src/core/tsi/ssl_transport_security.h - platform/external/grpc-grpc - Gitiles

 /*
  *
  * Copyright 2015, Google Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
  * copyright notice, this list of conditions and the following disclaimer
  * in the documentation and/or other materials provided with the
  * distribution.
  *     * Neither the name of Google Inc. nor the names of its
  * contributors may be used to endorse or promote products derived from
  * this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */

 #ifndef GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H
 #define GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H

 #include "src/core/tsi/transport_security_interface.h"

 #ifdef __cplusplus
 extern "C" {
 #endif

 /* Value for the TSI_CERTIFICATE_TYPE_PEER_PROPERTY property for X509 certs. */
 #define TSI_X509_CERTIFICATE_TYPE "X509"

 /* This property is of type TSI_PEER_PROPERTY_STRING.  */
 #define TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY "x509_subject_common_name"
 #define TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY \
   "x509_subject_alternative_name"

 #define TSI_X509_PEM_CERT_PROPERTY "x509_pem_cert"

 #define TSI_SSL_ALPN_SELECTED_PROTOCOL "ssl_alpn_selected_protocol"

 /* --- tsi_ssl_client_handshaker_factory object ---

    This object creates a client tsi_handshaker objects implemented in terms of
    the TLS 1.2 specificiation.  */

 typedef struct tsi_ssl_client_handshaker_factory
     tsi_ssl_client_handshaker_factory;

 /* Object that holds a private key / certificate chain pair in PEM format. */
 typedef struct {
   /* private_key is the NULL-terminated string containing the PEM encoding of
      the client's private key. */
   const char *private_key;

   /* cert_chain is the NULL-terminated string containing the PEM encoding of
      the client's certificate chain. */
   const char *cert_chain;
 } tsi_ssl_pem_key_cert_pair;

 /* Creates a client handshaker factory.
    - pem_key_cert_pair is a pointer to the object containing client's private
      key and certificate chain. This parameter can be NULL if the client does
      not have such a key/cert pair.
    - pem_roots_cert is the NULL-terminated string containing the PEM encoding of
      the client root certificates. This parameter may be NULL if the server does
      not want the client to be authenticated with SSL.
    - cipher_suites contains an optional list of the ciphers that the client
      supports. The format of this string is described in:
      https://www.openssl.org/docs/apps/ciphers.html.
      This parameter can be set to NULL to use the default set of ciphers.
      TODO(jboeuf): Revisit the format of this parameter.
    - alpn_protocols is an array containing the NULL terminated protocol names
      that the handshakers created with this factory support. This parameter can
      be NULL.
    - num_alpn_protocols is the number of alpn protocols and associated lengths
      specified. If this parameter is 0, the other alpn parameters must be NULL.
    - factory is the address of the factory pointer to be created.

    - This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
      where a parameter is invalid.  */
 tsi_result tsi_create_ssl_client_handshaker_factory(
     const tsi_ssl_pem_key_cert_pair *pem_key_cert_pair,
     const char *pem_root_certs, const char *cipher_suites,
     const char **alpn_protocols, uint16_t num_alpn_protocols,
     tsi_ssl_client_handshaker_factory **factory);

 /* Creates a client handshaker.
   - self is the factory from which the handshaker will be created.
   - server_name_indication indicates the name of the server the client is
     trying to connect to which will be relayed to the server using the SNI
     extension.
   - handshaker is the address of the handshaker pointer to be created.

   - This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
     where a parameter is invalid.  */
 tsi_result tsi_ssl_client_handshaker_factory_create_handshaker(
     tsi_ssl_client_handshaker_factory *self, const char *server_name_indication,
     tsi_handshaker **handshaker);

 /* Destroys the handshaker factory. WARNING: it is unsafe to destroy a factory
    while handshakers created with this factory are still in use.  */
 void tsi_ssl_client_handshaker_factory_destroy(
     tsi_ssl_client_handshaker_factory *self);

 /* --- tsi_ssl_server_handshaker_factory object ---

    This object creates a client tsi_handshaker objects implemented in terms of
    the TLS 1.2 specificiation.  */

 typedef struct tsi_ssl_server_handshaker_factory
     tsi_ssl_server_handshaker_factory;

 /* Creates a server handshaker factory.
    - pem_key_cert_pairs is an array private key / certificate chains of the
      server.
    - num_key_cert_pairs is the number of items in the pem_key_cert_pairs array.
    - pem_root_certs is the NULL-terminated string containing the PEM encoding
      of the server root certificates.
    - cipher_suites contains an optional list of the ciphers that the server
      supports. The format of this string is described in:
      https://www.openssl.org/docs/apps/ciphers.html.
      This parameter can be set to NULL to use the default set of ciphers.
      TODO(jboeuf): Revisit the format of this parameter.
    - alpn_protocols is an array containing the NULL terminated protocol names
      that the handshakers created with this factory support. This parameter can
      be NULL.
    - num_alpn_protocols is the number of alpn protocols and associated lengths
      specified. If this parameter is 0, the other alpn parameters must be NULL.
    - factory is the address of the factory pointer to be created.

