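//
//
// Copyright 2023 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//

#ifndef GRPC_GRPC_CRL_PROVIDER_H
#define GRPC_GRPC_CRL_PROVIDER_H

// <chrono> and <functional> are needed for std::chrono::seconds and
// std::function used by CreateDirectoryReloaderCrlProvider below; they were
// previously reached only through transitive includes.
#include <chrono>
#include <functional>
#include <memory>
#include <string>

#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
// absl::Span is used by CreateStaticCrlProvider; include it directly.
#include "absl/types/span.h"

#include <grpc/grpc_security.h>
#include <grpc/support/port_platform.h>

namespace grpc_core {
namespace experimental {

// Opaque representation of a CRL. Must be thread safe.
class Crl {
 public:
  // Parses one CRL from its textual representation. On failure the returned
  // StatusOr carries an error status instead of a Crl, so callers must check
  // it before dereferencing the result.
  // NOTE(review): the accepted encoding (presumably PEM) is decided by the
  // implementation, not by this header — confirm before relying on it.
  static absl::StatusOr<std::unique_ptr<Crl>> Parse(
      absl::string_view crl_string);
  virtual ~Crl() = default;
  // Issuer name of this CRL. The returned view is presumably backed by storage
  // owned by the Crl and valid for its lifetime — confirm against the
  // implementation before storing it.
  virtual absl::string_view Issuer() = 0;
};

// Information about a certificate to be used to fetch its associated CRL. Must
// be thread safe.
class CertificateInfo {
 public:
  virtual ~CertificateInfo() = default;
  // Issuer name of the certificate. Read-only.
  virtual absl::string_view Issuer() const = 0;
  // Authority Key Identifier of the certificate. Read-only.
  virtual absl::string_view AuthorityKeyIdentifier() const = 0;
};

// The base class for CRL Provider implementations.
// CrlProviders can be passed in as a way to supply CRLs during handshakes.
// CrlProviders must be thread safe. They are on the critical path of gRPC
// creating a connection and doing a handshake, so the implementation of
// `GetCrl` should be very fast. It is suggested to have an in-memory map of
// CRLs for quick lookup and return, and doing expensive updates to this map
// asynchronously.
class CrlProvider {
 public:
  virtual ~CrlProvider() = default;
  // Get the CRL associated with a certificate. Read-only.
  // The result is a shared_ptr and may be null; a null result presumably
  // means the provider has no CRL for this certificate. How the handshake
  // treats a missing CRL is decided by the caller, not by this interface.
  // This is called on the handshake path, so it should not block (see the
  // class comment).
  virtual std::shared_ptr<Crl> GetCrl(
      const CertificateInfo& certificate_info) = 0;
};

// Creates a CRL Provider backed by the fixed set of CRLs given in `crls`.
// Presumably each element is parsed with Crl::Parse and a parse failure is
// reported through the returned status — confirm against the implementation.
// As the name suggests, the set is fixed at creation time: revocations
// published afterwards are not seen until a new provider is created.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
    absl::Span<const std::string> crls);

// Creates a CRL Provider that periodically and asynchronously reloads a
// directory. The refresh_duration minimum is 60 seconds. The
// reload_error_callback provides a way for the user to specifically log or
// otherwise notify of errors during reloading. Since reloading is asynchronous
// and not on the main codepath, the grpc process will continue to run through
// reloading errors, so this mechanism is an important way to provide signals to
// your monitoring and alerting setup.
//
// `directory` is the directory scanned for CRL files on each refresh.
// NOTE(review): how a refresh_duration below the 60 second minimum is handled
// (clamped, or rejected via the returned status) is not visible here —
// confirm against the implementation.
// The callback is invoked from the asynchronous reloading work, so it should
// return quickly and must be safe to run concurrently with the rest of the
// program; confirm the exact threading against the implementation. Because
// the process keeps running through reload errors, the previously loaded CRLs
// presumably remain in use until a reload succeeds; wire this callback into
// monitoring so a stale CRL set is noticed.
absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
    absl::string_view directory, std::chrono::seconds refresh_duration,
    std::function<void(absl::Status)> reload_error_callback);

}  // namespace experimental
}  // namespace grpc_core

// TODO(gtcooke94) - Mark with api macro when all wrapped languages support C++
// in core APIs
/**
 * EXPERIMENTAL API - Subject to change
 *
 * Sets the crl provider in the options.
 *
 * The provider is taken as a shared_ptr by value, so ownership is shared with
 * the options; the provider must remain thread safe for as long as it is
 * reachable from any credentials built from these options.
 */
void grpc_tls_credentials_options_set_crl_provider(
    grpc_tls_credentials_options* options,
    std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
#endif /* GRPC_GRPC_CRL_PROVIDER_H */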