1 | /* |
2 | * |
3 | * Copyright 2016 gRPC authors. |
4 | * |
5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
6 | * you may not use this file except in compliance with the License. |
7 | * You may obtain a copy of the License at |
8 | * |
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
10 | * |
11 | * Unless required by applicable law or agreed to in writing, software |
12 | * distributed under the License is distributed on an "AS IS" BASIS, |
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 | * See the License for the specific language governing permissions and |
15 | * limitations under the License. |
16 | * |
17 | */ |
18 | |
19 | #ifndef GRPC_GRPC_SECURITY_CONSTANTS_H |
20 | #define GRPC_GRPC_SECURITY_CONSTANTS_H |
21 | |
22 | #ifdef __cplusplus |
23 | extern "C" { |
24 | #endif |
25 | |
26 | #define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" |
27 | #define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" |
28 | |
29 | #define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" |
30 | #define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" |
31 | #define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" |
32 | #define GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME "x509_pem_cert_chain" |
33 | #define GRPC_SSL_SESSION_REUSED_PROPERTY "ssl_session_reused" |
34 | #define GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME "security_level" |
35 | |
36 | /** Environment variable that points to the default SSL roots file. This file |
37 | must be a PEM encoded file with all the roots such as the one that can be |
38 | downloaded from https://pki.google.com/roots.pem. */ |
39 | #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ |
40 | "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" |
41 | |
42 | /** Environment variable that points to the google default application |
43 | credentials json key or refresh token. Used in the |
44 | grpc_google_default_credentials_create function. */ |
45 | #define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" |
46 | |
47 | /** Results for the SSL roots override callback. */ |
48 | typedef enum { |
49 | GRPC_SSL_ROOTS_OVERRIDE_OK, |
50 | GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /** Do not try fallback options. */ |
51 | GRPC_SSL_ROOTS_OVERRIDE_FAIL |
52 | } grpc_ssl_roots_override_result; |
53 | |
54 | /** Callback results for dynamically loading a SSL certificate config. */ |
55 | typedef enum { |
56 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED, |
57 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW, |
58 | GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL |
59 | } grpc_ssl_certificate_config_reload_status; |
60 | |
61 | typedef enum { |
62 | /** Server does not request client certificate. |
63 | The certificate presented by the client is not checked by the server at |
64 | all. (A client may present a self signed or signed certificate or not |
65 | present a certificate at all and any of those option would be accepted) */ |
66 | GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, |
67 | /** Server requests client certificate but does not enforce that the client |
68 | presents a certificate. |
69 | |
70 | If the client presents a certificate, the client authentication is left to |
71 | the application (the necessary metadata will be available to the |
72 | application via authentication context properties, see grpc_auth_context). |
73 | |
74 | The client's key certificate pair must be valid for the SSL connection to |
75 | be established. */ |
76 | GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, |
77 | /** Server requests client certificate but does not enforce that the client |
78 | presents a certificate. |
79 | |
80 | If the client presents a certificate, the client authentication is done by |
81 | the gRPC framework. (For a successful connection the client needs to either |
82 | present a certificate that can be verified against the root certificate |
83 | configured by the server or not present a certificate at all) |
84 | |
85 | The client's key certificate pair must be valid for the SSL connection to |
86 | be established. */ |
87 | GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, |
88 | /** Server requests client certificate and enforces that the client presents a |
89 | certificate. |
90 | |
91 | If the client presents a certificate, the client authentication is left to |
92 | the application (the necessary metadata will be available to the |
93 | application via authentication context properties, see grpc_auth_context). |
94 | |
95 | The client's key certificate pair must be valid for the SSL connection to |
96 | be established. */ |
97 | GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY, |
98 | /** Server requests client certificate and enforces that the client presents a |
99 | certificate. |
100 | |
101 | The certificate presented by the client is verified by the gRPC framework. |
102 | (For a successful connection the client needs to present a certificate that |
103 | can be verified against the root certificate configured by the server) |
104 | |
105 | The client's key certificate pair must be valid for the SSL connection to |
106 | be established. */ |
107 | GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY |
108 | } grpc_ssl_client_certificate_request_type; |
109 | |
110 | /* Security levels of grpc transport security. It represents an inherent |
111 | * property of a backend connection and is determined by a channel credential |
112 | * used to create the connection. */ |
113 | typedef enum { |
114 | GRPC_SECURITY_MIN, |
115 | GRPC_SECURITY_NONE = GRPC_SECURITY_MIN, |
116 | GRPC_INTEGRITY_ONLY, |
117 | GRPC_PRIVACY_AND_INTEGRITY, |
118 | GRPC_SECURITY_MAX = GRPC_PRIVACY_AND_INTEGRITY, |
119 | } grpc_security_level; |
120 | |
121 | typedef enum { |
122 | /** Default option: performs server certificate verification and hostname |
123 | verification. */ |
124 | GRPC_TLS_SERVER_VERIFICATION, |
125 | /** Performs server certificate verification, but skips hostname verification |
126 | Client is responsible for verifying server's identity via |
127 | server authorization check callback. */ |
128 | GRPC_TLS_SKIP_HOSTNAME_VERIFICATION, |
129 | /** Skips both server certificate and hostname verification. |
130 | Client is responsible for verifying server's identity and |
131 | server's certificate via server authorization check callback. */ |
132 | GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION |
133 | } grpc_tls_server_verification_option; |
134 | |
135 | /** |
136 | * Type of local connections for which local channel/server credentials will be |
137 | * applied. It supports UDS and local TCP connections. |
138 | */ |
139 | typedef enum { UDS = 0, LOCAL_TCP } grpc_local_connect_type; |
140 | |
141 | #ifdef __cplusplus |
142 | } |
143 | #endif |
144 | |
145 | #endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */ |
146 | |