grpc: upgrade to 1.68.0
upgrade grpc from 1.66.1 + ValidateCredentials patch to 1.68.0
thus no need to maintain the validate credential patch
Tested:
All platform build
http://fusion2/93f424b6-fab7-397a-9b25-77fb94e4020e
http://fusion2/da9ebcfc-df81-316f-a0e8-a3eef4561d70
http://fusion2/53bc5aa7-0393-3673-8607-a8b50fb81a04
http://fusion2/003ad891-69fe-30f9-8c73-f8531568b0c2
Google-Bug-Id: 372315156
Change-Id: I588829be871d3a41ac8ebde68ad5ee47f238a83f
Signed-off-by: Dan Zhang <zhdaniel@google.com>
diff --git a/recipes-devtools/grpc/grpc/0001-tls-Add-ValidateCredentials-API-to-the-TLS-certifica.patch b/recipes-devtools/grpc/grpc/0001-tls-Add-ValidateCredentials-API-to-the-TLS-certifica.patch
deleted file mode 100644
index 32f563c..0000000
--- a/recipes-devtools/grpc/grpc/0001-tls-Add-ValidateCredentials-API-to-the-TLS-certifica.patch
+++ /dev/null
@@ -1,598 +0,0 @@
-From 6b0bd3e7826deabc34b544f3347173b4a36482c1 Mon Sep 17 00:00:00 2001
-From: Matthew Stevenson <mattstev@google.com>
-Date: Mon, 23 Sep 2024 10:25:10 -0700
-Subject: [PATCH] [tls] Add ValidateCredentials API to the TLS certificate
- provider. (#37565)
-
-Add a ValidateCredentials API to the TLS certificate provider interface. A user can call this API to check that the credentials currently held by the certificate provider instance are valid. The definition of "valid" depends on provider that is being used. For the static data and file watcher providers, "valid" means that the credentials consist of valid PEM.
-
-~Currently there is no check to ensure that credentials consist of valid PEM blocks before a TLS handshake commences. This PR creates a static factory for FileWatcherCertificateProvider (and marks the constructor as deprecated) which performs this validation check. The analogous work for StaticDataCertificateProvider will be done in a follow-up PR.~
-
-Closes #37565
-
-COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/37565 from matthewstevenson88:filewatcher f2232280232a9600cb32008597ed096352b65e34
-PiperOrigin-RevId: 677847751
-
-(cherry picked from commit b87ed725df3b7bc562acbccff079b3494a8628a8)
-Signed-off-by: Dan Zhang <zhdaniel@google.com>
----
- BUILD | 3 +
- .../security/tls_certificate_provider.h | 19 ++++-
- .../tls/grpc_tls_certificate_provider.cc | 72 +++++++++++++++++++
- .../tls/grpc_tls_certificate_provider.h | 6 +-
- src/core/tsi/test_creds/BUILD | 2 +
- src/core/tsi/test_creds/README | 7 ++
- src/core/tsi/test_creds/malformed-cert.pem | 22 ++++++
- src/core/tsi/test_creds/malformed-key.pem | 28 ++++++++
- src/cpp/common/tls_certificate_provider.cc | 16 +++++
- test/core/security/BUILD | 2 +
- .../grpc_tls_certificate_provider_test.cc | 72 +++++++++++++++++++
- test/cpp/server/BUILD | 2 +
- test/cpp/server/credentials_test.cc | 37 ++++++++++
- 13 files changed, 286 insertions(+), 2 deletions(-)
- create mode 100644 src/core/tsi/test_creds/malformed-cert.pem
- create mode 100644 src/core/tsi/test_creds/malformed-key.pem
-
-diff --git a/BUILD b/BUILD
-index fdc12602ed..bdb5115ef0 100644
---- a/BUILD
-+++ b/BUILD
-@@ -896,6 +896,7 @@ grpc_cc_library(
- "absl/log:log",
- "absl/log:absl_check",
- "absl/log:absl_log",
-+ "absl/status:statusor",
- "absl/strings:cord",
- "absl/synchronization",
- "protobuf_headers",
-@@ -1247,6 +1248,7 @@ grpc_cc_library(
- "absl/log:log",
- "absl/log:absl_check",
- "absl/log:absl_log",
-+ "absl/status:statusor",
- "absl/strings",
- "absl/synchronization",
- ],
-@@ -2489,6 +2491,7 @@ grpc_cc_library(
- "//src/core:grpc_backend_metric_provider",
- "//src/core:grpc_crl_provider",
- "//src/core:grpc_service_config",
-+ "//src/core:grpc_tls_credentials",
- "//src/core:grpc_transport_chttp2_server",
