feat(grpc): TLS channel credentials

[arjan-bal]

This change adds a rustls-based implementation of ChannelCredentials.

Notes:

• The following features have been restricted on the recommendation form the gRPC security team: TLS cipher suites for TLS 1.2, session resumption.

[sauravzg]

nit: test only code is usually considered an anti pattern(despite being widely used) , Can we manipulate the default provider in the unit test body instead of chaning the construction path?

[arjan-bal]

This constructor was simply calling Self::new_impl. Since new_impl is a private method, it is not accessible outside this module.

Can we manipulate the default provider in the unit test body...

This would either require a test-only setter or make the tests rely on the internal structure of RustlsClientTlsCredentials, making them brittle.

The common way to mock dependencies is to have them injected into the constructor. In this case, however, the crypto provider is fetched from a process-level singleton, and we don't expect users to fetch and pass it to the constructor themselves. To solve this, I introduced an internal constructor that supports dependency injection. The public constructor is now a thin wrapper that delegates to the internal one. This pattern ensures maximum test coverage without compromising the public API.

[sauravzg]

Maybe we should avoid magic strings at multiple places and use const strings?

[arjan-bal]

Introduced a constant.

[sauravzg]

Quick question: Why do we need a separate tests file instead of keeping it in the module itself? Is this a standard practice?

[arjan-bal]

The tests must be in a separate module so they stay out of the production binary. Usually, we keep the test module in the same file, but the test code was getting so long that it made scrolling through the actual logic difficult. I decided to move the tests to their own file to keep things organized, which is also a common practice.

[sauravzg]

I don't think new is appropriate here.
https://rust-lang.github.io/api-guidelines/predictability.html#constructors-are-static-inherent-methods-c-ctor mentions that IO like constructors should use domain spacific names . Aditionally, file::open retuns a Result, maybe we should consider doing the same.

Additionally, since I couldn't find any style guide around fallibility of constructors in rust . I'll be a heretic and point towards cpp style which requires constructors to be "small and infallible".

Another note, should we be supporting AsyncIo here , in case we need to support remote fs etc? I am guessing no, because the trait we want to implement is sync?

[arjan-bal]

This file is copied from the rustls repository which uses the same constructor: https://github.com/rustls/rustls/blob/b07b8419b786f05a95d08868643193465449a136/rustls-util/src/key_log_file.rs#L20

I would prefer not to make too many modifications to this file. Please let me know if you think we need to apply readability fixes here.

[sauravzg]

Is there a utility for it? This seems like a bunch of magic strings, how do we know this is correct?

[arjan-bal]

This file is copied from the rustls repository, source here: https://github.com/rustls/rustls/blob/main/rustls-util/src/key_log_file.rs

The original implementation doesn't export the constructor to set an arbitrary file path, and relies on the SSLKEYLOGFILE env variable which is commonly used by openssl. Since gRPC C++ supports specifying the file path, I copied over the file and exposed the internal constructor.

[sauravzg]

Is silently failing the correct option? What are the implications of silently failing?

[arjan-bal]

Key logging is meant for debugging. This feature must not be used in production. This file is copied from the rsutls repo.

[sauravzg]

I am guessing rustls depends on implementing this trait which happens to be infallible and hence requires us to also silently fail?

[arjan-bal]

Yes, this file is copied from the rustls repo.

[sauravzg]

Is this always a copy? Same for below.

[arjan-bal]

This results in a single copy, during the creation of a gRPC channel. I don't think the overhead is significant. This is a similar API to the one in tonic:

tonic/tonic/src/transport/tls.rs

Lines 15 to 21 in e6318b7

	/// Parse a PEM encoded X509 Certificate.
	///
	/// The provided PEM should include at least one PEM encoded certificate.
	pub fn from_pem(pem: impl AsRef<[u8]>) -> Self {
	let pem = pem.as_ref().into();
	Self { pem }
	}

[sauravzg]

These are private, right? Why do we need all of them

[arjan-bal]

Only get_ref is required. The other methods are an artifact from copying the tonic implementation, removed them now.

[sauravzg]

I am assuming we'll also need AsMut for consistency?

[arjan-bal]

Removed this for now. Using AsRead exposes the method publicly, while using the get_ref() method in the impl block above avoids this. We can add this in the future, when required.

[sauravzg]

nit: I think the provider stuff should probably be moved into its own file maybe?

[arjan-bal]

This section is roughly 50 lines, consisting mostly of documentation comments. Even with this addition, the mod.rs file remains a manageable size. I’d prefer not to split the file prematurely, but I’m happy to do so if you feel strongly about it.

