1*cc02d7e2SAndroid Build Coastguard Worker /* 2*cc02d7e2SAndroid Build Coastguard Worker * 3*cc02d7e2SAndroid Build Coastguard Worker * Copyright 2015 gRPC authors. 4*cc02d7e2SAndroid Build Coastguard Worker * 5*cc02d7e2SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); 6*cc02d7e2SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License. 7*cc02d7e2SAndroid Build Coastguard Worker * You may obtain a copy of the License at 8*cc02d7e2SAndroid Build Coastguard Worker * 9*cc02d7e2SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0 10*cc02d7e2SAndroid Build Coastguard Worker * 11*cc02d7e2SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software 12*cc02d7e2SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, 13*cc02d7e2SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14*cc02d7e2SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and 15*cc02d7e2SAndroid Build Coastguard Worker * limitations under the License. 16*cc02d7e2SAndroid Build Coastguard Worker * 17*cc02d7e2SAndroid Build Coastguard Worker */ 18*cc02d7e2SAndroid Build Coastguard Worker 19*cc02d7e2SAndroid Build Coastguard Worker #ifndef GRPC_GRPC_SECURITY_H 20*cc02d7e2SAndroid Build Coastguard Worker #define GRPC_GRPC_SECURITY_H 21*cc02d7e2SAndroid Build Coastguard Worker 22*cc02d7e2SAndroid Build Coastguard Worker #include <stdbool.h> 23*cc02d7e2SAndroid Build Coastguard Worker 24*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/grpc.h> 25*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/grpc_security_constants.h> 26*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/status.h> 27*cc02d7e2SAndroid Build Coastguard Worker #include <grpc/support/port_platform.h> 28*cc02d7e2SAndroid Build Coastguard Worker 29*cc02d7e2SAndroid Build Coastguard Worker #ifdef __cplusplus 30*cc02d7e2SAndroid Build Coastguard Worker extern "C" { 31*cc02d7e2SAndroid Build Coastguard Worker #endif 32*cc02d7e2SAndroid Build Coastguard Worker 33*cc02d7e2SAndroid Build Coastguard Worker /** --- Authentication Context. --- */ 34*cc02d7e2SAndroid Build Coastguard Worker 35*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_auth_context grpc_auth_context; 36*cc02d7e2SAndroid Build Coastguard Worker 37*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_auth_property_iterator { 38*cc02d7e2SAndroid Build Coastguard Worker const grpc_auth_context* ctx; 39*cc02d7e2SAndroid Build Coastguard Worker size_t index; 40*cc02d7e2SAndroid Build Coastguard Worker const char* name; 41*cc02d7e2SAndroid Build Coastguard Worker } grpc_auth_property_iterator; 42*cc02d7e2SAndroid Build Coastguard Worker 43*cc02d7e2SAndroid Build Coastguard Worker /** value, if not NULL, is guaranteed to be NULL terminated. */ 44*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_auth_property { 45*cc02d7e2SAndroid Build Coastguard Worker char* name; 46*cc02d7e2SAndroid Build Coastguard Worker char* value; 47*cc02d7e2SAndroid Build Coastguard Worker size_t value_length; 48*cc02d7e2SAndroid Build Coastguard Worker } grpc_auth_property; 49*cc02d7e2SAndroid Build Coastguard Worker 50*cc02d7e2SAndroid Build Coastguard Worker /** Returns NULL when the iterator is at the end. */ 51*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI const grpc_auth_property* grpc_auth_property_iterator_next( 52*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_property_iterator* it); 53*cc02d7e2SAndroid Build Coastguard Worker 54*cc02d7e2SAndroid Build Coastguard Worker /** Iterates over the auth context. */ 55*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_auth_property_iterator 56*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_context_property_iterator(const grpc_auth_context* ctx); 57*cc02d7e2SAndroid Build Coastguard Worker 58*cc02d7e2SAndroid Build Coastguard Worker /** Gets the peer identity. Returns an empty iterator (first _next will return 59*cc02d7e2SAndroid Build Coastguard Worker NULL) if the peer is not authenticated. */ 60*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_auth_property_iterator 61*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_context_peer_identity(const grpc_auth_context* ctx); 62*cc02d7e2SAndroid Build Coastguard Worker 63*cc02d7e2SAndroid Build Coastguard Worker /** Finds a property in the context. May return an empty iterator (first _next 64*cc02d7e2SAndroid Build Coastguard Worker will return NULL) if no property with this name was found in the context. */ 65*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_auth_property_iterator grpc_auth_context_find_properties_by_name( 66*cc02d7e2SAndroid Build Coastguard Worker const grpc_auth_context* ctx, const char* name); 67*cc02d7e2SAndroid Build Coastguard Worker 68*cc02d7e2SAndroid Build Coastguard Worker /** Gets the name of the property that indicates the peer identity. Will return 69*cc02d7e2SAndroid Build Coastguard Worker NULL if the peer is not authenticated. */ 70*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI const char* grpc_auth_context_peer_identity_property_name( 71*cc02d7e2SAndroid Build Coastguard Worker const grpc_auth_context* ctx); 72*cc02d7e2SAndroid Build Coastguard Worker 73*cc02d7e2SAndroid Build Coastguard Worker /** Returns 1 if the peer is authenticated, 0 otherwise. */ 74*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI int grpc_auth_context_peer_is_authenticated( 75*cc02d7e2SAndroid Build Coastguard Worker const grpc_auth_context* ctx); 76*cc02d7e2SAndroid Build Coastguard Worker 77*cc02d7e2SAndroid Build Coastguard Worker /** Gets the auth context from the call. Caller needs to call 78*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_context_release on the returned context. */ 79*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_auth_context* grpc_call_auth_context(grpc_call* call); 80*cc02d7e2SAndroid Build Coastguard Worker 81*cc02d7e2SAndroid Build Coastguard Worker /** Releases the auth context returned from grpc_call_auth_context. */ 82*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_auth_context_release(grpc_auth_context* context); 83*cc02d7e2SAndroid Build Coastguard Worker 84*cc02d7e2SAndroid Build Coastguard Worker /** -- 85*cc02d7e2SAndroid Build Coastguard Worker The following auth context methods should only be called by a server metadata 86*cc02d7e2SAndroid Build Coastguard Worker processor to set properties extracted from auth metadata. 87*cc02d7e2SAndroid Build Coastguard Worker -- */ 88*cc02d7e2SAndroid Build Coastguard Worker 89*cc02d7e2SAndroid Build Coastguard Worker /** Add a property. */ 90*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_auth_context_add_property(grpc_auth_context* ctx, 91*cc02d7e2SAndroid Build Coastguard Worker const char* name, const char* value, 92*cc02d7e2SAndroid Build Coastguard Worker size_t value_length); 93*cc02d7e2SAndroid Build Coastguard Worker 94*cc02d7e2SAndroid Build Coastguard Worker /** Add a C string property. */ 95*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_auth_context_add_cstring_property(grpc_auth_context* ctx, 96*cc02d7e2SAndroid Build Coastguard Worker const char* name, 97*cc02d7e2SAndroid Build Coastguard Worker const char* value); 98*cc02d7e2SAndroid Build Coastguard Worker 99*cc02d7e2SAndroid Build Coastguard Worker /** Sets the property name. Returns 1 if successful or 0 in case of failure 100*cc02d7e2SAndroid Build Coastguard Worker (which means that no property with this name exists). */ 101*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI int grpc_auth_context_set_peer_identity_property_name( 102*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_context* ctx, const char* name); 103*cc02d7e2SAndroid Build Coastguard Worker 104*cc02d7e2SAndroid Build Coastguard Worker /** --- SSL Session Cache. --- 105*cc02d7e2SAndroid Build Coastguard Worker 106*cc02d7e2SAndroid Build Coastguard Worker A SSL session cache object represents a way to cache client sessions 107*cc02d7e2SAndroid Build Coastguard Worker between connections. Only ticket-based resumption is supported. */ 108*cc02d7e2SAndroid Build Coastguard Worker 109*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_ssl_session_cache grpc_ssl_session_cache; 110*cc02d7e2SAndroid Build Coastguard Worker 111*cc02d7e2SAndroid Build Coastguard Worker /** Create LRU cache for client-side SSL sessions with the given capacity. 112*cc02d7e2SAndroid Build Coastguard Worker If capacity is < 1, a default capacity is used instead. */ 113*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru( 114*cc02d7e2SAndroid Build Coastguard Worker size_t capacity); 115*cc02d7e2SAndroid Build Coastguard Worker 116*cc02d7e2SAndroid Build Coastguard Worker /** Destroy SSL session cache. */ 117*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache); 118*cc02d7e2SAndroid Build Coastguard Worker 119*cc02d7e2SAndroid Build Coastguard Worker /** Create a channel arg with the given cache object. */ 120*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_arg 121*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache* cache); 122*cc02d7e2SAndroid Build Coastguard Worker 123*cc02d7e2SAndroid Build Coastguard Worker /** --- grpc_call_credentials object. 124*cc02d7e2SAndroid Build Coastguard Worker 125*cc02d7e2SAndroid Build Coastguard Worker A call credentials object represents a way to authenticate on a particular 126*cc02d7e2SAndroid Build Coastguard Worker call. These credentials can be composed with a channel credentials object 127*cc02d7e2SAndroid Build Coastguard Worker so that they are sent with every call on this channel. */ 128*cc02d7e2SAndroid Build Coastguard Worker 129*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_call_credentials grpc_call_credentials; 130*cc02d7e2SAndroid Build Coastguard Worker 131*cc02d7e2SAndroid Build Coastguard Worker /** Releases a call credentials object. 132*cc02d7e2SAndroid Build Coastguard Worker The creator of the credentials object is responsible for its release. */ 133*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_call_credentials_release(grpc_call_credentials* creds); 134*cc02d7e2SAndroid Build Coastguard Worker 135*cc02d7e2SAndroid Build Coastguard Worker /** Creates default credentials to connect to a google gRPC service. 136*cc02d7e2SAndroid Build Coastguard Worker WARNING: Do NOT use this credentials to connect to a non-google service as 137*cc02d7e2SAndroid Build Coastguard Worker this could result in an oauth2 token leak. The security level of the 138*cc02d7e2SAndroid Build Coastguard Worker resulting connection is GRPC_PRIVACY_AND_INTEGRITY. 139*cc02d7e2SAndroid Build Coastguard Worker 140*cc02d7e2SAndroid Build Coastguard Worker If specified, the supplied call credentials object will be attached to the 141*cc02d7e2SAndroid Build Coastguard Worker returned channel credentials object. The call_credentials object must remain 142*cc02d7e2SAndroid Build Coastguard Worker valid throughout the lifetime of the returned grpc_channel_credentials 143*cc02d7e2SAndroid Build Coastguard Worker object. It is expected that the call credentials object was generated 144*cc02d7e2SAndroid Build Coastguard Worker according to the Application Default Credentials mechanism and asserts the 145*cc02d7e2SAndroid Build Coastguard Worker identity of the default service account of the machine. Supplying any other 146*cc02d7e2SAndroid Build Coastguard Worker sort of call credential will result in undefined behavior, up to and 147*cc02d7e2SAndroid Build Coastguard Worker including the sudden and unexpected failure of RPCs. 148*cc02d7e2SAndroid Build Coastguard Worker 149*cc02d7e2SAndroid Build Coastguard Worker If nullptr is supplied, the returned channel credentials object will use a 150*cc02d7e2SAndroid Build Coastguard Worker call credentials object based on the Application Default Credentials 151*cc02d7e2SAndroid Build Coastguard Worker mechanism. 152*cc02d7e2SAndroid Build Coastguard Worker */ 153*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_google_default_credentials_create( 154*cc02d7e2SAndroid Build Coastguard Worker grpc_call_credentials* call_credentials); 155*cc02d7e2SAndroid Build Coastguard Worker 156*cc02d7e2SAndroid Build Coastguard Worker /** Callback for getting the SSL roots override from the application. 157*cc02d7e2SAndroid Build Coastguard Worker In case of success, *pem_roots_certs must be set to a NULL terminated string 158*cc02d7e2SAndroid Build Coastguard Worker containing the list of PEM encoded root certificates. The ownership is passed 159*cc02d7e2SAndroid Build Coastguard Worker to the core and freed (laster by the core) with gpr_free. 160*cc02d7e2SAndroid Build Coastguard Worker If this function fails and GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is 161*cc02d7e2SAndroid Build Coastguard Worker set to a valid path, it will override the roots specified this func */ 162*cc02d7e2SAndroid Build Coastguard Worker typedef grpc_ssl_roots_override_result (*grpc_ssl_roots_override_callback)( 163*cc02d7e2SAndroid Build Coastguard Worker char** pem_root_certs); 164*cc02d7e2SAndroid Build Coastguard Worker 165*cc02d7e2SAndroid Build Coastguard Worker /** Setup a callback to override the default TLS/SSL roots. 166*cc02d7e2SAndroid Build Coastguard Worker This function is not thread-safe and must be called at initialization time 167*cc02d7e2SAndroid Build Coastguard Worker before any ssl credentials are created to have the desired side effect. 