grpc/cpp/private__key__signer_8h_source.html

//

//

// Copyright 2025 gRPC authors.

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//     http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

//

//


#ifndef GRPC_PRIVATE_KEY_SIGNER_H

#define GRPC_PRIVATE_KEY_SIGNER_H


#include <grpc/credentials.h>


#include <memory>

#include <string>

#include <variant>


#include "absl/functional/any_invocable.h"

#include "absl/status/statusor.h"

#include "absl/strings/string_view.h"


namespace grpc_core {


// Implementations of this class must be thread-safe.

class PrivateKeySigner {

 public:

  // A handle for an asynchronous signing operation.

  //

  // When `PrivateKeySigner::Sign` is implemented asynchronously, it returns an

  // instance of a concrete implementation of this class. This handle is used

  // to manage the asynchronous signing operation and can be used to cancel the

  // operation via `PrivateKeySigner::Cancel`.

  //

  // Users must provide their own concrete implementation of this class. The

  // handle can store any state needed for the asynchronous operation.

  class AsyncSigningHandle {

   public:

    virtual ~AsyncSigningHandle() = default;

  };


  // Enum class representing TLS signature algorithm identifiers from BoringSSL.

  // The values correspond to the SSL_SIGN_* macros in <openssl/ssl.h>.

  enum class SignatureAlgorithm {

    kRsaPkcs1Sha256,

    kRsaPkcs1Sha384,

    kRsaPkcs1Sha512,

    kEcdsaSecp256r1Sha256,

    kEcdsaSecp384r1Sha384,

    kEcdsaSecp521r1Sha512,

    kRsaPssRsaeSha256,

    kRsaPssRsaeSha384,

    kRsaPssRsaeSha512,

  };


  // A callback that is invoked when an asynchronous signing operation is

  // complete. The argument should contain the signed bytes on success, or a

  // non-OK status on failure.

  using OnSignComplete = absl::AnyInvocable<void(absl::StatusOr<std::string>)>;


  virtual ~PrivateKeySigner() = default;


  // Signs data_to_sign.

  // May return either synchronously or asynchronously.

  // For synchronous returns, directly returns either the signed bytes

  // or a failed status, and the callback will never be invoked.

  // For asynchronous implementations, returns a handle for the asynchronous

  // signing operation. The function argument on_sign_complete must be called by

  // the implementer when the async signing operation is complete.

  // on_sign_complete must not be invoked synchronously within Sign().

  virtual std::variant<absl::StatusOr<std::string>,

                       std::shared_ptr<AsyncSigningHandle>>

  Sign(absl::string_view data_to_sign, SignatureAlgorithm signature_algorithm,

       OnSignComplete on_sign_complete) = 0;


  // Cancels an in-flight async signing operation using a handle returned

  // from a previous call to Sign().

  virtual void Cancel(std::shared_ptr<AsyncSigningHandle> handle) = 0;

};

}  // namespace grpc_core


absl::Status grpc_tls_identity_pairs_add_pair_with_signer(

    grpc_tls_identity_pairs* pairs,

    std::shared_ptr<grpc_core::PrivateKeySigner> private_key_signer,

    absl::string_view cert_chain);


#endif /* GRPC_PRIVATE_KEY_SIGNER_H */