- "//src/core:grpc_transport_inproc",
- "//src/core:json",
-diff --git a/include/grpcpp/security/tls_certificate_provider.h b/include/grpcpp/security/tls_certificate_provider.h
-index 3e7c952315..fc34d67a6d 100644
---- a/include/grpcpp/security/tls_certificate_provider.h
-+++ b/include/grpcpp/security/tls_certificate_provider.h
-@@ -18,13 +18,16 @@
- #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
-
- #include <memory>
-+#include <string>
- #include <vector>
-
-+#include "absl/status/statusor.h"
-+
- #include <grpc/credentials.h>
- #include <grpc/grpc_security.h>
- #include <grpc/grpc_security_constants.h>
- #include <grpc/status.h>
--#include <grpc/support/log.h>
-+#include <grpc/support/port_platform.h>
- #include <grpcpp/support/config.h>
-
- namespace grpc {
-@@ -68,6 +71,12 @@ class GRPCXX_DLL StaticDataCertificateProvider
-
- grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
-
-+ // Returns an OK status if the following conditions hold:
-+ // - the root certificates consist of one or more valid PEM blocks, and
-+ // - every identity key-cert pair has a certificate chain that consists of
-+ // valid PEM blocks and has a private key is a valid PEM block.
-+ absl::Status ValidateCredentials() const;
-+
- private:
- grpc_tls_certificate_provider* c_provider_ = nullptr;
- };
-@@ -118,6 +127,14 @@ class GRPCXX_DLL FileWatcherCertificateProvider final
-
- grpc_tls_certificate_provider* c_provider() override { return c_provider_; }
-
-+ // Returns an OK status if the following conditions hold:
-+ // - the currently-loaded root certificates, if any, consist of one or more
-+ // valid PEM blocks, and
-+ // - every currently-loaded identity key-cert pair, if any, has a certificate
-+ // chain that consists of valid PEM blocks and has a private key is a valid
-+ // PEM block.
-+ absl::Status ValidateCredentials() const;
-+
- private:
- grpc_tls_certificate_provider* c_provider_ = nullptr;
- };
-diff --git a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
-index 82a56f43eb..aa1bc2acf4 100644
---- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
-+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
-@@ -26,6 +26,7 @@
- #include "absl/log/check.h"
- #include "absl/log/log.h"
- #include "absl/status/status.h"
-+#include "absl/strings/string_view.h"
-
- #include <grpc/credentials.h>
- #include <grpc/slice.h>
-@@ -38,10 +39,50 @@
- #include "src/core/lib/gprpp/status_helper.h"
- #include "src/core/lib/iomgr/error.h"
- #include "src/core/lib/iomgr/exec_ctx.h"
-+#include "src/core/lib/security/security_connector/ssl_utils.h"
- #include "src/core/lib/slice/slice.h"
- #include "src/core/lib/slice/slice_internal.h"
-+#include "src/core/tsi/ssl_transport_security_utils.h"
-
- namespace grpc_core {
-+namespace {
-+
-+absl::Status ValidateRootCertificates(absl::string_view root_certificates) {
-+ if (root_certificates.empty()) return absl::OkStatus();
-+ absl::StatusOr<std::vector<X509*>> parsed_roots =
-+ ParsePemCertificateChain(root_certificates);
-+ if (!parsed_roots.ok()) {
-+ return parsed_roots.status();
-+ }
-+ for (X509* x509 : *parsed_roots) {
-+ X509_free(x509);
-+ }
-+ return absl::OkStatus();
-+}
-+
-+absl::Status ValidatePemKeyCertPair(absl::string_view cert_chain,
-+ absl::string_view private_key) {
-+ if (cert_chain.empty() && private_key.empty()) return absl::OkStatus();
-+ // Check that the cert chain consists of valid PEM blocks.
-+ absl::StatusOr<std::vector<X509*>> parsed_certs =
-+ ParsePemCertificateChain(cert_chain);
-+ if (!parsed_certs.ok()) {
-+ return parsed_certs.status();
-+ }
-+ for (X509* x509 : *parsed_certs) {
-+ X509_free(x509);
-+ }
-+ // Check that the private key consists of valid PEM blocks.