168*cc02d7e2SAndroid Build Coastguard Worker If GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path, the 169*cc02d7e2SAndroid Build Coastguard Worker callback will not be called. */ 170*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_set_ssl_roots_override_callback( 171*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_roots_override_callback cb); 172*cc02d7e2SAndroid Build Coastguard Worker 173*cc02d7e2SAndroid Build Coastguard Worker /** Object that holds a private key / certificate chain pair in PEM format. */ 174*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 175*cc02d7e2SAndroid Build Coastguard Worker /** private_key is the NULL-terminated string containing the PEM encoding of 176*cc02d7e2SAndroid Build Coastguard Worker the client's private key. */ 177*cc02d7e2SAndroid Build Coastguard Worker const char* private_key; 178*cc02d7e2SAndroid Build Coastguard Worker 179*cc02d7e2SAndroid Build Coastguard Worker /** cert_chain is the NULL-terminated string containing the PEM encoding of 180*cc02d7e2SAndroid Build Coastguard Worker the client's certificate chain. */ 181*cc02d7e2SAndroid Build Coastguard Worker const char* cert_chain; 182*cc02d7e2SAndroid Build Coastguard Worker } grpc_ssl_pem_key_cert_pair; 183*cc02d7e2SAndroid Build Coastguard Worker 184*cc02d7e2SAndroid Build Coastguard Worker /** Deprecated in favor of grpc_ssl_verify_peer_options. It will be removed 185*cc02d7e2SAndroid Build Coastguard Worker after all of its call sites are migrated to grpc_ssl_verify_peer_options. 186*cc02d7e2SAndroid Build Coastguard Worker Object that holds additional peer-verification options on a secure 187*cc02d7e2SAndroid Build Coastguard Worker channel. */ 188*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 189*cc02d7e2SAndroid Build Coastguard Worker /** If non-NULL this callback will be invoked with the expected 190*cc02d7e2SAndroid Build Coastguard Worker target_name, the peer's certificate (in PEM format), and whatever 191*cc02d7e2SAndroid Build Coastguard Worker userdata pointer is set below. If a non-zero value is returned by this 192*cc02d7e2SAndroid Build Coastguard Worker callback then it is treated as a verification failure. Invocation of 193*cc02d7e2SAndroid Build Coastguard Worker the callback is blocking, so any implementation should be light-weight. 194*cc02d7e2SAndroid Build Coastguard Worker */ 195*cc02d7e2SAndroid Build Coastguard Worker int (*verify_peer_callback)(const char* target_name, const char* peer_pem, 196*cc02d7e2SAndroid Build Coastguard Worker void* userdata); 197*cc02d7e2SAndroid Build Coastguard Worker /** Arbitrary userdata that will be passed as the last argument to 198*cc02d7e2SAndroid Build Coastguard Worker verify_peer_callback. */ 199*cc02d7e2SAndroid Build Coastguard Worker void* verify_peer_callback_userdata; 200*cc02d7e2SAndroid Build Coastguard Worker /** A destruct callback that will be invoked when the channel is being 201*cc02d7e2SAndroid Build Coastguard Worker cleaned up. The userdata argument will be passed to it. The intent is 202*cc02d7e2SAndroid Build Coastguard Worker to perform any cleanup associated with that userdata. */ 203*cc02d7e2SAndroid Build Coastguard Worker void (*verify_peer_destruct)(void* userdata); 204*cc02d7e2SAndroid Build Coastguard Worker } verify_peer_options; 205*cc02d7e2SAndroid Build Coastguard Worker 206*cc02d7e2SAndroid Build Coastguard Worker /** Object that holds additional peer-verification options on a secure 207*cc02d7e2SAndroid Build Coastguard Worker channel. */ 208*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 209*cc02d7e2SAndroid Build Coastguard Worker /** If non-NULL this callback will be invoked with the expected 210*cc02d7e2SAndroid Build Coastguard Worker target_name, the peer's certificate (in PEM format), and whatever 211*cc02d7e2SAndroid Build Coastguard Worker userdata pointer is set below. If a non-zero value is returned by this 212*cc02d7e2SAndroid Build Coastguard Worker callback then it is treated as a verification failure. Invocation of 213*cc02d7e2SAndroid Build Coastguard Worker the callback is blocking, so any implementation should be light-weight. 214*cc02d7e2SAndroid Build Coastguard Worker */ 215*cc02d7e2SAndroid Build Coastguard Worker int (*verify_peer_callback)(const char* target_name, const char* peer_pem, 216*cc02d7e2SAndroid Build Coastguard Worker void* userdata); 217*cc02d7e2SAndroid Build Coastguard Worker /** Arbitrary userdata that will be passed as the last argument to 218*cc02d7e2SAndroid Build Coastguard Worker verify_peer_callback. */ 219*cc02d7e2SAndroid Build Coastguard Worker void* verify_peer_callback_userdata; 220*cc02d7e2SAndroid Build Coastguard Worker /** A destruct callback that will be invoked when the channel is being 221*cc02d7e2SAndroid Build Coastguard Worker cleaned up. The userdata argument will be passed to it. The intent is 222*cc02d7e2SAndroid Build Coastguard Worker to perform any cleanup associated with that userdata. */ 223*cc02d7e2SAndroid Build Coastguard Worker void (*verify_peer_destruct)(void* userdata); 224*cc02d7e2SAndroid Build Coastguard Worker } grpc_ssl_verify_peer_options; 225*cc02d7e2SAndroid Build Coastguard Worker 226*cc02d7e2SAndroid Build Coastguard Worker /** Deprecated in favor of grpc_ssl_server_credentials_create_ex. It will be 227*cc02d7e2SAndroid Build Coastguard Worker removed after all of its call sites are migrated to 228*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_create_ex. Creates an SSL credentials object. 229*cc02d7e2SAndroid Build Coastguard Worker The security level of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY. 230*cc02d7e2SAndroid Build Coastguard Worker - pem_root_certs is the NULL-terminated string containing the PEM encoding 231*cc02d7e2SAndroid Build Coastguard Worker of the server root certificates. If this parameter is NULL, the 232*cc02d7e2SAndroid Build Coastguard Worker implementation will first try to dereference the file pointed by the 233*cc02d7e2SAndroid Build Coastguard Worker GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails, 234*cc02d7e2SAndroid Build Coastguard Worker try to get the roots set by grpc_override_ssl_default_roots. Eventually, 235*cc02d7e2SAndroid Build Coastguard Worker if all these fail, it will try to get the roots from a well-known place on 236*cc02d7e2SAndroid Build Coastguard Worker disk (in the grpc install directory). 237*cc02d7e2SAndroid Build Coastguard Worker 238*cc02d7e2SAndroid Build Coastguard Worker gRPC has implemented root cache if the underlying OpenSSL library supports 239*cc02d7e2SAndroid Build Coastguard Worker it. The gRPC root certificates cache is only applicable on the default 240*cc02d7e2SAndroid Build Coastguard Worker root certificates, which is used when this parameter is nullptr. If user 241*cc02d7e2SAndroid Build Coastguard Worker provides their own pem_root_certs, when creating an SSL credential object, 242*cc02d7e2SAndroid Build Coastguard Worker gRPC would not be able to cache it, and each subchannel will generate a 243*cc02d7e2SAndroid Build Coastguard Worker copy of the root store. So it is recommended to avoid providing large room 244*cc02d7e2SAndroid Build Coastguard Worker pem with pem_root_certs parameter to avoid excessive memory consumption, 245*cc02d7e2SAndroid Build Coastguard Worker particularly on mobile platforms such as iOS. 246*cc02d7e2SAndroid Build Coastguard Worker - pem_key_cert_pair is a pointer on the object containing client's private 247*cc02d7e2SAndroid Build Coastguard Worker key and certificate chain. This parameter can be NULL if the client does 248*cc02d7e2SAndroid Build Coastguard Worker not have such a key/cert pair. 249*cc02d7e2SAndroid Build Coastguard Worker - verify_options is an optional verify_peer_options object which holds 250*cc02d7e2SAndroid Build Coastguard Worker additional options controlling how peer certificates are verified. For 251*cc02d7e2SAndroid Build Coastguard Worker example, you can supply a callback which receives the peer's certificate 252*cc02d7e2SAndroid Build Coastguard Worker with which you can do additional verification. Can be NULL, in which 253*cc02d7e2SAndroid Build Coastguard Worker case verification will retain default behavior. Any settings in 254*cc02d7e2SAndroid Build Coastguard Worker verify_options are copied during this call, so the verify_options 255*cc02d7e2SAndroid Build Coastguard Worker object can be released afterwards. */ 256*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_ssl_credentials_create( 257*cc02d7e2SAndroid Build Coastguard Worker const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, 258*cc02d7e2SAndroid Build Coastguard Worker const verify_peer_options* verify_options, void* reserved); 259*cc02d7e2SAndroid Build Coastguard Worker 260*cc02d7e2SAndroid Build Coastguard Worker /* Creates an SSL credentials object. 261*cc02d7e2SAndroid Build Coastguard Worker The security level of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY. 262*cc02d7e2SAndroid Build Coastguard Worker - pem_root_certs is the NULL-terminated string containing the PEM encoding 263*cc02d7e2SAndroid Build Coastguard Worker of the server root certificates. If this parameter is NULL, the 264*cc02d7e2SAndroid Build Coastguard Worker implementation will first try to dereference the file pointed by the 265*cc02d7e2SAndroid Build Coastguard Worker GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails, 266*cc02d7e2SAndroid Build Coastguard Worker try to get the roots set by grpc_override_ssl_default_roots. Eventually, 267*cc02d7e2SAndroid Build Coastguard Worker if all these fail, it will try to get the roots from a well-known place on 268*cc02d7e2SAndroid Build Coastguard Worker disk (in the grpc install directory). 269*cc02d7e2SAndroid Build Coastguard Worker 270*cc02d7e2SAndroid Build Coastguard Worker gRPC has implemented root cache if the underlying OpenSSL library supports 271*cc02d7e2SAndroid Build Coastguard Worker it. The gRPC root certificates cache is only applicable on the default 272*cc02d7e2SAndroid Build Coastguard Worker root certificates, which is used when this parameter is nullptr. If user 273*cc02d7e2SAndroid Build Coastguard Worker provides their own pem_root_certs, when creating an SSL credential object, 274*cc02d7e2SAndroid Build Coastguard Worker gRPC would not be able to cache it, and each subchannel will generate a 275*cc02d7e2SAndroid Build Coastguard Worker copy of the root store. So it is recommended to avoid providing large room 276*cc02d7e2SAndroid Build Coastguard Worker pem with pem_root_certs parameter to avoid excessive memory consumption, 277*cc02d7e2SAndroid Build Coastguard Worker particularly on mobile platforms such as iOS. 278*cc02d7e2SAndroid Build Coastguard Worker - pem_key_cert_pair is a pointer on the object containing client's private 279*cc02d7e2SAndroid Build Coastguard Worker key and certificate chain. This parameter can be NULL if the client does 280*cc02d7e2SAndroid Build Coastguard Worker not have such a key/cert pair. 281*cc02d7e2SAndroid Build Coastguard Worker - verify_options is an optional verify_peer_options object which holds 282*cc02d7e2SAndroid Build Coastguard Worker additional options controlling how peer certificates are verified. For 283*cc02d7e2SAndroid Build Coastguard Worker example, you can supply a callback which receives the peer's certificate 284*cc02d7e2SAndroid Build Coastguard Worker with which you can do additional verification. Can be NULL, in which 285*cc02d7e2SAndroid Build Coastguard Worker case verification will retain default behavior. Any settings in 286*cc02d7e2SAndroid Build Coastguard Worker verify_options are copied during this call, so the verify_options 287*cc02d7e2SAndroid Build Coastguard Worker object can be released afterwards. */ 288*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_ssl_credentials_create_ex( 289*cc02d7e2SAndroid Build Coastguard Worker const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, 290*cc02d7e2SAndroid Build Coastguard Worker const grpc_ssl_verify_peer_options* verify_options, void* reserved); 291*cc02d7e2SAndroid Build Coastguard Worker 292*cc02d7e2SAndroid Build Coastguard Worker /** Creates a composite channel credentials object. The security level of 293*cc02d7e2SAndroid Build Coastguard Worker * resulting connection is determined by channel_creds. */ 294*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_composite_channel_credentials_create( 295*cc02d7e2SAndroid Build Coastguard Worker grpc_channel_credentials* channel_creds, grpc_call_credentials* call_creds, 296*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 297*cc02d7e2SAndroid Build Coastguard Worker 298*cc02d7e2SAndroid Build Coastguard Worker /** --- composite credentials. */ 299*cc02d7e2SAndroid Build Coastguard Worker 300*cc02d7e2SAndroid Build Coastguard Worker /** Creates a composite call credentials object. */ 301*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_composite_call_credentials_create( 302*cc02d7e2SAndroid Build Coastguard Worker grpc_call_credentials* creds1, grpc_call_credentials* creds2, 303*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 304*cc02d7e2SAndroid Build Coastguard Worker 305*cc02d7e2SAndroid Build Coastguard Worker /** Creates a compute engine credentials object for connecting to Google. 306*cc02d7e2SAndroid Build Coastguard Worker WARNING: Do NOT use this credentials to connect to a non-google service as 307*cc02d7e2SAndroid Build Coastguard Worker this could result in an oauth2 token leak. */ 308*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_google_compute_engine_credentials_create( 309*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 310*cc02d7e2SAndroid Build Coastguard Worker 311*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI gpr_timespec grpc_max_auth_token_lifetime(void); 312*cc02d7e2SAndroid Build Coastguard Worker 313*cc02d7e2SAndroid Build Coastguard Worker /** Creates a JWT credentials object. May return NULL if the input is invalid. 314*cc02d7e2SAndroid Build Coastguard Worker - json_key is the JSON key string containing the client's private key. 315*cc02d7e2SAndroid Build Coastguard Worker - token_lifetime is the lifetime of each Json Web Token (JWT) created with 316*cc02d7e2SAndroid Build Coastguard Worker this credentials. It should not exceed grpc_max_auth_token_lifetime or 317*cc02d7e2SAndroid Build Coastguard Worker will be cropped to this value. */ 318*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* 319*cc02d7e2SAndroid Build Coastguard Worker grpc_service_account_jwt_access_credentials_create(const char* json_key, 320*cc02d7e2SAndroid Build Coastguard Worker gpr_timespec token_lifetime, 321*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 322*cc02d7e2SAndroid Build Coastguard Worker 323*cc02d7e2SAndroid Build Coastguard Worker /** Builds External Account credentials. 