte_buffer_cc.cc",
@ -941,9 +944,7 @@ grpc_cc_library(
        },
    ],
    tags = ["nofixdeps"],
-    visibility = [
+    visibility = ["@grpc:public"],
        "@grpc:public",
    ],
    deps = [
        "grpc++_base",
        "//src/core:gpr_atm",
@ -1216,6 +1217,9 @@ grpc_cc_library(
    ],
 )
 # TODO(hork): restructure the grpc++_unsecure and grpc++ build targets in a
 # similar way to how the grpc_unsecure and grpc targets were restructured in
 # #25586
 grpc_cc_library(
    name = "grpc++_unsecure",
    srcs = [
@ -1223,18 +1227,26 @@ grpc_cc_library(
        "src/cpp/common/insecure_create_auth_context.cc",
        "src/cpp/server/insecure_server_credentials.cc",
    ],
    external_deps = [
        "absl/strings",
        "absl/synchronization",
    ],
    language = "c++",
    public_hdrs = GRPCXX_PUBLIC_HDRS,
    tags = [
        "avoid_dep",
        "nofixdeps",
    ],
    visibility = ["@grpc:public"],
    deps = [
        "channel_arg_names",
        "gpr",
        "grpc++_base_unsecure",
        "grpc++_codegen_proto",
        "grpc_public_hdrs",
        "grpc_security_base",
        "grpc_unsecure",
        "//src/core:gpr_atm",
        "//src/core:grpc_insecure_credentials",
    ],
 )
@ -2374,7 +2386,6 @@ grpc_cc_library(
        "src/cpp/client/secure_credentials.cc",
        "src/cpp/common/auth_property_iterator.cc",
        "src/cpp/common/secure_auth_context.cc",
        "src/cpp/common/secure_channel_arguments.cc",
        "src/cpp/common/secure_create_auth_context.cc",
        "src/cpp/common/tls_certificate_provider.cc",
        "src/cpp/common/tls_certificate_verifier.cc",
@ -2498,6 +2509,7 @@ grpc_cc_library(
        "grpc_base",
        "grpc_health_upb",
        "grpc_public_hdrs",
        "grpc_security_base",
        "grpc_service_config_impl",
        "grpc_trace",
        "grpc_unsecure",
@ -4704,7 +4716,7 @@ grpc_cc_library(
    visibility = ["@grpc:chaotic_good"],
    deps = [
        "gpr",
-        "grpc++_public_hdrs",
+        "grpc++_base",
        "grpc_public_hdrs",
        "//src/core:chaotic_good_connector",
        "//src/core:chaotic_good_server",
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -4045,7 +4045,9 @@ add_library(grpc++
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -4063,7 +4065,6 @@ add_library(grpc++
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -4084,6 +4085,7 @@ add_library(grpc++
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/server/xds_server_builder.cc
  src/cpp/server/xds_server_credentials.cc
@ -4793,7 +4795,9 @@ target_link_libraries(grpc++_test_util
 endif()
 add_library(grpc++_unsecure
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -4823,6 +4827,7 @@ add_library(grpc++_unsecure
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -8154,7 +8159,9 @@ add_executable(binder_transport_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -8171,7 +8178,6 @@ add_executable(binder_transport_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -8192,6 +8198,7 @@ add_executable(binder_transport_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -12670,7 +12677,9 @@ add_executable(endpoint_binder_pool_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -12687,7 +12696,6 @@ add_executable(endpoint_binder_pool_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -12708,6 +12716,7 @@ add_executable(endpoint_binder_pool_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -13527,7 +13536,9 @@ add_executable(fake_binder_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -13544,7 +13555,6 @@ add_executable(fake_binder_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -13565,6 +13575,7 @@ add_executable(fake_binder_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -31370,7 +31381,9 @@ add_executable(transport_stream_receiver_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -31387,7 +31400,6 @@ add_executable(transport_stream_receiver_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -31408,6 +31420,7 @@ add_executable(transport_stream_receiver_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -32202,7 +32215,9 @@ add_executable(wire_reader_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -32219,7 +32234,6 @@ add_executable(wire_reader_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -32240,6 +32254,7 @@ add_executable(wire_reader_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
@ -32308,7 +32323,9 @@ add_executable(wire_writer_test
  src/core/ext/transport/binder/wire_format/transaction.cc
  src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  src/core/ext/transport/binder/wire_format/wire_writer.cc
  src/cpp/client/call_credentials.cc
  src/cpp/client/channel_cc.cc
  src/cpp/client/channel_credentials.cc
  src/cpp/client/client_callback.cc
  src/cpp/client/client_context.cc
  src/cpp/client/client_interceptor.cc
@ -32325,7 +32342,6 @@ add_executable(wire_writer_test
  src/cpp/common/resource_quota_cc.cc
  src/cpp/common/rpc_method.cc
  src/cpp/common/secure_auth_context.cc
  src/cpp/common/secure_channel_arguments.cc
  src/cpp/common/secure_create_auth_context.cc
  src/cpp/common/tls_certificate_provider.cc
  src/cpp/common/tls_certificate_verifier.cc
@ -32346,6 +32362,7 @@ add_executable(wire_writer_test
  src/cpp/server/server_callback.cc
  src/cpp/server/server_cc.cc
  src/cpp/server/server_context.cc
  src/cpp/server/server_credentials.cc
  src/cpp/server/server_posix.cc
  src/cpp/thread_manager/thread_manager.cc
  src/cpp/util/byte_buffer_cc.cc
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -3886,7 +3886,9 @@ libs:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -3904,7 +3906,6 @@ libs:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -3925,6 +3926,7 @@ libs:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/server/xds_server_builder.cc
  - src/cpp/server/xds_server_credentials.cc
@ -4024,6 +4026,7 @@ libs:
  - test/core/util/tracer_util.h
  - test/cpp/util/byte_buffer_proto_helper.h
  - test/cpp/util/create_test_channel.h
  - test/cpp/util/credentials.h
  - test/cpp/util/string_ref_helper.h
  - test/cpp/util/subprocess.h
  - test/cpp/util/test_credentials_provider.h
@ -4266,7 +4269,9 @@ libs:
  - src/cpp/server/thread_pool_interface.h
  - src/cpp/thread_manager/thread_manager.h
  src:
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -4296,6 +4301,7 @@ libs:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -5285,6 +5291,7 @@ targets:
  - test/core/util/slice_splitter.h
  - test/core/util/tracer_util.h
  - test/cpp/util/byte_buffer_proto_helper.h
  - test/cpp/util/credentials.h
  - test/cpp/util/string_ref_helper.h
  - test/cpp/util/subprocess.h
  src:
@ -6173,7 +6180,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -6190,7 +6199,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -6211,6 +6219,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -8868,7 +8877,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -8885,7 +8896,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -8906,6 +8916,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -9363,7 +9374,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -9380,7 +9393,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -9401,6 +9413,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -19578,7 +19591,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -19595,7 +19610,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -19616,6 +19630,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -19953,7 +19968,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -19970,7 +19987,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -19991,6 +20007,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
@ -20060,7 +20077,9 @@ targets:
  - src/core/ext/transport/binder/wire_format/transaction.cc
  - src/core/ext/transport/binder/wire_format/wire_reader_impl.cc
  - src/core/ext/transport/binder/wire_format/wire_writer.cc
  - src/cpp/client/call_credentials.cc
  - src/cpp/client/channel_cc.cc
  - src/cpp/client/channel_credentials.cc
  - src/cpp/client/client_callback.cc
  - src/cpp/client/client_context.cc
  - src/cpp/client/client_interceptor.cc
@ -20077,7 +20096,6 @@ targets:
  - src/cpp/common/resource_quota_cc.cc
  - src/cpp/common/rpc_method.cc
  - src/cpp/common/secure_auth_context.cc
  - src/cpp/common/secure_channel_arguments.cc
  - src/cpp/common/secure_create_auth_context.cc
  - src/cpp/common/tls_certificate_provider.cc
  - src/cpp/common/tls_certificate_verifier.cc
@ -20098,6 +20116,7 @@ targets:
  - src/cpp/server/server_callback.cc
  - src/cpp/server/server_cc.cc
  - src/cpp/server/server_context.cc
  - src/cpp/server/server_credentials.cc
  - src/cpp/server/server_posix.cc
  - src/cpp/thread_manager/thread_manager.cc
  - src/cpp/util/byte_buffer_cc.cc
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@ -1345,7 +1345,9 @@ Pod::Spec.new do |s|
                      'src/core/tsi/transport_security.h',
                      'src/core/tsi/transport_security_grpc.h',
                      'src/core/tsi/transport_security_interface.h',
                      'src/cpp/client/call_credentials.cc',
                      'src/cpp/client/channel_cc.cc',
                      'src/cpp/client/channel_credentials.cc',
                      'src/cpp/client/client_callback.cc',
                      'src/cpp/client/client_context.cc',
                      'src/cpp/client/client_interceptor.cc',
@ -1367,7 +1369,6 @@ Pod::Spec.new do |s|
                      'src/cpp/common/rpc_method.cc',
                      'src/cpp/common/secure_auth_context.cc',
                      'src/cpp/common/secure_auth_context.h',
                      'src/cpp/common/secure_channel_arguments.cc',
                      'src/cpp/common/secure_create_auth_context.cc',
                      'src/cpp/common/tls_certificate_provider.cc',
                      'src/cpp/common/tls_certificate_verifier.cc',
@ -1393,6 +1394,7 @@ Pod::Spec.new do |s|
                      'src/cpp/server/server_callback.cc',
                      'src/cpp/server/server_cc.cc',
                      'src/cpp/server/server_context.cc',
                      'src/cpp/server/server_credentials.cc',
                      'src/cpp/server/server_posix.cc',
                      'src/cpp/server/thread_pool_interface.h',
                      'src/cpp/server/xds_server_builder.cc',
--- a/include/grpcpp/security/credentials.h
+++ b/include/grpcpp/security/credentials.h
@ -37,9 +37,10 @@ struct grpc_call;
 namespace grpc {
 class CallCredentials;
 class SecureCallCredentials;
 class SecureChannelCredentials;
 class ChannelCredentials;
 namespace testing {
 std::string GetOauth2AccessToken();
 }
 std::shared_ptr<Channel> CreateCustomChannel(
    const grpc::string& target,
@ -68,26 +69,18 @@ std::shared_ptr<ChannelCredentials> XdsCredentials(
 /// \see https://grpc.io/docs/guides/auth.html
 class ChannelCredentials : private grpc::internal::GrpcLibrary {
 public:
- protected:
+  ~ChannelCredentials() override;
  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);
-  // TODO(yashykt): We need this friend declaration mainly for access to
+ protected:
-  // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
+  explicit ChannelCredentials(grpc_channel_credentials* creds);
  // (and also internal dependencies on the indirect method of creating a
  // channel through credentials), we would be able to remove this.
