在grpc服务器端调用时检索SSL证书

Question

I have a gRPC client/server combination which uses the SSLCredentials method for encrypting the communication. I'm trying to retrieve the client's SSL certificate on the server' side (which is written in C++) so I can distinguish between different clients calling the server.

So far I've only been able to find an example for Go which seems to do roughly that, but on the C++ side I was only able to find the AuthMetadataProcessor overloading which only provides the information below, which isn't what I need.

:authority  =  localhost:50051
:path  =  /API.GameDatabase/saveData
grpc-accept-encoding  =  identity,deflate,gzip
grpc-encoding  =  identity
user-agent  =  grpc-csharp/1.0.1 grpc-c/1.0.1 (linux; chttp2)
Dispatch value:  "/API.GameDatabase/saveData"

Would this be possible or would I have to send this kind of metadata myself?

Answer 1

You can retrieve the client's SSL cert using the AuthContext either in your response handler from the ServerContext or from the AuthMetadataProcessor if you decide to use such an interceptor in order to factor out the authentication/authorization logic from the business logic of your handler. http://www.grpc.io/grpc/cpp/classgrpc_1_1_auth_context.html

The peer identity property for X509 is set to the SANs if present or CN otherwise. However you have access to the full cert by using the http://www.grpc.io/grpc/core/grpc__security__constants_8h.html#ad46c3fd565d6a24eeb25d1fdc342cb28 property which is populated in the AuthContext.

Answer 2

With the help of Julien's answer I was able to get it to work, I'm accepting his answer but giving a code example below:

grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp =
{"<key>", "<cert>"};

// The client must be force to present a cert every time a call is made,
// else it will only happen once when the first connection is made.
// The other options can be found here:
// http://www.grpc.io/grpc/core/grpc__security__constants_8h.html#a29ffe63a8bb3b4945ecab42d82758f09
grpc::SslServerCredentialsOptions 
ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);

ssl_opts.pem_root_certs = "<CA cert>";
ssl_opts.pem_key_cert_pairs.push_back(pkcp);

std::shared_ptr<grpc::ServerCredentials> sslCredentials = 
grpc::SslServerCredentials(ssl_opts);

builder.AddListeningPort("<server address>", sslCredentials);

There are two options to retrieve the ssl certificate:

1. Subclass AuthMetaDataProcessor ( refer to this post for more info ), this way you will be able to get the ssl cert in a central place every time a call is made:

    std::shared_ptr<AuthMetaDataProcessor> auth_processor = std::make_shared<AuthMetaDataProcessor>(); // Add the meta data processor to the ssl credentials before building the server sslCredentials->SetAuthMetadataProcessor(auth_processor); 

   and then in the overriden Process function:

    grpc::Status Process(const InputMetadata& auth_metadata, grpc::AuthContext* context, OutputMetadata* consumed_auth_metadata, OutputMetadata* response_metadata) override { std::string cert = context->FindPropertyValues("x509_pem_cert").front().data(); return grpc::Status::OK; } 

2. Get it from the ServerContext which is provided for every call

    std::string cert = context->auth_context()->FindPropertyValues("x509_pem_cert").front().data(); 

I hope this helps.