Changing the SSL (Server) Credentials API.

- Changed the unsigned char * + size to NULL terminated strings which
  makes sense for the PEM format. I may change TSI later (but the impact
  will hopefully be much more limited).
- Added a way to pass multiple key/cert pairs to servers which is needed
  when hosting more than one domain.
- Removed the C++ SSL credentials tests as we are going to have an
  option to not specify the roots which will then be derived from the
  environment (well-known platform dependent locations and/or
  environment variable).
- Fixed the php build which is the only one added in the run_test.py.
  This change will certainly break node, python and ruby.

include/grpc++/server_credentials.h

@@ -35,6 +35,7 @@
 #define __GRPCPP_SERVER_CREDENTIALS_H_
 
 #include <memory>
+#include <vector>
 
 #include <grpc++/config.h>
 
@@ -60,9 +61,12 @@ class ServerCredentials final {
 
 // Options to create ServerCredentials with SSL
 struct SslServerCredentialsOptions {
+  struct PemKeyCertPair{
+    grpc::string private_key;
+    grpc::string cert_chain;
+  };
   grpc::string pem_root_certs;
-  grpc::string pem_private_key;
-  grpc::string pem_cert_chain;
+  std::vector<PemKeyCertPair> pem_key_cert_pairs;
 };
 
 // Factory for building different types of ServerCredentials

include/grpc/grpc_security.h

@@ -54,22 +54,26 @@ void grpc_credentials_release(grpc_credentials *creds);
 /* Creates default credentials. */
 grpc_credentials *grpc_default_credentials_create(void);
 
+/* Object that holds a private key / certificate chain pair in PEM format. */
+typedef struct {
+  /* private_key is the NULL-terminated string containing the PEM encoding of
+     the client's private key. */
+  const char *private_key;
+
+   /* cert_chain is the NULL-terminated string containing the PEM encoding of
+      the client's certificate chain. */
+  const char *cert_chain;
+} grpc_ssl_pem_key_cert_pair;
+
 /* Creates an SSL credentials object.
-   - pem_roots_cert is the buffer containing the PEM encoding of the server
-     root certificates. This parameter cannot be NULL.
-   - pem_roots_cert_size is the size of the associated buffer.
-   - pem_private_key is the buffer containing the PEM encoding of the client's
-     private key. This parameter can be NULL if the client does not have a
-     private key.
-   - pem_private_key_size is the size of the associated buffer.
-   - pem_cert_chain is the buffer containing the PEM encoding of the client's
-     certificate chain. This parameter can be NULL if the client does not have
-     a certificate chain.
-   - pem_cert_chain_size is the size of the associated buffer. */
+   - pem_roots_cert is the NULL-terminated string containing the PEM encoding
+     of the server root certificates. If this parameter is NULL, the default
+     roots will be used.
+   - pem_key_cert_pair is a pointer on the object containing client's private
+     key and certificate chain. This parameter can be NULL if the client does
+     not have such a key/cert pair.  */
 grpc_credentials *grpc_ssl_credentials_create(
-    const unsigned char *pem_root_certs, size_t pem_root_certs_size,
-    const unsigned char *pem_private_key, size_t pem_private_key_size,
-    const unsigned char *pem_cert_chain, size_t pem_cert_chain_size);
+    const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair);
 
 /* Creates a composite credentials object. */
 grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1,
@@ -130,22 +134,16 @@ typedef struct grpc_server_credentials grpc_server_credentials;
 void grpc_server_credentials_release(grpc_server_credentials *creds);
 
 /* Creates an SSL server_credentials object.
-   TODO(jboeuf): Change the constructor so that it can support multiple
-   key/cert pairs.
-   - pem_roots_cert is the buffer containing the PEM encoding of the server
-     root certificates. This parameter may be NULL if the server does not want
-     the client to be authenticated with SSL.
-   - pem_roots_cert_size is the size of the associated buffer.
-   - pem_private_key is the buffer containing the PEM encoding of the client's
-     private key. This parameter cannot be NULL.
-   - pem_private_key_size is the size of the associated buffer.
-   - pem_cert_chain is the buffer containing the PEM encoding of the client's
-     certificate chain. This parameter cannot be NULL.
-   - pem_cert_chain_size is the size of the associated buffer. */
+   - pem_roots_cert is the NULL-terminated string containing the PEM encoding of
+     the client root certificates. This parameter may be NULL if the server does
+     not want the client to be authenticated with SSL.
+   - pem_key_cert_pairs is an array private key / certificate chains of the
+     server. This parameter cannot be NULL.
+   - num_key_cert_pairs indicates the number of items in the private_key_files
+     and cert_chain_files parameters. It should be at least 1. */
 grpc_server_credentials *grpc_ssl_server_credentials_create(
-    const unsigned char *pem_root_certs, size_t pem_root_certs_size,
-    const unsigned char *pem_private_key, size_t pem_private_key_size,
-    const unsigned char *pem_cert_chain, size_t pem_cert_chain_size);
+    const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
+    size_t num_key_cert_pairs);
 