-+ absl::StatusOr<EVP_PKEY*> parsed_private_key =
-+ ParsePemPrivateKey(private_key);
-+ if (!parsed_private_key.ok()) {
-+ return parsed_private_key.status();
-+ }
-+ EVP_PKEY_free(*parsed_private_key);
-+ return absl::OkStatus();
-+}
-+
-+} // namespace
-
- StaticDataCertificateProvider::StaticDataCertificateProvider(
- std::string root_certificate, PemKeyCertPairList pem_key_cert_pairs)
-@@ -102,6 +143,21 @@ UniqueTypeName StaticDataCertificateProvider::type() const {
- return kFactory.Create();
- }
-
-+absl::Status StaticDataCertificateProvider::ValidateCredentials() const {
-+ absl::Status status = ValidateRootCertificates(root_certificate_);
-+ if (!status.ok()) {
-+ return status;
-+ }
-+ for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
-+ absl::Status status =
-+ ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
-+ if (!status.ok()) {
-+ return status;
-+ }
-+ }
-+ return absl::OkStatus();
-+}
-+
- namespace {
-
- gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) {
-@@ -206,6 +262,22 @@ UniqueTypeName FileWatcherCertificateProvider::type() const {
- return kFactory.Create();
- }
-
-+absl::Status FileWatcherCertificateProvider::ValidateCredentials() const {
-+ MutexLock lock(&mu_);
-+ absl::Status status = ValidateRootCertificates(root_certificate_);
-+ if (!status.ok()) {
-+ return status;
-+ }
-+ for (const PemKeyCertPair& pair : pem_key_cert_pairs_) {
-+ absl::Status status =
-+ ValidatePemKeyCertPair(pair.cert_chain(), pair.private_key());
-+ if (!status.ok()) {
-+ return status;
-+ }
-+ }
-+ return absl::OkStatus();
-+}
-+
- void FileWatcherCertificateProvider::ForceUpdate() {
- absl::optional<std::string> root_certificate;
- absl::optional<PemKeyCertPairList> pem_key_cert_pairs;
-diff --git a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
-index d5908d974f..de873e6184 100644
---- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
-+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
-@@ -109,6 +109,8 @@ class StaticDataCertificateProvider final
-
- UniqueTypeName type() const override;
-
-+ absl::Status ValidateCredentials() const;
-+
- private:
- struct WatcherInfo {
- bool root_being_watched = false;
-@@ -148,6 +150,8 @@ class FileWatcherCertificateProvider final
-
- UniqueTypeName type() const override;
-
-+ absl::Status ValidateCredentials() const;
-+
- int64_t TestOnlyGetRefreshIntervalSecond() const;
-
- private:
-@@ -184,7 +188,7 @@ class FileWatcherCertificateProvider final
- gpr_event shutdown_event_;
-
- // Guards members below.
-- Mutex mu_;
-+ mutable Mutex mu_;
- // The most-recent credential data. It will be empty if the most recent read
- // attempt failed.
- std::string root_certificate_ ABSL_GUARDED_BY(mu_);
-diff --git a/src/core/tsi/test_creds/BUILD b/src/core/tsi/test_creds/BUILD
-index f6072bc552..eeac5e35d7 100644
---- a/src/core/tsi/test_creds/BUILD
-+++ b/src/core/tsi/test_creds/BUILD
-@@ -32,4 +32,6 @@ exports_files([
- "multi-domain.pem",
- "leaf_signed_by_intermediate.key",
- "leaf_and_intermediate_chain.pem",
-+ "malformed-cert.pem",
-+ "malformed-key.pem",
- ])
-diff --git a/src/core/tsi/test_creds/README b/src/core/tsi/test_creds/README
-index f3a6679e39..d092361183 100644
---- a/src/core/tsi/test_creds/README
-+++ b/src/core/tsi/test_creds/README
-@@ -13,6 +13,13 @@ When prompted for certificate information, everything is default except the
- common name which is set to badserver.test.google.com.
-
-
-+Malformed credentials (malformed.*):
-+=====================================
-+
-+These are invalid PEM blocks. They can be built by generating a valid
-+PEM-encoded certificate or private key and deleting a random character in the
-+body of the PEM-encoding.
