On Thursday, 14 September 2023 at 8:17 PM 'Amirsaman Memaripour' via grpc.io <
grpc-io@googlegroups.com> wrote:

> Hi Luwei,
>
> Thanks for your response. We'd need to expand that API since the rotation
> of certificates must be controlled/guarded by a change of state in the
> system, and we may need to process the contents of the certificate files
> before loading them into memory for gRPC's consumption. My initial plan was
> to utilize the callback fetcher API to implement something similar to the
> following, where I can invoke custom logic in `certificateConfigCallback`
> and update the cached certificates when needed (e.g. after receiving a
> command from the user that the certificates must be rotated). Just
> verifying that the new API you noted in your email will support such a
> use-case. Thank you!
>
> #include <memory>
> #include <string>
>
> #include <grpc/grpc_security.h>
> #include <grpcpp/resource_quota.h>
> #include <grpcpp/server_builder.h>
> // Private header, not part of the public API (which is the point of this thread).
> #include "src/cpp/server/secure_server_credentials.h"
>
> struct Options {
>   std::string tlsPEMKeyFile;
>   std::string tlsCAFile;
> };
>
> // Signature expected by grpc_ssl_server_credentials_create_options_using_config_fetcher.
> grpc_ssl_certificate_config_reload_status certificateConfigCallback(
>     void* options, grpc_ssl_server_certificate_config** config) {
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
>   // the certificates fails. (The original snippet named the unrelated
>   // `GRPC_SSL_ROOTS_OVERRIDE_FAIL` here, which belongs to the roots-override
>   // callback, not to this reload status enum.)
>   // Otherwise, load the new certificates ...
>   Options* optionsPtr = reinterpret_cast<Options*>(options);
>   // util::readPEMFile / util::parsePEMKeyFile are the poster's own helpers.
>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>   auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>                                                keyCertPair.cert_chain.c_str()};
>   // The config copies the PEM strings, so the locals may go out of scope after this.
>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>                                                        &pemKeyCertPair, 1);
>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
> }
>
> std::shared_ptr<::grpc::ServerCredentials> makeServerCredentialsWithFetcher() {
>   // The fetcher keeps this pointer for the server's lifetime, so the Options
>   // object must outlive this function (a plain local here left a dangling
>   // pointer behind).
>   static Options options;
>   grpc_ssl_server_credentials_options* opts =
>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>           GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, certificateConfigCallback,
>           &options);
>   grpc_server_credentials* creds =
>       grpc_ssl_server_credentials_create_with_options(opts);
>   return std::shared_ptr<::grpc::ServerCredentials>(
>       new ::grpc::SecureServerCredentials(creds));
> }
>
> std::unique_ptr<::grpc::Server> server;  // kept alive for the process lifetime
>
> void startServer() {
>   ::grpc::ServerBuilder builder;
>
>   auto credentials = makeServerCredentialsWithFetcher();
>   builder.AddListeningPort("127.0.0.1:20000", credentials);
>   // TODO register service via `builder.RegisterService()`
>   // MaxMessageSizeBytes and MaxWorkerThreads are defined elsewhere in the
>   // poster's code base.
>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>   builder.SetDefaultCompressionAlgorithm(GRPC_COMPRESS_NONE);
>   ::grpc::ResourceQuota quota;
>   quota.SetMaxThreads(MaxWorkerThreads);
>   builder.SetResourceQuota(quota);
>
>   server = builder.BuildAndStart();
> }
>
> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>
>> Hi,
>>
>> Does the FileWatcherCertificateProvider work at
>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>> for your use case? It's an experimental API but we plan to stabilize it
>> soon.
>>
>> Best,
>> Luwei
>>
>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Following up on this question, is there a plan for supporting the
>> certificate fetcher API in the public facing headers?
>>
>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Hi,
>>
>> We are working on using the C++ implementation of gRPC and wanted to see
>> what's the best way to implement certificate rotation. I was able to rotate
>> certificates using the certificate fetcher callback API, but noticed that
>> it's only available through the private headers of the core library. Are
>> there plans to make this API public? Just checking to make sure the feature
>> is not going to be deprecated and entirely removed from the repository.
>> Thank you!
>>
>> --
> You received this message because you are subscribed to the Google Groups "
> grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com.
>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/CAGQQ400YrN5P6o4g-g9G74ScZFz3i6Psz-nZ2NkWoJ%3DtTcJDsQ%40mail.gmail.com.
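The quoted message asks for rotation that only happens on a controlled state change, with the file contents checked before gRPC consumes them. As an added example (not the poster's code and not part of gRPC), the C++ block below shows the decision logic such a fetcher callback would sit on: an operator-side request counter, a cheap structural PEM check, and the three outcomes the callback must report. The gRPC types are replaced by local stand-ins so it compiles without gRPC installed (ReloadStatus mirrors the three values of grpc_ssl_certificate_config_reload_status; that mapping is an assumption noted in the comments). In a real server the PemMaterial output is what you would hand to grpc_ssl_server_certificate_config_create as in the quoted snippet.

```cpp
// Added example, not code from the thread or from gRPC: a state-gated reload
// decision for a certificate-config fetcher callback. gRPC headers are
// deliberately not included so the block compiles on its own; ReloadStatus is a
// local stand-in for grpc_ssl_certificate_config_reload_status (assumption:
// the same three outcomes, UNCHANGED / NEW / FAIL).
#include <atomic>
#include <cstdint>
#include <initializer_list>
#include <mutex>
#include <string>

enum ReloadStatus { RELOAD_UNCHANGED, RELOAD_NEW, RELOAD_FAIL };

// Validated PEM text, ready to hand to grpc_ssl_server_certificate_config_create.
struct PemMaterial {
  std::string root_certs;
  std::string private_key;
  std::string cert_chain;
};

// Structural check: does `text` contain one complete PEM block with this label?
bool hasPemBlock(const std::string& text, const std::string& label) {
  const std::string begin = "-----BEGIN " + label + "-----";
  const std::string end = "-----END " + label + "-----";
  const std::size_t b = text.find(begin);
  return b != std::string::npos &&
         text.find(end, b + begin.size()) != std::string::npos;
}

bool looksLikePrivateKey(const std::string& pem) {
  for (const char* label : {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}) {
    if (hasPemBlock(pem, label)) return true;
  }
  return false;
}

class RotationGate {
 public:
  // Control-plane side: call once the new files have been written to disk.
  void requestRotation() { pending_.fetch_add(1, std::memory_order_release); }

  // Data-plane side: what the fetcher callback calls on each new connection.
  // Only a pending operator request triggers a reload; malformed material
  // yields RELOAD_FAIL, which keeps the previously loaded config in place and
  // is retried on the next call until the files are fixed.
  ReloadStatus fetch(const std::string& root_pem, const std::string& key_pem,
                     const std::string& chain_pem, PemMaterial* out) {
    const std::uint64_t requested = pending_.load(std::memory_order_acquire);
    std::lock_guard<std::mutex> lock(mu_);
    if (requested == served_) return RELOAD_UNCHANGED;
    if (!hasPemBlock(root_pem, "CERTIFICATE") ||
        !hasPemBlock(chain_pem, "CERTIFICATE") || !looksLikePrivateKey(key_pem)) {
      return RELOAD_FAIL;
    }
    out->root_certs = root_pem;
    out->private_key = key_pem;
    out->cert_chain = chain_pem;
    served_ = requested;  // this request is now satisfied
    return RELOAD_NEW;
  }

 private:
  std::atomic<std::uint64_t> pending_{0};
  std::uint64_t served_ = 0;  // guarded by mu_
  std::mutex mu_;
};

// Constructed sample material (not real keys or certificates); only the PEM
// framing matters for this example.
const char* const kRootPem =
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";
const char* const kChainPem =
    "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n";
const char* const kKeyPem =
    "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n";

// Runs the gate through the interesting states and records each returned
// status as one letter: U(nchanged), N(ew), F(ail).
std::string scenario() {
  RotationGate gate;
  PemMaterial material;
  std::string trace;
  auto step = [&](const char* root, const char* key, const char* chain) {
    switch (gate.fetch(root, key, chain, &material)) {
      case RELOAD_UNCHANGED: trace += 'U'; break;
      case RELOAD_NEW:       trace += 'N'; break;
      case RELOAD_FAIL:      trace += 'F'; break;
    }
  };
  step(kRootPem, kKeyPem, kChainPem);      // no rotation requested yet
  gate.requestRotation();
  step(kRootPem, "not a key", kChainPem);  // request pending, but key file is bad
  step(kRootPem, kKeyPem, kChainPem);      // files fixed: new config is loaded
  step(kRootPem, kKeyPem, kChainPem);      // request consumed: back to unchanged
  return trace;  // "UFNU"
}
```

The point of reporting FAIL instead of throwing or exiting is that gRPC's fetcher keeps the previously loaded credentials when the callback reports a failure, so a half-written or corrupt file during a rotation degrades to "no change" with a retry on the next connection rather than to an outage; the operator's request stays pending until a clean load succeeds.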