324*cc02d7e2SAndroid Build Coastguard Worker - json_string is the JSON string containing the credentials options. 325*cc02d7e2SAndroid Build Coastguard Worker - scopes_string contains the scopes to be binded with the credentials. 326*cc02d7e2SAndroid Build Coastguard Worker This API is used for experimental purposes for now and may change in the 327*cc02d7e2SAndroid Build Coastguard Worker future. */ 328*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_external_account_credentials_create( 329*cc02d7e2SAndroid Build Coastguard Worker const char* json_string, const char* scopes_string); 330*cc02d7e2SAndroid Build Coastguard Worker 331*cc02d7e2SAndroid Build Coastguard Worker /** Creates an Oauth2 Refresh Token credentials object for connecting to Google. 332*cc02d7e2SAndroid Build Coastguard Worker May return NULL if the input is invalid. 333*cc02d7e2SAndroid Build Coastguard Worker WARNING: Do NOT use this credentials to connect to a non-google service as 334*cc02d7e2SAndroid Build Coastguard Worker this could result in an oauth2 token leak. 335*cc02d7e2SAndroid Build Coastguard Worker - json_refresh_token is the JSON string containing the refresh token itself 336*cc02d7e2SAndroid Build Coastguard Worker along with a client_id and client_secret. */ 337*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_google_refresh_token_credentials_create( 338*cc02d7e2SAndroid Build Coastguard Worker const char* json_refresh_token, void* reserved); 339*cc02d7e2SAndroid Build Coastguard Worker 340*cc02d7e2SAndroid Build Coastguard Worker /** Creates an Oauth2 Access Token credentials with an access token that was 341*cc02d7e2SAndroid Build Coastguard Worker acquired by an out of band mechanism. */ 342*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_access_token_credentials_create( 343*cc02d7e2SAndroid Build Coastguard Worker const char* access_token, void* reserved); 344*cc02d7e2SAndroid Build Coastguard Worker 345*cc02d7e2SAndroid Build Coastguard Worker /** Creates an IAM credentials object for connecting to Google. */ 346*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_google_iam_credentials_create( 347*cc02d7e2SAndroid Build Coastguard Worker const char* authorization_token, const char* authority_selector, 348*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 349*cc02d7e2SAndroid Build Coastguard Worker 350*cc02d7e2SAndroid Build Coastguard Worker /** Options for creating STS Oauth Token Exchange credentials following the IETF 351*cc02d7e2SAndroid Build Coastguard Worker draft https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16. 352*cc02d7e2SAndroid Build Coastguard Worker Optional fields may be set to NULL or empty string. It is the responsibility 353*cc02d7e2SAndroid Build Coastguard Worker of the caller to ensure that the subject and actor tokens are refreshed on 354*cc02d7e2SAndroid Build Coastguard Worker disk at the specified paths. This API is used for experimental purposes for 355*cc02d7e2SAndroid Build Coastguard Worker now and may change in the future. */ 356*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 357*cc02d7e2SAndroid Build Coastguard Worker const char* token_exchange_service_uri; /* Required. */ 358*cc02d7e2SAndroid Build Coastguard Worker const char* resource; /* Optional. */ 359*cc02d7e2SAndroid Build Coastguard Worker const char* audience; /* Optional. */ 360*cc02d7e2SAndroid Build Coastguard Worker const char* scope; /* Optional. */ 361*cc02d7e2SAndroid Build Coastguard Worker const char* requested_token_type; /* Optional. */ 362*cc02d7e2SAndroid Build Coastguard Worker const char* subject_token_path; /* Required. */ 363*cc02d7e2SAndroid Build Coastguard Worker const char* subject_token_type; /* Required. */ 364*cc02d7e2SAndroid Build Coastguard Worker const char* actor_token_path; /* Optional. */ 365*cc02d7e2SAndroid Build Coastguard Worker const char* actor_token_type; /* Optional. */ 366*cc02d7e2SAndroid Build Coastguard Worker } grpc_sts_credentials_options; 367*cc02d7e2SAndroid Build Coastguard Worker 368*cc02d7e2SAndroid Build Coastguard Worker /** Creates an STS credentials following the STS Token Exchanged specifed in the 369*cc02d7e2SAndroid Build Coastguard Worker IETF draft https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16. 370*cc02d7e2SAndroid Build Coastguard Worker This API is used for experimental purposes for now and may change in the 371*cc02d7e2SAndroid Build Coastguard Worker future. */ 372*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_sts_credentials_create( 373*cc02d7e2SAndroid Build Coastguard Worker const grpc_sts_credentials_options* options, void* reserved); 374*cc02d7e2SAndroid Build Coastguard Worker 375*cc02d7e2SAndroid Build Coastguard Worker /** Callback function to be called by the metadata credentials plugin 376*cc02d7e2SAndroid Build Coastguard Worker implementation when the metadata is ready. 377*cc02d7e2SAndroid Build Coastguard Worker - user_data is the opaque pointer that was passed in the get_metadata method 378*cc02d7e2SAndroid Build Coastguard Worker of the grpc_metadata_credentials_plugin (see below). 379*cc02d7e2SAndroid Build Coastguard Worker - creds_md is an array of credentials metadata produced by the plugin. It 380*cc02d7e2SAndroid Build Coastguard Worker may be set to NULL in case of an error. 381*cc02d7e2SAndroid Build Coastguard Worker - num_creds_md is the number of items in the creds_md array. 382*cc02d7e2SAndroid Build Coastguard Worker - status must be GRPC_STATUS_OK in case of success or another specific error 383*cc02d7e2SAndroid Build Coastguard Worker code otherwise. 384*cc02d7e2SAndroid Build Coastguard Worker - error_details contains details about the error if any. In case of success 385*cc02d7e2SAndroid Build Coastguard Worker it should be NULL and will be otherwise ignored. */ 386*cc02d7e2SAndroid Build Coastguard Worker typedef void (*grpc_credentials_plugin_metadata_cb)( 387*cc02d7e2SAndroid Build Coastguard Worker void* user_data, const grpc_metadata* creds_md, size_t num_creds_md, 388*cc02d7e2SAndroid Build Coastguard Worker grpc_status_code status, const char* error_details); 389*cc02d7e2SAndroid Build Coastguard Worker 390*cc02d7e2SAndroid Build Coastguard Worker /** Context that can be used by metadata credentials plugin in order to create 391*cc02d7e2SAndroid Build Coastguard Worker auth related metadata. */ 392*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 393*cc02d7e2SAndroid Build Coastguard Worker /** The fully qualifed service url. */ 394*cc02d7e2SAndroid Build Coastguard Worker const char* service_url; 395*cc02d7e2SAndroid Build Coastguard Worker 396*cc02d7e2SAndroid Build Coastguard Worker /** The method name of the RPC being called (not fully qualified). 397*cc02d7e2SAndroid Build Coastguard Worker The fully qualified method name can be built from the service_url: 398*cc02d7e2SAndroid Build Coastguard Worker full_qualified_method_name = ctx->service_url + '/' + ctx->method_name. */ 399*cc02d7e2SAndroid Build Coastguard Worker const char* method_name; 400*cc02d7e2SAndroid Build Coastguard Worker 401*cc02d7e2SAndroid Build Coastguard Worker /** The auth_context of the channel which gives the server's identity. */ 402*cc02d7e2SAndroid Build Coastguard Worker const grpc_auth_context* channel_auth_context; 403*cc02d7e2SAndroid Build Coastguard Worker 404*cc02d7e2SAndroid Build Coastguard Worker /** Reserved for future use. */ 405*cc02d7e2SAndroid Build Coastguard Worker void* reserved; 406*cc02d7e2SAndroid Build Coastguard Worker } grpc_auth_metadata_context; 407*cc02d7e2SAndroid Build Coastguard Worker 408*cc02d7e2SAndroid Build Coastguard Worker /** Performs a deep copy from \a from to \a to. **/ 409*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_auth_metadata_context_copy(grpc_auth_metadata_context* from, 410*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_metadata_context* to); 411*cc02d7e2SAndroid Build Coastguard Worker 412*cc02d7e2SAndroid Build Coastguard Worker /** Releases internal resources held by \a context. **/ 413*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_auth_metadata_context_reset( 414*cc02d7e2SAndroid Build Coastguard Worker grpc_auth_metadata_context* context); 415*cc02d7e2SAndroid Build Coastguard Worker 416*cc02d7e2SAndroid Build Coastguard Worker /** Maximum number of metadata entries returnable by a credentials plugin via 417*cc02d7e2SAndroid Build Coastguard Worker a synchronous return. */ 418*cc02d7e2SAndroid Build Coastguard Worker #define GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX 4 419*cc02d7e2SAndroid Build Coastguard Worker 420*cc02d7e2SAndroid Build Coastguard Worker /** grpc_metadata_credentials plugin is an API user provided structure used to 421*cc02d7e2SAndroid Build Coastguard Worker create grpc_credentials objects that can be set on a channel (composed) or 422*cc02d7e2SAndroid Build Coastguard Worker a call. See grpc_credentials_metadata_create_from_plugin below. 423*cc02d7e2SAndroid Build Coastguard Worker The grpc client stack will call the get_metadata method of the plugin for 424*cc02d7e2SAndroid Build Coastguard Worker every call in scope for the credentials created from it. */ 425*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 426*cc02d7e2SAndroid Build Coastguard Worker /** The implementation of this method has to be non-blocking, but can 427*cc02d7e2SAndroid Build Coastguard Worker be performed synchronously or asynchronously. 428*cc02d7e2SAndroid Build Coastguard Worker 429*cc02d7e2SAndroid Build Coastguard Worker If processing occurs synchronously, returns non-zero and populates 430*cc02d7e2SAndroid Build Coastguard Worker creds_md, num_creds_md, status, and error_details. In this case, 431*cc02d7e2SAndroid Build Coastguard Worker the caller takes ownership of the entries in creds_md and of 432*cc02d7e2SAndroid Build Coastguard Worker error_details. Note that if the plugin needs to return more than 433*cc02d7e2SAndroid Build Coastguard Worker GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX entries in creds_md, it must 434*cc02d7e2SAndroid Build Coastguard Worker return asynchronously. 435*cc02d7e2SAndroid Build Coastguard Worker 436*cc02d7e2SAndroid Build Coastguard Worker If processing occurs asynchronously, returns zero and invokes \a cb 437*cc02d7e2SAndroid Build Coastguard Worker when processing is completed. \a user_data will be passed as the 438*cc02d7e2SAndroid Build Coastguard Worker first parameter of the callback. NOTE: \a cb MUST be invoked in a 439*cc02d7e2SAndroid Build Coastguard Worker different thread, not from the thread in which \a get_metadata() is 440*cc02d7e2SAndroid Build Coastguard Worker invoked. 441*cc02d7e2SAndroid Build Coastguard Worker 442*cc02d7e2SAndroid Build Coastguard Worker \a context is the information that can be used by the plugin to create 443*cc02d7e2SAndroid Build Coastguard Worker auth metadata. */ 444*cc02d7e2SAndroid Build Coastguard Worker int (*get_metadata)( 445*cc02d7e2SAndroid Build Coastguard Worker void* state, grpc_auth_metadata_context context, 446*cc02d7e2SAndroid Build Coastguard Worker grpc_credentials_plugin_metadata_cb cb, void* user_data, 447*cc02d7e2SAndroid Build Coastguard Worker grpc_metadata creds_md[GRPC_METADATA_CREDENTIALS_PLUGIN_SYNC_MAX], 448*cc02d7e2SAndroid Build Coastguard Worker size_t* num_creds_md, grpc_status_code* status, 449*cc02d7e2SAndroid Build Coastguard Worker const char** error_details); 450*cc02d7e2SAndroid Build Coastguard Worker 451*cc02d7e2SAndroid Build Coastguard Worker /** Implements debug string of the given plugin. This method returns an 452*cc02d7e2SAndroid Build Coastguard Worker * allocated string that the caller needs to free using gpr_free() */ 453*cc02d7e2SAndroid Build Coastguard Worker char* (*debug_string)(void* state); 454*cc02d7e2SAndroid Build Coastguard Worker 455*cc02d7e2SAndroid Build Coastguard Worker /** Destroys the plugin state. */ 456*cc02d7e2SAndroid Build Coastguard Worker void (*destroy)(void* state); 457*cc02d7e2SAndroid Build Coastguard Worker 458*cc02d7e2SAndroid Build Coastguard Worker /** State that will be set as the first parameter of the methods above. */ 459*cc02d7e2SAndroid Build Coastguard Worker void* state; 460*cc02d7e2SAndroid Build Coastguard Worker 461*cc02d7e2SAndroid Build Coastguard Worker /** Type of credentials that this plugin is implementing. */ 462*cc02d7e2SAndroid Build Coastguard Worker const char* type; 463*cc02d7e2SAndroid Build Coastguard Worker } grpc_metadata_credentials_plugin; 464*cc02d7e2SAndroid Build Coastguard Worker 465*cc02d7e2SAndroid Build Coastguard Worker /** Creates a credentials object from a plugin with a specified minimum security 466*cc02d7e2SAndroid Build Coastguard Worker * level. */ 467*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_credentials* grpc_metadata_credentials_create_from_plugin( 468*cc02d7e2SAndroid Build Coastguard Worker grpc_metadata_credentials_plugin plugin, 469*cc02d7e2SAndroid Build Coastguard Worker grpc_security_level min_security_level, void* reserved); 470*cc02d7e2SAndroid Build Coastguard Worker 471*cc02d7e2SAndroid Build Coastguard Worker /** Server certificate config object holds the server's public certificates and 472*cc02d7e2SAndroid Build Coastguard Worker associated private keys, as well as any CA certificates needed for client 473*cc02d7e2SAndroid Build Coastguard Worker certificate validation (if applicable). Create using 474*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config_create(). */ 475*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_ssl_server_certificate_config 476*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config; 477*cc02d7e2SAndroid Build Coastguard Worker 478*cc02d7e2SAndroid Build Coastguard Worker /** Creates a grpc_ssl_server_certificate_config object. 