-+
- Valid test credentials:
- =======================
-
-diff --git a/src/core/tsi/test_creds/malformed-cert.pem b/src/core/tsi/test_creds/malformed-cert.pem
-new file mode 100644
-index 0000000000..59326fceeb
---- /dev/null
-+++ b/src/core/tsi/test_creds/malformed-cert.pem
-@@ -0,0 +1,22 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDszCCApugAwIBAgIUONWbkUn1obHCw9L7lMNEE5REvb8wDQYJKoZIhvcNAQEL
-+BQAwaTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEiMCAGA1UEAwwZYmFkY2xpZW50LnRl
-+c3QuZ29vZ2xlLmNvbTAeFw0yMDAzMTcxNzQzMjNaFw0zMDAzMTUxNzQzMjNaMGkx
-+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-+cm5ldCBXaWRnaXRzIFB0eSBMdGQxIjAgBgNVBAMMGWJhZGNsaWVudC50ZXN0Lmdv
-+b2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvdzKDTYvR
-+gjBOUOrzDwkAZGwNFHHlMYyMGI5tItj3tCzXkbpM0uz3ZjHVahu+eYc+KvYApM64
-+F2dBb16hs713FCk8mihYABjnSndrQsl/U2v8YFT7DipfLReqqaOGu2o9HdvWfiUl
-+aiC/UGGfR+YblpK7CG+7/hvTXtUsMw+OppoeH9z87rhOJMxtiC7XwU5rhEmab/1f
-+1XM/nLoZrfDAcTbDywoeu826SJ3mifajq7oK3LDdNLjWZwfEsCO1qp2C4gLvBlOO
-+KsWOLNby6ByxCOPlCTa0UCaVuoNclYol71jyi17KW+Nk0nNe9yaVcyr6H0z3bImf
-+JhbSu4rzI93nAgMBAAGjUzBRB0GA1UdDgQWBBTKJskEYd2ndrwihPTg2PzYF/kP
-+gzAfBgNVHSMEGDAWgBTKJskEYd2ndrwihPTg2PzYF/kPgzAPBgNVHRMBAf8EBTAD
-+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBoGwWR0pLM1icX4bIJ6yduFU/A4jSiqET6
-+gvJhwgErilqTKfH6Y89rqtzW8k4UurAOCsE4FA6wbkHWwrUMnClY4lkHJh+MuNaJ
-+nCGrK8wRKGb/mqW9d5pP72Et1Q6OW6DAKqGfjDWh2MzSPHBxcCLeyigO1wqd4W1T
-+nvvql6l4L+B5IT/c+/EHO3PwbI9v6MGTtLjsZgkRKItaPh+YeJdmBYhRD1BvWb6s
-+VwEb7aQ1oSF+esUvMmjGVuHXuQvWJahnjYdYT2DikyqR+AwaKzre4GJMHsX3/Cf8
-+qdxyI+B1jUwNr7sLA2EYDjnUR0jEHcrOBSpIQyRMGWduj0P16yb9
-+-----END CERTIFICATE-----
-diff --git a/src/core/tsi/test_creds/malformed-key.pem b/src/core/tsi/test_creds/malformed-key.pem
-new file mode 100644
-index 0000000000..238055d7c9
---- /dev/null
-+++ b/src/core/tsi/test_creds/malformed-key.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDvdzKDTYvRgjBO
-+UOrzDwkAZGwNFHHlMYyMGI5tItj3tCzXkbpM0uz3ZjHVahu+eYc+KvYApM64F2dB
-+b16hs713FCk8mihYABjnSndrQsl/U2v8YFT7DipfLReqqaOGu2o9HdvWfiUlaiC/
-+UGGfR+YblpK7CG+7/hvTXtUsMw+OppoeH9z87rhOJMxtiC7XwU5rhEmab/1f1XM/
-+nLoZrfDAcTbDywoeu826SJ3mifajq7oK3LDdNLjWZwfEsCO1qp2C4gLvBlOOKsWO
-+LNby6ByxCOPlCTa0UCaVuoNclYol71jyi17KW+Nk0nNe9yaVcyr6H0z3bImfJhbS
-+u4rzI93nAgMBAAECggEBAOIPOJRTpGaH7GpCYUpLK0g/hPFkF5EyEWg/1lSYzRIp
-++RsX6zOS+zkiNHEv1jkeKNo7XDiHXM7U6RkQtdkZAQdk9PjM3sEUdm4CEnIjfmzA
-+p/R8TD0kxkNLIkhuFH2gd05y3ZHDS/XiFkAE9eOT0FrC7om6ESD7ZfFIWR18pncW
-+ZGq7tFAZZRmpkum2D+MJy1gWxIXBxt5madTEpRxQd56toEnfx372F0y4zkcX3pnE
-+4H6FaJUBjdvKl2QzF5c0jBqgxMRvWP5YfNu8+dmaQORPkpzSptOPmZM9VKV+tJVS
-+1xnOI6DtrnNZRojegR/E6KhNyiPTYy97UgYzdKS+SSECgYEA+wgSIqrfkeqqotJx
-+cGxF4x9v/ldKr5hlhJNoKXLkepkcrvhhxfHKgjWz1nZY/+Rpg42GFMvxWRrGTMIJ
-+ddiOr24p0HCkusWRMKQL7XxvuHDq0ro8SGqXzqWGuH31R+YNP8dy2pqd3OlwzTgg
-+8v0wwzx8AuyP5Ys4M20Ewv7Xuy0CgYEA9DSGMU8jmjxJ/uPDCXWOEAqtE78wTtIw
-+uMBv+ge0inc37xf+fN6D/ziTrJvgw/XyT15pmQdOlXx3Sg1h9XBZeIlaeCdFWrFB
-+oYrVsiuoXRswfkFwA0yOkCsHyGiI4TE0W1rGbqP158IjwXPczBswWI7i/D6LpINL
-+BD7YYpfHmeMCgYB08AiKr7Cf54H/gSqo5TcVGzLvdzhqXgKEZKp0DHpUhfivpTLe