 /* Creates a fake server transport security credentials object for testing. */
 grpc_server_credentials *grpc_fake_transport_security_server_credentials_create(

src/core/security/credentials.c

@@ -139,7 +139,7 @@ typedef struct {
 
 typedef struct {
   grpc_server_credentials base;
-  grpc_ssl_config config;
+  grpc_ssl_server_config config;
 } grpc_ssl_server_credentials;
 
 static void ssl_destroy(grpc_credentials *creds) {
@@ -152,9 +152,24 @@ static void ssl_destroy(grpc_credentials *creds) {
 
 static void ssl_server_destroy(grpc_server_credentials *creds) {
   grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
+  size_t i;
+  for (i = 0; i < c->config.num_key_cert_pairs; i++) {
+    if (c->config.pem_private_keys[i] != NULL) {
+      gpr_free(c->config.pem_private_keys[i]);
+    }
+    if (c->config.pem_cert_chains[i]!= NULL)  {
+      gpr_free(c->config.pem_cert_chains[i]);
+    }
+  }
+  if (c->config.pem_private_keys != NULL) gpr_free(c->config.pem_private_keys);
+  if (c->config.pem_private_keys_sizes != NULL) {
+    gpr_free(c->config.pem_private_keys_sizes);
+  }
+  if (c->config.pem_cert_chains != NULL) gpr_free(c->config.pem_cert_chains);
+  if (c->config.pem_cert_chains_sizes != NULL) {
+    gpr_free(c->config.pem_cert_chains_sizes);
+  }
   if (c->config.pem_root_certs != NULL) gpr_free(c->config.pem_root_certs);
-  if (c->config.pem_private_key != NULL) gpr_free(c->config.pem_private_key);
-  if (c->config.pem_cert_chain != NULL) gpr_free(c->config.pem_cert_chain);
   gpr_free(creds);
 }
 
@@ -179,7 +194,7 @@ const grpc_ssl_config *grpc_ssl_credentials_get_config(
   }
 }
 
-const grpc_ssl_config *grpc_ssl_server_credentials_get_config(
+const grpc_ssl_server_config *grpc_ssl_server_credentials_get_config(
     const grpc_server_credentials *creds) {
   if (creds == NULL || strcmp(creds->type, GRPC_CREDENTIALS_TYPE_SSL)) {
     return NULL;
@@ -189,57 +204,89 @@ const grpc_ssl_config *grpc_ssl_server_credentials_get_config(
   }
 }
 