  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
      const std::shared_ptr<ChannelCredentials>& fallback_creds);
-  virtual SecureChannelCredentials* AsSecureCredentials() = 0;
+  grpc_channel_credentials* c_creds() { return c_creds_; }
 private:
  friend std::shared_ptr<grpc::Channel> CreateCustomChannel(
      const grpc::string& target,
      const std::shared_ptr<grpc::ChannelCredentials>& creds,
      const grpc::ChannelArguments& args);
  friend std::shared_ptr<grpc::Channel>
  grpc::experimental::CreateCustomChannelWithInterceptors(
      const grpc::string& target,
@ -96,24 +89,23 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary {
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>
          interceptor_creators);
  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);
  friend class XdsChannelCredentialsImpl;
  virtual std::shared_ptr<Channel> CreateChannelImpl(
-      const grpc::string& target, const ChannelArguments& args) = 0;
+      const grpc::string& target, const ChannelArguments& args) {
    return CreateChannelWithInterceptors(target, args, {});
  }
  // This function should have been a pure virtual function, but it is
  // implemented as a virtual function so that it does not break API.
  virtual std::shared_ptr<Channel> CreateChannelWithInterceptors(
-      const grpc::string& /*target*/, const ChannelArguments& /*args*/,
+      const grpc::string& target, const ChannelArguments& args,
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>
-      /*interceptor_creators*/) {
+          interceptor_creators);
    return nullptr;
  }
-  // TODO(yashkt): This is a hack that is needed since InsecureCredentials can
+  grpc_channel_credentials* const c_creds_;
  // not use grpc_channel_credentials internally and should be removed after
  // insecure builds are removed from gRPC.
  virtual bool IsInsecure() const { return false; }
 };
 /// A call credentials object encapsulates the state needed by a client to
@ -122,22 +114,24 @@ class ChannelCredentials : private grpc::internal::GrpcLibrary {
 /// \see https://grpc.io/docs/guides/auth.html
 class CallCredentials : private grpc::internal::GrpcLibrary {
 public:
  ~CallCredentials() override;
  /// Apply this instance's credentials to \a call.
-  virtual bool ApplyToCall(grpc_call* call) = 0;
+  bool ApplyToCall(grpc_call* call);
-  virtual grpc::string DebugString() {
+
-    return "CallCredentials did not provide a debug string";
+  grpc::string DebugString();
  }
 protected:
  explicit CallCredentials(grpc_call_credentials* creds);
 private:
  friend std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
      const std::shared_ptr<ChannelCredentials>& channel_creds,
      const std::shared_ptr<CallCredentials>& call_creds);
  friend class CompositeCallCredentialsImpl;
  friend std::string grpc::testing::GetOauth2AccessToken();
-  friend std::shared_ptr<CallCredentials> CompositeCallCredentials(
+  grpc_call_credentials* c_creds_ = nullptr;
      const std::shared_ptr<CallCredentials>& creds1,
      const std::shared_ptr<CallCredentials>& creds2);
  virtual SecureCallCredentials* AsSecureCredentials() = 0;
 };
 /// Options used to build SslCredentials.
--- a/include/grpcpp/security/server_credentials.h
+++ b/include/grpcpp/security/server_credentials.h
@ -34,7 +34,7 @@ namespace grpc {
 class Server;
 class ServerCredentials;
-class SecureServerCredentials;
+
 /// Options to create ServerCredentials with SSL
 struct SslServerCredentialsOptions {
  /// \warning Deprecated
@ -68,17 +68,22 @@ std::shared_ptr<ServerCredentials> XdsServerCredentials(
 /// Wrapper around \a grpc_server_credentials, a way to authenticate a server.
 class ServerCredentials : private grpc::internal::GrpcLibrary {
 public:
  ~ServerCredentials() override;
  /// This method is not thread-safe and has to be called before the server is
  /// started. The last call to this function wins.
  virtual void SetAuthMetadataProcessor(
-      const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) = 0;
+      const std::shared_ptr<grpc::AuthMetadataProcessor>& processor);
 protected:
  explicit ServerCredentials(grpc_server_credentials* creds);
  grpc_server_credentials* c_creds() const { return c_creds_; }
 private:
  // Needed for access to AddPortToServer.
  friend class Server;
-
+  // Needed for access to c_creds_.
  // We need this friend declaration for access to Insecure() and
  // AsSecureServerCredentials(). When these two functions are no longer
  // necessary, this friend declaration can be removed too.
  friend std::shared_ptr<ServerCredentials> grpc::XdsServerCredentials(
      const std::shared_ptr<ServerCredentials>& fallback_credentials);
@ -87,18 +92,9 @@ class ServerCredentials : private grpc::internal::GrpcLibrary {
  ///
  /// \return bound port number on success, 0 on failure.
  // TODO(dgq): the "port" part seems to be a misnomer.
-  virtual int AddPortToServer(const std::string& addr, grpc_server* server) = 0;
+  virtual int AddPortToServer(const std::string& addr, grpc_server* server);
-
+
-  // TODO(yashykt): This is a hack since InsecureServerCredentials() cannot use
+  grpc_server_credentials* c_creds_;
  // grpc_insecure_server_credentials_create() and should be removed after
  // insecure builds are removed from gRPC.
  virtual bool IsInsecure() const { return false; }
  // TODO(yashkt): This is a hack that should be removed once we remove insecure
  // builds and the indirect method of adding ports to a server.
  virtual SecureServerCredentials* AsSecureServerCredentials() {
    return nullptr;
  }
 };
 /// Builds SSL ServerCredentials given SSL specific options
--- a/include/grpcpp/support/channel_arguments.h
+++ b/include/grpcpp/support/channel_arguments.h
@ -28,7 +28,7 @@
 #include <grpcpp/support/config.h>
 namespace grpc {
-class SecureChannelCredentials;
+class ChannelCredentials;
 namespace testing {
 class ChannelArgumentsTest;
 }  // namespace testing
@ -120,7 +120,7 @@ class ChannelArguments {
  }
 private:
-  friend class grpc::SecureChannelCredentials;
+  friend class grpc::ChannelCredentials;
  friend class grpc::testing::ChannelArgumentsTest;
  /// Default pointer argument operations.
