On Thursday, September 14, 2023 at 8:17 PM, 'Amirsaman Memaripour' via grpc.io <grpc-io@googlegroups.com> wrote:

> Hi Luwei,
>
> Thanks for your response. We'd need to expand that API since the rotation
> of certificates must be controlled/guarded by a change of state in the
> system, and we may need to process the contents of the certificate files
> before loading them into memory for gRPC's consumption. My initial plan was
> to utilize the callback fetcher API to implement something similar to the
> following, where I can invoke custom logic in `certificateConfigCallback`
> and update the cached certificates when needed (e.g. after receiving a
> command from the user that the certificates must be rotated). Just
> verifying that the new API you noted in your email will support such a
> use-case. Thank you!
>
> struct Options {
>   std::string tlsPEMKeyFile;
>   std::string tlsCAFile;
> };
>
> auto certificateConfigCallback(void* options,
>                                grpc_ssl_server_certificate_config** config) {
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
>   // the certificates fails.
>   // Otherwise, load the new certificates ...
>   Options* optionsPtr = static_cast<Options*>(options);
>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>   auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>   // The config create call copies the strings, so pointing at locals is fine here.
>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>                                                keyCertPair.cert_chain.c_str()};
>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>                                                       &pemKeyCertPair, 1);
>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
> }
>
> auto makeServerCredentialsWithFetcher() {
>   // The fetcher keeps the user-data pointer for the lifetime of the
>   // credentials, so the options object must outlive this function.
>   static Options options;
>   grpc_ssl_server_credentials_options* opts =
>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>           ::grpc_ssl_client_certificate_request_type
>               ::GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
>           certificateConfigCallback, &options);
>   grpc_server_credentials* creds =
>       grpc_ssl_server_credentials_create_with_options(opts);
>   return std::shared_ptr<::grpc::ServerCredentials>(
>       new ::grpc::SecureServerCredentials(creds));
> }
>
> void startServer() {
>   ::grpc::ServerBuilder builder;
>
>   auto credentials = makeServerCredentialsWithFetcher();
>   builder.AddListeningPort("127.0.0.1:20000", credentials);
>   // TODO register service via `builder.RegisterService()`
>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>   builder.SetDefaultCompressionAlgorithm(
>       ::grpc_compression_algorithm::GRPC_COMPRESS_NONE);
>   ::grpc::ResourceQuota quota;
>   quota.SetMaxThreads(MaxWorkerThreads);
>   builder.SetResourceQuota(quota);
>
>   server = builder.BuildAndStart();
> }
>
> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>
>> Hi,
>>
>> Does the FileWatcherCertificateProvider work at
>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>> for your use case? It's an experimental API but we plan to stabilize it
>> soon.
>>
>> Best,
>> Luwei
>>
>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Following up on this question, is there a plan for supporting the
>> certificate fetcher API in the public facing headers?
>>
>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Hi,
>>
>> We are working on using the C++ implementation of gRPC and wanted to see
>> what's the best way to implement certificate rotation. I was able to rotate
>> certificates using the certificate fetcher callback API, but noticed that
>> it's only available through the private headers of the core library. Are
>> there plans to make this API public? Just checking to make sure the feature
>> is not going to be deprecated and entirely removed from the repository.
>> Thank you!
>>
> --
> You received this message because you are subscribed to the Google Groups
> "grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com

--
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CAGQQ400YrN5P6o4g-g9G74ScZFz3i6Psz-nZ2NkWoJ%3DtTcJDsQ%40mail.gmail.com.
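The reload discipline the thread describes (rotation gated by an explicit state change, certificate contents checked before they reach the TLS stack, the three-way unchanged/new/fail outcome of the fetcher callback) is illustrated below as an added example. It is not code from the thread and uses none of gRPC's API: `ReloadStatus`, `CertConfig` and `CertificateReloader` are this example's own names that mirror the fetcher contract, it depends only on the C++ standard library, and the PEM strings are constructed armour-only placeholders rather than real key material. The structural PEM check stands in for whatever parsing or verification a deployment would run on the files before loading them.

```cpp
// Added example (not from the thread, not gRPC's API): a state-guarded
// certificate reload routine with the same three-way contract as the gRPC
// fetcher callback (unchanged / new / fail). Standard library only.
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Mirrors the three fetcher outcomes; the names are this example's own.
enum class ReloadStatus { Unchanged, New, Fail };

struct CertConfig {
  std::string ca_pem;     // trusted roots
  std::string key_pem;    // server private key
  std::string chain_pem;  // server certificate chain
  bool operator==(const CertConfig& o) const {
    return ca_pem == o.ca_pem && key_pem == o.key_pem && chain_pem == o.chain_pem;
  }
};

// Structural pre-check run before anything is handed to the TLS stack:
// the text must carry a matching BEGIN/END armour for the expected label.
static bool hasPemBlock(std::string_view pem, std::string_view label) {
  const std::string begin = "-----BEGIN " + std::string(label) + "-----";
  const std::string end = "-----END " + std::string(label) + "-----";
  const auto b = pem.find(begin);
  if (b == std::string_view::npos) return false;
  return pem.find(end, b + begin.size()) != std::string_view::npos;
}

static bool validateConfig(const CertConfig& c) {
  const bool key_ok = hasPemBlock(c.key_pem, "PRIVATE KEY") ||
                      hasPemBlock(c.key_pem, "RSA PRIVATE KEY") ||
                      hasPemBlock(c.key_pem, "EC PRIVATE KEY");
  return key_ok && hasPemBlock(c.ca_pem, "CERTIFICATE") &&
         hasPemBlock(c.chain_pem, "CERTIFICATE");
}

class CertificateReloader {
 public:
  // Operator-driven state change ("rotate now"); arms the next fetch.
  void requestRotation() { rotation_requested_ = true; }

  // Fetcher-style entry point. `candidate` is whatever the file loader read.
  ReloadStatus fetch(const CertConfig& candidate) {
    // Files changing on disk is not enough: without an explicit rotation
    // request the running config stays as it is (initial load excepted).
    if (current_.has_value() && !rotation_requested_) return ReloadStatus::Unchanged;
    rotation_requested_ = false;  // each request is consumed exactly once
    // Fail closed: a malformed candidate is reported and the last good
    // config stays active, so a botched rotation does not take the server down.
    if (!validateConfig(candidate)) return ReloadStatus::Fail;
    if (current_.has_value() && *current_ == candidate) return ReloadStatus::Unchanged;
    current_ = candidate;
    ++generation_;
    return ReloadStatus::New;
  }

  const CertConfig& current() const { return *current_; }
  bool hasConfig() const { return current_.has_value(); }
  int generation() const { return generation_; }

 private:
  std::optional<CertConfig> current_;
  bool rotation_requested_ = false;
  int generation_ = 0;
};

// Constructed placeholder PEM text (armour only, not real key material).
const std::string kCaPem =
    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED_CA\n-----END CERTIFICATE-----\n";
const std::string kKeyPem =
    "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED_KEY\n-----END PRIVATE KEY-----\n";
const std::string kChainPem =
    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED_LEAF_V1\n-----END CERTIFICATE-----\n";
const std::string kChainPemRotated =
    "-----BEGIN CERTIFICATE-----\nCONSTRUCTED_LEAF_V2\n-----END CERTIFICATE-----\n";

int main() {
  CertificateReloader reloader;
  CertConfig initial{kCaPem, kKeyPem, kChainPem};
  std::cout << "initial load: " << static_cast<int>(reloader.fetch(initial)) << "\n";
  CertConfig rotated{kCaPem, kKeyPem, kChainPemRotated};
  std::cout << "changed on disk, not armed: "
            << static_cast<int>(reloader.fetch(rotated)) << "\n";
  reloader.requestRotation();
  std::cout << "armed: " << static_cast<int>(reloader.fetch(rotated)) << "\n";
  return 0;
}
```

A real fetcher would call `fetch` from inside the gRPC callback with the freshly read files and translate `New`/`Unchanged`/`Fail` to the corresponding `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_*` value; the generation counter gives a cheap audit hook for logging when the served certificates actually changed.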