-static void ssl_build_config(const unsigned char *pem_root_certs,
-                             size_t pem_root_certs_size,
-                             const unsigned char *pem_private_key,
-                             size_t pem_private_key_size,
-                             const unsigned char *pem_cert_chain,
-                             size_t pem_cert_chain_size,
+static void ssl_copy_key_material(const char *input, unsigned char **output,
+                                  size_t *output_size) {
+  *output_size = strlen(input);
+  *output = gpr_malloc(*output_size);
+  memcpy(*output, input, *output_size);
+}
+
+static void ssl_build_config(const char *pem_root_certs,
+                             grpc_ssl_pem_key_cert_pair *pem_key_cert_pair,
                              grpc_ssl_config *config) {
+  if (pem_root_certs == NULL) {
+    /* TODO(jboeuf): Get them from the environment. */
+    gpr_log(GPR_ERROR, "Default SSL roots not yet implemented.");
+  } else {
+    ssl_copy_key_material(pem_root_certs, &config->pem_root_certs,
+                          &config->pem_root_certs_size);
+  }
+
+  if (pem_key_cert_pair != NULL) {
+    GPR_ASSERT(pem_key_cert_pair->private_key != NULL);
+    GPR_ASSERT(pem_key_cert_pair->cert_chain != NULL);
+    ssl_copy_key_material(pem_key_cert_pair->private_key,
+                          &config->pem_private_key,
+                          &config->pem_private_key_size);
+    ssl_copy_key_material(pem_key_cert_pair->cert_chain,
+                          &config->pem_cert_chain,
+                          &config->pem_cert_chain_size);
+  }
+}
+
+static void ssl_build_server_config(
+    const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
+    size_t num_key_cert_pairs, grpc_ssl_server_config *config) {
+  size_t i;
   if (pem_root_certs != NULL) {
-    config->pem_root_certs = gpr_malloc(pem_root_certs_size);
-    memcpy(config->pem_root_certs, pem_root_certs, pem_root_certs_size);
-    config->pem_root_certs_size = pem_root_certs_size;
+    ssl_copy_key_material(pem_root_certs, &config->pem_root_certs,
+                          &config->pem_root_certs_size);
   }
-  if (pem_private_key != NULL) {
-    config->pem_private_key = gpr_malloc(pem_private_key_size);
-    memcpy(config->pem_private_key, pem_private_key, pem_private_key_size);
-    config->pem_private_key_size = pem_private_key_size;
+  if (num_key_cert_pairs > 0) {
+    GPR_ASSERT(pem_key_cert_pairs != NULL);
+    config->pem_private_keys =
+        gpr_malloc(num_key_cert_pairs * sizeof(unsigned char *));
+    config->pem_cert_chains =
+        gpr_malloc(num_key_cert_pairs * sizeof(unsigned char *));
+    config->pem_private_keys_sizes =
+        gpr_malloc(num_key_cert_pairs * sizeof(size_t));
+    config->pem_cert_chains_sizes =
+        gpr_malloc(num_key_cert_pairs * sizeof(size_t));
   }
-  if (pem_cert_chain != NULL) {
-    config->pem_cert_chain = gpr_malloc(pem_cert_chain_size);
-    memcpy(config->pem_cert_chain, pem_cert_chain, pem_cert_chain_size);
-    config->pem_cert_chain_size = pem_cert_chain_size;
+  config->num_key_cert_pairs = num_key_cert_pairs;
+  for (i = 0; i < num_key_cert_pairs; i++) {
+    GPR_ASSERT(pem_key_cert_pairs[i].private_key != NULL);
+    GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != NULL);
+    ssl_copy_key_material(pem_key_cert_pairs[i].private_key,
+                          &config->pem_private_keys[i],
+                          &config->pem_private_keys_sizes[i]);
+    ssl_copy_key_material(pem_key_cert_pairs[i].cert_chain,
+                          &config->pem_cert_chains[i],
+                          &config->pem_cert_chains_sizes[i]);
   }
 }
 
 grpc_credentials *grpc_ssl_credentials_create(
-    const unsigned char *pem_root_certs, size_t pem_root_certs_size,
-    const unsigned char *pem_private_key, size_t pem_private_key_size,
-    const unsigned char *pem_cert_chain, size_t pem_cert_chain_size) {
+    const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair) {
   grpc_ssl_credentials *c = gpr_malloc(sizeof(grpc_ssl_credentials));
   memset(c, 0, sizeof(grpc_ssl_credentials));
   c->base.type = GRPC_CREDENTIALS_TYPE_SSL;
   c->base.vtable = &ssl_vtable;
   gpr_ref_init(&c->base.refcount, 1);
-  ssl_build_config(pem_root_certs, pem_root_certs_size, pem_private_key,
-                   pem_private_key_size, pem_cert_chain, pem_cert_chain_size,
-                   &c->config);
+  ssl_build_config(pem_root_certs, pem_key_cert_pair, &c->config);
   return &c->base;
 }
 
 grpc_server_credentials *grpc_ssl_server_credentials_create(
-    const unsigned char *pem_root_certs, size_t pem_root_certs_size,
-    const unsigned char *pem_private_key, size_t pem_private_key_size,
-    const unsigned char *pem_cert_chain, size_t pem_cert_chain_size) {
+    const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
+    size_t num_key_cert_pairs) {
   grpc_ssl_server_credentials *c =
       gpr_malloc(sizeof(grpc_ssl_server_credentials));
   memset(c, 0, sizeof(grpc_ssl_server_credentials));
   c->base.type = GRPC_CREDENTIALS_TYPE_SSL;
   c->base.vtable = &ssl_server_vtable;
-  ssl_build_config(pem_root_certs, pem_root_certs_size, pem_private_key,
-                   pem_private_key_size, pem_cert_chain, pem_cert_chain_size,
-                   &c->config);
+  ssl_build_server_config(pem_root_certs, pem_key_cert_pairs,
+                          num_key_cert_pairs, &c->config);
   return &c->base;
 }
 

src/core/security/credentials.h

@@ -137,10 +137,17 @@ struct grpc_server_credentials {
   const char *type;
 };
 