-+o8jjKSMSN2U0JvHj/0xDdGO4YMYhJcll3C4VggSejaybpA46WJJCdt9PtSUv36P
-+eWAoOkFstfhJuufXGxDstnPtUa1jW881gi5x9D4MmqhZlKXkhtdeApr6LQKBgQDd
-+ItsJt9JTjpirGfC5lhwI5sIICa9jEO9RveEoluWkJYUfG6k1xgHdkYwYWCdXDFZa
-+DPKuwnEk6MrU4f181joO7sJf35/sGmuGL0SHzQTvGvn0uqkGM8M9RdoMXqzkzzvM
-+Jg1ej1bUgXcDbTnaEhzbdLiTFsg5NzMtKwOjdDIpZQKBgEIHeJIqiGjYgf7mUlX2
-+vNWgFNlzApkFSCQ8TkzkDOjtCdSHfdRDJ6+q8cS2TSQ7QPoAlI1woS0G48TNbVSo
-+wD0jNVRTdpA6R5FPsg09ohB/caSn0zlGVha2GS08ceYrn7nn4PSZ/UIYTm3pjUlV
-+H5tvHv0gG2C5vy3tIYQtSQCk
-+-----END PRIVATE KEY----
-diff --git a/src/cpp/common/tls_certificate_provider.cc b/src/cpp/common/tls_certificate_provider.cc
-index b94a807bfd..750c3760b5 100644
---- a/src/cpp/common/tls_certificate_provider.cc
-+++ b/src/cpp/common/tls_certificate_provider.cc
-@@ -24,6 +24,8 @@
- #include <grpc/support/log.h>
- #include <grpcpp/security/tls_certificate_provider.h>
-
-+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
-+
- namespace grpc {
- namespace experimental {
-
-@@ -45,6 +47,13 @@ StaticDataCertificateProvider::~StaticDataCertificateProvider() {
- grpc_tls_certificate_provider_release(c_provider_);
- };
-
-+absl::Status StaticDataCertificateProvider::ValidateCredentials() const {
-+ auto* provider =
-+ grpc_core::DownCast<grpc_core::StaticDataCertificateProvider*>(
-+ c_provider_);
-+ return provider->ValidateCredentials();
-+}
-+
- FileWatcherCertificateProvider::FileWatcherCertificateProvider(
- const std::string& private_key_path,
- const std::string& identity_certificate_path,
-@@ -59,5 +68,12 @@ FileWatcherCertificateProvider::~FileWatcherCertificateProvider() {
- grpc_tls_certificate_provider_release(c_provider_);
- };
-
-+absl::Status FileWatcherCertificateProvider::ValidateCredentials() const {
-+ auto* provider =
-+ grpc_core::DownCast<grpc_core::FileWatcherCertificateProvider*>(
-+ c_provider_);
-+ return provider->ValidateCredentials();
-+}
-+
- } // namespace experimental
- } // namespace grpc
-diff --git a/test/core/security/BUILD b/test/core/security/BUILD
-index 4fec75a477..fa75e4d532 100644
---- a/test/core/security/BUILD
-+++ b/test/core/security/BUILD
-@@ -436,6 +436,8 @@ grpc_cc_test(
- srcs = ["grpc_tls_certificate_provider_test.cc"],
- data = [
- "//src/core/tsi/test_creds:ca.pem",
-+ "//src/core/tsi/test_creds:malformed-cert.pem",
-+ "//src/core/tsi/test_creds:malformed-key.pem",
- "//src/core/tsi/test_creds:multi-domain.key",
- "//src/core/tsi/test_creds:multi-domain.pem",
- "//src/core/tsi/test_creds:server0.key",
-diff --git a/test/core/security/grpc_tls_certificate_provider_test.cc b/test/core/security/grpc_tls_certificate_provider_test.cc
-index ed0621fef7..0c5b7b8feb 100644
---- a/test/core/security/grpc_tls_certificate_provider_test.cc
-+++ b/test/core/security/grpc_tls_certificate_provider_test.cc
-@@ -23,6 +23,7 @@
- #include <gtest/gtest.h>
-
- #include "absl/log/check.h"
-+#include "absl/status/status.h"
-
- #include <grpc/support/alloc.h>
- #include <grpc/support/log.h>
-@@ -41,6 +42,8 @@
- #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
- #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
- #define INVALID_PATH "invalid/path"
