mirror
/
grpc-swift
mirror of https://github.com/grpc/grpc-swift.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236
							/*
 * Copyright 2019, gRPC Authors All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
import NIOSSL

extension ClientConnection.Configuration {
  /// TLS configuration for a `ClientConnection`.
  ///
  /// Note that this configuration is a subset of `NIOSSL.TLSConfiguration` where certain options
  /// are removed from the user's control to ensure the configuration complies with the gRPC
  /// specification.
  @available(*, deprecated, renamed: "GRPCTLSConfiguration")
  public struct TLS {
    public private(set) var configuration: TLSConfiguration

    /// Value to use for TLS SNI extension; this must not be an address.
    public var hostnameOverride: String?

    /// The certificates to offer during negotiation. If not present, no certificates will be offered.
    public var certificateChain: [NIOSSLCertificateSource] {
      get {
        return self.configuration.certificateChain
      }
      set {
        self.configuration.certificateChain = newValue
      }
    }

    /// The private key associated with the leaf certificate.
    public var privateKey: NIOSSLPrivateKeySource? {
      get {
        return self.configuration.privateKey
      }
      set {
        self.configuration.privateKey = newValue
      }
    }

    /// The trust roots to use to validate certificates. This only needs to be provided if you
    /// intend to validate certificates.
    public var trustRoots: NIOSSLTrustRoots? {
      get {
        return self.configuration.trustRoots
      }
      set {
        self.configuration.trustRoots = newValue
      }
    }

    /// Whether to verify remote certificates.
    public var certificateVerification: CertificateVerification {
      get {
        return self.configuration.certificateVerification
      }
      set {
        self.configuration.certificateVerification = newValue
      }
    }

    /// A custom verification callback that allows completely overriding the certificate verification logic for this connection.
    public var customVerificationCallback: NIOSSLCustomVerificationCallback?

    /// TLS Configuration with suitable defaults for clients.
    ///
    /// This is a wrapper around `NIOSSL.TLSConfiguration` to restrict input to values which comply
    /// with the gRPC protocol.
    ///
    /// - Parameter certificateChain: The certificate to offer during negotiation, defaults to an
    ///     empty array.
    /// - Parameter privateKey: The private key associated with the leaf certificate. This defaults
    ///     to `nil`.
    /// - Parameter trustRoots: The trust roots to validate certificates, this defaults to using a
    ///     root provided by the platform.
    /// - Parameter certificateVerification: Whether to verify the remote certificate. Defaults to
    ///     `.fullVerification`.
    /// - Parameter hostnameOverride: Value to use for TLS SNI extension; this must not be an IP
    ///     address, defaults to `nil`.
    /// - Parameter customVerificationCallback: A callback to provide to override the certificate verification logic,
    ///     defaults to `nil`.
    public init(
      certificateChain: [NIOSSLCertificateSource] = [],
      privateKey: NIOSSLPrivateKeySource? = nil,
      trustRoots: NIOSSLTrustRoots = .default,
      certificateVerification: CertificateVerification = .fullVerification,
      hostnameOverride: String? = nil,
      customVerificationCallback: NIOSSLCustomVerificationCallback? = nil
    ) {
      var configuration = TLSConfiguration.makeClientConfiguration()
      configuration.minimumTLSVersion = .tlsv12
      configuration.certificateVerification = certificateVerification
      configuration.trustRoots = trustRoots
      configuration.certificateChain = certificateChain
      configuration.privateKey = privateKey
      configuration.applicationProtocols = GRPCApplicationProtocolIdentifier.client

      self.configuration = configuration
      self.hostnameOverride = hostnameOverride
      self.customVerificationCallback = customVerificationCallback
    }

    /// Creates a TLS Configuration using the given `NIOSSL.TLSConfiguration`.
    ///
    /// - Note: If no ALPN tokens are set in `configuration.applicationProtocols` then "grpc-exp"
    ///   and "h2" will be used.
    /// - Parameters:
    ///   - configuration: The `NIOSSL.TLSConfiguration` to base this configuration on.
    ///   - hostnameOverride: The hostname override to use for the TLS SNI extension.
    public init(configuration: TLSConfiguration, hostnameOverride: String? = nil) {
      self.configuration = configuration
      self.hostnameOverride = hostnameOverride

