From 88a9b329369d6d5effa5df6763edf66c4c134d5f Mon Sep 17 00:00:00 2001
From: Jan Tattermusch <jtattermusch@google.com>
Date: Thu, 23 Jul 2015 21:43:44 -0700
Subject: [PATCH] added option to authenticate client using root cert chain
---
src/csharp/Grpc.Core/Credentials.cs | 48 +++++++++--
src/csharp/Grpc.Core/Grpc.Core.csproj | 1 +
.../Internal/CredentialsSafeHandle.cs | 11 ++-
.../Internal/ServerCredentialsSafeHandle.cs | 4 +-
src/csharp/Grpc.Core/KeyCertificatePair.cs | 84 +++++++++++++++++++
src/csharp/Grpc.Core/ServerCredentials.cs | 67 ++++++++-------
6 files changed, 177 insertions(+), 38 deletions(-)
create mode 100644 src/csharp/Grpc.Core/KeyCertificatePair.cs
diff --git a/src/csharp/Grpc.Core/Credentials.cs b/src/csharp/Grpc.Core/Credentials.cs
index e64c1e3dc1..d2dbaaf52f 100644
--- a/src/csharp/Grpc.Core/Credentials.cs
+++ b/src/csharp/Grpc.Core/Credentials.cs
@@ -53,27 +53,63 @@ namespace Grpc.Core
/// </summary>
public class SslCredentials : Credentials
{
- string pemRootCerts;
+ readonly string rootCertificates;
+ readonly KeyCertificatePair keyCertificatePair;
- public SslCredentials(string pemRootCerts)
+ /// <summary>
+ /// Creates client-side SSL credentials loaded from
+ /// disk file pointed to by the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
+ /// If that fails, gets the roots certificates from a well known place on disk.
+ /// </summary>
+ public SslCredentials() : this(null, null)
{
- this.pemRootCerts = pemRootCerts;
+ }
+
+ /// <summary>
+ /// Creates client-side SSL credentials from
+ /// a string containing PEM encoded root certificates.
+ /// </summary>
+ public SslCredentials(string rootCertificates) : this(rootCertificates, null)
+ {
+ }
+
+ /// <summary>
+ /// Creates client-side SSL credentials.
+ /// </summary>
+ /// <param name="rootCertificates">string containing PEM encoded server root certificates.</param>
+ /// <param name="keyCertificatePair">a key certificate pair.</param>
+ public SslCredentials(string rootCertificates, KeyCertificatePair keyCertificatePair)
+ {
+ this.rootCertificates = rootCertificates;
+ this.keyCertificatePair = keyCertificatePair;
}
/// <summary>
/// PEM encoding of the server root certificates.
/// </summary>
- public string RootCerts
+ public string RootCertificates
+ {
+ get
+ {
+ return this.rootCertificates;
+ }
+ }
+
+ /// <summary>
+ /// Client side key and certificate pair.
+ /// If null, client will not use key and certificate pair.
+ /// </summary>
+ public KeyCertificatePair KeyCertificatePair
{
get
{
- return this.pemRootCerts;
+ return this.keyCertificatePair;
}
}
internal override CredentialsSafeHandle ToNativeCredentials()
{
- return CredentialsSafeHandle.CreateSslCredentials(pemRootCerts);
+ return CredentialsSafeHandle.CreateSslCredentials(rootCertificates, keyCertificatePair);
}
}
}
diff --git a/src/csharp/Grpc.Core/Grpc.Core.csproj b/src/csharp/Grpc.Core/Grpc.Core.csproj
index d756254b02..2705c95a26 100644
--- a/src/csharp/Grpc.Core/Grpc.Core.csproj
+++ b/src/csharp/Grpc.Core/Grpc.Core.csproj
@@ -104,6 +104,7 @@
<Compile Include="AsyncUnaryCall.cs" />
<Compile Include="VersionInfo.cs" />
<Compile Include="Internal\CStringSafeHandle.cs" />
+ <Compile Include="KeyCertificatePair.cs" />
</ItemGroup>
<ItemGroup>
<None Include="Grpc.Core.nuspec" />
diff --git a/src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs b/src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs
index f361199068..52d4dfbbac 100644
--- a/src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs
+++ b/src/csharp/Grpc.Core/Internal/CredentialsSafeHandle.cs
@@ -50,9 +50,16 @@ namespace Grpc.Core.Internal
{
}
- public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts)
+ public static CredentialsSafeHandle CreateSslCredentials(string pemRootCerts, KeyCertificatePair keyCertPair)
{
- return grpcsharp_ssl_credentials_create(pemRootCerts, null, null);
+ if (keyCertPair != null)
+ {
+ return grpcsharp_ssl_credentials_create(pemRootCerts, keyCertPair.CertificateChain, keyCertPair.PrivateKey);
+ }
+ else
+ {
+ return grpcsharp_ssl_credentials_create(pemRootCerts, null, null);
+ }
}
protected override bool ReleaseHandle()
diff --git a/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs b/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
index 961180741a..59238a452c 100644
--- a/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
+++ b/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
@@ -51,10 +51,10 @@ namespace Grpc.Core.Internal
{
}
- public static ServerCredentialsSafeHandle CreateSslCredentials(string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray)
+ public static ServerCredentialsSafeHandle CreateSslCredentials(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray)
{
Preconditions.CheckArgument(keyCertPairCertChainArray.Length == keyCertPairPrivateKeyArray.Length);
- return grpcsharp_ssl_server_credentials_create(null,
+ return grpcsharp_ssl_server_credentials_create(pemRootCerts,
keyCertPairCertChainArray, keyCertPairPrivateKeyArray,
new UIntPtr((ulong)keyCertPairCertChainArray.Length));
}
diff --git a/src/csharp/Grpc.Core/KeyCertificatePair.cs b/src/csharp/Grpc.Core/KeyCertificatePair.cs
new file mode 100644
index 0000000000..7cea18618e
--- /dev/null
+++ b/src/csharp/Grpc.Core/KeyCertificatePair.cs
@@ -0,0 +1,84 @@
+#region Copyright notice and license
+
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#endregion
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+
+using Grpc.Core.Internal;
+using Grpc.Core.Utils;
+
+namespace Grpc.Core
+{
+ /// <summary>
+ /// Key certificate pair (in PEM encoding).