479*cc02d7e2SAndroid Build Coastguard Worker - pem_roots_cert is the NULL-terminated string containing the PEM encoding of 480*cc02d7e2SAndroid Build Coastguard Worker the client root certificates. This parameter may be NULL if the server does 481*cc02d7e2SAndroid Build Coastguard Worker not want the client to be authenticated with SSL. 482*cc02d7e2SAndroid Build Coastguard Worker - pem_key_cert_pairs is an array private key / certificate chains of the 483*cc02d7e2SAndroid Build Coastguard Worker server. This parameter cannot be NULL. 484*cc02d7e2SAndroid Build Coastguard Worker - num_key_cert_pairs indicates the number of items in the private_key_files 485*cc02d7e2SAndroid Build Coastguard Worker and cert_chain_files parameters. It must be at least 1. 486*cc02d7e2SAndroid Build Coastguard Worker - It is the caller's responsibility to free this object via 487*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config_destroy(). */ 488*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_ssl_server_certificate_config* 489*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config_create( 490*cc02d7e2SAndroid Build Coastguard Worker const char* pem_root_certs, 491*cc02d7e2SAndroid Build Coastguard Worker const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 492*cc02d7e2SAndroid Build Coastguard Worker size_t num_key_cert_pairs); 493*cc02d7e2SAndroid Build Coastguard Worker 494*cc02d7e2SAndroid Build Coastguard Worker /** Destroys a grpc_ssl_server_certificate_config object. */ 495*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_ssl_server_certificate_config_destroy( 496*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config* config); 497*cc02d7e2SAndroid Build Coastguard Worker 498*cc02d7e2SAndroid Build Coastguard Worker /** Callback to retrieve updated SSL server certificates, private keys, and 499*cc02d7e2SAndroid Build Coastguard Worker trusted CAs (for client authentication). 500*cc02d7e2SAndroid Build Coastguard Worker - user_data parameter, if not NULL, contains opaque data to be used by the 501*cc02d7e2SAndroid Build Coastguard Worker callback. 502*cc02d7e2SAndroid Build Coastguard Worker - Use grpc_ssl_server_certificate_config_create to create the config. 503*cc02d7e2SAndroid Build Coastguard Worker - The caller assumes ownership of the config. */ 504*cc02d7e2SAndroid Build Coastguard Worker typedef grpc_ssl_certificate_config_reload_status ( 505*cc02d7e2SAndroid Build Coastguard Worker *grpc_ssl_server_certificate_config_callback)( 506*cc02d7e2SAndroid Build Coastguard Worker void* user_data, grpc_ssl_server_certificate_config** config); 507*cc02d7e2SAndroid Build Coastguard Worker 508*cc02d7e2SAndroid Build Coastguard Worker /** Deprecated in favor of grpc_ssl_server_credentials_create_ex. 509*cc02d7e2SAndroid Build Coastguard Worker Creates an SSL server_credentials object. 510*cc02d7e2SAndroid Build Coastguard Worker - pem_roots_cert is the NULL-terminated string containing the PEM encoding of 511*cc02d7e2SAndroid Build Coastguard Worker the client root certificates. This parameter may be NULL if the server does 512*cc02d7e2SAndroid Build Coastguard Worker not want the client to be authenticated with SSL. 513*cc02d7e2SAndroid Build Coastguard Worker - pem_key_cert_pairs is an array private key / certificate chains of the 514*cc02d7e2SAndroid Build Coastguard Worker server. This parameter cannot be NULL. 515*cc02d7e2SAndroid Build Coastguard Worker - num_key_cert_pairs indicates the number of items in the private_key_files 516*cc02d7e2SAndroid Build Coastguard Worker and cert_chain_files parameters. It should be at least 1. 517*cc02d7e2SAndroid Build Coastguard Worker - force_client_auth, if set to non-zero will force the client to authenticate 518*cc02d7e2SAndroid Build Coastguard Worker with an SSL cert. Note that this option is ignored if pem_root_certs is 519*cc02d7e2SAndroid Build Coastguard Worker NULL. */ 520*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_ssl_server_credentials_create( 521*cc02d7e2SAndroid Build Coastguard Worker const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 522*cc02d7e2SAndroid Build Coastguard Worker size_t num_key_cert_pairs, int force_client_auth, void* reserved); 523*cc02d7e2SAndroid Build Coastguard Worker 524*cc02d7e2SAndroid Build Coastguard Worker /** Deprecated in favor of grpc_ssl_server_credentials_create_with_options. 525*cc02d7e2SAndroid Build Coastguard Worker Same as grpc_ssl_server_credentials_create method except uses 526*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_client_certificate_request_type enum to support more ways to 527*cc02d7e2SAndroid Build Coastguard Worker authenticate client certificates.*/ 528*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_ssl_server_credentials_create_ex( 529*cc02d7e2SAndroid Build Coastguard Worker const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, 530*cc02d7e2SAndroid Build Coastguard Worker size_t num_key_cert_pairs, 531*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_client_certificate_request_type client_certificate_request, 532*cc02d7e2SAndroid Build Coastguard Worker void* reserved); 533*cc02d7e2SAndroid Build Coastguard Worker 534*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_ssl_server_credentials_options 535*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_options; 536*cc02d7e2SAndroid Build Coastguard Worker 537*cc02d7e2SAndroid Build Coastguard Worker /** Creates an options object using a certificate config. Use this method when 538*cc02d7e2SAndroid Build Coastguard Worker the certificates and keys of the SSL server will not change during the 539*cc02d7e2SAndroid Build Coastguard Worker server's lifetime. 540*cc02d7e2SAndroid Build Coastguard Worker - Takes ownership of the certificate_config parameter. */ 541*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_ssl_server_credentials_options* 542*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_create_options_using_config( 543*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_client_certificate_request_type client_certificate_request, 544*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config* certificate_config); 545*cc02d7e2SAndroid Build Coastguard Worker 546*cc02d7e2SAndroid Build Coastguard Worker /** Creates an options object using a certificate config fetcher. Use this 547*cc02d7e2SAndroid Build Coastguard Worker method to reload the certificates and keys of the SSL server without 548*cc02d7e2SAndroid Build Coastguard Worker interrupting the operation of the server. Initial certificate config will be 549*cc02d7e2SAndroid Build Coastguard Worker fetched during server initialization. 550*cc02d7e2SAndroid Build Coastguard Worker - user_data parameter, if not NULL, contains opaque data which will be passed 551*cc02d7e2SAndroid Build Coastguard Worker to the fetcher (see definition of 552*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config_callback). */ 553*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_ssl_server_credentials_options* 554*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_create_options_using_config_fetcher( 555*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_client_certificate_request_type client_certificate_request, 556*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_certificate_config_callback cb, void* user_data); 557*cc02d7e2SAndroid Build Coastguard Worker 558*cc02d7e2SAndroid Build Coastguard Worker /** Destroys a grpc_ssl_server_credentials_options object. */ 559*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_ssl_server_credentials_options_destroy( 560*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_options* options); 561*cc02d7e2SAndroid Build Coastguard Worker 562*cc02d7e2SAndroid Build Coastguard Worker /** Creates an SSL server_credentials object using the provided options struct. 563*cc02d7e2SAndroid Build Coastguard Worker - Takes ownership of the options parameter. */ 564*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* 565*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_create_with_options( 566*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_server_credentials_options* options); 567*cc02d7e2SAndroid Build Coastguard Worker 568*cc02d7e2SAndroid Build Coastguard Worker /** --- Call specific credentials. --- */ 569*cc02d7e2SAndroid Build Coastguard Worker 570*cc02d7e2SAndroid Build Coastguard Worker /** Sets a credentials to a call. Can only be called on the client side before 571*cc02d7e2SAndroid Build Coastguard Worker grpc_call_start_batch. */ 572*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_call_error grpc_call_set_credentials(grpc_call* call, 573*cc02d7e2SAndroid Build Coastguard Worker grpc_call_credentials* creds); 574*cc02d7e2SAndroid Build Coastguard Worker 575*cc02d7e2SAndroid Build Coastguard Worker /** --- Auth Metadata Processing --- */ 576*cc02d7e2SAndroid Build Coastguard Worker 577*cc02d7e2SAndroid Build Coastguard Worker /** Callback function that is called when the metadata processing is done. 578*cc02d7e2SAndroid Build Coastguard Worker - Consumed metadata will be removed from the set of metadata available on the 579*cc02d7e2SAndroid Build Coastguard Worker call. consumed_md may be NULL if no metadata has been consumed. 580*cc02d7e2SAndroid Build Coastguard Worker - Response metadata will be set on the response. response_md may be NULL. 581*cc02d7e2SAndroid Build Coastguard Worker - status is GRPC_STATUS_OK for success or a specific status for an error. 582*cc02d7e2SAndroid Build Coastguard Worker Common error status for auth metadata processing is either 583*cc02d7e2SAndroid Build Coastguard Worker GRPC_STATUS_UNAUTHENTICATED in case of an authentication failure or 584*cc02d7e2SAndroid Build Coastguard Worker GRPC_STATUS PERMISSION_DENIED in case of an authorization failure. 585*cc02d7e2SAndroid Build Coastguard Worker - error_details gives details about the error. May be NULL. */ 586*cc02d7e2SAndroid Build Coastguard Worker typedef void (*grpc_process_auth_metadata_done_cb)( 587*cc02d7e2SAndroid Build Coastguard Worker void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md, 588*cc02d7e2SAndroid Build Coastguard Worker const grpc_metadata* response_md, size_t num_response_md, 589*cc02d7e2SAndroid Build Coastguard Worker grpc_status_code status, const char* error_details); 590*cc02d7e2SAndroid Build Coastguard Worker 591*cc02d7e2SAndroid Build Coastguard Worker /** Pluggable server-side metadata processor object. */ 592*cc02d7e2SAndroid Build Coastguard Worker typedef struct { 593*cc02d7e2SAndroid Build Coastguard Worker /** The context object is read/write: it contains the properties of the 594*cc02d7e2SAndroid Build Coastguard Worker channel peer and it is the job of the process function to augment it with 595*cc02d7e2SAndroid Build Coastguard Worker properties derived from the passed-in metadata. 596*cc02d7e2SAndroid Build Coastguard Worker The lifetime of these objects is guaranteed until cb is invoked. */ 597*cc02d7e2SAndroid Build Coastguard Worker void (*process)(void* state, grpc_auth_context* context, 598*cc02d7e2SAndroid Build Coastguard Worker const grpc_metadata* md, size_t num_md, 599*cc02d7e2SAndroid Build Coastguard Worker grpc_process_auth_metadata_done_cb cb, void* user_data); 600*cc02d7e2SAndroid Build Coastguard Worker void (*destroy)(void* state); 601*cc02d7e2SAndroid Build Coastguard Worker void* state; 602*cc02d7e2SAndroid Build Coastguard Worker } grpc_auth_metadata_processor; 603*cc02d7e2SAndroid Build Coastguard Worker 604*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_server_credentials_set_auth_metadata_processor( 605*cc02d7e2SAndroid Build Coastguard Worker grpc_server_credentials* creds, grpc_auth_metadata_processor processor); 606*cc02d7e2SAndroid Build Coastguard Worker 607*cc02d7e2SAndroid Build Coastguard Worker /** --- ALTS channel/server credentials --- **/ 608*cc02d7e2SAndroid Build Coastguard Worker 609*cc02d7e2SAndroid Build Coastguard Worker /** 610*cc02d7e2SAndroid Build Coastguard Worker * Main interface for ALTS credentials options. The options will contain 611*cc02d7e2SAndroid Build Coastguard Worker * information that will be passed from grpc to TSI layer such as RPC protocol 612*cc02d7e2SAndroid Build Coastguard Worker * versions. ALTS client (channel) and server credentials will have their own 613*cc02d7e2SAndroid Build Coastguard Worker * implementation of this interface. The APIs listed in this header are 614*cc02d7e2SAndroid Build Coastguard Worker * thread-compatible. It is used for experimental purpose for now and subject 615*cc02d7e2SAndroid Build Coastguard Worker * to change. 616*cc02d7e2SAndroid Build Coastguard Worker */ 617*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_alts_credentials_options grpc_alts_credentials_options; 618*cc02d7e2SAndroid Build Coastguard Worker 619*cc02d7e2SAndroid Build Coastguard Worker /** 620*cc02d7e2SAndroid Build Coastguard Worker * This method creates a grpc ALTS credentials client options instance. 621*cc02d7e2SAndroid Build Coastguard Worker * It is used for experimental purpose for now and subject to change. 622*cc02d7e2SAndroid Build Coastguard Worker */ 623*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_alts_credentials_options* 624*cc02d7e2SAndroid Build Coastguard Worker grpc_alts_credentials_client_options_create(void); 625*cc02d7e2SAndroid Build Coastguard Worker 626*cc02d7e2SAndroid Build Coastguard Worker /** 627*cc02d7e2SAndroid Build Coastguard Worker * This method creates a grpc ALTS credentials server options instance. 628*cc02d7e2SAndroid Build Coastguard Worker * It is used for experimental purpose for now and subject to change. 