[sauravzg]

The placement of the utility functions seem slightly odd . They are used in another file but are implemented as private here. Wouldn't it be better to move them closer to their point of use unless we want to share them ?

[arjan-bal]

This will get used in the TLS server credentials implementation.

[sauravzg]

Wouldn't it be better to make it private and provide and inner and/or inner_ref method instead?

[arjan-bal]

Changed. Added a a constructor and an inner method.

[dfawley]

Should we give it a scarier name, then? insecure_with_key_log_path e.g.?

[arjan-bal]

Renamed to include an insecure_ prefix. Some rustls APIs use the word "dangerous" for this purpose.

[dfawley]

Should we put this in a rustls directory instead of tls since we know we'll eventually have a second TLS creds implementation?

[arjan-bal]

Renamed the directory and module to rustls. I suspect the configuration objects could be reused for the future BoringSSL implementation, so having them in a separate tls module might make sense down the line. However, I've kept everything in the rustls module for now. We can always move the symbols to a new module and use aliases in the rustls module later.

[dfawley]

Yeah, I think we'll want some things in tls that are common to the boring implementation, but we can wait until later.

[dfawley]

Formatting looks wrong here?

[arjan-bal]

Fixed.

[dfawley]

Does this work instead?

Suggested change

	let provider = if let Some(p) = CryptoProvider::get_default() {
	p.as_ref().clone()
	} else {
	return Err(
	"No crypto provider installed. Enable `tls-aws-lc` feature or install one manually."
	.to_string(),
	);
	};
	let Some(provider) = CryptoProvider::get_default().cloned() else {
	return Err(
	"No crypto provider installed. Enable `tls-aws-lc` feature or install one manually."
	.to_string(),
	);
	};

[arjan-bal]

Applied the change manually. I was relying on rustfmt to auto-format it, but it doesn't seem to make any changes with the default configuration.

[dfawley]

I would like us to try to name the _ variables in situations like these so that we know what it is that we're ignoring, unless it's super obvious. _io? (What's the meaning of this API? There's two different ways to access the underlying stream?)

[arjan-bal]

Renamed the ignored symbol to _io prefix.

What's the meaning of this API? There's two different ways to access the underlying stream?

The returned IO represents the plaintext IO stream that was passed to the connector.connect() method. The ClientConnection struct represents the TLS state machine. The TlsStream glues both these parts. It keeps reading data from the IO and passing it into to the ClientConnection.

[dfawley]

This might be brittle? Maybe contains("no cipher suites matching") or something would be less so?

[arjan-bal]

Relaxed the assertion.

[dfawley]

This pattern is problematic -- if you are running tests in different branches concurrently, e.g. We need something like mktemp where we don't have to see if the directory/file is already in use.

[arjan-bal]

Nice catch! The rustls tests are running the keylog tests serially and using the CWD to create a temp file: permalink

The recommended way to create temporary directories seems to be using the tempfile crate, which tonic also seems to use:

tonic/tests/default_stubs/Cargo.toml

Lines 13 to 14 in fe0393c

	[dev-dependencies]
	tempfile = "3.20"

I've added a dev dependency and switched to using the tempfile crate.

[dfawley]

Is it a requirement to list all modifications here? Because I'd rather not since I'm sure we'll make a change on some future date and forget to update it. I would prefer something like "Note: this file contains modifications by the gRPC authors; see revision history for details" if that is acceptable.

[arjan-bal]

Based on section 4.b of the liscence, the revision details are not required: https://www.apache.org/licenses/LICENSE-2.0

You must cause any modified files to carry prominent notices stating that You changed the files

I've updated the note as suggested.

[dfawley]

I think we will want to put any third-party copyrighted files into a separate "vendored" directory, per guidance from legal. We can talk about the details later; this is probably OK for now, pre-1.0.

[arjan-bal]

Tracking down all the files may be a problem later. I've moved this file to the src/vendored directory now.

[arjan-bal]

After reading the CNCF guidelines for attribution, my understanding is that the keylog file qualifies as Incorporated Code instead of Vendored component since it's modified.

• Incorporated code: portions of code that are taken from a third-party software component and incorporated directly into a CNCF project’s own source code
• Vendored component: a component whose code is incorporated, unmodified, into a folder specifically intended for third-party dependencies, often with a name such as vendor/, third_party/, node_modules/ (for NPM dependencies), etc.

The guidelines for Incorporated Code only mention copying the license into source file for sources with an Apache 2 license.

Based on this, I've moved the keylog file back to the rustls directory.

[dfawley]

With names so generic (Sender, Receiver) and reused so frequently, maybe we want to say they should always be prefixed by the module name? So, use tokio::sync::watch and watch::Receiver?

[arjan-bal]

Changed to watch::Receiver.