-/* TODO(jboeuf): Have an ssl_server_config that can contain multiple key/cert
-   pairs. */
+typedef struct {
+  unsigned char **pem_private_keys;
+  size_t *pem_private_keys_sizes;
+  unsigned char **pem_cert_chains;
+  size_t *pem_cert_chains_sizes;
+  size_t num_key_cert_pairs;
+  unsigned char *pem_root_certs;
+  size_t pem_root_certs_size;
+} grpc_ssl_server_config;
 
-const grpc_ssl_config *grpc_ssl_server_credentials_get_config(
+const grpc_ssl_server_config *grpc_ssl_server_credentials_get_config(
     const grpc_server_credentials *ssl_creds);
 
 #endif /* __GRPC_INTERNAL_SECURITY_CREDENTIALS_H__ */

src/core/security/security_context.c

@@ -382,7 +382,7 @@ error:
 }
 
 grpc_security_status grpc_ssl_server_security_context_create(
-    const grpc_ssl_config *config, grpc_security_context **ctx) {
+    const grpc_ssl_server_config *config, grpc_security_context **ctx) {
   size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
   const unsigned char **alpn_protocol_strings =
       gpr_malloc(sizeof(const char *) * num_alpn_protocols);
@@ -399,8 +399,7 @@ grpc_security_status grpc_ssl_server_security_context_create(
         strlen(grpc_chttp2_get_alpn_version_index(i));
   }
 
-  if (config == NULL || config->pem_private_key == NULL ||
-      config->pem_cert_chain == NULL) {
+  if (config == NULL || config->num_key_cert_pairs == 0) {
     gpr_log(GPR_ERROR, "An SSL server needs a key and a cert.");
     goto error;
   }
@@ -410,13 +409,13 @@ grpc_security_status grpc_ssl_server_security_context_create(
   gpr_ref_init(&c->base.refcount, 1);
   c->base.vtable = &ssl_server_vtable;
   result = tsi_create_ssl_server_handshaker_factory(
-      (const unsigned char **)&config->pem_private_key,
-      &config->pem_private_key_size,
-      (const unsigned char **)&config->pem_cert_chain,
-      &config->pem_cert_chain_size, 1, config->pem_root_certs,
-      config->pem_root_certs_size, GRPC_SSL_CIPHER_SUITES,
-      alpn_protocol_strings, alpn_protocol_string_lengths, num_alpn_protocols,
-      &c->handshaker_factory);
+      (const unsigned char **)config->pem_private_keys,
+      config->pem_private_keys_sizes,
+      (const unsigned char **)config->pem_cert_chains,
+      config->pem_cert_chains_sizes, config->num_key_cert_pairs,
+      config->pem_root_certs, config->pem_root_certs_size,
+      GRPC_SSL_CIPHER_SUITES, alpn_protocol_strings,
+      alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory);
   if (result != TSI_OK) {
     gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
             tsi_result_to_string(result));

src/core/security/security_context.h

@@ -157,7 +157,7 @@ grpc_security_status grpc_ssl_channel_security_context_create(
   specific error code otherwise.
 */
 grpc_security_status grpc_ssl_server_security_context_create(
-    const grpc_ssl_config *config, grpc_security_context **ctx);
+    const grpc_ssl_server_config *config, grpc_security_context **ctx);
 
 /* --- Creation of high level objects. --- */
 

src/cpp/client/credentials.cc

@@ -54,26 +54,12 @@ std::unique_ptr<Credentials> CredentialsFactory::DefaultCredentials() {
 // Builds SSL Credentials given SSL specific options
 std::unique_ptr<Credentials> CredentialsFactory::SslCredentials(
     const SslCredentialsOptions &options) {
-  const unsigned char *pem_root_certs =
-      options.pem_root_certs.empty() ? nullptr
-                                     : reinterpret_cast<const unsigned char *>(
-                                           options.pem_root_certs.c_str());
-  if (pem_root_certs == nullptr) {
-    return std::unique_ptr<Credentials>();
-  }
-  const unsigned char *pem_private_key =
-      options.pem_private_key.empty() ? nullptr
-                                      : reinterpret_cast<const unsigned char *>(
-                                            options.pem_private_key.c_str());
-  const unsigned char *pem_cert_chain =
-      options.pem_cert_chain.empty() ? nullptr
-                                     : reinterpret_cast<const unsigned char *>(
-                                           options.pem_cert_chain.c_str());
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {
+      options.pem_private_key.c_str(), options.pem_cert_chain.c_str()};
 