--- a/src/core/ext/transport/binder/server/binder_server_credentials.cc
+++ b/src/core/ext/transport/binder/server/binder_server_credentials.cc
@ -32,7 +32,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
  explicit BinderServerCredentialsImpl(
      std::shared_ptr<grpc::experimental::binder::SecurityPolicy>
          security_policy)
-      : security_policy_(security_policy) {}
+      : ServerCredentials(nullptr), security_policy_(security_policy) {}
 #ifdef GPR_SUPPORT_BINDER_TRANSPORT
  int AddPortToServer(const std::string& addr, grpc_server* server) override {
    return grpc_core::AddBinderPort(
@ -50,14 +50,7 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
  }
 #endif  // GPR_SUPPORT_BINDER_TRANSPORT
  void SetAuthMetadataProcessor(
      const std::shared_ptr<AuthMetadataProcessor>& /*processor*/) override {
    grpc_core::Crash("unreachable");
  }
 private:
  bool IsInsecure() const override { return true; }
  std::shared_ptr<grpc::experimental::binder::SecurityPolicy> security_policy_;
 };
--- a/src/cpp/client/call_credentials.cc
+++ b/src/cpp/client/call_credentials.cc
@ -0,0 +1,39 @@
 // Copyright 2024 The gRPC Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include <grpc/support/port_platform.h>
 #include "absl/strings/str_cat.h"
 #include <grpcpp/security/credentials.h>
 #include "src/core/lib/security/credentials/credentials.h"
 namespace grpc {
 CallCredentials::CallCredentials(grpc_call_credentials* c_creds)
    : c_creds_(c_creds) {
  GPR_ASSERT(c_creds != nullptr);
 }
 CallCredentials::~CallCredentials() { grpc_call_credentials_release(c_creds_); }
 grpc::string CallCredentials::DebugString() {
  return absl::StrCat("CallCredentials{", c_creds_->debug_string(), "}");
 }
 bool CallCredentials::ApplyToCall(grpc_call* call) {
  return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
 }
 }  // namespace grpc
--- a/src/cpp/client/channel_credentials.cc
+++ b/src/cpp/client/channel_credentials.cc
@ -0,0 +1,47 @@
 // Copyright 2024 The gRPC Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include <grpc/support/port_platform.h>
 #include <memory>
 #include <string>
 #include <vector>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpcpp/security/credentials.h>
 #include <grpcpp/support/channel_arguments.h>
 namespace grpc {
 ChannelCredentials::ChannelCredentials(grpc_channel_credentials* c_creds)
    : c_creds_(c_creds) {}
 ChannelCredentials::~ChannelCredentials() {
  grpc_channel_credentials_release(c_creds_);
 }
 std::shared_ptr<Channel> ChannelCredentials::CreateChannelWithInterceptors(
    const std::string& target, const ChannelArguments& args,
    std::vector<
        std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
        interceptor_creators) {
  grpc_channel_args channel_args;
  args.SetChannelArgs(&channel_args);
  return grpc::CreateChannelInternal(
      args.GetSslTargetNameOverride(),
      grpc_channel_create(target.c_str(), c_creds_, &channel_args),
      std::move(interceptor_creators));
 }
 }  // namespace grpc
--- a/src/cpp/client/cronet_credentials.cc
+++ b/src/cpp/client/cronet_credentials.cc
@ -35,17 +35,8 @@ namespace grpc {
 class CronetChannelCredentialsImpl final : public ChannelCredentials {
 public:
-  explicit CronetChannelCredentialsImpl(void* engine) : engine_(engine) {}
+  explicit CronetChannelCredentialsImpl(void* engine)
-
+      : ChannelCredentials(nullptr), engine_(engine) {}
  std::shared_ptr<grpc::Channel> CreateChannelImpl(
      const string& target, const grpc::ChannelArguments& args) override {
    return CreateChannelWithInterceptors(
        target, args,
        std::vector<std::unique_ptr<
            experimental::ClientInterceptorFactoryInterface>>());
  }
  SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
 private:
  std::shared_ptr<grpc::Channel> CreateChannelWithInterceptors(
@ -61,6 +52,7 @@ class CronetChannelCredentialsImpl final : public ChannelCredentials {
                                          &channel_args, nullptr),
        std::move(interceptor_creators));
  }
  void* engine_;
 };
--- a/src/cpp/client/insecure_credentials.cc
+++ b/src/cpp/client/insecure_credentials.cc
@ -16,9 +16,6 @@
 //
 //
 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
@ -27,21 +24,14 @@
 #include <grpcpp/support/channel_arguments.h>
 #include <grpcpp/support/client_interceptor.h>
 #include "src/cpp/client/create_channel_internal.h"
 namespace grpc {
 namespace {
 class InsecureChannelCredentialsImpl final : public ChannelCredentials {
 public:
-  std::shared_ptr<Channel> CreateChannelImpl(
+  InsecureChannelCredentialsImpl()
-      const std::string& target, const ChannelArguments& args) override {
+      : ChannelCredentials(grpc_insecure_credentials_create()) {}
    return CreateChannelWithInterceptors(
        target, args,
        std::vector<std::unique_ptr<
            grpc::experimental::ClientInterceptorFactoryInterface>>());
  }
 private:
  std::shared_ptr<Channel> CreateChannelWithInterceptors(
      const std::string& target, const ChannelArguments& args,
      std::vector<std::unique_ptr<
@ -49,24 +39,15 @@ class InsecureChannelCredentialsImpl final : public ChannelCredentials {
          interceptor_creators) override {
    grpc_channel_args channel_args;
    args.SetChannelArgs(&channel_args);
-    grpc_channel_credentials* creds = grpc_insecure_credentials_create();
+    return grpc::CreateChannelInternal(
-    std::shared_ptr<Channel> channel = grpc::CreateChannelInternal(
+        "", grpc_channel_create(target.c_str(), c_creds(), &channel_args),
        "", grpc_channel_create(target.c_str(), creds, &channel_args),
        std::move(interceptor_creators));
    grpc_channel_credentials_release(creds);
    return channel;
  }
  SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
 private:
  bool IsInsecure() const override { return true; }
 };
 }  // namespace
 std::shared_ptr<ChannelCredentials> InsecureChannelCredentials() {
-  return std::shared_ptr<ChannelCredentials>(
+  return std::make_shared<InsecureChannelCredentialsImpl>();
      new InsecureChannelCredentialsImpl());
 }
 }  // namespace grpc
--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@ -20,8 +20,8 @@
 #include <string.h>
 #include <algorithm>
 #include <map>
 #include <memory>
 #include <utility>
 #include "absl/status/status.h"
@ -30,6 +30,7 @@
 #include "absl/types/optional.h"
 #include <grpc/event_engine/event_engine.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security_constants.h>
 #include <grpc/slice.h>
 #include <grpc/support/json.h>
@ -47,73 +48,44 @@
 #include "src/core/lib/event_engine/default_event_engine.h"
 #include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/gprpp/load_file.h"
 #include "src/core/lib/gprpp/status_helper.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_reader.h"
 #include "src/core/lib/security/util/json_util.h"
 #include "src/cpp/client/create_channel_internal.h"
 #include "src/cpp/common/secure_auth_context.h"
 #include "src/cpp/server/thread_pool_interface.h"
 namespace grpc {
-SecureChannelCredentials::SecureChannelCredentials(
+namespace {
-    grpc_channel_credentials* c_creds)
+class WrappedCallCredentials : public CallCredentials {
-    : c_creds_(c_creds) {}
+ public:
-
+  explicit WrappedCallCredentials(grpc_call_credentials* creds)
-std::shared_ptr<Channel> SecureChannelCredentials::CreateChannelImpl(
+      : CallCredentials(creds) {}
-    const std::string& target, const ChannelArguments& args) {
+};
  return CreateChannelWithInterceptors(
      target, args,
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>());
 }
 std::shared_ptr<Channel>
 SecureChannelCredentials::CreateChannelWithInterceptors(
    const std::string& target, const ChannelArguments& args,
    std::vector<
        std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
        interceptor_creators) {
  grpc_channel_args channel_args;
  args.SetChannelArgs(&channel_args);
  return grpc::CreateChannelInternal(
      args.GetSslTargetNameOverride(),
      grpc_channel_create(target.c_str(), c_creds_, &channel_args),
      std::move(interceptor_creators));
 }
 SecureCallCredentials::SecureCallCredentials(grpc_call_credentials* c_creds)
    : c_creds_(c_creds) {}
-bool SecureCallCredentials::ApplyToCall(grpc_call* call) {
+std::shared_ptr<WrappedCallCredentials> WrapCallCredentials(
-  return grpc_call_set_credentials(call, c_creds_) == GRPC_CALL_OK;
+    grpc_call_credentials* creds) {
  return creds == nullptr ? nullptr
                          : std::make_shared<WrappedCallCredentials>(creds);
 }
-namespace internal {
+class WrappedChannelCredentials final : public ChannelCredentials {
 public:
  explicit WrappedChannelCredentials(grpc_channel_credentials* c_creds)
      : ChannelCredentials(c_creds) {}
 };
-std::shared_ptr<ChannelCredentials> WrapChannelCredentials(
+std::shared_ptr<WrappedChannelCredentials> WrapChannelCredentials(
    grpc_channel_credentials* creds) {
  return creds == nullptr ? nullptr
-                          : std::shared_ptr<ChannelCredentials>(
+                          : std::make_shared<WrappedChannelCredentials>(creds);
                                new SecureChannelCredentials(creds));
 }
 }  // namespace internal
 namespace {
 std::shared_ptr<CallCredentials> WrapCallCredentials(
    grpc_call_credentials* creds) {
  return creds == nullptr ? nullptr
                          : std::shared_ptr<CallCredentials>(
                                new SecureCallCredentials(creds));
 }
 }  // namespace
 std::shared_ptr<ChannelCredentials> GoogleDefaultCredentials() {
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
-  return internal::WrapChannelCredentials(
+  return WrapChannelCredentials(
      grpc_google_default_credentials_create(nullptr));
 }
@ -130,12 +102,10 @@ std::shared_ptr<ChannelCredentials> SslCredentials(
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
      options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
-
+  return WrapChannelCredentials(grpc_ssl_credentials_create(
  grpc_channel_credentials* c_creds = grpc_ssl_credentials_create(
      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
      options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair, nullptr,
-      nullptr);
+      nullptr));
  return internal::WrapChannelCredentials(c_creds);
 }
 namespace experimental {
@ -259,21 +229,6 @@ std::shared_ptr<CallCredentials> StsCredentials(
  return WrapCallCredentials(grpc_sts_credentials_create(&opts, nullptr));
 }
 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
    std::unique_ptr<MetadataCredentialsPlugin> plugin,
    grpc_security_level min_security_level) {
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
  const char* type = plugin->GetType();
  grpc::MetadataCredentialsPluginWrapper* wrapper =
      new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
  grpc_metadata_credentials_plugin c_plugin = {
      grpc::MetadataCredentialsPluginWrapper::GetMetadata,
      grpc::MetadataCredentialsPluginWrapper::DebugString,
      grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
  return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
      c_plugin, min_security_level, nullptr));
 }
 // Builds ALTS Credentials given ALTS specific options
 std::shared_ptr<ChannelCredentials> AltsCredentials(
    const AltsCredentialsOptions& options) {
@ -286,20 +241,20 @@ std::shared_ptr<ChannelCredentials> AltsCredentials(
  }
  grpc_channel_credentials* c_creds = grpc_alts_credentials_create(c_options);
  grpc_alts_credentials_options_destroy(c_options);
-  return internal::WrapChannelCredentials(c_creds);
+  return WrapChannelCredentials(c_creds);
 }
 // Builds Local Credentials
 std::shared_ptr<ChannelCredentials> LocalCredentials(
    grpc_local_connect_type type) {
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
-  return internal::WrapChannelCredentials(grpc_local_credentials_create(type));
+  return WrapChannelCredentials(grpc_local_credentials_create(type));
 }
 // Builds TLS Credentials given TLS options.
 std::shared_ptr<ChannelCredentials> TlsCredentials(
    const TlsChannelCredentialsOptions& options) {
-  return internal::WrapChannelCredentials(
+  return WrapChannelCredentials(
      grpc_tls_credentials_create(options.c_credentials_options()));
 }
@ -361,93 +316,24 @@ std::shared_ptr<ChannelCredentials> CompositeChannelCredentials(
  // here. This is OK because the underlying C objects (i.e., channel_creds and
  // call_creds) into grpc_composite_credentials_create will see their refcounts
  // incremented.
-  SecureChannelCredentials* s_channel_creds =
+  return channel_creds->c_creds_ == nullptr
-      channel_creds->AsSecureCredentials();
+             ? nullptr
-  SecureCallCredentials* s_call_creds = call_creds->AsSecureCredentials();
+             : WrapChannelCredentials(grpc_composite_channel_credentials_create(
-  if (s_channel_creds && s_call_creds) {
+                   channel_creds->c_creds_, call_creds->c_creds_, nullptr));
    return internal::WrapChannelCredentials(
        grpc_composite_channel_credentials_create(
            s_channel_creds->GetRawCreds(), s_call_creds->GetRawCreds(),
            nullptr));
  }
  return nullptr;
 }
 class CompositeCallCredentialsImpl : public CallCredentials {
 public:
  CompositeCallCredentialsImpl(const std::shared_ptr<CallCredentials>& creds1,
                               const std::shared_ptr<CallCredentials>& creds2)
      : CallCredentials(grpc_composite_call_credentials_create(
            creds1->c_creds_, creds2->c_creds_, nullptr)) {}
 };
 std::shared_ptr<CallCredentials> CompositeCallCredentials(
    const std::shared_ptr<CallCredentials>& creds1,
    const std::shared_ptr<CallCredentials>& creds2) {
-  SecureCallCredentials* s_creds1 = creds1->AsSecureCredentials();
+  return std::make_shared<CompositeCallCredentialsImpl>(creds1, creds2);
  SecureCallCredentials* s_creds2 = creds2->AsSecureCredentials();
  if (s_creds1 != nullptr && s_creds2 != nullptr) {
    return WrapCallCredentials(grpc_composite_call_credentials_create(
        s_creds1->GetRawCreds(), s_creds2->GetRawCreds(), nullptr));
  }
  return nullptr;
 }
 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
    std::unique_ptr<MetadataCredentialsPlugin> plugin) {
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
  const char* type = plugin->GetType();
  grpc::MetadataCredentialsPluginWrapper* wrapper =
      new grpc::MetadataCredentialsPluginWrapper(std::move(plugin));
  grpc_metadata_credentials_plugin c_plugin = {
      grpc::MetadataCredentialsPluginWrapper::GetMetadata,
      grpc::MetadataCredentialsPluginWrapper::DebugString,
      grpc::MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
  return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
      c_plugin, GRPC_PRIVACY_AND_INTEGRITY, nullptr));
 }
 char* MetadataCredentialsPluginWrapper::DebugString(void* wrapper) {
  GPR_ASSERT(wrapper);
  MetadataCredentialsPluginWrapper* w =
      static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
  return gpr_strdup(w->plugin_->DebugString().c_str());
 }
 void MetadataCredentialsPluginWrapper::Destroy(void* wrapper) {
  if (wrapper == nullptr) return;
  grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
    grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
    grpc_core::ExecCtx exec_ctx;
    delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
  });
 }
 int MetadataCredentialsPluginWrapper::GetMetadata(
    void* wrapper, grpc_auth_metadata_context context,
    grpc_credentials_plugin_metadata_cb cb, void* user_data,
    grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
    size_t* num_creds_md, grpc_status_code* status,
    const char** error_details) {
  GPR_ASSERT(wrapper);
  MetadataCredentialsPluginWrapper* w =
      static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
  if (!w->plugin_) {
    *num_creds_md = 0;
    *status = GRPC_STATUS_OK;
    *error_details = nullptr;
    return 1;
  }
  if (w->plugin_->IsBlocking()) {
    // The internals of context may be destroyed if GetMetadata is cancelled.
    // Make a copy for InvokePlugin.
    grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
    grpc_auth_metadata_context_copy(&context, &context_copy);
    // Asynchronous return.
    w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
      w->MetadataCredentialsPluginWrapper::InvokePlugin(
          context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
      grpc_auth_metadata_context_reset(&context_copy);
    });
    return 0;
  } else {
    // Synchronous return.
    w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
                    error_details);
    return 1;
  }
 }
 namespace {
@ -459,61 +345,147 @@ void UnrefMetadata(const std::vector<grpc_metadata>& md) {
  }
 }
-}  // namespace
+class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
-
+ public:
-void MetadataCredentialsPluginWrapper::InvokePlugin(
+  static void Destroy(void* wrapper) {
-    grpc_auth_metadata_context context, grpc_credentials_plugin_metadata_cb cb,
+    if (wrapper == nullptr) return;
-    void* user_data, grpc_metadata creds_md[4], size_t* num_creds_md,
+    grpc_event_engine::experimental::GetDefaultEventEngine()->Run([wrapper] {
-    grpc_status_code* status_code, const char** error_details) {
+      grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
-  std::multimap<std::string, std::string> metadata;
+      grpc_core::ExecCtx exec_ctx;
-
+      delete static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
-  // const_cast is safe since the SecureAuthContext only inc/dec the refcount
+    });
  // and the object is passed as a const ref to plugin_->GetMetadata.
  SecureAuthContext cpp_channel_auth_context(
      const_cast<grpc_auth_context*>(context.channel_auth_context));
  Status status = plugin_->GetMetadata(context.service_url, context.method_name,
                                       cpp_channel_auth_context, &metadata);
  std::vector<grpc_metadata> md;
  for (auto& metadatum : metadata) {
    grpc_metadata md_entry;
    md_entry.key = SliceFromCopiedString(metadatum.first);
    md_entry.value = SliceFromCopiedString(metadatum.second);
    md.push_back(md_entry);
  }
-  if (creds_md != nullptr) {
+
-    // Synchronous return.
+  static int GetMetadata(
-    if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
+      void* wrapper, grpc_auth_metadata_context context,
      grpc_credentials_plugin_metadata_cb cb, void* user_data,
      grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
      size_t* num_creds_md, grpc_status_code* status,
      const char** error_details) {
    GPR_ASSERT(wrapper);
    MetadataCredentialsPluginWrapper* w =
        static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
    if (!w->plugin_) {
      *num_creds_md = 0;
-      *status_code = GRPC_STATUS_INTERNAL;
+      *status = GRPC_STATUS_OK;
-      *error_details = gpr_strdup(
+      *error_details = nullptr;
-          "blocking plugin credentials returned too many metadata keys");
+      return 1;
-      UnrefMetadata(md);
+    }
    if (w->plugin_->IsBlocking()) {
      // The internals of context may be destroyed if GetMetadata is cancelled.
      // Make a copy for InvokePlugin.
      grpc_auth_metadata_context context_copy = grpc_auth_metadata_context();
      grpc_auth_metadata_context_copy(&context, &context_copy);
      // Asynchronous return.
      // TODO(hork): replace with EventEngine::Run
      w->thread_pool_->Add([w, context_copy, cb, user_data]() mutable {
        w->MetadataCredentialsPluginWrapper::InvokePlugin(
            context_copy, cb, user_data, nullptr, nullptr, nullptr, nullptr);
        grpc_auth_metadata_context_reset(&context_copy);
      });
      return 0;
    } else {
-      for (const auto& elem : md) {
+      // Synchronous return.
-        creds_md[*num_creds_md].key = elem.key;
+      w->InvokePlugin(context, cb, user_data, creds_md, num_creds_md, status,
-        creds_md[*num_creds_md].value = elem.value;
+                      error_details);
-        ++(*num_creds_md);
+      return 1;
    }
  }
  static char* DebugString(void* wrapper) {
    GPR_ASSERT(wrapper);
    MetadataCredentialsPluginWrapper* w =
        static_cast<MetadataCredentialsPluginWrapper*>(wrapper);
    return gpr_strdup(w->plugin_->DebugString().c_str());
  }
  explicit MetadataCredentialsPluginWrapper(
      std::unique_ptr<MetadataCredentialsPlugin> plugin)
      : plugin_(std::move(plugin)) {
    if (plugin_->IsBlocking()) {
      thread_pool_.reset(CreateDefaultThreadPool());
    }
  }
 private:
  void InvokePlugin(
      grpc_auth_metadata_context context,
      grpc_credentials_plugin_metadata_cb cb, void* user_data,
      grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
      size_t* num_creds_md, grpc_status_code* status_code,
      const char** error_details) {
    std::multimap<std::string, std::string> metadata;
    // const_cast is safe since the SecureAuthContext only inc/dec the refcount
    // and the object is passed as a const ref to plugin_->GetMetadata.
