Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 1 | /* |
| 2 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 3 | * Copyright 2016 gRPC authors. |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 4 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 8 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 10 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 16 | * |
| 17 | */ |
| 18 | |
| 19 | #ifndef GRPC_GRPC_SECURITY_CONSTANTS_H |
| 20 | #define GRPC_GRPC_SECURITY_CONSTANTS_H |
| 21 | |
| 22 | #ifdef __cplusplus |
| 23 | extern "C" { |
| 24 | #endif |
| 25 | |
| 26 | #define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" |
| 27 | #define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" |
| 28 | |
| 29 | #define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" |
| 30 | #define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" |
| 31 | #define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" |
| 32 | |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 33 | /** Environment variable that points to the default SSL roots file. This file |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 34 | must be a PEM encoded file with all the roots such as the one that can be |
| 35 | downloaded from https://pki.google.com/roots.pem. */ |
| 36 | #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ |
| 37 | "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" |
| 38 | |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 39 | /** Environment variable that points to the google default application |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 40 | credentials json key or refresh token. Used in the |
| 41 | grpc_google_default_credentials_create function. */ |
| 42 | #define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" |
| 43 | |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 44 | /** Results for the SSL roots override callback. */ |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 45 | typedef enum { |
| 46 | GRPC_SSL_ROOTS_OVERRIDE_OK, |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 47 | GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /** Do not try fallback options. */ |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 48 | GRPC_SSL_ROOTS_OVERRIDE_FAIL |
| 49 | } grpc_ssl_roots_override_result; |
| 50 | |
Justin Burke | c1d354d | 2017-09-19 15:06:01 -0700 | [diff] [blame] | 51 | /** Callback results for dynamically loading a SSL certificate config. */ |
| 52 | typedef enum { |
| 53 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED, |
| 54 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW, |
| 55 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL |
| 56 | } grpc_ssl_certificate_config_reload_status; |
| 57 | |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 58 | typedef enum { |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 59 | /** Server does not request client certificate. A client can present a self |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 60 | signed or signed certificates if it wishes to do so and they would be |
| 61 | accepted. */ |
| 62 | GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 63 | /** Server requests client certificate but does not enforce that the client |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 64 | presents a certificate. |
| 65 | |
| 66 | If the client presents a certificate, the client authentication is left to |
| 67 | the application based on the metadata like certificate etc. |
| 68 | |
| 69 | The key cert pair should still be valid for the SSL connection to be |
| 70 | established. */ |
| 71 | GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 72 | /** Server requests client certificate but does not enforce that the client |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 73 | presents a certificate. |
| 74 | |
| 75 | If the client presents a certificate, the client authentication is done by |
| 76 | grpc framework (The client needs to either present a signed cert or skip no |
| 77 | certificate for a successful connection). |
| 78 | |
| 79 | The key cert pair should still be valid for the SSL connection to be |
| 80 | established. */ |
| 81 | GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 82 | /** Server requests client certificate but enforces that the client presents a |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 83 | certificate. |
| 84 | |
| 85 | If the client presents a certificate, the client authentication is left to |
| 86 | the application based on the metadata like certificate etc. |
| 87 | |
| 88 | The key cert pair should still be valid for the SSL connection to be |
| 89 | established. */ |
| 90 | GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, |
Alexander Polcyn | d809a15 | 2017-05-03 14:49:41 -0700 | [diff] [blame] | 91 | /** Server requests client certificate but enforces that the client presents a |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 92 | certificate. |
| 93 | |
| 94 | The cerificate presented by the client is verified by grpc framework (The |
| 95 | client needs to present signed certs for a successful connection). |
| 96 | |
| 97 | The key cert pair should still be valid for the SSL connection to be |
| 98 | established. */ |
| 99 | GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY |
| 100 | } grpc_ssl_client_certificate_request_type; |
| 101 | |
| 102 | #ifdef __cplusplus |
| 103 | } |
| 104 | #endif |
| 105 | |
| 106 | #endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */ |