As of now, the CertificateProvider APIs I mentioned only come with two 
built-in types, StaticData and FileWatcher. So unfortunately, the custom 
logic you'd like isn't supported. That said, we are considering whether we 
will support user-defined CertificateProvider implementations. This is yet 
to be finalized so I cannot guarantee anything right now.

Back to the APIs you referred to, they are defined in 
include/grpc/grpc_security.h so technically it's not in private headers. I 
don't think we will ever remove things defined there, but it's generally 
not recommended for C++ library users to consume APIs in that C-Core layer.

On Thursday, September 14, 2023 at 4:55:50 PM UTC-7 Mohamed Hasan wrote:

> On Thursday, September 14, 2023 at 8:17 PM 'Amirsaman Memaripour' via grpc.io <
> grp...@googlegroups.com> wrote:
>
>> Hi Luwei,
>>
>> Thanks for your response. We'd need to expand that API since the rotation 
>> of certificates must be controlled/guarded by a change of state in the 
>> system, and we may need to process the contents of the certificate files 
>> before loading them into memory for gRPC's consumption. My initial plan was 
>> to utilize the callback fetcher API to implement something similar to the 
>> following, where I can invoke custom logic in `certificateConfigCallback` 
>> and update the cached certificates when needed (e.g. after receiving a 
>> command from the user that the certificates must be rotated). Just 
>> verifying that the new API you noted in your email will support such a 
>> use-case. Thank you!
>>
>> #include <memory>
>> #include <string>
>>
>> #include <grpc/grpc_security.h>
>> #include <grpcpp/grpcpp.h>
>> #include <grpcpp/resource_quota.h>
>> #include <grpcpp/server_builder.h>
>> // Wrapper from the private C-Core-layer headers; this is the part in question.
>> #include "src/cpp/server/secure_server_credentials.h"
>>
>> // Helpers and settings defined elsewhere in our code base.
>> namespace util {
>> struct KeyCertPair {
>>   std::string private_key;
>>   std::string cert_chain;
>> };
>> std::string readPEMFile(const std::string& path);
>> KeyCertPair parsePEMKeyFile(const std::string& path);
>> }  // namespace util
>> extern const int MaxMessageSizeBytes;
>> extern const int MaxWorkerThreads;
>> std::unique_ptr<::grpc::Server> server;
>>
>> struct Options {
>>   std::string tlsPEMKeyFile;
>>   std::string tlsCAFile;
>> };
>>
>> // gRPC calls this fetcher on each handshake and installs the new config only
>> // when it returns GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW.
>> grpc_ssl_certificate_config_reload_status certificateConfigCallback(
>>     void* options, grpc_ssl_server_certificate_config** config) {
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
>>   // the certificates fails.
>>   // Otherwise, load the new certificates ...
>>   Options* optionsPtr = static_cast<Options*>(options);
>>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>>   util::KeyCertPair keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>>                                                keyCertPair.cert_chain.c_str()};
>>   // The config copies the PEM strings, so the locals may go out of scope.
>>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>>                                                       &pemKeyCertPair, 1);
>>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
>> }
>>
>> std::shared_ptr<::grpc::ServerCredentials> makeServerCredentialsWithFetcher() {
>>   // The fetcher keeps this pointer for the lifetime of the credentials, so
>>   // the options must outlive this function (a plain local would dangle).
>>   static Options options;
>>   grpc_ssl_server_credentials_options* opts =
>>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>>           GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, certificateConfigCallback,
>>           &options);
>>   grpc_server_credentials* creds =
>>       grpc_ssl_server_credentials_create_with_options(opts);
>>   return std::shared_ptr<::grpc::ServerCredentials>(
>>       new ::grpc::SecureServerCredentials(creds));
>> }
>>
>> void startServer() {
>>   ::grpc::ServerBuilder builder;
>>
>>   auto credentials = makeServerCredentialsWithFetcher();
>>   builder.AddListeningPort("127.0.0.1:20000", credentials);
>>   // TODO register service via `builder.RegisterService()`
>>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>>   builder.SetDefaultCompressionAlgorithm(GRPC_COMPRESS_NONE);
>>   ::grpc::ResourceQuota quota;
>>   quota.SetMaxThreads(MaxWorkerThreads);
>>   builder.SetResourceQuota(quota);
>>
>>   server = builder.BuildAndStart();
>> }
>>
>> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>>
>>> Hi,
>>>
>>> Does the FileWatcherCertificateProvider work at 
>>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>>> for your use case? It's an experimental API but we plan to stabilize it 
>>> soon.
>>>
>>> Best,
>>> Luwei
>>>
>>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour 
>>> wrote:
>>>
>>> Following up on this question, is there a plan for supporting the 
>>> certificate fetcher API in the public facing headers?
>>>
>>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour 
>>> wrote:
>>>
>>> Hi,
>>>
>>> We are working on using the C++ implementation of gRPC and wanted to see 
>>> what's the best way to implement certificate rotation. I was able to rotate 
>>> certificates using the certificate fetcher callback API, but noticed that 
>>> it's only available through the private headers of the core library. Are 
>>> there plans to make this API public? Just checking to make sure the feature 
>>> is not going to be deprecated and entirely removed from the repository. 
>>> Thank you! 
>>>
>>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to grpc-io+u...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com
>> <https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/0f69f2a4-d322-40ce-8771-ad0f0eea594en%40googlegroups.com.
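The state-guarded rotation the thread asks for, written out as an added example that is not the thread's code or gRPC's own: the decision a fetcher callback would make on each handshake, with validation before the swap and an explicit rotation gate. `ReloadStatus` is a constructed stand-in for `grpc_ssl_certificate_config_reload_status` (assumed mapping: Unchanged/New/Fail to the RELOAD_UNCHANGED/RELOAD_NEW/RELOAD_FAIL values); `GuardedCertReloader`, `PemMaterial`, `LooksLikePem` and the sample PEM blobs are all constructed here, and there is no gRPC dependency so it builds stand-alone.

```cpp
// Added example (not from the grpc.io thread or the gRPC project): the reload
// decision a certificate fetcher would run per handshake, modelled without gRPC.
#include <functional>
#include <optional>
#include <string>
#include <utility>

// Stand-in for grpc_ssl_certificate_config_reload_status (assumed mapping).
enum class ReloadStatus { Unchanged, New, Fail };

// The material a server needs: trusted roots, its private key, its chain.
struct PemMaterial {
  std::string root_certs, private_key, cert_chain;
  bool operator==(const PemMaterial& o) const {
    return root_certs == o.root_certs && private_key == o.private_key &&
           cert_chain == o.cert_chain;
  }
};

// Structural PEM check only: a BEGIN marker with the label, then its END marker.
// It is not a cryptographic validation of the key or chain.
bool LooksLikePem(const std::string& pem, const std::string& label) {
  const std::string begin = "-----BEGIN " + label + "-----";
  const std::string end = "-----END " + label + "-----";
  const auto b = pem.find(begin);
  if (b == std::string::npos) return false;
  return pem.find(end, b + begin.size()) != std::string::npos;
}

bool LooksLikePrivateKey(const std::string& pem) {
  return LooksLikePem(pem, "PRIVATE KEY") ||
         LooksLikePem(pem, "RSA PRIVATE KEY") ||
         LooksLikePem(pem, "EC PRIVATE KEY");
}

class GuardedCertReloader {
 public:
  // Reads the three PEM blobs from wherever they live (files, a secret store);
  // nullopt signals an I/O or decode failure.
  using Loader = std::function<std::optional<PemMaterial>()>;
  explicit GuardedCertReloader(Loader loader) : loader_(std::move(loader)) {}

  // Called by whatever owns the rotation decision (an admin command, a
  // config-management event). Until then, handshakes keep the loaded material.
  void RequestRotation() { rotation_requested_ = true; }

  // Called from the fetcher on each handshake; `out` is filled only on New.
  ReloadStatus Reload(PemMaterial* out) {
    // State gate: load only the first time or after an explicit request.
    if (current_.has_value() && !rotation_requested_) return ReloadStatus::Unchanged;
    std::optional<PemMaterial> fresh = loader_();
    // Validate before swapping. On failure the request stays pending so the
    // operator can fix the material, and the current config stays in service.
    if (!fresh || !LooksLikePem(fresh->root_certs, "CERTIFICATE") ||
        !LooksLikePem(fresh->cert_chain, "CERTIFICATE") ||
        !LooksLikePrivateKey(fresh->private_key)) {
      return ReloadStatus::Fail;
    }
    rotation_requested_ = false;  // the request has been served
    if (current_.has_value() && *current_ == *fresh) return ReloadStatus::Unchanged;
    current_ = std::move(fresh);
    *out = *current_;
    return ReloadStatus::New;
  }

 private:
  Loader loader_;
  std::optional<PemMaterial> current_;
  bool rotation_requested_ = false;
};

// Constructed sample material: placeholder bodies, not real keys or certificates.
PemMaterial SampleMaterial(const std::string& serial) {
  return PemMaterial{
      "-----BEGIN CERTIFICATE-----\nROOT-" + serial + "\n-----END CERTIFICATE-----\n",
      "-----BEGIN PRIVATE KEY-----\nKEY-" + serial + "\n-----END PRIVATE KEY-----\n",
      "-----BEGIN CERTIFICATE-----\nLEAF-" + serial + "\n-----END CERTIFICATE-----\n"};
}

// Walks a reloader through a rotation life-cycle; returns the decisions made.
std::string RotationScenario() {
  PemMaterial on_disk = SampleMaterial("001");
  bool disk_readable = true;
  GuardedCertReloader reloader([&]() -> std::optional<PemMaterial> {
    if (!disk_readable) return std::nullopt;
    return on_disk;
  });
  auto name = [](ReloadStatus s) {
    switch (s) {
      case ReloadStatus::New: return "New";
      case ReloadStatus::Unchanged: return "Unchanged";
      default: return "Fail";
    }
  };
  std::string trace;
  PemMaterial installed;
  auto step = [&]() { trace += (trace.empty() ? "" : ",") + std::string(name(reloader.Reload(&installed))); };
  step();                           // initial load -> New
  on_disk = SampleMaterial("002");  // files changed, but no rotate command
  step();                           // gate holds -> Unchanged
  reloader.RequestRotation();
  on_disk.private_key = "garbage";  // bad material -> Fail, request pending
  step();
  on_disk = SampleMaterial("002");  // material fixed -> New
  step();
  reloader.RequestRotation();       // command, but nothing changed -> Unchanged
  step();
  disk_readable = false;            // I/O failure on a pending request -> Fail
  reloader.RequestRotation();
  step();
  return trace;
}
```

`RotationScenario()` returns `New,Unchanged,Fail,New,Unchanged,Fail`: a botched rotation degrades to "not rotated yet" while the old material keeps serving, rather than to an unreachable listener. The structural PEM check is the hook where the contents processing the thread mentions would go (parsing the chain, checking the key matches the leaf), which this example does not do.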