    - This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
      where a parameter is invalid.  */
 tsi_result tsi_create_ssl_server_handshaker_factory(
     const tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs,
     size_t num_key_cert_pairs, const char *pem_client_root_certs,
     int force_client_auth, const char *cipher_suites,
     const char **alpn_protocols, uint16_t num_alpn_protocols,
     tsi_ssl_server_handshaker_factory **factory);

 /* Same as tsi_create_ssl_server_handshaker_factory method except uses
    tsi_client_certificate_request_type to support more ways to handle client
    certificate authentication.
    - client_certificate_request, if set to non-zero will force the client to
      authenticate with an SSL cert. Note that this option is ignored if
      pem_client_root_certs is NULL or pem_client_roots_certs_size is 0 */
 tsi_result tsi_create_ssl_server_handshaker_factory_ex(
     const tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs,
     size_t num_key_cert_pairs, const char *pem_client_root_certs,
     tsi_client_certificate_request_type client_certificate_request,
     const char *cipher_suites, const char **alpn_protocols,
     uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory **factory);

 /* Creates a server handshaker.
   - self is the factory from which the handshaker will be created.
   - handshaker is the address of the handshaker pointer to be created.

   - This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
     where a parameter is invalid.  */
 tsi_result tsi_ssl_server_handshaker_factory_create_handshaker(
     tsi_ssl_server_handshaker_factory *self, tsi_handshaker **handshaker);

 /* Destroys the handshaker factory. WARNING: it is unsafe to destroy a factory
    while handshakers created with this factory are still in use.  */
 void tsi_ssl_server_handshaker_factory_destroy(
     tsi_ssl_server_handshaker_factory *self);

 /* Util that checks that an ssl peer matches a specific name.
    Still TODO(jboeuf):
    - handle mixed case.
    - handle %encoded chars.
    - handle public suffix wildchar more strictly (e.g. *.co.uk) */
 int tsi_ssl_peer_matches_name(const tsi_peer *peer, const char *name);

 #ifdef __cplusplus
 }
 #endif

 #endif /* GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H */
	/*
	*
	* Copyright 2015, Google Inc.
	* All rights reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions are
	* met:
	*
	* * Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* * Redistributions in binary form must reproduce the above
	* copyright notice, this list of conditions and the following disclaimer
	* in the documentation and/or other materials provided with the
	* distribution.
	* * Neither the name of Google Inc. nor the names of its
	* contributors may be used to endorse or promote products derived from
	* this software without specific prior written permission.
	*
	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
	* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
	* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
	* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	*
	*/

	#ifndef GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H
	#define GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H

	#include "src/core/tsi/transport_security_interface.h"

	#ifdef __cplusplus
	extern "C" {
	#endif

	/* Value for the TSI_CERTIFICATE_TYPE_PEER_PROPERTY property for X509 certs. */
	#define TSI_X509_CERTIFICATE_TYPE "X509"

	/* This property is of type TSI_PEER_PROPERTY_STRING. */
	#define TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY "x509_subject_common_name"
	#define TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY \
	"x509_subject_alternative_name"

	#define TSI_X509_PEM_CERT_PROPERTY "x509_pem_cert"

	#define TSI_SSL_ALPN_SELECTED_PROTOCOL "ssl_alpn_selected_protocol"

	/* --- tsi_ssl_client_handshaker_factory object ---

	This object creates a client tsi_handshaker objects implemented in terms of
	the TLS 1.2 specificiation. */

	typedef struct tsi_ssl_client_handshaker_factory
	tsi_ssl_client_handshaker_factory;

	/* Object that holds a private key / certificate chain pair in PEM format. */
	typedef struct {
	/* private_key is the NULL-terminated string containing the PEM encoding of
	the client's private key. */
	const char *private_key;

	/* cert_chain is the NULL-terminated string containing the PEM encoding of
	the client's certificate chain. */
	const char *cert_chain;
	} tsi_ssl_pem_key_cert_pair;

	/* Creates a client handshaker factory.
	- pem_key_cert_pair is a pointer to the object containing client's private
	key and certificate chain. This parameter can be NULL if the client does
	not have such a key/cert pair.
	- pem_roots_cert is the NULL-terminated string containing the PEM encoding of
	the client root certificates. This parameter may be NULL if the server does
	not want the client to be authenticated with SSL.
	- cipher_suites contains an optional list of the ciphers that the client
	supports. The format of this string is described in:
	https://www.openssl.org/docs/apps/ciphers.html.
	This parameter can be set to NULL to use the default set of ciphers.
	TODO(jboeuf): Revisit the format of this parameter.
	- alpn_protocols is an array containing the NULL terminated protocol names
	that the handshakers created with this factory support. This parameter can
	be NULL.
	- num_alpn_protocols is the number of alpn protocols and associated lengths
	specified. If this parameter is 0, the other alpn parameters must be NULL.
	- factory is the address of the factory pointer to be created.