    SecureAuthContext cpp_channel_auth_context(
        const_cast<grpc_auth_context*>(context.channel_auth_context));
    Status status =
        plugin_->GetMetadata(context.service_url, context.method_name,
                             cpp_channel_auth_context, &metadata);
    std::vector<grpc_metadata> md;
    for (auto& metadatum : metadata) {
      grpc_metadata md_entry;
      md_entry.key = SliceFromCopiedString(metadatum.first);
      md_entry.value = SliceFromCopiedString(metadatum.second);
      md.push_back(md_entry);
    }
    if (creds_md != nullptr) {
      // Synchronous return.
      if (md.size() > GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX) {
        *num_creds_md = 0;
        *status_code = GRPC_STATUS_INTERNAL;
        *error_details = gpr_strdup(
            "blocking plugin credentials returned too many metadata keys");
        UnrefMetadata(md);
      } else {
        for (const auto& elem : md) {
          creds_md[*num_creds_md].key = elem.key;
          creds_md[*num_creds_md].value = elem.value;
          ++(*num_creds_md);
        }
        *status_code = static_cast<grpc_status_code>(status.error_code());
        *error_details =
            status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
      }
-      *status_code = static_cast<grpc_status_code>(status.error_code());
+    } else {
-      *error_details =
+      // Asynchronous return.
-          status.ok() ? nullptr : gpr_strdup(status.error_message().c_str());
+      cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
         static_cast<grpc_status_code>(status.error_code()),
         status.error_message().c_str());
      UnrefMetadata(md);
    }
  } else {
    // Asynchronous return.
    cb(user_data, md.empty() ? nullptr : &md[0], md.size(),
       static_cast<grpc_status_code>(status.error_code()),
       status.error_message().c_str());
    UnrefMetadata(md);
  }
  std::unique_ptr<ThreadPoolInterface> thread_pool_;
  std::unique_ptr<MetadataCredentialsPlugin> plugin_;
 };
 }  // namespace
 namespace experimental {
 std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
    std::unique_ptr<MetadataCredentialsPlugin> plugin,
    grpc_security_level min_security_level) {
  grpc::internal::GrpcLibrary init;  // To call grpc_init().
  const char* type = plugin->GetType();
  MetadataCredentialsPluginWrapper* wrapper =
      new MetadataCredentialsPluginWrapper(std::move(plugin));
  grpc_metadata_credentials_plugin c_plugin = {
      MetadataCredentialsPluginWrapper::GetMetadata,
      MetadataCredentialsPluginWrapper::DebugString,
      MetadataCredentialsPluginWrapper::Destroy, wrapper, type};
  return WrapCallCredentials(grpc_metadata_credentials_create_from_plugin(
      c_plugin, min_security_level, nullptr));
 }
-MetadataCredentialsPluginWrapper::MetadataCredentialsPluginWrapper(
+}  // namespace experimental
-    std::unique_ptr<MetadataCredentialsPlugin> plugin)
+
-    : plugin_(std::move(plugin)) {
+std::shared_ptr<CallCredentials> MetadataCredentialsFromPlugin(
-  if (plugin_->IsBlocking()) {
+    std::unique_ptr<MetadataCredentialsPlugin> plugin) {
-    thread_pool_.reset(CreateDefaultThreadPool());
+  return experimental::MetadataCredentialsFromPlugin(
-  }
+      std::move(plugin), GRPC_PRIVACY_AND_INTEGRITY);
 }
 }  // namespace grpc
--- a/src/cpp/client/secure_credentials.h
+++ b/src/cpp/client/secure_credentials.h
@ -19,14 +19,6 @@
 #ifndef GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H
 #define GRPC_SRC_CPP_CLIENT_SECURE_CREDENTIALS_H
 #include <stddef.h>
 #include <memory>
 #include <string>
 #include <vector>
 #include "absl/strings/str_cat.h"
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/status.h>
@ -35,65 +27,9 @@
 #include <grpcpp/security/credentials.h>
 #include <grpcpp/support/channel_arguments.h>
 #include <grpcpp/support/client_interceptor.h>
 // TODO(yashykt): We shouldn't be including "src/core" headers.
 #include "src/core/lib/iomgr/exec_ctx.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/cpp/server/thread_pool_interface.h"
 namespace grpc {
 class Channel;
 class SecureChannelCredentials final : public ChannelCredentials {
 public:
  explicit SecureChannelCredentials(grpc_channel_credentials* c_creds);
  ~SecureChannelCredentials() override {
    grpc_core::ExecCtx exec_ctx;
    if (c_creds_ != nullptr) c_creds_->Unref();
  }
  grpc_channel_credentials* GetRawCreds() { return c_creds_; }
  std::shared_ptr<Channel> CreateChannelImpl(
      const std::string& target, const ChannelArguments& args) override;
  SecureChannelCredentials* AsSecureCredentials() override { return this; }
 private:
  std::shared_ptr<Channel> CreateChannelWithInterceptors(
      const std::string& target, const ChannelArguments& args,
      std::vector<std::unique_ptr<
          grpc::experimental::ClientInterceptorFactoryInterface>>
          interceptor_creators) override;
  grpc_channel_credentials* const c_creds_;
 };
 class SecureCallCredentials final : public CallCredentials {
 public:
  explicit SecureCallCredentials(grpc_call_credentials* c_creds);
  ~SecureCallCredentials() override {
    grpc_core::ExecCtx exec_ctx;
    if (c_creds_ != nullptr) c_creds_->Unref();
  }
  grpc_call_credentials* GetRawCreds() { return c_creds_; }
  bool ApplyToCall(grpc_call* call) override;
  SecureCallCredentials* AsSecureCredentials() override { return this; }
  std::string DebugString() override {
    return absl::StrCat("SecureCallCredentials{",
                        std::string(c_creds_->debug_string()), "}");
  }
 private:
  grpc_call_credentials* const c_creds_;
 };
 namespace internal {
 std::shared_ptr<ChannelCredentials> WrapChannelCredentials(
    grpc_channel_credentials* creds);
 }  // namespace internal
 namespace experimental {
 // Transforms C++ STS Credentials options to core options. The pointers of the
@ -104,29 +40,22 @@ grpc_sts_credentials_options StsCredentialsCppToCoreOptions(
 }  // namespace experimental
-class MetadataCredentialsPluginWrapper final : private internal::GrpcLibrary {
+/// ---- DEPRECATED ----
 /// This type is going away. Prefer creating a subclass of
 /// grpc::ChannelCredentials.
 class SecureChannelCredentials final : public grpc::ChannelCredentials {
 public:
-  static void Destroy(void* wrapper);
+  explicit SecureChannelCredentials(grpc_channel_credentials* c_creds)
-  static int GetMetadata(
+      : ChannelCredentials(c_creds) {}
-      void* wrapper, grpc_auth_metadata_context context,
+};
      grpc_credentials_plugin_metadata_cb cb, void* user_data,
      grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
      size_t* num_creds_md, grpc_status_code* status,
      const char** error_details);
  static char* DebugString(void* wrapper);
  explicit MetadataCredentialsPluginWrapper(
      std::unique_ptr<MetadataCredentialsPlugin> plugin);
- private:
+/// ---- DEPRECATED ----
-  void InvokePlugin(
+/// This type is going away. Prefer creating a subclass of
-      grpc_auth_metadata_context context,
+/// grpc::CallCredentials.
