Using the certificate fetcher API

[Amirsaman Memaripour]

Hi,

We are working on using the C++ implementation of gRPC and wanted to see what's the best way to implement certificate rotation. I was able to rotate certificates using the certificate fetcher callback API, but noticed that it's only available through the private headers of the core library. Are there plans to make this API public? Just checking to make sure the feature is not going to be deprecated and entirely removed form the repository. Thank you! 

[Amirsaman Memaripour]

Following up on this question, is there a plan for supporting the certificate fetcher API in the public facing headers?

[Luwei Ge]

Hi,

Does the FileWatcherCertificateProvider work at https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h for your use case? It's an experimental API but we plan to stabilize it soon.

Best,

Luwei

[Amirsaman Memaripour]

Ho Luwei,

Thanks for your response. We'd need to expand that API since the rotation of certificates must be controlled/guarded by a change of state in the system, and we may need to process the contents of the certificate files before loading them into memory for gRPC's consumption. My initial plan was to utilize the callback fetcher API to implement something similar to the following, where I can invoke custom logic in `certificateConfigCallback` and update the cached certificates when needed (e.g. after receiving a command from the user that the certificates must be rotated). Just verifying that the new API you noted in your email will support such a use-case. Thank you!

struct Options {

std::string tlsPEMKeyFile;

std::string tlsCAFile;

};

auto certificateConfigCallback(void* options, grpc_ssl_server_certificate_config** config) {

// Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.

// Return `GRPC_SSL_ROOTS_OVERRIDE_FAIL` if loading (or verifying) the certificates fails.

// Otherwise, load the new certificates ...

Options* optionsPtr = reinterpret_cast<Options*>(options);

std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);

auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);

grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),

keyCertPair.cert_chain.c_str()};

*config = grpc_ssl_server_certificate_config_create(caCert.c_str(), &pemKeyCertPair, 1);

return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;

}

auto makeServerCredentialsWithFetcher() {

Options options;

grpc_ssl_server_credentials_options* opts =

grpc_ssl_server_credentials_create_options_using_config_fetcher(

::grpc_ssl_client_certificate_request_type::GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,

certificateConfigCallback,

&options);

grpc_server_credentials* creds = grpc_ssl_server_credentials_create_with_options(opts);

return std::shared_ptr<::grpc::ServerCredentials>(new ::grpc::SecureServerCredentials(creds));

}

void startServer() {

::grpc::ServerBuilder builder;

auto credentials = makeServerCredentialsWithFetcher();

builder.AddListeningPort("127.0.0.1:20000", credentials);

// TODO register service via `builder.RegisterService()`

builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);

builder.SetMaxSendMessageSize(MaxMessageSizeBytes);

builder.SetDefaultCompressionAlgorithm(::grpc_compression_algorithm::GRPC_COMPRESS_NONE);

::grpc::ResourceQuota quota;

quota.SetMaxThreads(MaxWorkerThreads);

builder.SetResourceQuota(quota);

server = builder.BuildAndStart();

}

[Mohamed Hasan]

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/daebd65f-da40-4c87-b568-ea9e2a45e59cn%40googlegroups.com.

[Luwei Ge]

As of now, the CertificateProvider APIs I mentioned only come with two built-in types, StaticData and FileWatcher. So unfortunately, the custom logic you'd like isn't supported. That said, we are considering whether we will support user-defined CertificateProvider implementations. This is yet to be finalized so I cannot guarantee anything right now.

Back to the APIs you referred to, they are defined in include/grpc/grpc_security.h so technically it's not in private headers. I don't think we will ever remove things defined there, but it's generally not recommended for C++ library users to consume APIs in that C-Core layer.