diff options
Diffstat (limited to 'grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h')
| -rw-r--r-- | grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h b/grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h index 6abdcaa7..da2b595b 100644 --- a/grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h +++ b/grpc/spm-cpp-include/grpcpp/security/tls_credentials_options.h @@ -155,13 +155,21 @@ class TlsCredentialsOptions { // // @param certificate_provider the provider which fetches TLS credentials that // will be used in the TLS handshake - explicit TlsCredentialsOptions( - std::shared_ptr<CertificateProviderInterface> certificate_provider); + TlsCredentialsOptions(); // ---- Setters for member fields ---- + // Sets the certificate provider used to store root certs and identity certs. + void set_certificate_provider( + std::shared_ptr<CertificateProviderInterface> certificate_provider); // Watches the updates of root certificates with name |root_cert_name|. - // If used in TLS credentials, it should always be set unless the root - // certificates are not needed(e.g. in the one-side TLS scenario, the server - // is not required to verify the client). + // If used in TLS credentials, setting this field is optional for both the + // client side and the server side. + // If this is not set on the client side, we will use the root certificates + // stored in the default system location, since client side must provide root + // certificates in TLS(no matter single-side TLS or mutual TLS). + // If this is not set on the server side, we will not watch any root + // certificate updates, and assume no root certificates needed for the server + // (in the one-side TLS scenario, the server is not required to provide root + // certs). We don't support default root certs on server side. void watch_root_certs(); // Sets the name of root certificates being watched, if |watch_root_certs| is // called. If not set, an empty string will be used as the name. @@ -169,9 +177,9 @@ class TlsCredentialsOptions { // @param root_cert_name the name of root certs being set. void set_root_cert_name(const std::string& root_cert_name); // Watches the updates of identity key-cert pairs with name - // |identity_cert_name|. If used in TLS credentials, it should always be set - // unless the identity certificates are not needed(e.g. in the one-side TLS - // scenario, the client is not required to provide certs). + // |identity_cert_name|. If used in TLS credentials, it is required to be set + // on the server side, and optional for the client side(in the one-side + // TLS scenario, the client is not required to provide identity certs). void watch_identity_key_cert_pairs(); // Sets the name of identity key-cert pairs being watched, if // |watch_identity_key_cert_pairs| is called. If not set, an empty string will @@ -192,13 +200,13 @@ class TlsCredentialsOptions { }; // Contains configurable options on the client side. +// Client side doesn't need to always use certificate provider. When the +// certificate provider is not set, we will use the root certificates stored +// in the system default locations, and assume client won't provide any +// identity certificates(single side TLS). // It is used for experimental purposes for now and it is subject to change. class TlsChannelCredentialsOptions final : public TlsCredentialsOptions { public: - explicit TlsChannelCredentialsOptions( - std::shared_ptr<CertificateProviderInterface> certificate_provider) - : TlsCredentialsOptions(std::move(certificate_provider)) {} - // Sets the option to verify the server. // The default is GRPC_TLS_SERVER_VERIFICATION. void set_server_verification_option( @@ -215,9 +223,13 @@ class TlsChannelCredentialsOptions final : public TlsCredentialsOptions { // It is used for experimental purposes for now and it is subject to change. class TlsServerCredentialsOptions final : public TlsCredentialsOptions { public: + // Server side is required to use a provider, because server always needs to + // use identity certs. explicit TlsServerCredentialsOptions( std::shared_ptr<CertificateProviderInterface> certificate_provider) - : TlsCredentialsOptions(std::move(certificate_provider)) {} + : TlsCredentialsOptions() { + set_certificate_provider(certificate_provider); + } // Sets option to request the certificates from the client. // The default is GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE. |