-      grpc_credentials_plugin_metadata_cb cb, void* user_data,
+class SecureCallCredentials final : public grpc::CallCredentials {
-      grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX],
+ public:
-      size_t* num_creds_md, grpc_status_code* status_code,
+  explicit SecureCallCredentials(grpc_call_credentials* c_creds)
-      const char** error_details);
+      : CallCredentials(c_creds) {}
  std::unique_ptr<ThreadPoolInterface> thread_pool_;
  std::unique_ptr<MetadataCredentialsPlugin> plugin_;
 };
 }  // namespace grpc
--- a/src/cpp/client/xds_credentials.cc
+++ b/src/cpp/client/xds_credentials.cc
@ -23,24 +23,21 @@
 #include <grpc/support/log.h>
 #include <grpcpp/security/credentials.h>
 #include "src/cpp/client/secure_credentials.h"
 namespace grpc {
 class XdsChannelCredentialsImpl final : public ChannelCredentials {
 public:
  explicit XdsChannelCredentialsImpl(
      const std::shared_ptr<ChannelCredentials>& fallback_creds)
      : ChannelCredentials(
            grpc_xds_credentials_create(fallback_creds->c_creds_)) {
    GPR_ASSERT(fallback_creds->c_creds_ != nullptr);
  }
 };
 std::shared_ptr<ChannelCredentials> XdsCredentials(
    const std::shared_ptr<ChannelCredentials>& fallback_creds) {
  GPR_ASSERT(fallback_creds != nullptr);
-  if (fallback_creds->IsInsecure()) {
+  return std::make_shared<XdsChannelCredentialsImpl>(fallback_creds);
    grpc_channel_credentials* insecure_creds =
        grpc_insecure_credentials_create();
    auto xds_creds = internal::WrapChannelCredentials(
        grpc_xds_credentials_create(insecure_creds));
    grpc_channel_credentials_release(insecure_creds);
    return xds_creds;
  } else {
    return internal::WrapChannelCredentials(grpc_xds_credentials_create(
        fallback_creds->AsSecureCredentials()->GetRawCreds()));
  }
 }
 namespace experimental {
--- a/src/cpp/common/channel_arguments.cc
+++ b/src/cpp/common/channel_arguments.cc
@ -217,4 +217,17 @@ void ChannelArguments::SetChannelArgs(grpc_channel_args* channel_args) const {
  }
 }
 void ChannelArguments::SetSslTargetNameOverride(const std::string& name) {
  SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name);
 }
 std::string ChannelArguments::GetSslTargetNameOverride() const {
  for (unsigned int i = 0; i < args_.size(); i++) {
    if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) {
      return args_[i].value.string;
    }
  }
  return "";
 }
 }  // namespace grpc
--- a/src/cpp/common/secure_channel_arguments.cc
+++ b/src/cpp/common/secure_channel_arguments.cc
@ -1,41 +0,0 @@
 //
 //
 // Copyright 2015 gRPC authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 //
 #include <string>
 #include <vector>
 #include <grpc/grpc.h>
 #include <grpc/impl/channel_arg_names.h>
 #include <grpcpp/support/channel_arguments.h>
 namespace grpc {
 void ChannelArguments::SetSslTargetNameOverride(const std::string& name) {
  SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, name);
 }
 std::string ChannelArguments::GetSslTargetNameOverride() const {
  for (unsigned int i = 0; i < args_.size(); i++) {
    if (std::string(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == args_[i].key) {
      return args_[i].value.string;
    }
  }
  return "";
 }
 }  // namespace grpc
--- a/src/cpp/ext/chaotic_good.cc
+++ b/src/cpp/ext/chaotic_good.cc
@ -20,7 +20,6 @@
 #include "src/core/ext/transport/chaotic_good/client/chaotic_good_connector.h"
 #include "src/core/ext/transport/chaotic_good/server/chaotic_good_server.h"
 #include "src/core/lib/gprpp/crash.h"
 namespace grpc {
@ -29,11 +28,9 @@ namespace {
 class ChaoticGoodInsecureChannelCredentialsImpl final
    : public ChannelCredentials {
 public:
-  std::shared_ptr<Channel> CreateChannelImpl(
+  ChaoticGoodInsecureChannelCredentialsImpl() : ChannelCredentials(nullptr) {}
      const grpc::string& target, const grpc::ChannelArguments& args) override {
    return CreateChannelWithInterceptors(target, args, {});
  }
 private:
  std::shared_ptr<Channel> CreateChannelWithInterceptors(
      const grpc::string& target, const grpc::ChannelArguments& args,
      std::vector<
@ -46,24 +43,16 @@ class ChaoticGoodInsecureChannelCredentialsImpl final
        std::move(interceptor_creators));
    return channel;
  }
  SecureChannelCredentials* AsSecureCredentials() override { return nullptr; }
 private:
  bool IsInsecure() const override { return true; }
 };
 class ChaoticGoodInsecureServerCredentialsImpl final
    : public ServerCredentials {
 public:
  ChaoticGoodInsecureServerCredentialsImpl() : ServerCredentials(nullptr) {}
  int AddPortToServer(const std::string& addr, grpc_server* server) override {
    return grpc_server_add_chaotic_good_port(server, addr.c_str());
  }
  void SetAuthMetadataProcessor(
      const std::shared_ptr<AuthMetadataProcessor>&) override {
    grpc_core::Crash("Not supported on insecure server credentials");
  }
 };
 }  // namespace
--- a/src/cpp/server/insecure_server_credentials.cc
+++ b/src/cpp/server/insecure_server_credentials.cc
@ -17,7 +17,6 @@
 //
 #include <memory>
 #include <string>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
@ -29,27 +28,13 @@ namespace grpc {
 namespace {
 class InsecureServerCredentialsImpl final : public ServerCredentials {
 public:
-  int AddPortToServer(const std::string& addr, grpc_server* server) override {
+  InsecureServerCredentialsImpl()
-    grpc_server_credentials* server_creds =
+      : ServerCredentials(grpc_insecure_server_credentials_create()) {}
        grpc_insecure_server_credentials_create();
    int result = grpc_server_add_http2_port(server, addr.c_str(), server_creds);
    grpc_server_credentials_release(server_creds);
    return result;
  }
  void SetAuthMetadataProcessor(
      const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) override {
    (void)processor;
    GPR_ASSERT(0);  // Should not be called on InsecureServerCredentials.
  }
 private:
  bool IsInsecure() const override { return true; }
 };
 }  // namespace
 std::shared_ptr<ServerCredentials> InsecureServerCredentials() {
-  return std::shared_ptr<ServerCredentials>(
+  return std::make_shared<InsecureServerCredentialsImpl>();
      new InsecureServerCredentialsImpl());
 }
 }  // namespace grpc
--- a/src/cpp/server/secure_server_credentials.cc
+++ b/src/cpp/server/secure_server_credentials.cc
@ -18,8 +18,6 @@
 #include "src/cpp/server/secure_server_credentials.h"
 #include <algorithm>
 #include <map>
 #include <memory>
 #include <utility>
 #include <vector>
@ -51,6 +49,7 @@ void AuthMetadataProcessorAsyncWrapper::Process(
    return;
  }
  if (w->processor_->IsBlocking()) {
    // TODO(hork): replace with EventEngine::Run
    w->thread_pool_->Add([w, context, md, num_md, cb, user_data] {
      w->AuthMetadataProcessorAsyncWrapper::InvokeProcessor(context, md, num_md,
                                                            cb, user_data);
@ -97,17 +96,15 @@ void AuthMetadataProcessorAsyncWrapper::InvokeProcessor(
     status.error_message().c_str());
 }
-int SecureServerCredentials::AddPortToServer(const std::string& addr,
+SecureServerCredentials::SecureServerCredentials(grpc_server_credentials* creds)
-                                             grpc_server* server) {
+    : ServerCredentials(creds) {}
  return grpc_server_add_http2_port(server, addr.c_str(), creds_);
 }
 void SecureServerCredentials::SetAuthMetadataProcessor(
    const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) {
  auto* wrapper = new grpc::AuthMetadataProcessorAsyncWrapper(processor);
  grpc_server_credentials_set_auth_metadata_processor(
-      creds_, {grpc::AuthMetadataProcessorAsyncWrapper::Process,
+      c_creds(), {grpc::AuthMetadataProcessorAsyncWrapper::Process,
-               grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper});
+                  grpc::AuthMetadataProcessorAsyncWrapper::Destroy, wrapper});
 }
 std::shared_ptr<ServerCredentials> SslServerCredentials(
--- a/src/cpp/server/secure_server_credentials.h
+++ b/src/cpp/server/secure_server_credentials.h
@ -19,10 +19,7 @@
 #ifndef GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H
 #define GRPC_SRC_CPP_SERVER_SECURE_SERVER_CREDENTIALS_H
 #include <stddef.h>
 #include <memory>
 #include <string>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
@ -32,9 +29,6 @@
 #include "src/cpp/server/thread_pool_interface.h"
 namespace grpc {
 class SecureServerCredentials;
 class AuthMetadataProcessorAsyncWrapper final {
 public:
  static void Destroy(void* wrapper);
@ -59,25 +53,18 @@ class AuthMetadataProcessorAsyncWrapper final {
  std::shared_ptr<AuthMetadataProcessor> processor_;
 };
 // TODO(hork): Remove this class once we either (a) allow AuthMetadataProcessor
 // to be used with any creds type as requested in #21589 or (b) find a way to
 // remove AuthMetadataProcessor in favor of some new server-side interception
 // API.