629*cc02d7e2SAndroid Build Coastguard Worker */ 630*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_alts_credentials_options* 631*cc02d7e2SAndroid Build Coastguard Worker grpc_alts_credentials_server_options_create(void); 632*cc02d7e2SAndroid Build Coastguard Worker 633*cc02d7e2SAndroid Build Coastguard Worker /** 634*cc02d7e2SAndroid Build Coastguard Worker * This method adds a target service account to grpc client's ALTS credentials 635*cc02d7e2SAndroid Build Coastguard Worker * options instance. It is used for experimental purpose for now and subject 636*cc02d7e2SAndroid Build Coastguard Worker * to change. 637*cc02d7e2SAndroid Build Coastguard Worker * 638*cc02d7e2SAndroid Build Coastguard Worker * - options: grpc ALTS credentials options instance. 639*cc02d7e2SAndroid Build Coastguard Worker * - service_account: service account of target endpoint. 640*cc02d7e2SAndroid Build Coastguard Worker */ 641*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_alts_credentials_client_options_add_target_service_account( 642*cc02d7e2SAndroid Build Coastguard Worker grpc_alts_credentials_options* options, const char* service_account); 643*cc02d7e2SAndroid Build Coastguard Worker 644*cc02d7e2SAndroid Build Coastguard Worker /** 645*cc02d7e2SAndroid Build Coastguard Worker * This method destroys a grpc_alts_credentials_options instance by 646*cc02d7e2SAndroid Build Coastguard Worker * de-allocating all of its occupied memory. It is used for experimental purpose 647*cc02d7e2SAndroid Build Coastguard Worker * for now and subject to change. 648*cc02d7e2SAndroid Build Coastguard Worker * 649*cc02d7e2SAndroid Build Coastguard Worker * - options: a grpc_alts_credentials_options instance that needs to be 650*cc02d7e2SAndroid Build Coastguard Worker * destroyed. 651*cc02d7e2SAndroid Build Coastguard Worker */ 652*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_alts_credentials_options_destroy( 653*cc02d7e2SAndroid Build Coastguard Worker grpc_alts_credentials_options* options); 654*cc02d7e2SAndroid Build Coastguard Worker 655*cc02d7e2SAndroid Build Coastguard Worker /** 656*cc02d7e2SAndroid Build Coastguard Worker * This method creates an ALTS channel credential object. The security 657*cc02d7e2SAndroid Build Coastguard Worker * level of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY. 658*cc02d7e2SAndroid Build Coastguard Worker * It is used for experimental purpose for now and subject to change. 659*cc02d7e2SAndroid Build Coastguard Worker * 660*cc02d7e2SAndroid Build Coastguard Worker * - options: grpc ALTS credentials options instance for client. 661*cc02d7e2SAndroid Build Coastguard Worker * 662*cc02d7e2SAndroid Build Coastguard Worker * It returns the created ALTS channel credential object. 663*cc02d7e2SAndroid Build Coastguard Worker */ 664*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_alts_credentials_create( 665*cc02d7e2SAndroid Build Coastguard Worker const grpc_alts_credentials_options* options); 666*cc02d7e2SAndroid Build Coastguard Worker 667*cc02d7e2SAndroid Build Coastguard Worker /** 668*cc02d7e2SAndroid Build Coastguard Worker * This method creates an ALTS server credential object. It is used for 669*cc02d7e2SAndroid Build Coastguard Worker * experimental purpose for now and subject to change. 670*cc02d7e2SAndroid Build Coastguard Worker * 671*cc02d7e2SAndroid Build Coastguard Worker * - options: grpc ALTS credentials options instance for server. 672*cc02d7e2SAndroid Build Coastguard Worker * 673*cc02d7e2SAndroid Build Coastguard Worker * It returns the created ALTS server credential object. 674*cc02d7e2SAndroid Build Coastguard Worker */ 675*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_alts_server_credentials_create( 676*cc02d7e2SAndroid Build Coastguard Worker const grpc_alts_credentials_options* options); 677*cc02d7e2SAndroid Build Coastguard Worker 678*cc02d7e2SAndroid Build Coastguard Worker /** --- Local channel/server credentials --- **/ 679*cc02d7e2SAndroid Build Coastguard Worker 680*cc02d7e2SAndroid Build Coastguard Worker /** 681*cc02d7e2SAndroid Build Coastguard Worker * This method creates a local channel credential object. The security level 682*cc02d7e2SAndroid Build Coastguard Worker * of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY for UDS and 683*cc02d7e2SAndroid Build Coastguard Worker * GRPC_SECURITY_NONE for LOCAL_TCP. It is used for experimental purpose 684*cc02d7e2SAndroid Build Coastguard Worker * for now and subject to change. 685*cc02d7e2SAndroid Build Coastguard Worker * 686*cc02d7e2SAndroid Build Coastguard Worker * - type: local connection type 687*cc02d7e2SAndroid Build Coastguard Worker * 688*cc02d7e2SAndroid Build Coastguard Worker * It returns the created local channel credential object. 689*cc02d7e2SAndroid Build Coastguard Worker */ 690*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_local_credentials_create( 691*cc02d7e2SAndroid Build Coastguard Worker grpc_local_connect_type type); 692*cc02d7e2SAndroid Build Coastguard Worker 693*cc02d7e2SAndroid Build Coastguard Worker /** 694*cc02d7e2SAndroid Build Coastguard Worker * This method creates a local server credential object. It is used for 695*cc02d7e2SAndroid Build Coastguard Worker * experimental purpose for now and subject to change. 696*cc02d7e2SAndroid Build Coastguard Worker * 697*cc02d7e2SAndroid Build Coastguard Worker * - type: local connection type 698*cc02d7e2SAndroid Build Coastguard Worker * 699*cc02d7e2SAndroid Build Coastguard Worker * It returns the created local server credential object. 700*cc02d7e2SAndroid Build Coastguard Worker */ 701*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_local_server_credentials_create( 702*cc02d7e2SAndroid Build Coastguard Worker grpc_local_connect_type type); 703*cc02d7e2SAndroid Build Coastguard Worker 704*cc02d7e2SAndroid Build Coastguard Worker /** --- TLS channel/server credentials --- 705*cc02d7e2SAndroid Build Coastguard Worker * It is used for experimental purpose for now and subject to change. */ 706*cc02d7e2SAndroid Build Coastguard Worker 707*cc02d7e2SAndroid Build Coastguard Worker /** 708*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 709*cc02d7e2SAndroid Build Coastguard Worker * 710*cc02d7e2SAndroid Build Coastguard Worker * A struct that can be specified by callers to configure underlying TLS 711*cc02d7e2SAndroid Build Coastguard Worker * behaviors. 712*cc02d7e2SAndroid Build Coastguard Worker */ 713*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_credentials_options grpc_tls_credentials_options; 714*cc02d7e2SAndroid Build Coastguard Worker 715*cc02d7e2SAndroid Build Coastguard Worker /** 716*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 717*cc02d7e2SAndroid Build Coastguard Worker * 718*cc02d7e2SAndroid Build Coastguard Worker * A struct provides ways to gain credential data that will be used in the TLS 719*cc02d7e2SAndroid Build Coastguard Worker * handshake. 720*cc02d7e2SAndroid Build Coastguard Worker */ 721*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider; 722*cc02d7e2SAndroid Build Coastguard Worker 723*cc02d7e2SAndroid Build Coastguard Worker /** 724*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 725*cc02d7e2SAndroid Build Coastguard Worker * 726*cc02d7e2SAndroid Build Coastguard Worker * A struct that stores the credential data presented to the peer in handshake 727*cc02d7e2SAndroid Build Coastguard Worker * to show local identity. 728*cc02d7e2SAndroid Build Coastguard Worker */ 729*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_identity_pairs grpc_tls_identity_pairs; 730*cc02d7e2SAndroid Build Coastguard Worker 731*cc02d7e2SAndroid Build Coastguard Worker /** 732*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 733*cc02d7e2SAndroid Build Coastguard Worker * 734*cc02d7e2SAndroid Build Coastguard Worker * Creates a grpc_tls_identity_pairs that stores a list of identity credential 735*cc02d7e2SAndroid Build Coastguard Worker * data, including identity private key and identity certificate chain. 736*cc02d7e2SAndroid Build Coastguard Worker */ 737*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_tls_identity_pairs* grpc_tls_identity_pairs_create(); 738*cc02d7e2SAndroid Build Coastguard Worker 739*cc02d7e2SAndroid Build Coastguard Worker /** 740*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 741*cc02d7e2SAndroid Build Coastguard Worker * 742*cc02d7e2SAndroid Build Coastguard Worker * Adds a identity private key and a identity certificate chain to 743*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_identity_pairs. This function will make an internal copy of 744*cc02d7e2SAndroid Build Coastguard Worker * |private_key| and |cert_chain|. 745*cc02d7e2SAndroid Build Coastguard Worker */ 746*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs, 747*cc02d7e2SAndroid Build Coastguard Worker const char* private_key, 748*cc02d7e2SAndroid Build Coastguard Worker const char* cert_chain); 749*cc02d7e2SAndroid Build Coastguard Worker 750*cc02d7e2SAndroid Build Coastguard Worker /** 751*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 752*cc02d7e2SAndroid Build Coastguard Worker * 753*cc02d7e2SAndroid Build Coastguard Worker * Destroys a grpc_tls_identity_pairs object. If this object is passed to a 754*cc02d7e2SAndroid Build Coastguard Worker * provider initiation function, the ownership is transferred so this function 755*cc02d7e2SAndroid Build Coastguard Worker * doesn't need to be called. Otherwise the creator of the 756*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_identity_pairs object is responsible for its destruction. 757*cc02d7e2SAndroid Build Coastguard Worker */ 758*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs); 759*cc02d7e2SAndroid Build Coastguard Worker 760*cc02d7e2SAndroid Build Coastguard Worker /** 761*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 762*cc02d7e2SAndroid Build Coastguard Worker * 763*cc02d7e2SAndroid Build Coastguard Worker * Creates a grpc_tls_certificate_provider that will load credential data from 764*cc02d7e2SAndroid Build Coastguard Worker * static string during initialization. This provider will always return the 765*cc02d7e2SAndroid Build Coastguard Worker * same cert data for all cert names. 766*cc02d7e2SAndroid Build Coastguard Worker * root_certificate and pem_key_cert_pairs can be nullptr, indicating the 767*cc02d7e2SAndroid Build Coastguard Worker * corresponding credential data is not needed. 768*cc02d7e2SAndroid Build Coastguard Worker * This function will make a copy of |root_certificate|. 769*cc02d7e2SAndroid Build Coastguard Worker * The ownership of |pem_key_cert_pairs| is transferred. 770*cc02d7e2SAndroid Build Coastguard Worker */ 771*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_tls_certificate_provider* 772*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_provider_static_data_create( 773*cc02d7e2SAndroid Build Coastguard Worker const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs); 774*cc02d7e2SAndroid Build Coastguard Worker 775*cc02d7e2SAndroid Build Coastguard Worker /** 776*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 777*cc02d7e2SAndroid Build Coastguard Worker * 778*cc02d7e2SAndroid Build Coastguard Worker * Creates a grpc_tls_certificate_provider that will watch the credential 779*cc02d7e2SAndroid Build Coastguard Worker * changes on the file system. This provider will always return the up-to-date 780*cc02d7e2SAndroid Build Coastguard Worker * cert data for all the cert names callers set through 781*cc02d7e2SAndroid Build Coastguard Worker * |grpc_tls_credentials_options|. Note that this API only supports one key-cert 782*cc02d7e2SAndroid Build Coastguard Worker * file and hence one set of identity key-cert pair, so SNI(Server Name 783*cc02d7e2SAndroid Build Coastguard Worker * Indication) is not supported. 784*cc02d7e2SAndroid Build Coastguard Worker * - private_key_path is the file path of the private key. This must be set if 785*cc02d7e2SAndroid Build Coastguard Worker * |identity_certificate_path| is set. Otherwise, it could be null if no 786*cc02d7e2SAndroid Build Coastguard Worker * identity credentials are needed. 787*cc02d7e2SAndroid Build Coastguard Worker * - identity_certificate_path is the file path of the identity certificate 788*cc02d7e2SAndroid Build Coastguard Worker * chain. This must be set if |private_key_path| is set. Otherwise, it could 789*cc02d7e2SAndroid Build Coastguard Worker * be null if no identity credentials are needed. 790*cc02d7e2SAndroid Build Coastguard Worker * - root_cert_path is the file path to the root certificate bundle. This 791*cc02d7e2SAndroid Build Coastguard Worker * may be null if no root certs are needed. 792*cc02d7e2SAndroid Build Coastguard Worker * - refresh_interval_sec is the refreshing interval that we will check the 793*cc02d7e2SAndroid Build Coastguard Worker * files for updates. 794*cc02d7e2SAndroid Build Coastguard Worker * It does not take ownership of parameters. 795*cc02d7e2SAndroid Build Coastguard Worker */ 796*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_tls_certificate_provider* 797*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_provider_file_watcher_create( 798*cc02d7e2SAndroid Build Coastguard Worker const char* private_key_path, const char* identity_certificate_path, 799*cc02d7e2SAndroid Build Coastguard Worker const char* root_cert_path, unsigned int refresh_interval_sec); 800*cc02d7e2SAndroid Build Coastguard Worker 801*cc02d7e2SAndroid Build Coastguard Worker /** 802*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 803*cc02d7e2SAndroid Build Coastguard Worker * 804*cc02d7e2SAndroid Build Coastguard Worker * Releases a grpc_tls_certificate_provider object. The creator of the 805*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_certificate_provider object is responsible for its release. 806*cc02d7e2SAndroid Build Coastguard Worker */ 807*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_certificate_provider_release( 808*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_provider* provider); 809*cc02d7e2SAndroid Build Coastguard Worker 810*cc02d7e2SAndroid Build Coastguard Worker /** 811*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 812*cc02d7e2SAndroid Build Coastguard Worker * 813*cc02d7e2SAndroid Build Coastguard Worker * Creates an grpc_tls_credentials_options. 