Merge pull request #661 from jboeuf/remove_hardcoded_ssl_roots

Removing the hardcoded SSL roots.

Makefile

@@ -2237,7 +2237,6 @@ LIBGRPC_SRC = \
     src/core/security/base64.c \
     src/core/security/credentials.c \
     src/core/security/factories.c \
-    src/core/security/google_root_certs.c \
     src/core/security/json_token.c \
     src/core/security/secure_endpoint.c \
     src/core/security/secure_transport_setup.c \
@@ -2377,7 +2376,6 @@ src/core/security/auth.c: $(OPENSSL_DEP)
 src/core/security/base64.c: $(OPENSSL_DEP)
 src/core/security/credentials.c: $(OPENSSL_DEP)
 src/core/security/factories.c: $(OPENSSL_DEP)
-src/core/security/google_root_certs.c: $(OPENSSL_DEP)
 src/core/security/json_token.c: $(OPENSSL_DEP)
 src/core/security/secure_endpoint.c: $(OPENSSL_DEP)
 src/core/security/secure_transport_setup.c: $(OPENSSL_DEP)
@@ -2534,7 +2532,6 @@ $(OBJDIR)/$(CONFIG)/src/core/security/auth.o:
 $(OBJDIR)/$(CONFIG)/src/core/security/base64.o: 
 $(OBJDIR)/$(CONFIG)/src/core/security/credentials.o: 
 $(OBJDIR)/$(CONFIG)/src/core/security/factories.o: 
-$(OBJDIR)/$(CONFIG)/src/core/security/google_root_certs.o: 
 $(OBJDIR)/$(CONFIG)/src/core/security/json_token.o: 
 $(OBJDIR)/$(CONFIG)/src/core/security/secure_endpoint.o: 
 $(OBJDIR)/$(CONFIG)/src/core/security/secure_transport_setup.o: 

build.json

@@ -307,7 +307,6 @@
         "src/core/security/auth.h",
         "src/core/security/base64.h",
         "src/core/security/credentials.h",
-        "src/core/security/google_root_certs.h",
         "src/core/security/json_token.h",
         "src/core/security/secure_transport_setup.h",
         "src/core/security/security_context.h",
@@ -321,7 +320,6 @@
         "src/core/security/base64.c",
         "src/core/security/credentials.c",
         "src/core/security/factories.c",
-        "src/core/security/google_root_certs.c",
         "src/core/security/json_token.c",
         "src/core/security/secure_endpoint.c",
         "src/core/security/secure_transport_setup.c",

src/core/httpcli/httpcli.c

@@ -43,7 +43,6 @@
 #include "src/core/httpcli/httpcli_security_context.h"
 #include "src/core/httpcli/parser.h"
 #include "src/core/security/security_context.h"
-#include "src/core/security/google_root_certs.h"
 #include "src/core/security/secure_transport_setup.h"
 #include "src/core/support/string.h"
 #include <grpc/support/alloc.h>
@@ -182,9 +181,16 @@ static void on_connected(void *arg, grpc_endpoint *tcp) {
   req->ep = tcp;
   if (req->use_ssl) {
     grpc_channel_security_context *ctx = NULL;
+    const unsigned char *pem_root_certs = NULL;
+    size_t pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs);
+    if (pem_root_certs == NULL || pem_root_certs_size == 0) {
+      gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+      finish(req, 0);
+      return;
+    }
     GPR_ASSERT(grpc_httpcli_ssl_channel_security_context_create(
-                   grpc_google_root_certs, grpc_google_root_certs_size,
-                   req->host, &ctx) == GRPC_SECURITY_OK);
+                   pem_root_certs, pem_root_certs_size, req->host, &ctx) ==
+               GRPC_SECURITY_OK);
     grpc_setup_secure_transport(&ctx->base, tcp, on_secure_transport_setup_done,
                                 req);
     grpc_security_context_unref(&ctx->base);

src/core/security/google_root_certs.h

-/*
- *
- * Copyright 2015, Google Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *     * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *     * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer
- * in the documentation and/or other materials provided with the
- * distribution.
- *     * Neither the name of Google Inc. nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef __GRPC_INTERNAL_SECURITY_GOOGLE_ROOT_CERTS_H__
-#define __GRPC_INTERNAL_SECURITY_GOOGLE_ROOT_CERTS_H__
-
-extern unsigned char grpc_google_root_certs[];
-extern unsigned int grpc_google_root_certs_size;
-
-#endif /* __GRPC_INTERNAL_SECURITY_GOOGLE_ROOT_CERTS_H__ */

src/core/security/security_context.c

@@ -406,7 +406,7 @@ static void init_default_pem_root_certs(void) {
   }
 }
 
-static size_t get_default_pem_roots(const unsigned char **pem_root_certs) {
+size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) {
   /* TODO(jboeuf@google.com): Maybe revisit the approach which consists in
      loading all the roots once for the lifetime of the process. */
   static gpr_once once = GPR_ONCE_INIT;
@@ -460,7 +460,7 @@ grpc_security_status grpc_ssl_channel_security_context_create(
     c->overridden_target_name = gpr_strdup(overridden_target_name);
   }
   if (config->pem_root_certs == NULL) {
-    pem_root_certs_size = get_default_pem_roots(&pem_root_certs);
+    pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs);
     if (pem_root_certs == NULL || pem_root_certs_size == 0) {
       gpr_log(GPR_ERROR, "Could not get default pem root certs.");
       goto error;

src/core/security/security_context.h

@@ -171,6 +171,8 @@ grpc_security_status grpc_ssl_server_security_context_create(
 
