Fully worked-out example of tls-based mutual authentication?


JI Ioannidis

Jul 9, 2016, 3:18:45 PM
to grpc.io
The examples given in the examples directory are all for insecure credentials. Does anyone have a worked-out version of helloworld (preferably for C++ or Python) where the connection happens over http2, but the actual client and server code can see who the principals of the (now mutually-authenticated) connection are so they can make access-control decisions?

Thanks

/ji


Eric Zundel Ayers

Jul 10, 2016, 6:54:13 AM
to JI Ioannidis, grpc.io, Eric Richardson

Hi JI, (I think we worked together on Pants)

I can’t really help that much, I’m not that deep into the gRPC codebase, but I think that Eric Richardson on our team did some work to get this working on Ruby. He had to add in a call to fetch the authenticated cert and get it into the Ruby wrappers:

+/* Called to obtain the x509 cert of an authenticated peer. */
+static VALUE grpc_rb_call_get_peer_cert(VALUE self) {
+  grpc_call *call = NULL;
+  VALUE res = Qnil;
+  grpc_auth_context *ctx = NULL;
+  // char *peer_cert = NULL;
+  TypedData_Get_Struct(self, grpc_call, &grpc_call_data_type, call);
+
+  ctx = grpc_call_auth_context(call);
+
+  grpc_auth_property_iterator it =
+      grpc_auth_context_find_properties_by_name(ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME);
+  const grpc_auth_property *prop = grpc_auth_property_iterator_next(&it);
+  if (prop == NULL) {
+    return Qnil;
+  }
+
+  res = rb_str_new2(prop->value);
+
+  return res;
+}
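
Review bot: the context returned by `grpc_call_auth_context(call)` is never released: both the early `return Qnil;` and the final `return res;` exit without calling `grpc_auth_context_release(ctx)`, so every call to this function leaks a reference; release it on both paths. Separately, `rb_str_new2(prop->value)` depends on NUL termination, while `rb_str_new(prop->value, prop->value_length)` would use the length the property already carries. The doc comment promises an authenticated peer but nothing in the function checks that, so either test `grpc_auth_context_peer_is_authenticated(ctx)` before returning the cert or reword the comment. The commented-out `peer_cert` declaration can be dropped.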


Vijay Pai

Jul 12, 2016, 6:52:30 PM
to grpc.io
Hi there,
There are many code samples in test/cpp that should help here.
All the best,
Vijay
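
The access-control step the original question asks about, as an added example that is not code from any post in this thread or from the gRPC project. It assumes the property map returned by grpc Python's `ServicerContext.auth_context()` on a server that requires client certificates; the policy table, method names and sample contexts are hypothetical and constructed, and `grpc` itself is not imported so the block runs offline.

```python
# Input shape assumed: grpc Python's ServicerContext.auth_context(), a map of
# property name -> iterable of bytes. The server is assumed to be built with
# grpc.ssl_server_credentials(pairs, root_certificates=ca_pem,
#                             require_client_auth=True).

# Hypothetical policy: verified client name -> RPC methods it may call.
ALLOWED = {
    "spiffe://example.test/billing": {"/helloworld.Greeter/SayHello"},
    "ops-client.example.test": {"/helloworld.Greeter/SayHello",
                                "/helloworld.Greeter/SayHelloAgain"},
}

# Constructed sample contexts (not captured from a real connection).
MTLS_PEER = {
    "transport_security_type": [b"ssl"],
    "x509_common_name": [b"ignored-cn"],
    "x509_subject_alternative_name": [b"ops-client.example.test"],
    "x509_pem_cert": [b"-----BEGIN CERTIFICATE-----\n(constructed)\n"],
}
NO_CLIENT_CERT = {"transport_security_type": [b"ssl"]}


def peer_identities(auth_context):
    """Names from the peer's certificate, or [] for an unauthenticated peer."""
    if list(auth_context.get("transport_security_type", ())) != [b"ssl"]:
        return []  # plaintext or unknown transport
    if not auth_context.get("x509_pem_cert"):
        return []  # TLS, but no client certificate was presented
    # Prefer SANs; fall back to the CN only when the cert carries no SAN.
    names = (auth_context.get("x509_subject_alternative_name")
             or auth_context.get("x509_common_name", ()))
    identities = []
    for raw in names:
        try:
            identities.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            continue  # skip names that cannot be compared exactly
    return identities


def is_authorized(auth_context, method, policy=ALLOWED):
    """Default deny: allow only if a verified name is listed for this method."""
    return any(method in policy.get(name, ())
               for name in peer_identities(auth_context))
```

Inside a servicer method, the call would be `is_authorized(context.auth_context(), "<full method name>")`, with `context.abort(grpc.StatusCode.PERMISSION_DENIED, ...)` on a false result.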