   grpc_credentials *c_creds = grpc_ssl_credentials_create(
-      pem_root_certs, options.pem_root_certs.size(), pem_private_key,
-      options.pem_private_key.size(), pem_cert_chain,
-      options.pem_cert_chain.size());
+      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
+      options.pem_private_key.empty() ? nullptr : &pem_key_cert_pair);
   std::unique_ptr<Credentials> cpp_creds(
       c_creds == nullptr ? nullptr : new Credentials(c_creds));
   return cpp_creds;

src/cpp/server/server_credentials.cc

@@ -48,23 +48,14 @@ grpc_server_credentials *ServerCredentials::GetRawCreds() { return creds_; }
 
 std::shared_ptr<ServerCredentials> ServerCredentialsFactory::SslCredentials(
     const SslServerCredentialsOptions &options) {
-  const unsigned char *pem_root_certs =
-      options.pem_root_certs.empty() ? nullptr
-                                     : reinterpret_cast<const unsigned char *>(
-                                           options.pem_root_certs.c_str());
-  const unsigned char *pem_private_key =
-      options.pem_private_key.empty() ? nullptr
-                                      : reinterpret_cast<const unsigned char *>(
-                                            options.pem_private_key.c_str());
-  const unsigned char *pem_cert_chain =
-      options.pem_cert_chain.empty() ? nullptr
-                                     : reinterpret_cast<const unsigned char *>(
-                                           options.pem_cert_chain.c_str());
-
+  std::vector<grpc_ssl_pem_key_cert_pair> pem_key_cert_pairs;
+  for (const auto &key_cert_pair : options.pem_key_cert_pairs) {
+    pem_key_cert_pairs.push_back(
+        {key_cert_pair.private_key.c_str(), key_cert_pair.cert_chain.c_str()});
+  }
   grpc_server_credentials *c_creds = grpc_ssl_server_credentials_create(
-      pem_root_certs, options.pem_root_certs.size(), pem_private_key,
-      options.pem_private_key.size(), pem_cert_chain,
-      options.pem_cert_chain.size());
+      options.pem_root_certs.empty() ? nullptr : options.pem_root_certs.c_str(),
+      &pem_key_cert_pairs[0], pem_key_cert_pairs.size());
   return std::shared_ptr<ServerCredentials>(new ServerCredentials(c_creds));
 }
 

src/php/ext/grpc/credentials.c

@@ -77,24 +77,23 @@ PHP_METHOD(Credentials, createDefault) {
  */
 PHP_METHOD(Credentials, createSsl) {
   char *pem_root_certs;
-  char *pem_private_key = NULL;
-  char *pem_cert_chain = NULL;
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair;
 
   int root_certs_length, private_key_length = 0, cert_chain_length = 0;
 
   /* "s|s!s! == 1 string, 2 optional nullable strings */
   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s!s!",
                             &pem_root_certs, &root_certs_length,
-                            &pem_private_key, &private_key_length,
-                            &pem_cert_chain, &cert_chain_length) == FAILURE) {
+                            &pem_key_cert_pair.private_key, &private_key_length,
+                            &pem_key_cert_pair.cert_chain,
+                            &cert_chain_length) == FAILURE) {
     zend_throw_exception(spl_ce_InvalidArgumentException,
                          "createSsl expects 1 to 3 strings", 1 TSRMLS_CC);
     return;
   }
   grpc_credentials *creds = grpc_ssl_credentials_create(
-      (unsigned char *)pem_root_certs, (size_t)root_certs_length,
-      (unsigned char *)pem_private_key, (size_t)private_key_length,
-      (unsigned char *)pem_cert_chain, (size_t)cert_chain_length);
+      pem_root_certs,
+      pem_key_cert_pair.private_key == NULL ? NULL : &pem_key_cert_pair);
   zval *creds_object = grpc_php_wrap_credentials(creds);
   RETURN_DESTROY_ZVAL(creds_object);
 }

src/php/ext/grpc/server_credentials.c

@@ -66,24 +66,22 @@ zval *grpc_php_wrap_server_credentials(grpc_server_credentials *wrapped) {
  */
 PHP_METHOD(ServerCredentials, createSsl) {
   char *pem_root_certs = 0;
-  char *pem_private_key;
-  char *pem_cert_chain;
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair;
 
   int root_certs_length = 0, private_key_length, cert_chain_length;
 
