xref: /aosp_15_r20/external/grpc-grpc/include/grpc/grpc_security_constants.h (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2) 
1 /*
2  *
3  * Copyright 2016 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef GRPC_GRPC_SECURITY_CONSTANTS_H
20 #define GRPC_GRPC_SECURITY_CONSTANTS_H
21 
22 #ifdef __cplusplus
23 extern "C" {
24 #endif
25 
26 #define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type"
27 #define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl"
28 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"
29 
30 #define GRPC_X509_CN_PROPERTY_NAME "x509_common_name"
31 #define GRPC_X509_SUBJECT_PROPERTY_NAME "x509_subject"
32 #define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name"
33 #define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert"
34 // Please note that internally, we just faithfully pass whatever value we got by
35 // calling SSL_get_peer_cert_chain() in OpenSSL/BoringSSL. This will mean in
36 // OpenSSL, the following conditions might apply:
37 // 1. On the client side, this property returns the full certificate chain. On
38 // the server side, this property will return the certificate chain without the
39 // leaf certificate. Application can use GRPC_X509_PEM_CERT_PROPERTY_NAME to
40 // get the peer leaf certificate.
41 // 2. If the session is resumed, this property could be empty for OpenSSL (but
42 // not for BoringSSL).
43 // For more, please refer to the official OpenSSL manual:
44 // https://www.openssl.org/docs/man1.1.0/man3/SSL_get_peer_cert_chain.html.
45 #define GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME "x509_pem_cert_chain"
46 #define GRPC_SSL_SESSION_REUSED_PROPERTY "ssl_session_reused"
47 #define GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME "security_level"
48 #define GRPC_PEER_DNS_PROPERTY_NAME "peer_dns"
49 #define GRPC_PEER_SPIFFE_ID_PROPERTY_NAME "peer_spiffe_id"
50 #define GRPC_PEER_URI_PROPERTY_NAME "peer_uri"
51 #define GRPC_PEER_EMAIL_PROPERTY_NAME "peer_email"
52 #define GRPC_PEER_IP_PROPERTY_NAME "peer_ip"
53 
54 /** Environment variable that points to the default SSL roots file. This file
55    must be a PEM encoded file with all the roots such as the one that can be
56    downloaded from https://pki.google.com/roots.pem.  */
57 #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
58   "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
59 
60 /** Environment variable that points to the google default application
61    credentials json key or refresh token. Used in the
62    grpc_google_default_credentials_create function. */
63 #define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS"
64 
65 /** Results for the SSL roots override callback. */
66 typedef enum {
67   GRPC_SSL_ROOTS_OVERRIDE_OK,
68   GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /** Do not try fallback options. */
69   GRPC_SSL_ROOTS_OVERRIDE_FAIL
70 } grpc_ssl_roots_override_result;
71 
72 /** Callback results for dynamically loading a SSL certificate config. */
73 typedef enum {
74   GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED,
75   GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW,
76   GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL
77 } grpc_ssl_certificate_config_reload_status;
78 
79 typedef enum {
80   /** Server does not request client certificate.
81      The certificate presented by the client is not checked by the server at
82      all. (A client may present a self signed or signed certificate or not
83      present a certificate at all and any of those option would be accepted) */
84   GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
85   /** Server requests client certificate but does not enforce that the client
86      presents a certificate.
87 
88      If the client presents a certificate, the client authentication is left to
89      the application (the necessary metadata will be available to the
90      application via authentication context properties, see grpc_auth_context).
91 
92      The client's key certificate pair must be valid for the SSL connection to
93      be established. */
94   GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
95   /** Server requests client certificate but does not enforce that the client
96      presents a certificate.
97 
98      If the client presents a certificate, the client authentication is done by
99      the gRPC framework. (For a successful connection the client needs to either
100      present a certificate that can be verified against the root certificate
101      configured by the server or not present a certificate at all)
102 
103      The client's key certificate pair must be valid for the SSL connection to
104      be established. */
105   GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY,
106   /** Server requests client certificate and enforces that the client presents a
107      certificate.
108 
109      If the client presents a certificate, the client authentication is left to
110      the application (the necessary metadata will be available to the
111      application via authentication context properties, see grpc_auth_context).
112 
113      The client's key certificate pair must be valid for the SSL connection to
114      be established. */
115   GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
116   /** Server requests client certificate and enforces that the client presents a
117      certificate.
118 
119      The certificate presented by the client is verified by the gRPC framework.
120      (For a successful connection the client needs to present a certificate that
121      can be verified against the root certificate configured by the server)
122 
123      The client's key certificate pair must be valid for the SSL connection to
124      be established. */
125   GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
126 } grpc_ssl_client_certificate_request_type;
127 
128 /* Security levels of grpc transport security. It represents an inherent
129  * property of a backend connection and is determined by a channel credential
130  * used to create the connection. */
131 typedef enum {
132   GRPC_SECURITY_MIN,
133   GRPC_SECURITY_NONE = GRPC_SECURITY_MIN,
134   GRPC_INTEGRITY_ONLY,
135   GRPC_PRIVACY_AND_INTEGRITY,
136   GRPC_SECURITY_MAX = GRPC_PRIVACY_AND_INTEGRITY,
137 } grpc_security_level;
138 
139 /**
140  * Type of local connections for which local channel/server credentials will be
141  * applied. It supports UDS and local TCP connections.
142  */
143 typedef enum { UDS = 0, LOCAL_TCP } grpc_local_connect_type;
144 
145 /** The TLS versions that are supported by the SSL stack. **/
146 typedef enum { TLS1_2, TLS1_3 } grpc_tls_version;
147 
148 #ifdef __cplusplus
149 }
150 #endif
151 
152 #endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */
153