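/*
 *
 * Copyright 2016 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#ifndef GRPC_GRPC_SECURITY_CONSTANTS_H
#define GRPC_GRPC_SECURITY_CONSTANTS_H

#ifdef __cplusplus
extern "C" {
#endif

/** Names of the properties that describe the transport security and the
    peer of a connection in the authentication context (see
    grpc_auth_context). The values are plain C strings used as lookup keys;
    they are part of the public API and must not change. */
#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type"
#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl"
#define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls"

#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name"
#define GRPC_X509_SUBJECT_PROPERTY_NAME "x509_subject"
#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name"
#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert"
// Please note that internally, we just faithfully pass whatever value we got by
// calling SSL_get_peer_cert_chain() in OpenSSL/BoringSSL. This will mean in
// OpenSSL, the following conditions might apply:
// 1. On the client side, this property returns the full certificate chain. On
// the server side, this property will return the certificate chain without the
// leaf certificate. Application can use GRPC_X509_PEM_CERT_PROPERTY_NAME to
// get the peer leaf certificate.
// 2. If the session is resumed, this property could be empty for OpenSSL (but
// not for BoringSSL).
// For more, please refer to the official OpenSSL manual:
// https://www.openssl.org/docs/man1.1.0/man3/SSL_get_peer_cert_chain.html.
// Because the value can therefore be empty or lack the leaf depending on the
// TLS library, the side of the connection and session resumption, consumers
// should not rely on this property alone to identify the peer; take the leaf
// from GRPC_X509_PEM_CERT_PROPERTY_NAME.
#define GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME "x509_pem_cert_chain"
#define GRPC_SSL_SESSION_REUSED_PROPERTY "ssl_session_reused"
#define GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME "security_level"
#define GRPC_PEER_DNS_PROPERTY_NAME "peer_dns"
#define GRPC_PEER_SPIFFE_ID_PROPERTY_NAME "peer_spiffe_id"
#define GRPC_PEER_URI_PROPERTY_NAME "peer_uri"
#define GRPC_PEER_EMAIL_PROPERTY_NAME "peer_email"
#define GRPC_PEER_IP_PROPERTY_NAME "peer_ip"

/** Environment variable that points to the default SSL roots file. This file
    must be a PEM encoded file with all the roots such as the one that can be
    downloaded from https://pki.google.com/roots.pem.

    Because this variable selects the trust anchors used for peer verification,
    whoever controls the process environment controls which CAs are trusted;
    deployments should treat the environment of a gRPC process as
    security-sensitive. */
#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
  "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"

/** Environment variable that points to the google default application
    credentials json key or refresh token. Used in the
    grpc_google_default_credentials_create function. The file it names holds
    secret material and should be protected accordingly. */
#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS"

/** Results for the SSL roots override callback. */
typedef enum {
  GRPC_SSL_ROOTS_OVERRIDE_OK,
  GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /**< Do not try fallback options. */
  GRPC_SSL_ROOTS_OVERRIDE_FAIL
} grpc_ssl_roots_override_result;

/** Callback results for dynamically loading a SSL certificate config. */
typedef enum {
  GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED,
  GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW,
  GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL
} grpc_ssl_certificate_config_reload_status;

/** How a server treats client certificates during the TLS handshake.

    The four "request" variants differ along two axes: whether a missing client
    certificate is tolerated (REQUEST) or fatal to the handshake (REQUEST_AND_
    REQUIRE), and whether a presented certificate is verified by the gRPC
    framework against the server's configured roots (AND_VERIFY) or left for
    the application to check (BUT_DONT_VERIFY). In every variant a presented
    key/certificate pair must still be valid for the SSL connection to be
    established. */
typedef enum {
  /** Server does not request client certificate.

      The certificate presented by the client is not checked by the server at
      all. (A client may present a self signed or signed certificate or not
      present a certificate at all and any of those options would be accepted.)
      The transport therefore provides no client authentication. */
  GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
  /** Server requests client certificate but does not enforce that the client
      presents a certificate.

      If the client presents a certificate, the client authentication is left to
      the application (the necessary metadata will be available to the
      application via authentication context properties, see grpc_auth_context).
      The framework does not verify the presented certificate against the
      configured roots, so its presence alone does not establish the client's
      identity.

      The client's key certificate pair must be valid for the SSL connection to
      be established. */
  GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
  /** Server requests client certificate but does not enforce that the client
      presents a certificate.

      If the client presents a certificate, the client authentication is done by
      the gRPC framework. (For a successful connection the client needs to either
      present a certificate that can be verified against the root certificate
      configured by the server or not present a certificate at all.) Note that a
      client that presents no certificate is still accepted, so the application
      must check the authentication context before treating the peer as
      authenticated.

      The client's key certificate pair must be valid for the SSL connection to
      be established. */
  GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY,
  /** Server requests client certificate and enforces that the client presents a
      certificate.

      If the client presents a certificate, the client authentication is left to
      the application (the necessary metadata will be available to the
      application via authentication context properties, see grpc_auth_context).
      The framework does not verify the presented certificate against the
      configured roots, so its presence alone does not establish the client's
      identity.

      The client's key certificate pair must be valid for the SSL connection to
      be established. */
  GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
  /** Server requests client certificate and enforces that the client presents a
      certificate.

      The certificate presented by the client is verified by the gRPC framework.
      (For a successful connection the client needs to present a certificate that
      can be verified against the root certificate configured by the server.)
      This is the only variant in which the transport itself guarantees an
      authenticated client.

      The client's key certificate pair must be valid for the SSL connection to
      be established. */
  GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
} grpc_ssl_client_certificate_request_type;

/* Security levels of grpc transport security. It represents an inherent
 * property of a backend connection and is determined by a channel credential
 * used to create the connection.
 *
 * The enumerators are ordered from weakest to strongest guarantee, with
 * GRPC_SECURITY_MIN and GRPC_SECURITY_MAX aliasing the two ends of the range,
 * so numeric comparison of two levels is meaningful. */
typedef enum {
  GRPC_SECURITY_MIN,
  GRPC_SECURITY_NONE = GRPC_SECURITY_MIN, /**< Neither integrity nor privacy. */
  GRPC_INTEGRITY_ONLY,
  GRPC_PRIVACY_AND_INTEGRITY,
  GRPC_SECURITY_MAX = GRPC_PRIVACY_AND_INTEGRITY
} grpc_security_level;

/**
 * Type of local connections for which local channel/server credentials will be
 * applied. It supports UDS and local TCP connections.
 *
 * NOTE(review): these enumerators, like TLS1_2/TLS1_3 below, carry no GRPC_
 * prefix and therefore occupy the global namespace of every translation unit
 * that includes this header. They are kept as-is because renaming would break
 * existing callers.
 */
typedef enum { UDS = 0, LOCAL_TCP } grpc_local_connect_type;

/** The TLS versions that are supported by the SSL stack. **/
typedef enum { TLS1_2, TLS1_3 } grpc_tls_version;

#ifdef __cplusplus
}
#endif

#endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */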