   /* "s!ss" == 1 nullable string, 2 strings */
+  /* TODO: support multiple key cert pairs. */
   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s!ss", &pem_root_certs,
-                            &root_certs_length, &pem_private_key,
-                            &private_key_length, &pem_cert_chain,
+                            &root_certs_length, &pem_key_cert_pair.private_key,
+                            &private_key_length, &pem_key_cert_pair.cert_chain,
                             &cert_chain_length) == FAILURE) {
     zend_throw_exception(spl_ce_InvalidArgumentException,
                          "createSsl expects 3 strings", 1 TSRMLS_CC);
     return;
   }
-  grpc_server_credentials *creds = grpc_ssl_server_credentials_create(
-      (unsigned char *)pem_root_certs, (size_t)root_certs_length,
-      (unsigned char *)pem_private_key, (size_t)private_key_length,
-      (unsigned char *)pem_cert_chain, (size_t)cert_chain_length);
+  grpc_server_credentials *creds =
+      grpc_ssl_server_credentials_create(pem_root_certs, &pem_key_cert_pair, 1);
   zval *creds_object = grpc_php_wrap_server_credentials(creds);
   RETURN_DESTROY_ZVAL(creds_object);
 }

test/core/end2end/data/prod_roots_certs.c

@@ -31,7 +31,7 @@
  *
  */
 
-unsigned char prod_roots_certs[] = {
+const char prod_roots_certs[] = {
     0x23, 0x20, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72, 0x3a, 0x20, 0x43, 0x4e,
     0x3d, 0x47, 0x54, 0x45, 0x20, 0x43, 0x79, 0x62, 0x65, 0x72, 0x54, 0x72,
     0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x52,
@@ -11270,5 +11270,4 @@ unsigned char prod_roots_certs[] = {
     0x33, 0x50, 0x59, 0x74, 0x6c, 0x4e, 0x58, 0x4c, 0x66, 0x62, 0x51, 0x34,
     0x64, 0x64, 0x49, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44,
     0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45,
-    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a};
-unsigned int prod_roots_certs_size = 134862;
+    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x00};

test/core/end2end/data/server1_cert.c

@@ -31,7 +31,7 @@
  *
  */
 
-unsigned char test_server1_cert[] = {
+const char test_server1_cert[] = {
     0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43,
     0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
     0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43, 0x6d, 0x7a, 0x43, 0x43,
@@ -112,5 +112,4 @@ unsigned char test_server1_cert[] = {
     0x32, 0x77, 0x65, 0x2f, 0x4b, 0x44, 0x34, 0x6f, 0x6a, 0x66, 0x39, 0x73,
     0x3d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x43,
     0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
-    0x2d, 0x2d, 0x2d, 0x0a};
-unsigned int test_server1_cert_size = 964;
+    0x2d, 0x2d, 0x2d, 0x0a, 0x00};

test/core/end2end/data/server1_key.c

@@ -31,7 +31,7 @@
  *
  */
 
-unsigned char test_server1_key[] = {
+const char test_server1_key[] = {
     0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x52,
     0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4b,
     0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43,
@@ -105,5 +105,4 @@ unsigned char test_server1_key[] = {
     0x6e, 0x68, 0x66, 0x66, 0x46, 0x79, 0x65, 0x37, 0x53, 0x42, 0x58, 0x79,
     0x61, 0x67, 0x3d, 0x3d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e,
     0x44, 0x20, 0x52, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54,
-    0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a};
-unsigned int test_server1_key_size = 887;
+    0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x00};

test/core/end2end/data/ssl_test_data.h

@@ -34,14 +34,10 @@
 #ifndef __GRPC_TEST_END2END_DATA_SSL_TEST_DATA_H__
 #define __GRPC_TEST_END2END_DATA_SSL_TEST_DATA_H__
 
-extern unsigned char test_root_cert[];
-extern unsigned int test_root_cert_size;
-extern unsigned char test_server1_cert[];
-extern unsigned int test_server1_cert_size;
-extern unsigned char test_server1_key[];
-extern unsigned int test_server1_key_size;
+extern const char test_root_cert[];
+extern const char test_server1_cert[];
+extern const char test_server1_key[];
 
-extern unsigned char prod_roots_certs[];
-extern unsigned int prod_roots_certs_size;
+extern const char prod_roots_certs[];
 