	- This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
	where a parameter is invalid. */
	tsi_result tsi_create_ssl_client_handshaker_factory(
	const tsi_ssl_pem_key_cert_pair *pem_key_cert_pair,
	const char pem_root_certs, const char cipher_suites,
	const char **alpn_protocols, uint16_t num_alpn_protocols,
	tsi_ssl_client_handshaker_factory **factory);

	/* Creates a client handshaker.
	- self is the factory from which the handshaker will be created.
	- server_name_indication indicates the name of the server the client is
	trying to connect to which will be relayed to the server using the SNI
	extension.
	- handshaker is the address of the handshaker pointer to be created.

	- This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
	where a parameter is invalid. */
	tsi_result tsi_ssl_client_handshaker_factory_create_handshaker(
	tsi_ssl_client_handshaker_factory self, const char server_name_indication,
	tsi_handshaker **handshaker);

	/* Destroys the handshaker factory. WARNING: it is unsafe to destroy a factory
	while handshakers created with this factory are still in use. */
	void tsi_ssl_client_handshaker_factory_destroy(
	tsi_ssl_client_handshaker_factory *self);

	/* --- tsi_ssl_server_handshaker_factory object ---

	This object creates a client tsi_handshaker objects implemented in terms of
	the TLS 1.2 specificiation. */

	typedef struct tsi_ssl_server_handshaker_factory
	tsi_ssl_server_handshaker_factory;

	/* Creates a server handshaker factory.
	- pem_key_cert_pairs is an array private key / certificate chains of the
	server.
	- num_key_cert_pairs is the number of items in the pem_key_cert_pairs array.
	- pem_root_certs is the NULL-terminated string containing the PEM encoding
	of the server root certificates.
	- cipher_suites contains an optional list of the ciphers that the server
	supports. The format of this string is described in:
	https://www.openssl.org/docs/apps/ciphers.html.
	This parameter can be set to NULL to use the default set of ciphers.
	TODO(jboeuf): Revisit the format of this parameter.
	- alpn_protocols is an array containing the NULL terminated protocol names
	that the handshakers created with this factory support. This parameter can
	be NULL.
	- num_alpn_protocols is the number of alpn protocols and associated lengths
	specified. If this parameter is 0, the other alpn parameters must be NULL.
	- factory is the address of the factory pointer to be created.

	- This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
	where a parameter is invalid. */
	tsi_result tsi_create_ssl_server_handshaker_factory(
	const tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs,
	size_t num_key_cert_pairs, const char *pem_client_root_certs,
	int force_client_auth, const char *cipher_suites,
	const char **alpn_protocols, uint16_t num_alpn_protocols,
	tsi_ssl_server_handshaker_factory **factory);

	/* Same as tsi_create_ssl_server_handshaker_factory method except uses
	tsi_client_certificate_request_type to support more ways to handle client
	certificate authentication.
	- client_certificate_request, if set to non-zero will force the client to
	authenticate with an SSL cert. Note that this option is ignored if
	pem_client_root_certs is NULL or pem_client_roots_certs_size is 0 */
	tsi_result tsi_create_ssl_server_handshaker_factory_ex(
	const tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs,
	size_t num_key_cert_pairs, const char *pem_client_root_certs,
	tsi_client_certificate_request_type client_certificate_request,
	const char cipher_suites, const char *alpn_protocols,
	uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory **factory);

	/* Creates a server handshaker.
	- self is the factory from which the handshaker will be created.
	- handshaker is the address of the handshaker pointer to be created.

	- This method returns TSI_OK on success or TSI_INVALID_PARAMETER in the case
	where a parameter is invalid. */
	tsi_result tsi_ssl_server_handshaker_factory_create_handshaker(
	tsi_ssl_server_handshaker_factory self, tsi_handshaker *handshaker);

	/* Destroys the handshaker factory. WARNING: it is unsafe to destroy a factory
	while handshakers created with this factory are still in use. */
	void tsi_ssl_server_handshaker_factory_destroy(
	tsi_ssl_server_handshaker_factory *self);

	/* Util that checks that an ssl peer matches a specific name.
	Still TODO(jboeuf):
	- handle mixed case.
	- handle %encoded chars.
	- handle public suffix wildchar more strictly (e.g. .co.uk) /
	int tsi_ssl_peer_matches_name(const tsi_peer peer, const char name);

	#ifdef __cplusplus
	}
	#endif

	#endif /* GRPC_CORE_TSI_SSL_TRANSPORT_SECURITY_H */