814*cc02d7e2SAndroid Build Coastguard Worker */ 815*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create(void); 816*cc02d7e2SAndroid Build Coastguard Worker 817*cc02d7e2SAndroid Build Coastguard Worker /** 818*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 819*cc02d7e2SAndroid Build Coastguard Worker * 820*cc02d7e2SAndroid Build Coastguard Worker * Sets the minimum TLS version that will be negotiated during the TLS 821*cc02d7e2SAndroid Build Coastguard Worker * handshake. If not set, the underlying SSL library will set it to TLS v1.2. 822*cc02d7e2SAndroid Build Coastguard Worker */ 823*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_min_tls_version( 824*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, grpc_tls_version min_tls_version); 825*cc02d7e2SAndroid Build Coastguard Worker 826*cc02d7e2SAndroid Build Coastguard Worker /** 827*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 828*cc02d7e2SAndroid Build Coastguard Worker * 829*cc02d7e2SAndroid Build Coastguard Worker * Sets the maximum TLS version that will be negotiated during the TLS 830*cc02d7e2SAndroid Build Coastguard Worker * handshake. If not set, the underlying SSL library will set it to TLS v1.3. 831*cc02d7e2SAndroid Build Coastguard Worker */ 832*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_max_tls_version( 833*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, grpc_tls_version max_tls_version); 834*cc02d7e2SAndroid Build Coastguard Worker 835*cc02d7e2SAndroid Build Coastguard Worker /** 836*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 837*cc02d7e2SAndroid Build Coastguard Worker * 838*cc02d7e2SAndroid Build Coastguard Worker * Copies a grpc_tls_credentials_options. 839*cc02d7e2SAndroid Build Coastguard Worker */ 840*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_copy( 841*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 842*cc02d7e2SAndroid Build Coastguard Worker 843*cc02d7e2SAndroid Build Coastguard Worker /** 844*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 845*cc02d7e2SAndroid Build Coastguard Worker * 846*cc02d7e2SAndroid Build Coastguard Worker * Destroys a grpc_tls_credentials_options. 847*cc02d7e2SAndroid Build Coastguard Worker */ 848*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_destroy( 849*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 850*cc02d7e2SAndroid Build Coastguard Worker 851*cc02d7e2SAndroid Build Coastguard Worker /** 852*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 853*cc02d7e2SAndroid Build Coastguard Worker * 854*cc02d7e2SAndroid Build Coastguard Worker * Sets the credential provider in the options. 855*cc02d7e2SAndroid Build Coastguard Worker * The |options| will implicitly take a new ref to the |provider|. 856*cc02d7e2SAndroid Build Coastguard Worker */ 857*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_certificate_provider( 858*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, 859*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_provider* provider); 860*cc02d7e2SAndroid Build Coastguard Worker 861*cc02d7e2SAndroid Build Coastguard Worker /** 862*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 863*cc02d7e2SAndroid Build Coastguard Worker * 864*cc02d7e2SAndroid Build Coastguard Worker * If set, gRPC stack will keep watching the root certificates with 865*cc02d7e2SAndroid Build Coastguard Worker * name |root_cert_name|. 866*cc02d7e2SAndroid Build Coastguard Worker * If this is not set on the client side, we will use the root certificates 867*cc02d7e2SAndroid Build Coastguard Worker * stored in the default system location, since client side must provide root 868*cc02d7e2SAndroid Build Coastguard Worker * certificates in TLS. 869*cc02d7e2SAndroid Build Coastguard Worker * If this is not set on the server side, we will not watch any root certificate 870*cc02d7e2SAndroid Build Coastguard Worker * updates, and assume no root certificates needed for the server(single-side 871*cc02d7e2SAndroid Build Coastguard Worker * TLS). Default root certs on the server side is not supported. 872*cc02d7e2SAndroid Build Coastguard Worker */ 873*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_watch_root_certs( 874*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 875*cc02d7e2SAndroid Build Coastguard Worker 876*cc02d7e2SAndroid Build Coastguard Worker /** 877*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 878*cc02d7e2SAndroid Build Coastguard Worker * 879*cc02d7e2SAndroid Build Coastguard Worker * Sets the name of the root certificates being watched. 880*cc02d7e2SAndroid Build Coastguard Worker * If not set, We will use a default empty string as the root certificate name. 881*cc02d7e2SAndroid Build Coastguard Worker */ 882*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_root_cert_name( 883*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, const char* root_cert_name); 884*cc02d7e2SAndroid Build Coastguard Worker 885*cc02d7e2SAndroid Build Coastguard Worker /** 886*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 887*cc02d7e2SAndroid Build Coastguard Worker * 888*cc02d7e2SAndroid Build Coastguard Worker * If set, gRPC stack will keep watching the identity key-cert pairs 889*cc02d7e2SAndroid Build Coastguard Worker * with name |identity_cert_name|. 890*cc02d7e2SAndroid Build Coastguard Worker * This is required on the server side, and optional on the client side. 891*cc02d7e2SAndroid Build Coastguard Worker */ 892*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_watch_identity_key_cert_pairs( 893*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 894*cc02d7e2SAndroid Build Coastguard Worker 895*cc02d7e2SAndroid Build Coastguard Worker /** 896*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 897*cc02d7e2SAndroid Build Coastguard Worker * 898*cc02d7e2SAndroid Build Coastguard Worker * Sets the name of the identity certificates being watched. 899*cc02d7e2SAndroid Build Coastguard Worker * If not set, We will use a default empty string as the identity certificate 900*cc02d7e2SAndroid Build Coastguard Worker * name. 901*cc02d7e2SAndroid Build Coastguard Worker */ 902*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_identity_cert_name( 903*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, const char* identity_cert_name); 904*cc02d7e2SAndroid Build Coastguard Worker 905*cc02d7e2SAndroid Build Coastguard Worker /** 906*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 907*cc02d7e2SAndroid Build Coastguard Worker * 908*cc02d7e2SAndroid Build Coastguard Worker * Sets the options of whether to request and/or verify client certs. This shall 909*cc02d7e2SAndroid Build Coastguard Worker * only be called on the server side. 910*cc02d7e2SAndroid Build Coastguard Worker */ 911*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_cert_request_type( 912*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, 913*cc02d7e2SAndroid Build Coastguard Worker grpc_ssl_client_certificate_request_type type); 914*cc02d7e2SAndroid Build Coastguard Worker 915*cc02d7e2SAndroid Build Coastguard Worker /** Deprecated in favor of grpc_tls_credentials_options_set_crl_provider. The 916*cc02d7e2SAndroid Build Coastguard Worker * crl provider interface provides a significantly more flexible approach to 917*cc02d7e2SAndroid Build Coastguard Worker * using CRLs. See gRFC A69 for details. 918*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 919*cc02d7e2SAndroid Build Coastguard Worker * 920*cc02d7e2SAndroid Build Coastguard Worker * If set, gRPC will read all hashed x.509 CRL files in the directory and 921*cc02d7e2SAndroid Build Coastguard Worker * enforce the CRL files on all TLS handshakes. Only supported for OpenSSL 922*cc02d7e2SAndroid Build Coastguard Worker * version > 1.1. 923*cc02d7e2SAndroid Build Coastguard Worker * It is used for experimental purpose for now and subject to change. 924*cc02d7e2SAndroid Build Coastguard Worker */ 925*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_crl_directory( 926*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, const char* crl_directory); 927*cc02d7e2SAndroid Build Coastguard Worker 928*cc02d7e2SAndroid Build Coastguard Worker /** 929*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 930*cc02d7e2SAndroid Build Coastguard Worker * 931*cc02d7e2SAndroid Build Coastguard Worker * Sets the options of whether to verify server certs on the client side. 932*cc02d7e2SAndroid Build Coastguard Worker * Passing in a non-zero value indicates verifying the certs. 933*cc02d7e2SAndroid Build Coastguard Worker */ 934*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_verify_server_cert( 935*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, int verify_server_cert); 936*cc02d7e2SAndroid Build Coastguard Worker 937*cc02d7e2SAndroid Build Coastguard Worker /** 938*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 939*cc02d7e2SAndroid Build Coastguard Worker * 940*cc02d7e2SAndroid Build Coastguard Worker * Sets whether or not a TLS server should send a list of CA names in the 941*cc02d7e2SAndroid Build Coastguard Worker * ServerHello. This list of CA names is read from the server's trust bundle, so 942*cc02d7e2SAndroid Build Coastguard Worker * that the client can use this list as a hint to know which certificate it 943*cc02d7e2SAndroid Build Coastguard Worker * should send to the server. 944*cc02d7e2SAndroid Build Coastguard Worker * 945*cc02d7e2SAndroid Build Coastguard Worker * WARNING: This API is extremely dangerous and should not be used. If the 946*cc02d7e2SAndroid Build Coastguard Worker * server's trust bundle is too large, then the TLS server will be unable to 947*cc02d7e2SAndroid Build Coastguard Worker * form a ServerHello, and hence will be unusable. The definition of "too large" 948*cc02d7e2SAndroid Build Coastguard Worker * depends on the underlying SSL library being used and on the size of the CN 949*cc02d7e2SAndroid Build Coastguard Worker * fields of the certificates in the trust bundle. 950*cc02d7e2SAndroid Build Coastguard Worker */ 951*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_send_client_ca_list( 952*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, bool send_client_ca_list); 953*cc02d7e2SAndroid Build Coastguard Worker 954*cc02d7e2SAndroid Build Coastguard Worker /** 955*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 956*cc02d7e2SAndroid Build Coastguard Worker * 957*cc02d7e2SAndroid Build Coastguard Worker * The read-only request information exposed in a verification call. 958*cc02d7e2SAndroid Build Coastguard Worker * Callers should not directly manage the ownership of it. We will make sure it 959*cc02d7e2SAndroid Build Coastguard Worker * is always available inside verify() or cancel() call, and will destroy the 960*cc02d7e2SAndroid Build Coastguard Worker * object at the end of custom verification. 961*cc02d7e2SAndroid Build Coastguard Worker */ 962*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_custom_verification_check_request { 963*cc02d7e2SAndroid Build Coastguard Worker /* The target name of the server when the client initiates the connection. */ 964*cc02d7e2SAndroid Build Coastguard Worker /* This field will be nullptr if on the server side. */ 965*cc02d7e2SAndroid Build Coastguard Worker const char* target_name; 966*cc02d7e2SAndroid Build Coastguard Worker /* The information contained in the certificate chain sent from the peer. */ 967*cc02d7e2SAndroid Build Coastguard Worker struct peer_info { 968*cc02d7e2SAndroid Build Coastguard Worker /* The Common Name field on the peer leaf certificate. */ 969*cc02d7e2SAndroid Build Coastguard Worker const char* common_name; 970*cc02d7e2SAndroid Build Coastguard Worker /* The list of Subject Alternative Names on the peer leaf certificate. */ 971*cc02d7e2SAndroid Build Coastguard Worker struct san_names { 972*cc02d7e2SAndroid Build Coastguard Worker char** uri_names; 973*cc02d7e2SAndroid Build Coastguard Worker size_t uri_names_size; 974*cc02d7e2SAndroid Build Coastguard Worker char** dns_names; 975*cc02d7e2SAndroid Build Coastguard Worker size_t dns_names_size; 976*cc02d7e2SAndroid Build Coastguard Worker char** email_names; 977*cc02d7e2SAndroid Build Coastguard Worker size_t email_names_size; 978*cc02d7e2SAndroid Build Coastguard Worker char** ip_names; 979*cc02d7e2SAndroid Build Coastguard Worker size_t ip_names_size; 980*cc02d7e2SAndroid Build Coastguard Worker } san_names; 981*cc02d7e2SAndroid Build Coastguard Worker /* The raw peer leaf certificate. */ 982*cc02d7e2SAndroid Build Coastguard Worker const char* peer_cert; 983*cc02d7e2SAndroid Build Coastguard Worker /* The raw peer certificate chain. Note that it is not always guaranteed to 984*cc02d7e2SAndroid Build Coastguard Worker * get the peer full chain. For more, please refer to 985*cc02d7e2SAndroid Build Coastguard Worker * GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME defined in file 986*cc02d7e2SAndroid Build Coastguard Worker * grpc_security_constants.h. 987*cc02d7e2SAndroid Build Coastguard Worker * TODO(ZhenLian): Consider fixing this in the future. */ 988*cc02d7e2SAndroid Build Coastguard Worker const char* peer_cert_full_chain; 989*cc02d7e2SAndroid Build Coastguard Worker /* The verified root cert subject. 