 #endif /* __GRPC_TEST_END2END_DATA_SSL_TEST_DATA_H__ */

test/core/end2end/data/test_root_cert.c

@@ -31,7 +31,7 @@
  *
  */
 
-unsigned char test_root_cert[] = {
+const char test_root_cert[] = {
     0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43,
     0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
     0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43, 0x49, 0x7a, 0x43, 0x43,
@@ -98,5 +98,4 @@ unsigned char test_root_cert[] = {
     0x31, 0x59, 0x75, 0x58, 0x32, 0x72, 0x6e, 0x65, 0x78, 0x30, 0x4a, 0x68,
     0x75, 0x54, 0x51, 0x66, 0x63, 0x49, 0x3d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d,
     0x2d, 0x45, 0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49,
-    0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a};
-unsigned int test_root_cert_size = 802;
+    0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x00};

test/core/end2end/fixtures/chttp2_simple_ssl_fullstack.c

@@ -98,8 +98,8 @@ void chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture *f) {
 
 static void chttp2_init_client_simple_ssl_secure_fullstack(
     grpc_end2end_test_fixture *f, grpc_channel_args *client_args) {
-  grpc_credentials *ssl_creds = grpc_ssl_credentials_create(
-      test_root_cert, test_root_cert_size, NULL, 0, NULL, 0);
+  grpc_credentials *ssl_creds =
+      grpc_ssl_credentials_create(test_root_cert, NULL);
   grpc_arg ssl_name_override = {GRPC_ARG_STRING,
                                 GRPC_SSL_TARGET_NAME_OVERRIDE_ARG,
                                 {"foo.test.google.com"}};
@@ -111,9 +111,10 @@ static void chttp2_init_client_simple_ssl_secure_fullstack(
 
 static void chttp2_init_server_simple_ssl_secure_fullstack(
     grpc_end2end_test_fixture *f, grpc_channel_args *server_args) {
-  grpc_server_credentials *ssl_creds = grpc_ssl_server_credentials_create(
-      NULL, 0, test_server1_key, test_server1_key_size, test_server1_cert,
-      test_server1_cert_size);
+  grpc_ssl_pem_key_cert_pair pem_cert_key_pair = {test_server1_key,
+                                                  test_server1_cert};
+  grpc_server_credentials *ssl_creds =
+      grpc_ssl_server_credentials_create(NULL, &pem_cert_key_pair, 1);
   chttp2_init_server_secure_fullstack(f, server_args, ssl_creds);
 }
 

test/core/end2end/fixtures/chttp2_simple_ssl_with_oauth2_fullstack.c

@@ -99,8 +99,7 @@ void chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture *f) {
 
 static void chttp2_init_client_simple_ssl_with_oauth2_secure_fullstack(
     grpc_end2end_test_fixture *f, grpc_channel_args *client_args) {
-  grpc_credentials *ssl_creds = grpc_ssl_credentials_create(
-      test_root_cert, test_root_cert_size, NULL, 0, NULL, 0);
+  grpc_credentials *ssl_creds = grpc_ssl_credentials_create(test_root_cert, NULL);
   grpc_credentials *oauth2_creds =
       grpc_fake_oauth2_credentials_create("Bearer aaslkfjs424535asdf", 1);
   grpc_credentials *ssl_oauth2_creds =
@@ -118,9 +117,10 @@ static void chttp2_init_client_simple_ssl_with_oauth2_secure_fullstack(
 
 static void chttp2_init_server_simple_ssl_secure_fullstack(
     grpc_end2end_test_fixture *f, grpc_channel_args *server_args) {
-  grpc_server_credentials *ssl_creds = grpc_ssl_server_credentials_create(
-      NULL, 0, test_server1_key, test_server1_key_size, test_server1_cert,
-      test_server1_cert_size);
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {test_server1_key,
+                                                  test_server1_cert};
+  grpc_server_credentials *ssl_creds =
+      grpc_ssl_server_credentials_create(NULL, &pem_key_cert_pair, 1);
   chttp2_init_server_secure_fullstack(f, server_args, ssl_creds);
 }
 

test/core/fling/server.c

@@ -101,9 +101,10 @@ int main(int argc, char **argv) {
 
   cq = grpc_completion_queue_create();
   if (secure) {
-    grpc_server_credentials *ssl_creds = grpc_ssl_server_credentials_create(
-        NULL, 0, test_server1_key, test_server1_key_size, test_server1_cert,
-        test_server1_cert_size);
+    grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {test_server1_key,
+                                                    test_server1_cert};
+    grpc_server_credentials *ssl_creds =
+        grpc_ssl_server_credentials_create(NULL, &pem_key_cert_pair, 1);
     server = grpc_secure_server_create(ssl_creds, cq, NULL);
     GPR_ASSERT(grpc_server_add_secure_http2_port(server, addr));
     grpc_server_credentials_release(ssl_creds);