 class SecureServerCredentials final : public ServerCredentials {
 public:
-  explicit SecureServerCredentials(grpc_server_credentials* creds)
+  explicit SecureServerCredentials(grpc_server_credentials* creds);
      : creds_(creds) {}
  ~SecureServerCredentials() override {
    grpc_server_credentials_release(creds_);
  }
  int AddPortToServer(const std::string& addr, grpc_server* server) override;
  void SetAuthMetadataProcessor(
      const std::shared_ptr<grpc::AuthMetadataProcessor>& processor) override;
  grpc_server_credentials* c_creds() { return creds_; }
 private:
  SecureServerCredentials* AsSecureServerCredentials() override { return this; }
  grpc_server_credentials* creds_;
  std::unique_ptr<grpc::AuthMetadataProcessorAsyncWrapper> processor_;
 };
--- a/src/cpp/server/server_credentials.cc
+++ b/src/cpp/server/server_credentials.cc
@ -0,0 +1,39 @@
 // Copyright 2024 The gRPC Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include <grpc/support/port_platform.h>
 #include <grpcpp/security/server_credentials.h>
 #include "src/core/lib/gprpp/crash.h"
 namespace grpc {
 ServerCredentials::ServerCredentials(grpc_server_credentials* creds)
    : c_creds_(creds) {}
 ServerCredentials::~ServerCredentials() {
  grpc_server_credentials_release(c_creds_);
 }
 void ServerCredentials::SetAuthMetadataProcessor(
    const std::shared_ptr<grpc::AuthMetadataProcessor>& /* processor */) {
  grpc_core::Crash("Not Supported");
 }
 int ServerCredentials::AddPortToServer(const std::string& addr,
                                       grpc_server* server) {
  return grpc_server_add_http2_port(server, addr.c_str(), c_creds_);
 }
 }  // namespace grpc
--- a/src/cpp/server/xds_server_credentials.cc
+++ b/src/cpp/server/xds_server_credentials.cc
@ -23,24 +23,14 @@
 #include <grpc/support/log.h>
 #include <grpcpp/security/server_credentials.h>
 #include "src/cpp/server/secure_server_credentials.h"
 namespace grpc {
 std::shared_ptr<ServerCredentials> XdsServerCredentials(
    const std::shared_ptr<ServerCredentials>& fallback_credentials) {
  GPR_ASSERT(fallback_credentials != nullptr);
-  if (fallback_credentials->IsInsecure()) {
+  GPR_ASSERT(fallback_credentials->c_creds_ != nullptr);
-    grpc_server_credentials* insecure_creds =
+  return std::shared_ptr<ServerCredentials>(new ServerCredentials(
-        grpc_insecure_server_credentials_create();
+      grpc_xds_server_credentials_create(fallback_credentials->c_creds_)));
    auto xds_creds = std::make_shared<SecureServerCredentials>(
        grpc_xds_server_credentials_create(insecure_creds));
    grpc_server_credentials_release(insecure_creds);
    return xds_creds;
  }
  return std::make_shared<SecureServerCredentials>(
      grpc_xds_server_credentials_create(
          fallback_credentials->AsSecureServerCredentials()->c_creds()));
 }
 namespace experimental {
--- a/test/core/transport/binder/end2end/binder_server_test.cc
+++ b/test/core/transport/binder/end2end/binder_server_test.cc
@ -38,6 +38,8 @@ namespace {
 class BinderServerCredentialsImpl final : public ServerCredentials {
 public:
  BinderServerCredentialsImpl() : ServerCredentials(nullptr) {}
  int AddPortToServer(const std::string& addr, grpc_server* server) override {
    return grpc_core::AddBinderPort(
        addr, server,
@ -49,14 +51,6 @@ class BinderServerCredentialsImpl final : public ServerCredentials {
        std::make_shared<
            grpc::experimental::binder::UntrustedSecurityPolicy>());
  }
  void SetAuthMetadataProcessor(
      const std::shared_ptr<AuthMetadataProcessor>& /*processor*/) override {
    grpc_core::Crash("unreachable");
  }
 private:
  bool IsInsecure() const override { return true; }
 };
 }  // namespace
--- a/test/cpp/end2end/client_lb_end2end_test.cc
+++ b/test/cpp/end2end/client_lb_end2end_test.cc
@ -70,7 +70,6 @@
 #include "src/core/resolver/fake/fake_resolver.h"
 #include "src/core/service_config/service_config.h"
 #include "src/core/service_config/service_config_impl.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/server/secure_server_credentials.h"
 #include "src/proto/grpc/health/v1/health.grpc.pb.h"
 #include "src/proto/grpc/testing/echo.grpc.pb.h"
@ -81,6 +80,7 @@
 #include "test/core/util/test_lb_policies.h"
 #include "test/cpp/end2end/connection_attempt_injector.h"
 #include "test/cpp/end2end/test_service_impl.h"
 #include "test/cpp/util/credentials.h"
 namespace grpc {
 namespace testing {
@ -262,8 +262,7 @@ class ClientLbEnd2endTest : public ::testing::Test {
 protected:
  ClientLbEnd2endTest()
      : server_host_("localhost"),
-        creds_(new SecureChannelCredentials(
+        creds_(std::make_shared<FakeTransportSecurityChannelCredentials>()) {}
            grpc_fake_transport_security_credentials_create())) {}
  void SetUp() override { grpc_init(); }
--- a/test/cpp/end2end/end2end_test.cc
+++ b/test/cpp/end2end/end2end_test.cc
@ -84,52 +84,53 @@ const char kTestCredsPluginErrorMsg[] = "Could not find plugin metadata.";
 const char kFakeToken[] = "fake_token";
 const char kFakeSelector[] = "fake_selector";
 const char kExpectedFakeCredsDebugString[] =
-    "SecureCallCredentials{GoogleIAMCredentials{Token:present,"
+    "CallCredentials{GoogleIAMCredentials{Token:present,"
    "AuthoritySelector:fake_selector}}";
 const char kWrongToken[] = "wrong_token";
 const char kWrongSelector[] = "wrong_selector";
 const char kExpectedWrongCredsDebugString[] =
-    "SecureCallCredentials{GoogleIAMCredentials{Token:present,"
+    "CallCredentials{GoogleIAMCredentials{Token:present,"
    "AuthoritySelector:wrong_selector}}";
 const char kFakeToken1[] = "fake_token1";
 const char kFakeSelector1[] = "fake_selector1";
 const char kExpectedFakeCreds1DebugString[] =
-    "SecureCallCredentials{GoogleIAMCredentials{Token:present,"
+    "CallCredentials{GoogleIAMCredentials{Token:present,"
    "AuthoritySelector:fake_selector1}}";
 const char kFakeToken2[] = "fake_token2";
 const char kFakeSelector2[] = "fake_selector2";
 const char kExpectedFakeCreds2DebugString[] =
-    "SecureCallCredentials{GoogleIAMCredentials{Token:present,"
+    "CallCredentials{GoogleIAMCredentials{Token:present,"
    "AuthoritySelector:fake_selector2}}";
 const char kExpectedAuthMetadataPluginKeyFailureCredsDebugString[] =
-    "SecureCallCredentials{TestMetadataCredentials{key:TestPluginMetadata,"
+    "CallCredentials{TestMetadataCredentials{key:TestPluginMetadata,"
    "value:Does not matter, will fail the key is invalid.}}";
 const char kExpectedAuthMetadataPluginValueFailureCredsDebugString[] =
-    "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
+    "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
    "value:With illegal \n value.}}";
 const char kExpectedAuthMetadataPluginWithDeadlineCredsDebugString[] =
-    "SecureCallCredentials{TestMetadataCredentials{key:meta_key,value:Does not "
+    "CallCredentials{TestMetadataCredentials{key:meta_key,value:Does "
    "not "
    "matter}}";
 const char kExpectedNonBlockingAuthMetadataPluginFailureCredsDebugString[] =
-    "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
+    "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
    "value:Does not matter, will fail anyway (see 3rd param)}}";
 const char
    kExpectedNonBlockingAuthMetadataPluginAndProcessorSuccessCredsDebugString
-        [] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-"
+        [] = "CallCredentials{TestMetadataCredentials{key:test-plugin-"
             "metadata,value:Dr Jekyll}}";
 const char
    kExpectedNonBlockingAuthMetadataPluginAndProcessorFailureCredsDebugString
-        [] = "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-"
+        [] = "CallCredentials{TestMetadataCredentials{key:test-plugin-"
             "metadata,value:Mr Hyde}}";
 const char kExpectedBlockingAuthMetadataPluginFailureCredsDebugString[] =
-    "SecureCallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
+    "CallCredentials{TestMetadataCredentials{key:test-plugin-metadata,"
    "value:Does not matter, will fail anyway (see 3rd param)}}";
 const char kExpectedCompositeCallCredsDebugString[] =
-    "SecureCallCredentials{CompositeCallCredentials{TestMetadataCredentials{"
+    "CallCredentials{CompositeCallCredentials{TestMetadataCredentials{"
    "key:call-creds-key1,value:call-creds-val1},TestMetadataCredentials{key:"
    "call-creds-key2,value:call-creds-val2}}}";
--- a/test/cpp/end2end/grpclb_end2end_test.cc
+++ b/test/cpp/end2end/grpclb_end2end_test.cc
@ -58,7 +58,6 @@
 #include "src/core/resolver/endpoint_addresses.h"
 #include "src/core/resolver/fake/fake_resolver.h"
 #include "src/core/service_config/service_config_impl.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/server/secure_server_credentials.h"
 #include "src/proto/grpc/lb/v1/load_balancer.grpc.pb.h"
 #include "src/proto/grpc/testing/echo.grpc.pb.h"
@ -67,6 +66,7 @@
 #include "test/core/util/test_config.h"
 #include "test/cpp/end2end/counted_service.h"
 #include "test/cpp/end2end/test_service_impl.h"
 #include "test/cpp/util/credentials.h"
 #include "test/cpp/util/test_config.h"
 // TODO(dgq): Other scenarios in need of testing:
@ -605,9 +605,8 @@ class GrpclbEnd2endTest : public ::testing::Test {
        grpc_fake_transport_security_credentials_create();
    grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create(
        kCallCredsMdKey, kCallCredsMdValue);
-    std::shared_ptr<ChannelCredentials> creds(
+    auto creds = std::make_shared<TestCompositeChannelCredentials>(
-        new SecureChannelCredentials(grpc_composite_channel_credentials_create(
+        channel_creds, call_creds);
            channel_creds, call_creds, nullptr)));
    call_creds->Unref();
    channel_creds->Unref();
    channel_ = grpc::CreateCustomChannel(
--- a/test/cpp/end2end/resource_quota_end2end_stress_test.cc
+++ b/test/cpp/end2end/resource_quota_end2end_stress_test.cc
@ -34,11 +34,11 @@
