As of now, the CertificateProvider APIs I mentioned only come with two built-in types, StaticData and FileWatcher. So unfortunately, the custom logic you'd like isn't supported. That said, we are considering whether we will support user-defined CertificateProvider implementations. This is yet to be finalized so I cannot guarantee anything right now.
Back to the APIs you referred to, they are defined in include/grpc/grpc_security.h, so technically they are not in private headers. I don't think we will ever remove things defined there, but it's generally not recommended for C++ library users to consume APIs in that C-Core layer.

On Thursday, September 14, 2023 at 4:55:50 PM UTC-7 Mohamed Hasan wrote:

> On Thursday, September 14, 2023 at 8:17 PM 'Amirsaman Memaripour' via grpc.io <grp...@googlegroups.com> wrote:
>
>> Hi Luwei,
>>
>> Thanks for your response. We'd need to expand that API since the rotation of certificates must be controlled/guarded by a change of state in the system, and we may need to process the contents of the certificate files before loading them into memory for gRPC's consumption. My initial plan was to utilize the callback fetcher API to implement something similar to the following, where I can invoke custom logic in `certificateConfigCallback` and update the cached certificates when needed (e.g. after receiving a command from the user that the certificates must be rotated). Just verifying that the new API you noted in your email will support such a use-case. Thank you!
>>
>> #include <memory>
>> #include <string>
>>
>> #include <grpc/grpc_security.h>
>> #include <grpcpp/grpcpp.h>
>> // SecureServerCredentials is only declared in a private header of the C++ layer.
>> #include "src/cpp/server/secure_server_credentials.h"
>>
>> // Assumed limits for this sketch (values not given in the original post).
>> constexpr int MaxMessageSizeBytes = 64 * 1024 * 1024;
>> constexpr int MaxWorkerThreads = 16;
>>
>> std::unique_ptr<::grpc::Server> server;
>>
>> struct Options {
>>   std::string tlsPEMKeyFile;
>>   std::string tlsCAFile;
>> };
>>
>> // Invoked by gRPC before each server-side handshake. `util::` helpers are our own.
>> grpc_ssl_certificate_config_reload_status certificateConfigCallback(
>>     void* options, grpc_ssl_server_certificate_config** config) {
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying) the
>>   // certificates fails.
>>   // Otherwise, load the new certificates ...
>>   Options* optionsPtr = static_cast<Options*>(options);
>>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>>   auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>>                                                keyCertPair.cert_chain.c_str()};
>>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>>                                                        &pemKeyCertPair, 1);
>>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
>> }
>>
>> // `options` must outlive the server: gRPC stores the raw pointer and hands it to
>> // every callback invocation.
>> auto makeServerCredentialsWithFetcher(Options* options) {
>>   grpc_ssl_server_credentials_options* opts =
>>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>>           ::grpc_ssl_client_certificate_request_type::GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
>>           certificateConfigCallback, options);
>>   grpc_server_credentials* creds =
>>       grpc_ssl_server_credentials_create_with_options(opts);
>>   return std::shared_ptr<::grpc::ServerCredentials>(
>>       new ::grpc::SecureServerCredentials(creds));
>> }
>>
>> void startServer() {
>>   static Options options;  // process lifetime; fill in the file paths
>>   ::grpc::ServerBuilder builder;
>>
>>   auto credentials = makeServerCredentialsWithFetcher(&options);
>>   builder.AddListeningPort("127.0.0.1:20000", credentials);
>>   // TODO register service via `builder.RegisterService()`
>>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>>   builder.SetDefaultCompressionAlgorithm(
>>       ::grpc_compression_algorithm::GRPC_COMPRESS_NONE);
>>   ::grpc::ResourceQuota quota;
>>   quota.SetMaxThreads(MaxWorkerThreads);
>>   builder.SetResourceQuota(quota);
>>
>>   server = builder.BuildAndStart();
>> }
>>
>> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>>
>>> Hi,
>>>
>>> Does the FileWatcherCertificateProvider work at
>>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>>> for your use case? It's an experimental API but we plan to stabilize it soon.
>>>
>>> Best,
>>> Luwei
>>>
>>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour wrote:
>>>
>>> Following up on this question, is there a plan for supporting the certificate fetcher API in the public facing headers?
>>>
>>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour wrote:
>>>
>>> Hi,
>>>
>>> We are working on using the C++ implementation of gRPC and wanted to see what's the best way to implement certificate rotation. I was able to rotate certificates using the certificate fetcher callback API, but noticed that it's only available through the private headers of the core library. Are there plans to make this API public? Just checking to make sure the feature is not going to be deprecated and entirely removed from the repository. Thank you!
>>
>> --
>> You received this message because you are subscribed to the Google Groups "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com.
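The guarded-rotation behaviour Amirsaman asks for (reload only after an operator command, validate the PEM material before gRPC sees it, and never replace a working config with a broken one) as an added stand-alone C++ example. This is not code from the thread or from gRPC: `ReloadStatus` mirrors the three values of `grpc_ssl_certificate_config_reload_status` one to one, while `RotationGuard`, `Loader`, `runScenario` and the placeholder PEM strings are assumptions of the example. A real adapter with the `grpc_ssl_server_certificate_config_callback` signature would call `RotationGuard::fetch`, map `New` to `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW` and build the config with `grpc_ssl_server_certificate_config_create`, as in the quoted sketch above.

```cpp
// Added example: guarded certificate rotation in the shape of a gRPC
// config-fetcher callback. Stand-alone, no gRPC dependency; ReloadStatus
// mirrors grpc_ssl_certificate_config_reload_status one to one.
#include <atomic>
#include <functional>
#include <mutex>
#include <string>
#include <utility>

enum class ReloadStatus { Unchanged, New, Fail };

struct CertConfig {
  std::string rootCerts;   // trust anchors for client verification (PEM)
  std::string privateKey;  // server key (PEM)
  std::string certChain;   // server leaf + intermediates (PEM)
};

// Structural PEM check: the blob must contain a BEGIN/END pair of the given
// type, in that order. This rejects empty and half-written files; it does not
// prove the key matches the certificate (use OpenSSL for that in production).
static bool hasPemBlock(const std::string& pem, const std::string& type) {
  const std::string head = "-----BEGIN " + type + "-----";
  const std::string tail = "-----END " + type + "-----";
  const auto h = pem.find(head);
  if (h == std::string::npos) return false;
  return pem.find(tail, h + head.size()) != std::string::npos;
}

class RotationGuard {
 public:
  // Source of PEM material. Production code reads files; the example injects
  // strings so it runs offline. Returns false if the material is unavailable.
  using Loader = std::function<bool(CertConfig* out)>;

  explicit RotationGuard(Loader loader) : loader_(std::move(loader)) {}

  // Operator command ("rotate now"). Only arms a flag; the reload happens in
  // fetch(), which gRPC invokes before each server handshake.
  void requestRotation() { rotationRequested_.store(true); }

  // Callback contract (same meaning as the gRPC enum values):
  //   Unchanged -> keep serving the current material, nothing to read
  //   New       -> *out holds validated material to install
  //   Fail      -> material unusable; caller keeps what it has
  ReloadStatus fetch(CertConfig* out) {
    if (!rotationRequested_.load()) return ReloadStatus::Unchanged;  // cheap path
    std::lock_guard<std::mutex> lock(mu_);
    if (!rotationRequested_.load()) return ReloadStatus::Unchanged;  // a concurrent handshake rotated

    CertConfig loaded;
    if (!loader_(&loaded) || !validate(loaded)) {
      // Keep the request armed so the next handshake retries once the
      // operator fixes the files; never hand out a broken config.
      ++failures_;
      return ReloadStatus::Fail;
    }
    current_ = std::move(loaded);
    *out = current_;
    ++generation_;
    rotationRequested_.store(false);
    return ReloadStatus::New;
  }

  int generation() const { return generation_; }  // successful rotations
  int failures() const { return failures_; }      // rejected reload attempts

 private:
  static bool validate(const CertConfig& c) {
    const bool keyOk = hasPemBlock(c.privateKey, "PRIVATE KEY") ||
                       hasPemBlock(c.privateKey, "EC PRIVATE KEY") ||
                       hasPemBlock(c.privateKey, "RSA PRIVATE KEY");
    return keyOk && hasPemBlock(c.certChain, "CERTIFICATE") &&
           hasPemBlock(c.rootCerts, "CERTIFICATE");
  }

  Loader loader_;
  std::mutex mu_;
  std::atomic<bool> rotationRequested_{false};
  CertConfig current_;
  int generation_ = 0;
  int failures_ = 0;
};

// Constructed placeholder PEM blobs (no real key material), structure only.
const std::string kRoots = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
const std::string kChain = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";
const std::string kKey   = "-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n";
// A chain file caught mid-write: header present, footer missing.
const std::string kTruncatedChain = "-----BEGIN CERTIFICATE-----\nBBBB\n";

// Drives one rotation cycle (three simulated handshakes) and returns the
// statuses the callback produced, one letter each: U/N/F.
std::string runScenario(bool serveTruncated) {
  RotationGuard guard([&](CertConfig* c) {
    *c = CertConfig{kRoots, kKey, serveTruncated ? kTruncatedChain : kChain};
    return true;
  });
  auto name = [](ReloadStatus s) {
    return s == ReloadStatus::Unchanged ? "U" : s == ReloadStatus::New ? "N" : "F";
  };
  CertConfig cfg;
  std::string trace;
  trace += name(guard.fetch(&cfg));  // no command yet
  guard.requestRotation();
  trace += name(guard.fetch(&cfg));  // reload attempt
  trace += name(guard.fetch(&cfg));  // next handshake
  return trace;
}
```

With intact files the trace is "UNU": the first handshake finds nothing to do, the second installs the new material and disarms the request, the third is back on the cheap path. With the truncated chain it is "UFF": the request stays armed, so every handshake retries and keeps reporting failure until the operator repairs the file, and the previously installed material is never displaced.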