test/core/security/credentials_test.c

@@ -48,7 +48,7 @@ static const char test_iam_authorization_token[] = "blahblahblhahb";
 static const char test_iam_authority_selector[] = "respectmyauthoritah";
 static const char test_oauth2_bearer_token[] =
     "Bearer blaaslkdjfaslkdfasdsfasf";
-static const unsigned char test_root_cert[] = {0xDE, 0xAD, 0xBE, 0xEF};
+static const char test_root_cert[] = "I am the root!";
 
 /* This JSON key was generated with the GCE console and revoked immediately.
    The identifiers have been changed as well.
@@ -275,8 +275,8 @@ static void check_ssl_oauth2_composite_metadata(
 }
 
 static void test_ssl_oauth2_composite_creds(void) {
-  grpc_credentials *ssl_creds = grpc_ssl_credentials_create(
-      test_root_cert, sizeof(test_root_cert), NULL, 0, NULL, 0);
+  grpc_credentials *ssl_creds =
+      grpc_ssl_credentials_create(test_root_cert, NULL);
   const grpc_credentials_array *creds_array;
   grpc_credentials *oauth2_creds =
       grpc_fake_oauth2_credentials_create(test_oauth2_bearer_token, 0);
@@ -312,8 +312,8 @@ static void check_ssl_oauth2_iam_composite_metadata(
 }
 
 static void test_ssl_oauth2_iam_composite_creds(void) {
-  grpc_credentials *ssl_creds = grpc_ssl_credentials_create(
-      test_root_cert, sizeof(test_root_cert), NULL, 0, NULL, 0);
+  grpc_credentials *ssl_creds =
+      grpc_ssl_credentials_create(test_root_cert, NULL);
   const grpc_credentials_array *creds_array;
   grpc_credentials *oauth2_creds =
       grpc_fake_oauth2_credentials_create(test_oauth2_bearer_token, 0);

test/cpp/client/credentials_test.cc

@@ -45,15 +45,6 @@ class CredentialsTest : public ::testing::Test {
  protected:
 };
 
-TEST_F(CredentialsTest, InvalidSslCreds) {
-  std::unique_ptr<Credentials> bad1 =
-      CredentialsFactory::SslCredentials({"", "", ""});
-  EXPECT_EQ(nullptr, bad1.get());
-  std::unique_ptr<Credentials> bad2 =
-      CredentialsFactory::SslCredentials({"", "bla", "bla"});
-  EXPECT_EQ(nullptr, bad2.get());
-}
-
 TEST_F(CredentialsTest, InvalidServiceAccountCreds) {
   std::unique_ptr<Credentials> bad1 =
       CredentialsFactory::ServiceAccountCredentials("", "",

test/cpp/interop/server.cc

@@ -203,11 +203,7 @@ void RunServer() {
   builder.RegisterService(service.service());
   if (FLAGS_enable_ssl) {
     SslServerCredentialsOptions ssl_opts = {
-        "",
-        {reinterpret_cast<const char*>(test_server1_key),
-         test_server1_key_size},
-        {reinterpret_cast<const char*>(test_server1_cert),
-         test_server1_cert_size}};
+        "", {{test_server1_key, test_server1_cert}}};
     std::shared_ptr<ServerCredentials> creds =
         ServerCredentialsFactory::SslCredentials(ssl_opts);
     builder.SetCredentials(creds);

test/cpp/util/create_test_channel.cc

@@ -56,11 +56,8 @@ std::shared_ptr<ChannelInterface> CreateTestChannel(
   ChannelArguments channel_args;
   if (enable_ssl) {
     const char* roots_certs =
-        use_prod_roots ? reinterpret_cast<const char*>(prod_roots_certs)
-                       : reinterpret_cast<const char*>(test_root_cert);
-    unsigned int roots_certs_size =
-        use_prod_roots ? prod_roots_certs_size : test_root_cert_size;
-    SslCredentialsOptions ssl_opts = {{roots_certs, roots_certs_size}, "", ""};
+        use_prod_roots ? prod_roots_certs : test_root_cert;
+    SslCredentialsOptions ssl_opts = {roots_certs, "", ""};
 
     std::unique_ptr<Credentials> creds =
         CredentialsFactory::SslCredentials(ssl_opts);