 #include "src/core/lib/experiments/config.h"
 #include "src/core/lib/gprpp/notification.h"
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/server/secure_server_credentials.h"
 #include "src/proto/grpc/testing/echo.grpc.pb.h"
 #include "test/core/util/port.h"
 #include "test/core/util/test_config.h"
 #include "test/cpp/util/credentials.h"
 // IWYU pragma: no_include <sys/socket.h>
@ -186,9 +186,7 @@ class End2EndConnectionQuotaTest : public ::testing::TestWithParam<int> {
    return EchoTestService::NewStub(CreateCustomChannel(
        connect_address_,
-        std::make_shared<SecureChannelCredentials>(
+        std::make_shared<FakeTransportSecurityChannelCredentials>(), args));
            grpc_fake_transport_security_credentials_create()),
        args));
  }
  void TestExceedingConnectionQuota() {
--- a/test/cpp/end2end/rls_end2end_test.cc
+++ b/test/cpp/end2end/rls_end2end_test.cc
@ -52,7 +52,6 @@
 #include "src/core/load_balancing/rls/rls.h"
 #include "src/core/resolver/fake/fake_resolver.h"
 #include "src/core/service_config/service_config_impl.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/server/secure_server_credentials.h"
 #include "src/proto/grpc/lookup/v1/rls.grpc.pb.h"
 #include "src/proto/grpc/lookup/v1/rls.pb.h"
@ -65,6 +64,7 @@
 #include "test/cpp/end2end/counted_service.h"
 #include "test/cpp/end2end/rls_server.h"
 #include "test/cpp/end2end/test_service_impl.h"
 #include "test/cpp/util/credentials.h"
 #include "test/cpp/util/test_config.h"
 using ::grpc::lookup::v1::RouteLookupRequest;
@ -198,13 +198,12 @@ class RlsEnd2endTest : public ::testing::Test {
        grpc_fake_transport_security_credentials_create();
    grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create(
        kCallCredsMdKey, kCallCredsMdValue);
-    auto creds = std::make_shared<SecureChannelCredentials>(
+    auto creds = std::make_shared<TestCompositeChannelCredentials>(
-        grpc_composite_channel_credentials_create(channel_creds, call_creds,
+        channel_creds, call_creds);
                                                  nullptr));
    call_creds->Unref();
    channel_creds->Unref();
    target_uri_ = absl::StrCat("fake:///", kServerName);
-    channel_ = grpc::CreateCustomChannel(target_uri_, std::move(creds), args);
+    channel_ = grpc::CreateCustomChannel(target_uri_, creds, args);
    stub_ = grpc::testing::EchoTestService::NewStub(channel_);
  }
--- a/test/cpp/end2end/service_config_end2end_test.cc
+++ b/test/cpp/end2end/service_config_end2end_test.cc
@ -59,13 +59,13 @@
 #include "src/core/resolver/endpoint_addresses.h"
 #include "src/core/resolver/fake/fake_resolver.h"
 #include "src/core/service_config/service_config_impl.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/cpp/server/secure_server_credentials.h"
 #include "src/proto/grpc/testing/echo.grpc.pb.h"
 #include "test/core/util/port.h"
 #include "test/core/util/resolve_localhost_ip46.h"
 #include "test/core/util/test_config.h"
 #include "test/cpp/end2end/test_service_impl.h"
 #include "test/cpp/util/credentials.h"
 namespace grpc {
 namespace testing {
@ -119,8 +119,7 @@ class ServiceConfigEnd2endTest : public ::testing::Test {
  ServiceConfigEnd2endTest()
      : server_host_("localhost"),
        kRequestMessage_("Live long and prosper."),
-        creds_(new SecureChannelCredentials(
+        creds_(std::make_shared<FakeTransportSecurityChannelCredentials>()) {}
            grpc_fake_transport_security_credentials_create())) {}
  static void SetUpTestSuite() {
    // Make the backup poller poll very frequently in order to pick up
--- a/test/cpp/end2end/xds/xds_csds_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_csds_end2end_test.cc
@ -29,7 +29,6 @@
 #include "src/core/client_channel/backup_poller.h"
 #include "src/core/lib/config/config_vars.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/proto/grpc/testing/xds/v3/cluster.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/endpoint.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/http_connection_manager.grpc.pb.h"
@ -38,6 +37,7 @@
 #include "test/core/util/resolve_localhost_ip46.h"
 #include "test/core/util/test_config.h"
 #include "test/cpp/end2end/xds/xds_end2end_test_lib.h"
 #include "test/cpp/util/credentials.h"
 #ifndef DISABLED_XDS_PROTO_IN_CC
@ -246,8 +246,7 @@ class ClientStatusDiscoveryServiceTest : public XdsEnd2endTest {
        grpc_core::LocalIpAndPort(admin_server_thread_->port());
    admin_channel_ = grpc::CreateChannel(
        admin_server_address,
-        std::make_shared<SecureChannelCredentials>(
+        std::make_shared<FakeTransportSecurityChannelCredentials>());
            grpc_fake_transport_security_credentials_create()));
    csds_stub_ =
        envoy::service::status::v3::ClientStatusDiscoveryService::NewStub(
            admin_channel_);
--- a/test/cpp/end2end/xds/xds_end2end_test_lib.cc
+++ b/test/cpp/end2end/xds/xds_end2end_test_lib.cc
@ -30,7 +30,6 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
 #include "absl/strings/str_replace.h"
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
@ -42,10 +41,10 @@
 #include "src/core/lib/gpr/tmpfile.h"
 #include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/surface/server.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h"
 #include "test/core/util/resolve_localhost_ip46.h"
 #include "test/core/util/tls_utils.h"
 #include "test/cpp/util/credentials.h"
 #include "test/cpp/util/tls_test_utils.h"
 namespace grpc {
@ -572,8 +571,7 @@ std::shared_ptr<Channel> XdsEnd2endTest::CreateChannel(
  std::shared_ptr<ChannelCredentials> channel_creds =
      GetParam().use_xds_credentials()
          ? XdsCredentials(CreateTlsFallbackCredentials())
-          : std::make_shared<SecureChannelCredentials>(
+          : std::make_shared<FakeTransportSecurityChannelCredentials>();
                grpc_fake_transport_security_credentials_create());
  return grpc::CreateCustomChannel(uri, channel_creds, *args);
 }
--- a/test/cpp/interop/client_helper.cc
+++ b/test/cpp/interop/client_helper.cc
@ -34,8 +34,6 @@
 #include <grpcpp/create_channel.h>
 #include <grpcpp/security/credentials.h>
 #include "src/core/lib/gprpp/crash.h"
 #include "src/cpp/client/secure_credentials.h"
 #include "test/core/security/oauth2_utils.h"
 #include "test/cpp/util/create_test_channel.h"
 #include "test/cpp/util/test_credentials_provider.h"
@ -68,11 +66,7 @@ std::string GetServiceAccountJsonKey() {
 std::string GetOauth2AccessToken() {
  std::shared_ptr<CallCredentials> creds = GoogleComputeEngineCredentials();
-  SecureCallCredentials* secure_creds =
+  char* token = grpc_test_fetch_oauth2_token_with_credentials(creds->c_creds_);
      dynamic_cast<SecureCallCredentials*>(creds.get());
  GPR_ASSERT(secure_creds != nullptr);
  grpc_call_credentials* c_creds = secure_creds->GetRawCreds();
  char* token = grpc_test_fetch_oauth2_token_with_credentials(c_creds);
  GPR_ASSERT(token != nullptr);
  gpr_log(GPR_INFO, "Get raw oauth2 access token: %s", token);
  std::string access_token(token + sizeof("Bearer ") - 1);
--- a/test/cpp/microbenchmarks/BUILD
+++ b/test/cpp/microbenchmarks/BUILD
@ -306,7 +306,7 @@ grpc_cc_library(
    hdrs = [
        "fullstack_unary_ping_pong.h",
    ],
-    deps = [":helpers"],
+    deps = [":helpers_secure"],
 )
 grpc_cc_test(
@ -395,7 +395,7 @@ grpc_cc_library(
    deps = [
        ":helpers",
        "//src/proto/grpc/testing:echo_proto",
-        "//test/cpp/util:test_util_unsecure",
+        "//test/cpp/util:test_util",
    ],
 )
--- a/test/cpp/util/BUILD
+++ b/test/cpp/util/BUILD
@ -60,6 +60,7 @@ GRPCXX_TESTUTIL_SRCS = [
 GRPCXX_TESTUTIL_HDRS = [
    "byte_buffer_proto_helper.h",
    "credentials.h",
    "string_ref_helper.h",
    "subprocess.h",
 ]
--- a/test/cpp/util/credentials.h
+++ b/test/cpp/util/credentials.h
@ -0,0 +1,41 @@
 // Copyright 2024 The gRPC Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #ifndef GRPC_TEST_CPP_UTIL_CREDENTIALS_H
 #define GRPC_TEST_CPP_UTIL_CREDENTIALS_H
 #include <grpcpp/security/credentials.h>
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 namespace grpc {
 namespace testing {
 class FakeTransportSecurityChannelCredentials : public ChannelCredentials {
 public:
  FakeTransportSecurityChannelCredentials()
      : ChannelCredentials(grpc_fake_transport_security_credentials_create()) {}
 };
 class TestCompositeChannelCredentials : public ChannelCredentials {
 public:
  TestCompositeChannelCredentials(grpc_channel_credentials* channel_creds,
                                  grpc_call_credentials* call_creds)
      : ChannelCredentials(grpc_composite_channel_credentials_create(
            channel_creds, call_creds, nullptr)) {}
 };
 }  // namespace testing
 }  // namespace grpc
 #endif  // GRPC_TEST_CPP_UTIL_CREDENTIALS_H
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@ -3012,7 +3012,9 @@ src/core/tsi/transport_security_grpc.cc \
 src/core/tsi/transport_security_grpc.h \
 src/core/tsi/transport_security_interface.h \
 src/cpp/README.md \
 src/cpp/client/call_credentials.cc \
 src/cpp/client/channel_cc.cc \
 src/cpp/client/channel_credentials.cc \
 src/cpp/client/client_callback.cc \
 src/cpp/client/client_context.cc \
 src/cpp/client/client_interceptor.cc \
@ -3034,7 +3036,6 @@ src/cpp/common/resource_quota_cc.cc \
 src/cpp/common/rpc_method.cc \
 src/cpp/common/secure_auth_context.cc \
 src/cpp/common/secure_auth_context.h \
 src/cpp/common/secure_channel_arguments.cc \
 src/cpp/common/secure_create_auth_context.cc \
 src/cpp/common/tls_certificate_provider.cc \
 src/cpp/common/tls_certificate_verifier.cc \
@ -3060,6 +3061,7 @@ src/cpp/server/server_builder.cc \
 src/cpp/server/server_callback.cc \
 src/cpp/server/server_cc.cc \
 src/cpp/server/server_context.cc \
 src/cpp/server/server_credentials.cc \
 src/cpp/server/server_posix.cc \
 src/cpp/server/thread_pool_interface.h \
 src/cpp/server/xds_server_builder.cc \