 /* Secure client channel creation. */
 
+size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs);
+
 grpc_channel *grpc_ssl_channel_create(grpc_credentials *ssl_creds,
                                       grpc_credentials *request_metadata_creds,
                                       const char *target,

vsprojects/vs2013/grpc.vcxproj

@@ -88,7 +88,6 @@
     <ClInclude Include="..\..\src\core\security\auth.h" />
     <ClInclude Include="..\..\src\core\security\base64.h" />
     <ClInclude Include="..\..\src\core\security\credentials.h" />
-    <ClInclude Include="..\..\src\core\security\google_root_certs.h" />
     <ClInclude Include="..\..\src\core\security\json_token.h" />
     <ClInclude Include="..\..\src\core\security\secure_transport_setup.h" />
     <ClInclude Include="..\..\src\core\security\security_context.h" />
@@ -195,8 +194,6 @@
     </ClCompile>
     <ClCompile Include="..\..\src\core\security\factories.c">
     </ClCompile>
-    <ClCompile Include="..\..\src\core\security\google_root_certs.c">
-    </ClCompile>
     <ClCompile Include="..\..\src\core\security\json_token.c">
     </ClCompile>
     <ClCompile Include="..\..\src\core\security\secure_endpoint.c">

vsprojects/vs2013/grpc.vcxproj.filters

@@ -13,9 +13,6 @@
     <ClCompile Include="..\..\src\core\security\factories.c">
       <Filter>src\core\security</Filter>
     </ClCompile>
-    <ClCompile Include="..\..\src\core\security\google_root_certs.c">
-      <Filter>src\core\security</Filter>
-    </ClCompile>
     <ClCompile Include="..\..\src\core\security\json_token.c">
       <Filter>src\core\security</Filter>
     </ClCompile>
@@ -362,9 +359,6 @@
     <ClInclude Include="..\..\src\core\security\credentials.h">
       <Filter>src\core\security</Filter>
     </ClInclude>
-    <ClInclude Include="..\..\src\core\security\google_root_certs.h">
-      <Filter>src\core\security</Filter>
-    </ClInclude>
     <ClInclude Include="..\..\src\core\security\json_token.h">
       <Filter>src\core\security</Filter>
     </ClInclude>

vsprojects/vs2013/grpc_shared.vcxproj

@@ -92,7 +92,6 @@
     <ClInclude Include="..\..\src\core\security\auth.h" />
     <ClInclude Include="..\..\src\core\security\base64.h" />
     <ClInclude Include="..\..\src\core\security\credentials.h" />
-    <ClInclude Include="..\..\src\core\security\google_root_certs.h" />
     <ClInclude Include="..\..\src\core\security\json_token.h" />
     <ClInclude Include="..\..\src\core\security\secure_transport_setup.h" />
     <ClInclude Include="..\..\src\core\security\security_context.h" />
@@ -199,8 +198,6 @@
     </ClCompile>
     <ClCompile Include="..\..\src\core\security\factories.c">
     </ClCompile>
-    <ClCompile Include="..\..\src\core\security\google_root_certs.c">
-    </ClCompile>
     <ClCompile Include="..\..\src\core\security\json_token.c">
     </ClCompile>
     <ClCompile Include="..\..\src\core\security\secure_endpoint.c">

vsprojects/vs2013/grpc_shared.vcxproj.filters

@@ -13,9 +13,6 @@
     <ClCompile Include="..\..\src\core\security\factories.c">
       <Filter>src\core\security</Filter>
     </ClCompile>
-    <ClCompile Include="..\..\src\core\security\google_root_certs.c">
-      <Filter>src\core\security</Filter>
-    </ClCompile>
     <ClCompile Include="..\..\src\core\security\json_token.c">
       <Filter>src\core\security</Filter>
     </ClCompile>
@@ -362,9 +359,6 @@
     <ClInclude Include="..\..\src\core\security\credentials.h">
       <Filter>src\core\security</Filter>
     </ClInclude>
-    <ClInclude Include="..\..\src\core\security\google_root_certs.h">
-      <Filter>src\core\security</Filter>
-    </ClInclude>
     <ClInclude Include="..\..\src\core\security\json_token.h">
       <Filter>src\core\security</Filter>
     </ClInclude>