Re: [grpc-io] Re: Using the certificate fetcher API

2023-09-20 Thread 'Luwei Ge' via grpc.io
As of now, the CertificateProvider APIs I mentioned only come with two 
built-in types, StaticData and FileWatcher. So unfortunately, the custom 
logic you'd like isn't supported. That said, we are considering whether we 
will support user-defined CertificateProvider implementations. This is yet 
to be finalized so I cannot guarantee anything right now.

Back to the APIs you referred to, they are defined in 
include/grpc/grpc_security.h so technically it's not in private headers. I 
don't think we will ever remove things defined there, but it's generally 
not recommended for C++ library users to consume APIs in that C-Core layer.


Re: [grpc-io] Re: Using the certificate fetcher API

2023-09-14 Thread Mohamed Hasan
On Thursday, 14 September 2023 at 8:17 PM 'Amirsaman Memaripour' via grpc.io <grpc-io@googlegroups.com> wrote:


-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/CAGQQ400YrN5P6o4g-g9G74ScZFz3i6Psz-nZ2NkWoJ%3DtTcJDsQ%40mail.gmail.com.


[grpc-io] Re: Using the certificate fetcher API

2023-09-14 Thread 'Amirsaman Memaripour' via grpc.io
Hi Luwei,

Thanks for your response. We'd need to expand that API since the rotation 
of certificates must be controlled/guarded by a change of state in the 
system, and we may need to process the contents of the certificate files 
before loading them into memory for gRPC's consumption. My initial plan was 
to utilize the callback fetcher API to implement something similar to the 
following, where I can invoke custom logic in `certificateConfigCallback` 
and update the cached certificates when needed (e.g. after receiving a 
command from the user that the certificates must be rotated). Just 
verifying that the new API you noted in your email will support such a 
use-case. Thank you!

#include <memory>
#include <string>

#include <grpc/grpc_security.h>
#include <grpcpp/grpcpp.h>
#include <grpcpp/resource_quota.h>
// Private header under src/cpp; this is the dependency the thread is about.
#include "src/cpp/server/secure_server_credentials.h"

// Placeholder limits; the real values were not given in this message.
constexpr int MaxMessageSizeBytes = 4 * 1024 * 1024;
constexpr int MaxWorkerThreads = 16;
std::unique_ptr<::grpc::Server> server;

struct Options {
  std::string tlsPEMKeyFile;
  std::string tlsCAFile;
};

// Signature must match grpc_ssl_server_certificate_config_callback.
// util::readPEMFile / util::parsePEMKeyFile are application helpers (not shown).
grpc_ssl_certificate_config_reload_status certificateConfigCallback(
    void* options, grpc_ssl_server_certificate_config** config) {
  // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
  // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
  // the certificates fails.
  // Otherwise, load the new certificates ...
  Options* optionsPtr = static_cast<Options*>(options);
  std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
  auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
  grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
                                               keyCertPair.cert_chain.c_str()};
  // The config copies the PEM strings, so these locals may go out of scope.
  *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
                                                      &pemKeyCertPair, 1);
  return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
}

std::shared_ptr<::grpc::ServerCredentials> makeServerCredentialsWithFetcher() {
  // gRPC stores the user_data pointer and invokes the callback after this
  // function has returned, so the Options object must outlive the
  // credentials; a plain local would dangle.
  static Options options;  // file paths to be filled in by the application
  grpc_ssl_server_credentials_options* opts =
      grpc_ssl_server_credentials_create_options_using_config_fetcher(
          GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, certificateConfigCallback,
          &options);
  grpc_server_credentials* creds =
      grpc_ssl_server_credentials_create_with_options(opts);  // consumes opts
  return std::shared_ptr<::grpc::ServerCredentials>(
      new ::grpc::SecureServerCredentials(creds));
}

void startServer() {
  ::grpc::ServerBuilder builder;

  auto credentials = makeServerCredentialsWithFetcher();
  builder.AddListeningPort("127.0.0.1:2", credentials);
  // TODO register service via `builder.RegisterService()`
  builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
  builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
  builder.SetDefaultCompressionAlgorithm(GRPC_COMPRESS_NONE);
  ::grpc::ResourceQuota quota;
  quota.SetMaxThreads(MaxWorkerThreads);
  builder.SetResourceQuota(quota);

  server = builder.BuildAndStart();
}


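An added example (not code from the thread or from the gRPC project) of the guarded reload decision that the `certificateConfigCallback` above would wrap: return UNCHANGED unless the system's rotation state moved, validate the new material before handing it over, and FAIL otherwise. It is written without gRPC headers so it compiles stand-alone; `ReloadStatus` mirrors `grpc_ssl_certificate_config_reload_status`, and `RotationGuard`, `looksLikePem`, `decideReload` and the sample PEM strings are assumed names.

```cpp
// Guarded reload decision for a certificate-config fetcher callback.
#include <atomic>
#include <cstdio>
#include <string>

// Mirrors grpc_ssl_certificate_config_reload_status from grpc_security.h.
enum ReloadStatus { RELOAD_UNCHANGED = 0, RELOAD_NEW = 1, RELOAD_FAIL = 2 };

struct RotationGuard {
  std::atomic<unsigned> requested{0};  // bumped by the operator's "rotate" command
  unsigned applied = 0;                // generation last handed to gRPC
};

// Sanity check of PEM material before it reaches gRPC: a half-written or
// corrupt file must never replace working certificates. Real code would parse
// and verify the chain here. `label` is a marker suffix such as "PRIVATE KEY",
// so both PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 headers match.
bool looksLikePem(const std::string& pem, const std::string& label) {
  const auto npos = std::string::npos;
  auto b = pem.find("-----BEGIN ");
  auto e = pem.find("-----END ");
  return b != npos && e != npos && b < e && pem.find(label + "-----", b) < e;
}

// Runs on every fetcher invocation (gRPC's thread); the rotate command
// arrives from another thread through `requested`, hence the atomic.
ReloadStatus decideReload(RotationGuard& g, const std::string& key,
                          const std::string& chain, const std::string& roots) {
  unsigned wanted = g.requested.load();
  if (wanted == g.applied) return RELOAD_UNCHANGED;  // no state change
  if (!looksLikePem(key, "PRIVATE KEY") || !looksLikePem(chain, "CERTIFICATE") ||
      !looksLikePem(roots, "CERTIFICATE")) {
    return RELOAD_FAIL;  // gRPC core keeps the previously loaded credentials
  }
  g.applied = wanted;  // only a successful load counts as applied
  return RELOAD_NEW;
}

// Constructed sample material (not real keys): enough for the marker check.
const std::string kSampleKey =
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n";
const std::string kSampleCert =
    "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n";

int main() {
  RotationGuard g;
  std::printf("%d\n", decideReload(g, kSampleKey, kSampleCert, kSampleCert));  // 0
  g.requested.fetch_add(1);  // operator requests a rotation
  std::printf("%d\n", decideReload(g, "truncated", kSampleCert, kSampleCert));  // 2
  std::printf("%d\n", decideReload(g, kSampleKey, kSampleCert, kSampleCert));  // 1
}
```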


[grpc-io] Re: Using the certificate fetcher API

2023-09-13 Thread 'Luwei Ge' via grpc.io
Hi,

Does the FileWatcherCertificateProvider work at 
https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
for your use case? It's an experimental API but we plan to stabilize it 
soon.

Best,
Luwei




[grpc-io] Re: Using the certificate fetcher API

2023-09-12 Thread 'Amirsaman Memaripour' via grpc.io
Following up on this question, is there a plan for supporting the 
certificate fetcher API in the public facing headers?

On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour wrote:

> Hi,
>
> We are working on using the C++ implementation of gRPC and wanted to see 
> what's the best way to implement certificate rotation. I was able to rotate 
> certificates using the certificate fetcher callback API, but noticed that 
> it's only available through the private headers of the core library. Are 
> there plans to make this API public? Just checking to make sure the feature 
> is not going to be deprecated and entirely removed from the repository. 
> Thank you! 
>