990*cc02d7e2SAndroid Build Coastguard Worker * This value will only be filled if the cryptographic peer certificate 991*cc02d7e2SAndroid Build Coastguard Worker * verification was successful */ 992*cc02d7e2SAndroid Build Coastguard Worker const char* verified_root_cert_subject; 993*cc02d7e2SAndroid Build Coastguard Worker } peer_info; 994*cc02d7e2SAndroid Build Coastguard Worker } grpc_tls_custom_verification_check_request; 995*cc02d7e2SAndroid Build Coastguard Worker 996*cc02d7e2SAndroid Build Coastguard Worker /** 997*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 998*cc02d7e2SAndroid Build Coastguard Worker * 999*cc02d7e2SAndroid Build Coastguard Worker * A callback function provided by gRPC as a parameter of the |verify| function 1000*cc02d7e2SAndroid Build Coastguard Worker * in grpc_tls_certificate_verifier_external. If |verify| is expected to be run 1001*cc02d7e2SAndroid Build Coastguard Worker * asynchronously, the implementer of |verify| will need to invoke this callback 1002*cc02d7e2SAndroid Build Coastguard Worker * with |callback_arg| and proper verification status at the end to bring the 1003*cc02d7e2SAndroid Build Coastguard Worker * control back to gRPC C core. 1004*cc02d7e2SAndroid Build Coastguard Worker */ 1005*cc02d7e2SAndroid Build Coastguard Worker typedef void (*grpc_tls_on_custom_verification_check_done_cb)( 1006*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_custom_verification_check_request* request, void* callback_arg, 1007*cc02d7e2SAndroid Build Coastguard Worker grpc_status_code status, const char* error_details); 1008*cc02d7e2SAndroid Build Coastguard Worker 1009*cc02d7e2SAndroid Build Coastguard Worker /** 1010*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1011*cc02d7e2SAndroid Build Coastguard Worker * 1012*cc02d7e2SAndroid Build Coastguard Worker * The internal verifier type that will be used inside core. 1013*cc02d7e2SAndroid Build Coastguard Worker */ 1014*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_certificate_verifier grpc_tls_certificate_verifier; 1015*cc02d7e2SAndroid Build Coastguard Worker 1016*cc02d7e2SAndroid Build Coastguard Worker /** 1017*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1018*cc02d7e2SAndroid Build Coastguard Worker * 1019*cc02d7e2SAndroid Build Coastguard Worker * A struct containing all the necessary functions a custom external verifier 1020*cc02d7e2SAndroid Build Coastguard Worker * needs to implement to be able to be converted to an internal verifier. 1021*cc02d7e2SAndroid Build Coastguard Worker */ 1022*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_tls_certificate_verifier_external { 1023*cc02d7e2SAndroid Build Coastguard Worker void* user_data; 1024*cc02d7e2SAndroid Build Coastguard Worker /** 1025*cc02d7e2SAndroid Build Coastguard Worker * A function pointer containing the verification logic that will be 1026*cc02d7e2SAndroid Build Coastguard Worker * performed after the TLS handshake is done. It could be processed 1027*cc02d7e2SAndroid Build Coastguard Worker * synchronously or asynchronously. 1028*cc02d7e2SAndroid Build Coastguard Worker * - If expected to be processed synchronously, the implementer should 1029*cc02d7e2SAndroid Build Coastguard Worker * populate the verification result through |sync_status| and 1030*cc02d7e2SAndroid Build Coastguard Worker * |sync_error_details|, and then return true. 1031*cc02d7e2SAndroid Build Coastguard Worker * - If expected to be processed asynchronously, the implementer should return 1032*cc02d7e2SAndroid Build Coastguard Worker * false immediately, and then in the asynchronous thread invoke |callback| 1033*cc02d7e2SAndroid Build Coastguard Worker * with the verification result. The implementer MUST NOT invoke the async 1034*cc02d7e2SAndroid Build Coastguard Worker * |callback| in the same thread before |verify| returns, otherwise it can 1035*cc02d7e2SAndroid Build Coastguard Worker * lead to deadlocks. 1036*cc02d7e2SAndroid Build Coastguard Worker * 1037*cc02d7e2SAndroid Build Coastguard Worker * user_data: any argument that is passed in the user_data of 1038*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_certificate_verifier_external during construction time 1039*cc02d7e2SAndroid Build Coastguard Worker * can be retrieved later here. 1040*cc02d7e2SAndroid Build Coastguard Worker * request: request information exposed to the function implementer. 1041*cc02d7e2SAndroid Build Coastguard Worker * callback: the callback that the function implementer needs to invoke, if 1042*cc02d7e2SAndroid Build Coastguard Worker * return a non-zero value. It is usually invoked when the 1043*cc02d7e2SAndroid Build Coastguard Worker * asynchronous verification is done, and serves to bring the 1044*cc02d7e2SAndroid Build Coastguard Worker * control back to gRPC. 1045*cc02d7e2SAndroid Build Coastguard Worker * callback_arg: A pointer to the internal ExternalVerifier instance. This is 1046*cc02d7e2SAndroid Build Coastguard Worker * mainly used as an argument in |callback|, if want to invoke 1047*cc02d7e2SAndroid Build Coastguard Worker * |callback| in async mode. 1048*cc02d7e2SAndroid Build Coastguard Worker * sync_status: indicates if a connection should be allowed. This should only 1049*cc02d7e2SAndroid Build Coastguard Worker * be used if the verification check is done synchronously. 1050*cc02d7e2SAndroid Build Coastguard Worker * sync_error_details: the error generated while verifying a connection. This 1051*cc02d7e2SAndroid Build Coastguard Worker * should only be used if the verification check is done 1052*cc02d7e2SAndroid Build Coastguard Worker * synchronously. the implementation must allocate the 1053*cc02d7e2SAndroid Build Coastguard Worker * error string via gpr_malloc() or gpr_strdup(). 1054*cc02d7e2SAndroid Build Coastguard Worker * return: return 0 if |verify| is expected to be executed asynchronously, 1055*cc02d7e2SAndroid Build Coastguard Worker * otherwise return a non-zero value. 1056*cc02d7e2SAndroid Build Coastguard Worker */ 1057*cc02d7e2SAndroid Build Coastguard Worker int (*verify)(void* user_data, 1058*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_custom_verification_check_request* request, 1059*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_on_custom_verification_check_done_cb callback, 1060*cc02d7e2SAndroid Build Coastguard Worker void* callback_arg, grpc_status_code* sync_status, 1061*cc02d7e2SAndroid Build Coastguard Worker char** sync_error_details); 1062*cc02d7e2SAndroid Build Coastguard Worker /** 1063*cc02d7e2SAndroid Build Coastguard Worker * A function pointer that cleans up the caller-specified resources when the 1064*cc02d7e2SAndroid Build Coastguard Worker * verifier is still running but the whole connection got cancelled. This 1065*cc02d7e2SAndroid Build Coastguard Worker * could happen when the verifier is doing some async operations, and the 1066*cc02d7e2SAndroid Build Coastguard Worker * whole handshaker object got destroyed because of connection time limit is 1067*cc02d7e2SAndroid Build Coastguard Worker * reached, or any other reasons. In such cases, function implementers might 1068*cc02d7e2SAndroid Build Coastguard Worker * want to be notified, and properly clean up some resources. 1069*cc02d7e2SAndroid Build Coastguard Worker * 1070*cc02d7e2SAndroid Build Coastguard Worker * user_data: any argument that is passed in the user_data of 1071*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_certificate_verifier_external during construction time 1072*cc02d7e2SAndroid Build Coastguard Worker * can be retrieved later here. 1073*cc02d7e2SAndroid Build Coastguard Worker * request: request information exposed to the function implementer. It will 1074*cc02d7e2SAndroid Build Coastguard Worker * be the same request object that was passed to verify(), and it 1075*cc02d7e2SAndroid Build Coastguard Worker * tells the cancel() which request to cancel. 1076*cc02d7e2SAndroid Build Coastguard Worker */ 1077*cc02d7e2SAndroid Build Coastguard Worker void (*cancel)(void* user_data, 1078*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_custom_verification_check_request* request); 1079*cc02d7e2SAndroid Build Coastguard Worker /** 1080*cc02d7e2SAndroid Build Coastguard Worker * A function pointer that does some additional destruction work when the 1081*cc02d7e2SAndroid Build Coastguard Worker * verifier is destroyed. This is used when the caller wants to associate some 1082*cc02d7e2SAndroid Build Coastguard Worker * objects to the lifetime of external_verifier, and destroy them when 1083*cc02d7e2SAndroid Build Coastguard Worker * external_verifier got destructed. For example, in C++, the class containing 1084*cc02d7e2SAndroid Build Coastguard Worker * user-specified callback functions should not be destroyed before 1085*cc02d7e2SAndroid Build Coastguard Worker * external_verifier, since external_verifier will invoke them while being 1086*cc02d7e2SAndroid Build Coastguard Worker * used. 1087*cc02d7e2SAndroid Build Coastguard Worker * Note that the caller MUST delete the grpc_tls_certificate_verifier_external 1088*cc02d7e2SAndroid Build Coastguard Worker * object itself in this function, otherwise it will cause memory leaks. That 1089*cc02d7e2SAndroid Build Coastguard Worker * also means the user_data has to carries at least a self pointer, for the 1090*cc02d7e2SAndroid Build Coastguard Worker * callers to later delete it in destruct(). 1091*cc02d7e2SAndroid Build Coastguard Worker * 1092*cc02d7e2SAndroid Build Coastguard Worker * user_data: any argument that is passed in the user_data of 1093*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_certificate_verifier_external during construction time 1094*cc02d7e2SAndroid Build Coastguard Worker * can be retrieved later here. 1095*cc02d7e2SAndroid Build Coastguard Worker */ 1096*cc02d7e2SAndroid Build Coastguard Worker void (*destruct)(void* user_data); 1097*cc02d7e2SAndroid Build Coastguard Worker } grpc_tls_certificate_verifier_external; 1098*cc02d7e2SAndroid Build Coastguard Worker 1099*cc02d7e2SAndroid Build Coastguard Worker /** 1100*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1101*cc02d7e2SAndroid Build Coastguard Worker * 1102*cc02d7e2SAndroid Build Coastguard Worker * Converts an external verifier to an internal verifier. 1103*cc02d7e2SAndroid Build Coastguard Worker * Note that we will not take the ownership of the external_verifier. Callers 1104*cc02d7e2SAndroid Build Coastguard Worker * will need to delete external_verifier in its own destruct function. 1105*cc02d7e2SAndroid Build Coastguard Worker */ 1106*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* grpc_tls_certificate_verifier_external_create( 1107*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier_external* external_verifier); 1108*cc02d7e2SAndroid Build Coastguard Worker 1109*cc02d7e2SAndroid Build Coastguard Worker /** 1110*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1111*cc02d7e2SAndroid Build Coastguard Worker * 1112*cc02d7e2SAndroid Build Coastguard Worker * Factory function for an internal verifier that won't perform any 1113*cc02d7e2SAndroid Build Coastguard Worker * post-handshake verification. Note: using this solely without any other 1114*cc02d7e2SAndroid Build Coastguard Worker * authentication mechanisms on the peer identity will leave your applications 1115*cc02d7e2SAndroid Build Coastguard Worker * to the MITM(Man-In-The-Middle) attacks. Users should avoid doing so in 1116*cc02d7e2SAndroid Build Coastguard Worker * production environments. 1117*cc02d7e2SAndroid Build Coastguard Worker */ 1118*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* grpc_tls_certificate_verifier_no_op_create(); 1119*cc02d7e2SAndroid Build Coastguard Worker 1120*cc02d7e2SAndroid Build Coastguard Worker /** 1121*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1122*cc02d7e2SAndroid Build Coastguard Worker * 1123*cc02d7e2SAndroid Build Coastguard Worker * Factory function for an internal verifier that will do the default hostname 1124*cc02d7e2SAndroid Build Coastguard Worker * check. 1125*cc02d7e2SAndroid Build Coastguard Worker */ 1126*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* grpc_tls_certificate_verifier_host_name_create(); 1127*cc02d7e2SAndroid Build Coastguard Worker 1128*cc02d7e2SAndroid Build Coastguard Worker /** 1129*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1130*cc02d7e2SAndroid Build Coastguard Worker * 1131*cc02d7e2SAndroid Build Coastguard Worker * Releases a grpc_tls_certificate_verifier object. The creator of the 1132*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_certificate_verifier object is responsible for its release. 1133*cc02d7e2SAndroid Build Coastguard Worker */ 1134*cc02d7e2SAndroid Build Coastguard Worker void grpc_tls_certificate_verifier_release( 1135*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* verifier); 1136*cc02d7e2SAndroid Build Coastguard Worker 1137*cc02d7e2SAndroid Build Coastguard Worker /** 1138*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1139*cc02d7e2SAndroid Build Coastguard Worker * 1140*cc02d7e2SAndroid Build Coastguard Worker * Sets the verifier in options. The |options| will implicitly take a new ref to 1141*cc02d7e2SAndroid Build Coastguard Worker * the |verifier|. If not set on the client side, we will verify server's 1142*cc02d7e2SAndroid Build Coastguard Worker * certificates, and check the default hostname. If not set on the server side, 1143*cc02d7e2SAndroid Build Coastguard Worker * we will verify client's certificates. 1144*cc02d7e2SAndroid Build Coastguard Worker */ 1145*cc02d7e2SAndroid Build Coastguard Worker void grpc_tls_credentials_options_set_certificate_verifier( 1146*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, 1147*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* verifier); 1148*cc02d7e2SAndroid Build Coastguard Worker 1149*cc02d7e2SAndroid Build Coastguard Worker /** 1150*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1151*cc02d7e2SAndroid Build Coastguard Worker * 1152*cc02d7e2SAndroid Build Coastguard Worker * Sets the options of whether to check the hostname of the peer on a per-call 1153*cc02d7e2SAndroid Build Coastguard Worker * basis. This is usually used in a combination with virtual hosting at the 1154*cc02d7e2SAndroid Build Coastguard Worker * client side, where each individual call on a channel can have a different 1155*cc02d7e2SAndroid Build Coastguard Worker * host associated with it. 1156*cc02d7e2SAndroid Build Coastguard Worker * This check is intended to verify that the host specified for the individual 1157*cc02d7e2SAndroid Build Coastguard Worker * call is covered by the cert that the peer presented. 