      // Set the ALPN tokens if none were set.
      if self.configuration.applicationProtocols.isEmpty {
        self.configuration.applicationProtocols = GRPCApplicationProtocolIdentifier.client
      }
    }
  }
}

extension Server.Configuration {
  /// TLS configuration for a `Server`.
  ///
  /// Note that this configuration is a subset of `NIOSSL.TLSConfiguration` where certain options
  /// are removed from the users control to ensure the configuration complies with the gRPC
  /// specification.
  @available(*, deprecated, renamed: "GRPCTLSConfiguration")
  public struct TLS {
    public private(set) var configuration: TLSConfiguration

    /// Whether ALPN is required. Disabling this option may be useful in cases where ALPN is not
    /// supported.
    public var requireALPN: Bool = true

    /// The certificates to offer during negotiation. If not present, no certificates will be
    /// offered.
    public var certificateChain: [NIOSSLCertificateSource] {
      get {
        return self.configuration.certificateChain
      }
      set {
        self.configuration.certificateChain = newValue
      }
    }

    /// The private key associated with the leaf certificate.
    public var privateKey: NIOSSLPrivateKeySource? {
      get {
        return self.configuration.privateKey
      }
      set {
        self.configuration.privateKey = newValue
      }
    }

    /// The trust roots to use to validate certificates. This only needs to be provided if you
    /// intend to validate certificates.
    public var trustRoots: NIOSSLTrustRoots? {
      get {
        return self.configuration.trustRoots
      }
      set {
        self.configuration.trustRoots = newValue
      }
    }

    /// Whether to verify remote certificates.
    public var certificateVerification: CertificateVerification {
      get {
        return self.configuration.certificateVerification
      }
      set {
        self.configuration.certificateVerification = newValue
      }
    }

    /// TLS Configuration with suitable defaults for servers.
    ///
    /// This is a wrapper around `NIOSSL.TLSConfiguration` to restrict input to values which comply
    /// with the gRPC protocol.
    ///
    /// - Parameter certificateChain: The certificate to offer during negotiation.
    /// - Parameter privateKey: The private key associated with the leaf certificate.
    /// - Parameter trustRoots: The trust roots to validate certificates, this defaults to using a
    ///     root provided by the platform.
    /// - Parameter certificateVerification: Whether to verify the remote certificate. Defaults to
    ///     `.none`.
    /// - Parameter requireALPN: Whether ALPN is required or not.
    public init(
      certificateChain: [NIOSSLCertificateSource],
      privateKey: NIOSSLPrivateKeySource,
      trustRoots: NIOSSLTrustRoots = .default,
      certificateVerification: CertificateVerification = .none,
      requireALPN: Bool = true
    ) {
      var configuration = TLSConfiguration.makeServerConfiguration(
        certificateChain: certificateChain,
        privateKey: privateKey
      )
      configuration.minimumTLSVersion = .tlsv12
      configuration.certificateVerification = certificateVerification
      configuration.trustRoots = trustRoots
      configuration.applicationProtocols = GRPCApplicationProtocolIdentifier.server

      self.configuration = configuration
      self.requireALPN = requireALPN
    }

    /// Creates a TLS Configuration using the given `NIOSSL.TLSConfiguration`.
    /// - Note: If no ALPN tokens are set in `configuration.applicationProtocols` then the tokens
    ///  "grpc-exp", "h2" and "http/1.1" will be used.
    /// - Parameters:
    ///   - configuration: The `NIOSSL.TLSConfiguration` to base this configuration on.
    ///   - requireALPN: Whether ALPN is required.
    public init(configuration: TLSConfiguration, requireALPN: Bool = true) {
      self.configuration = configuration
      self.requireALPN = requireALPN

      // Set the ALPN tokens if none were set.
      if self.configuration.applicationProtocols.isEmpty {
        self.configuration.applicationProtocols = GRPCApplicationProtocolIdentifier.server
      }
    }
  }
}