From 36cf935e7d8556e49693e606ff59a093d6af4072 Mon Sep 17 00:00:00 2001
From: murgatroid99
Date: Thu, 5 Dec 2019 17:51:25 -0800
Subject: [PATCH] grpc-js: Add support for TLS-related environment variables

---
 packages/grpc-js/src/channel-credentials.ts | 5 +--
 packages/grpc-js/src/server-credentials.ts | 4 ++-
 packages/grpc-js/src/tls-helpers.ts | 34 +++++++++++++++++++++
 3 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 packages/grpc-js/src/tls-helpers.ts

diff --git a/packages/grpc-js/src/channel-credentials.ts b/packages/grpc-js/src/channel-credentials.ts
index c29885fa..f42c7e93 100644
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
@@ -18,7 +18,7 @@
 import { ConnectionOptions, createSecureContext, PeerCertificate } from 'tls';
 
 import { CallCredentials } from './call-credentials';
-import { Call } from '.';
+import {CIPHER_SUITES, getDefaultRootsData} from './tls-helpers';
 
 // tslint:disable-next-line:no-any
 function verifyIsBufferOrNull(obj: any, friendlyName: string): void {
@@ -141,7 +141,7 @@ export abstract class ChannelCredentials {
 );
 }
 return new SecureChannelCredentialsImpl(
- rootCerts || null,
+ rootCerts || getDefaultRootsData(),
 privateKey || null,
 certChain || null,
 verifyOptions || {}
@@ -190,6 +190,7 @@ class SecureChannelCredentialsImpl extends ChannelCredentials {
 ca: rootCerts || undefined,
 key: privateKey || undefined,
 cert: certChain || undefined,
+ ciphers: CIPHER_SUITES
 });
 this.connectionOptions = { secureContext };
 if (verifyOptions && verifyOptions.checkServerIdentity) {
diff --git a/packages/grpc-js/src/server-credentials.ts b/packages/grpc-js/src/server-credentials.ts
index 1fe5f55d..b56cb68a 100644
--- a/packages/grpc-js/src/server-credentials.ts
+++ b/packages/grpc-js/src/server-credentials.ts
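Review bot: The fallback `rootCerts || getDefaultRootsData()` in the second hunk changes what a caller who passes no rootCerts gets — previously null, which the constructor turns into `ca: undefined` and createSecureContext resolves to Node's bundled CA store; now the contents of the file named by GRPC_DEFAULT_SSL_ROOTS_FILE_PATH whenever that variable is set — and nothing in createSsl's doc comment says so. A line above the return such as `// Fall back to GRPC_DEFAULT_SSL_ROOTS_FILE_PATH; null keeps Node's bundled roots` plus a matching sentence in createSsl's TSDoc would make the new trust-anchor source visible to readers of the public API. Note also that getDefaultRootsData() reads the file synchronously on first use, so an unreadable path now surfaces as an exception thrown from createSsl rather than as a failure at connect time; that is a reasonable fail-closed choice but deserves a `@throws` entry. createSsl begins above the hunk.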
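Review bot: `ciphers: CIPHER_SUITES` in the third hunk is passed unconditionally; when GRPC_SSL_CIPHER_SUITES is unset the value is `undefined` and createSecureContext keeps Node's default list, but when it is set to a string OpenSSL cannot parse, createSecureContext throws, so a bad environment value now aborts credential construction instead of being ignored. A short comment would spare the next reader the lookup: `// undefined keeps Node's default cipher list; an unparsable GRPC_SSL_CIPHER_SUITES makes createSecureContext throw`. The same applies to the `ciphers` line added to SecureServerCredentials in server-credentials.ts. The constructor continues outside the hunk.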
@@ -16,6 +16,7 @@
 */
 
 import { SecureServerOptions } from 'http2';
+import {CIPHER_SUITES, getDefaultRootsData} from './tls-helpers';
 
 export interface KeyCertPair {
 private_key: Buffer;
@@ -70,10 +71,11 @@ export abstract class ServerCredentials {
 }
 
 return new SecureServerCredentials({
- ca: rootCerts || undefined,
+ ca: rootCerts || getDefaultRootsData() || undefined,
 cert,
 key,
 requestCert: checkClientCertificate,
+ ciphers: CIPHER_SUITES
 });
 }
 }
diff --git a/packages/grpc-js/src/tls-helpers.ts b/packages/grpc-js/src/tls-helpers.ts
new file mode 100644
index 00000000..161666ed
--- /dev/null
+++ b/packages/grpc-js/src/tls-helpers.ts
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+import * as fs from 'fs';
+
+export const CIPHER_SUITES: string | undefined = process.env.GRPC_SSL_CIPHER_SUITES;
+
+const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;
+
+let defaultRootsData: Buffer | null = null;
+
+export function getDefaultRootsData(): Buffer | null {
+ if (DEFAULT_ROOTS_FILE_PATH) {
+ if (defaultRootsData === null) {
+ defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);
+ }
+ return defaultRootsData;
+ }
+ return null;
+}
\ No newline at end of file
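Review bot: On the server side `ca` governs which issuers are accepted for client certificates, so `ca: rootCerts || getDefaultRootsData() || undefined` in the second server-credentials hunk lets GRPC_DEFAULT_SSL_ROOTS_FILE_PATH decide client-certificate trust whenever checkClientCertificate is true — a larger consequence than the variable's name suggests, and one the code should state: `// ca is only consulted when requestCert is true; GRPC_DEFAULT_SSL_ROOTS_FILE_PATH then defines the accepted client-cert issuers`. The `|| undefined` tail appears to be needed because getDefaultRootsData() returns null and the `ca` option type does not admit null, which is worth a word too since the channel side spells the same fallback differently. createSsl starts above the hunk.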
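Review bot: Both exported symbols in the new tls-helpers.ts are undocumented, and the behaviour a caller needs to know is not obvious from the code: CIPHER_SUITES and DEFAULT_ROOTS_FILE_PATH are captured from process.env once at module load, so later changes to the environment have no effect; the roots file is read synchronously on the first getDefaultRootsData() call and cached for the lifetime of the process; an empty GRPC_DEFAULT_SSL_ROOTS_FILE_PATH counts as unset because of the truthiness test; and an unreadable path propagates the fs.readFileSync error to whichever credential constructor called it. A TSDoc block on getDefaultRootsData stating those four points, plus `/** Value of GRPC_SSL_CIPHER_SUITES at module load; undefined when unset. */` on CIPHER_SUITES, would cover it. Separately, the file ends without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs of the last line clean.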