1158*cc02d7e2SAndroid Build Coastguard Worker * The default is a non-zero value, which indicates performing such checks. 1159*cc02d7e2SAndroid Build Coastguard Worker */ 1160*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_check_call_host( 1161*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, int check_call_host); 1162*cc02d7e2SAndroid Build Coastguard Worker 1163*cc02d7e2SAndroid Build Coastguard Worker /** 1164*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1165*cc02d7e2SAndroid Build Coastguard Worker * 1166*cc02d7e2SAndroid Build Coastguard Worker * Performs the verification logic of an internal verifier. 1167*cc02d7e2SAndroid Build Coastguard Worker * This is typically used when composing the internal verifiers as part of the 1168*cc02d7e2SAndroid Build Coastguard Worker * custom verification. 1169*cc02d7e2SAndroid Build Coastguard Worker * If |grpc_tls_certificate_verifier_verify| returns true, inspect the 1170*cc02d7e2SAndroid Build Coastguard Worker * verification result through request->status and request->error_details. 1171*cc02d7e2SAndroid Build Coastguard Worker * Otherwise, inspect through the parameter of |callback|. 1172*cc02d7e2SAndroid Build Coastguard Worker */ 1173*cc02d7e2SAndroid Build Coastguard Worker int grpc_tls_certificate_verifier_verify( 1174*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* verifier, 1175*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_custom_verification_check_request* request, 1176*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_on_custom_verification_check_done_cb callback, void* callback_arg, 1177*cc02d7e2SAndroid Build Coastguard Worker grpc_status_code* sync_status, char** sync_error_details); 1178*cc02d7e2SAndroid Build Coastguard Worker 1179*cc02d7e2SAndroid Build Coastguard Worker /** 1180*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1181*cc02d7e2SAndroid Build Coastguard Worker * 1182*cc02d7e2SAndroid Build Coastguard Worker * Performs the cancellation logic of an internal verifier. 1183*cc02d7e2SAndroid Build Coastguard Worker * This is typically used when composing the internal verifiers as part of the 1184*cc02d7e2SAndroid Build Coastguard Worker * custom verification. 1185*cc02d7e2SAndroid Build Coastguard Worker */ 1186*cc02d7e2SAndroid Build Coastguard Worker void grpc_tls_certificate_verifier_cancel( 1187*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_certificate_verifier* verifier, 1188*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_custom_verification_check_request* request); 1189*cc02d7e2SAndroid Build Coastguard Worker 1190*cc02d7e2SAndroid Build Coastguard Worker /** 1191*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1192*cc02d7e2SAndroid Build Coastguard Worker * 1193*cc02d7e2SAndroid Build Coastguard Worker * Creates a TLS channel credential object based on the 1194*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_credentials_options specified by callers. The 1195*cc02d7e2SAndroid Build Coastguard Worker * grpc_channel_credentials will take the ownership of the |options|. The 1196*cc02d7e2SAndroid Build Coastguard Worker * security level of the resulting connection is GRPC_PRIVACY_AND_INTEGRITY. 1197*cc02d7e2SAndroid Build Coastguard Worker */ 1198*cc02d7e2SAndroid Build Coastguard Worker grpc_channel_credentials* grpc_tls_credentials_create( 1199*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 1200*cc02d7e2SAndroid Build Coastguard Worker 1201*cc02d7e2SAndroid Build Coastguard Worker /** 1202*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1203*cc02d7e2SAndroid Build Coastguard Worker * 1204*cc02d7e2SAndroid Build Coastguard Worker * Creates a TLS server credential object based on the 1205*cc02d7e2SAndroid Build Coastguard Worker * grpc_tls_credentials_options specified by callers. The 1206*cc02d7e2SAndroid Build Coastguard Worker * grpc_server_credentials will take the ownership of the |options|. 1207*cc02d7e2SAndroid Build Coastguard Worker */ 1208*cc02d7e2SAndroid Build Coastguard Worker grpc_server_credentials* grpc_tls_server_credentials_create( 1209*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options); 1210*cc02d7e2SAndroid Build Coastguard Worker 1211*cc02d7e2SAndroid Build Coastguard Worker /** 1212*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1213*cc02d7e2SAndroid Build Coastguard Worker * 1214*cc02d7e2SAndroid Build Coastguard Worker * This method creates an insecure channel credentials object. 1215*cc02d7e2SAndroid Build Coastguard Worker */ 1216*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_insecure_credentials_create(); 1217*cc02d7e2SAndroid Build Coastguard Worker 1218*cc02d7e2SAndroid Build Coastguard Worker /** 1219*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1220*cc02d7e2SAndroid Build Coastguard Worker * 1221*cc02d7e2SAndroid Build Coastguard Worker * This method creates an insecure server credentials object. 1222*cc02d7e2SAndroid Build Coastguard Worker */ 1223*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_insecure_server_credentials_create(); 1224*cc02d7e2SAndroid Build Coastguard Worker 1225*cc02d7e2SAndroid Build Coastguard Worker /** 1226*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1227*cc02d7e2SAndroid Build Coastguard Worker * 1228*cc02d7e2SAndroid Build Coastguard Worker * This method creates an xDS channel credentials object. 1229*cc02d7e2SAndroid Build Coastguard Worker * 1230*cc02d7e2SAndroid Build Coastguard Worker * Creating a channel with credentials of this type indicates that the channel 1231*cc02d7e2SAndroid Build Coastguard Worker * should get credentials configuration from the xDS control plane. 1232*cc02d7e2SAndroid Build Coastguard Worker * 1233*cc02d7e2SAndroid Build Coastguard Worker * \a fallback_credentials are used if the channel target does not have the 1234*cc02d7e2SAndroid Build Coastguard Worker * 'xds:///' scheme or if the xDS control plane does not provide information on 1235*cc02d7e2SAndroid Build Coastguard Worker * how to fetch credentials dynamically. Does NOT take ownership of the \a 1236*cc02d7e2SAndroid Build Coastguard Worker * fallback_credentials. (Internally takes a ref to the object.) 1237*cc02d7e2SAndroid Build Coastguard Worker */ 1238*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_channel_credentials* grpc_xds_credentials_create( 1239*cc02d7e2SAndroid Build Coastguard Worker grpc_channel_credentials* fallback_credentials); 1240*cc02d7e2SAndroid Build Coastguard Worker 1241*cc02d7e2SAndroid Build Coastguard Worker /** 1242*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change 1243*cc02d7e2SAndroid Build Coastguard Worker * 1244*cc02d7e2SAndroid Build Coastguard Worker * This method creates an xDS server credentials object. 1245*cc02d7e2SAndroid Build Coastguard Worker * 1246*cc02d7e2SAndroid Build Coastguard Worker * \a fallback_credentials are used if the xDS control plane does not provide 1247*cc02d7e2SAndroid Build Coastguard Worker * information on how to fetch credentials dynamically. 1248*cc02d7e2SAndroid Build Coastguard Worker * 1249*cc02d7e2SAndroid Build Coastguard Worker * Does NOT take ownership of the \a fallback_credentials. (Internally takes 1250*cc02d7e2SAndroid Build Coastguard Worker * a ref to the object.) 1251*cc02d7e2SAndroid Build Coastguard Worker */ 1252*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_server_credentials* grpc_xds_server_credentials_create( 1253*cc02d7e2SAndroid Build Coastguard Worker grpc_server_credentials* fallback_credentials); 1254*cc02d7e2SAndroid Build Coastguard Worker 1255*cc02d7e2SAndroid Build Coastguard Worker /** 1256*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL - Subject to change. 1257*cc02d7e2SAndroid Build Coastguard Worker * An opaque type that is responsible for providing authorization policies to 1258*cc02d7e2SAndroid Build Coastguard Worker * gRPC. 1259*cc02d7e2SAndroid Build Coastguard Worker */ 1260*cc02d7e2SAndroid Build Coastguard Worker typedef struct grpc_authorization_policy_provider 1261*cc02d7e2SAndroid Build Coastguard Worker grpc_authorization_policy_provider; 1262*cc02d7e2SAndroid Build Coastguard Worker 1263*cc02d7e2SAndroid Build Coastguard Worker /** 1264*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL - Subject to change. 1265*cc02d7e2SAndroid Build Coastguard Worker * Creates a grpc_authorization_policy_provider using gRPC authorization policy 1266*cc02d7e2SAndroid Build Coastguard Worker * from static string. 1267*cc02d7e2SAndroid Build Coastguard Worker * - authz_policy is the input gRPC authorization policy. 1268*cc02d7e2SAndroid Build Coastguard Worker * - code is the error status code on failure. On success, it equals 1269*cc02d7e2SAndroid Build Coastguard Worker * GRPC_STATUS_OK. 1270*cc02d7e2SAndroid Build Coastguard Worker * - error_details contains details about the error if any. If the 1271*cc02d7e2SAndroid Build Coastguard Worker * initialization is successful, it will be null. Caller must use gpr_free to 1272*cc02d7e2SAndroid Build Coastguard Worker * destroy this string. 1273*cc02d7e2SAndroid Build Coastguard Worker */ 1274*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_authorization_policy_provider* 1275*cc02d7e2SAndroid Build Coastguard Worker grpc_authorization_policy_provider_static_data_create( 1276*cc02d7e2SAndroid Build Coastguard Worker const char* authz_policy, grpc_status_code* code, 1277*cc02d7e2SAndroid Build Coastguard Worker const char** error_details); 1278*cc02d7e2SAndroid Build Coastguard Worker 1279*cc02d7e2SAndroid Build Coastguard Worker /** 1280*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL - Subject to change. 1281*cc02d7e2SAndroid Build Coastguard Worker * Creates a grpc_authorization_policy_provider by watching for gRPC 1282*cc02d7e2SAndroid Build Coastguard Worker * authorization policy changes in filesystem. 1283*cc02d7e2SAndroid Build Coastguard Worker * - authz_policy is the file path of gRPC authorization policy. 1284*cc02d7e2SAndroid Build Coastguard Worker * - refresh_interval_sec is the amount of time the internal thread would wait 1285*cc02d7e2SAndroid Build Coastguard Worker * before checking for file updates. 1286*cc02d7e2SAndroid Build Coastguard Worker * - code is the error status code on failure. On success, it equals 1287*cc02d7e2SAndroid Build Coastguard Worker * GRPC_STATUS_OK. 1288*cc02d7e2SAndroid Build Coastguard Worker * - error_details contains details about the error if any. If the 1289*cc02d7e2SAndroid Build Coastguard Worker * initialization is successful, it will be null. Caller must use gpr_free to 1290*cc02d7e2SAndroid Build Coastguard Worker * destroy this string. 1291*cc02d7e2SAndroid Build Coastguard Worker */ 1292*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI grpc_authorization_policy_provider* 1293*cc02d7e2SAndroid Build Coastguard Worker grpc_authorization_policy_provider_file_watcher_create( 1294*cc02d7e2SAndroid Build Coastguard Worker const char* authz_policy_path, unsigned int refresh_interval_sec, 1295*cc02d7e2SAndroid Build Coastguard Worker grpc_status_code* code, const char** error_details); 1296*cc02d7e2SAndroid Build Coastguard Worker 1297*cc02d7e2SAndroid Build Coastguard Worker /** 1298*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL - Subject to change. 1299*cc02d7e2SAndroid Build Coastguard Worker * Releases grpc_authorization_policy_provider object. The creator of 1300*cc02d7e2SAndroid Build Coastguard Worker * grpc_authorization_policy_provider is responsible for its release. 1301*cc02d7e2SAndroid Build Coastguard Worker */ 1302*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_authorization_policy_provider_release( 1303*cc02d7e2SAndroid Build Coastguard Worker grpc_authorization_policy_provider* provider); 1304*cc02d7e2SAndroid Build Coastguard Worker 1305*cc02d7e2SAndroid Build Coastguard Worker /** --- TLS session key logging. --- 1306*cc02d7e2SAndroid Build Coastguard Worker * Experimental API to control tls session key logging. Tls session key logging 1307*cc02d7e2SAndroid Build Coastguard Worker * is expected to be used only for debugging purposes and never in production. 1308*cc02d7e2SAndroid Build Coastguard Worker * Tls session key logging is only enabled when: 1309*cc02d7e2SAndroid Build Coastguard Worker * At least one grpc_tls_credentials_options object is assigned a tls session 1310*cc02d7e2SAndroid Build Coastguard Worker * key logging file path using the API specified below. 1311*cc02d7e2SAndroid Build Coastguard Worker */ 1312*cc02d7e2SAndroid Build Coastguard Worker 1313*cc02d7e2SAndroid Build Coastguard Worker /** 1314*cc02d7e2SAndroid Build Coastguard Worker * EXPERIMENTAL API - Subject to change. 1315*cc02d7e2SAndroid Build Coastguard Worker * Configures a grpc_tls_credentials_options object with tls session key 1316*cc02d7e2SAndroid Build Coastguard Worker * logging capability. TLS channels using these credentials have tls session 1317*cc02d7e2SAndroid Build Coastguard Worker * key logging enabled. 1318*cc02d7e2SAndroid Build Coastguard Worker * - options is the grpc_tls_credentials_options object 1319*cc02d7e2SAndroid Build Coastguard Worker * - path is a string pointing to the location where TLS session keys would be 1320*cc02d7e2SAndroid Build Coastguard Worker * stored. 1321*cc02d7e2SAndroid Build Coastguard Worker */ 1322*cc02d7e2SAndroid Build Coastguard Worker GRPCAPI void grpc_tls_credentials_options_set_tls_session_key_log_file_path( 1323*cc02d7e2SAndroid Build Coastguard Worker grpc_tls_credentials_options* options, const char* path); 1324*cc02d7e2SAndroid Build Coastguard Worker 1325*cc02d7e2SAndroid Build Coastguard Worker #ifdef __cplusplus 1326*cc02d7e2SAndroid Build Coastguard Worker } 1327*cc02d7e2SAndroid Build Coastguard Worker #endif 1328*cc02d7e2SAndroid Build Coastguard Worker 1329*cc02d7e2SAndroid Build Coastguard Worker #endif /* GRPC_GRPC_SECURITY_H */ 1330