+ /// </summary>
+ public sealed class KeyCertificatePair
+ {
+ readonly string certificateChain;
+ readonly string privateKey;
+
+ /// <summary>
+ /// Creates a new certificate chain - private key pair.
+ /// </summary>
+ /// <param name="certificateChain">PEM encoded certificate chain.</param>
+ /// <param name="privateKey">PEM encoded private key.</param>
+ public KeyCertificatePair(string certificateChain, string privateKey)
+ {
+ this.certificateChain = Preconditions.CheckNotNull(certificateChain);
+ this.privateKey = Preconditions.CheckNotNull(privateKey);
+ }
+
+ /// <summary>
+ /// PEM encoded certificate chain.
+ /// </summary>
+ public string CertificateChain
+ {
+ get
+ {
+ return certificateChain;
+ }
+ }
+
+ /// <summary>
+ /// PEM encoded private key.
+ /// </summary>
+ public string PrivateKey
+ {
+ get
+ {
+ return privateKey;
+ }
+ }
+ }
+}
diff --git a/src/csharp/Grpc.Core/ServerCredentials.cs b/src/csharp/Grpc.Core/ServerCredentials.cs
index ab7d0b4914..334211e9f9 100644
--- a/src/csharp/Grpc.Core/ServerCredentials.cs
+++ b/src/csharp/Grpc.Core/ServerCredentials.cs
@@ -35,6 +35,7 @@ using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Grpc.Core.Internal;
+using Grpc.Core.Utils;
namespace Grpc.Core
{
@@ -51,59 +52,69 @@ namespace Grpc.Core
}
/// <summary>
- /// Key certificate pair (in PEM encoding).
+ /// Server-side SSL credentials.
/// </summary>
- public class KeyCertificatePair
+ public class SslServerCredentials : ServerCredentials
{
- readonly string certChain;
- readonly string privateKey;
+ readonly IList<KeyCertificatePair> keyCertificatePairs;
+ readonly string rootCertificates;
- public KeyCertificatePair(string certChain, string privateKey)
+ /// <summary>
+ /// Creates server-side SSL credentials.
+ /// </summary>
+ /// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param>
+ /// <param name="keyCertificatePairs">Key-certificates to use.</param>
+ public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates)
{
- this.certChain = certChain;
- this.privateKey = privateKey;
+ this.rootCertificates = rootCertificates;
+ this.keyCertificatePairs = new List<KeyCertificatePair>(keyCertificatePairs).AsReadOnly();
+ Preconditions.CheckArgument(this.keyCertificatePairs.Count == 0,
+ "At least one KeyCertificatePair needs to be provided");
}
- public string CertChain
+ /// <summary>
+ /// Creates server-side SSL credentials.
+ /// This constructor should be use if you do not wish to autheticate client
+ /// using client root certificates.
+ /// </summary>
+ /// <param name="keyCertificatePairs">Key-certificates to use.</param>
+ public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null)
{
- get
- {
- return certChain;
- }
}
- public string PrivateKey
+ /// <summary>
+ /// Key-certificate pairs.
+ /// </summary>
+ public IList<KeyCertificatePair> KeyCertificatePairs
{
get
{
- return privateKey;
+ return this.keyCertificatePairs;
}
}
- }
- /// <summary>
- /// Server-side SSL credentials.
- /// </summary>
- public class SslServerCredentials : ServerCredentials
- {
- ImmutableList<KeyCertificatePair> keyCertPairs;
-
- public SslServerCredentials(ImmutableList<KeyCertificatePair> keyCertPairs)
+ /// <summary>
+ /// PEM encoded client root certificates.
+ /// </summary>
+ public string RootCertificates
{
- this.keyCertPairs = keyCertPairs;
+ get
+ {
+ return this.rootCertificates;
+ }
}
internal override ServerCredentialsSafeHandle ToNativeCredentials()
{
- int count = keyCertPairs.Count;
+ int count = keyCertificatePairs.Count;
string[] certChains = new string[count];
string[] keys = new string[count];
for (int i = 0; i < count; i++)
{
- certChains[i] = keyCertPairs[i].CertChain;
- keys[i] = keyCertPairs[i].PrivateKey;
+ certChains[i] = keyCertificatePairs[i].CertificateChain;
+ keys[i] = keyCertificatePairs[i].PrivateKey;
}
- return ServerCredentialsSafeHandle.CreateSslCredentials(certChains, keys);
+ return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys);
}
}
}
--
GitLab