-+#define MALFORMED_CERT_PATH "src/core/tsi/test_creds/malformed-cert.pem"
-+#define MALFORMED_KEY_PATH "src/core/tsi/test_creds/malformed-key.pem"
-
- namespace grpc_core {
-
-@@ -163,6 +166,8 @@ class GrpcTlsCertificateProviderTest : public ::testing::Test {
- root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
- cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
- private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
-+ malformed_cert_ = GetFileContents(MALFORMED_CERT_PATH);
-+ malformed_key_ = GetFileContents(MALFORMED_KEY_PATH);
- }
-
- WatcherState* MakeWatcher(
-@@ -196,6 +201,8 @@ class GrpcTlsCertificateProviderTest : public ::testing::Test {
- std::string root_cert_2_;
- std::string private_key_2_;
- std::string cert_chain_2_;
-+ std::string malformed_cert_;
-+ std::string malformed_key_;
- RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
- // Use a std::list<> here to avoid the address invalidation caused by internal
- // reallocation of std::vector<>.
-@@ -231,6 +238,40 @@ TEST_F(GrpcTlsCertificateProviderTest, StaticDataCertificateProviderCreation) {
- CancelWatch(watcher_state_3);
- }
-
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ StaticDataCertificateProviderWithGoodPathsAndCredentialValidation) {
-+ StaticDataCertificateProvider provider(
-+ root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
-+ EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ StaticDataCertificateProviderWithMalformedRootCertificate) {
-+ StaticDataCertificateProvider provider(
-+ malformed_cert_,
-+ MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ StaticDataCertificateProviderWithMalformedIdentityCertificate) {
-+ StaticDataCertificateProvider provider(
-+ root_cert_,
-+ MakeCertKeyPairs(private_key_.c_str(), malformed_cert_.c_str()));
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ StaticDataCertificateProviderWithMalformedIdentityKey) {
-+ StaticDataCertificateProvider provider(
-+ root_cert_,
-+ MakeCertKeyPairs(malformed_key_.c_str(), cert_chain_.c_str()));
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::NotFoundError("No private key found."));
-+}
-+
- TEST_F(GrpcTlsCertificateProviderTest,
- FileWatcherCertificateProviderWithGoodPaths) {
- FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
-@@ -259,6 +300,37 @@ TEST_F(GrpcTlsCertificateProviderTest,
- CancelWatch(watcher_state_3);
- }
-
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ FileWatcherCertificateProviderWithGoodPathsAndCredentialValidation) {
-+ FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
-+ CA_CERT_PATH, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ FileWatcherCertificateProviderWithMalformedRootCertificate) {
-+ FileWatcherCertificateProvider provider(SERVER_KEY_PATH_2, SERVER_CERT_PATH_2,
-+ MALFORMED_CERT_PATH, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ FileWatcherCertificateProviderWithMalformedIdentityCertificate) {
-+ FileWatcherCertificateProvider provider(
-+ SERVER_KEY_PATH_2, MALFORMED_CERT_PATH, CA_CERT_PATH_2, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
-+TEST_F(GrpcTlsCertificateProviderTest,
-+ FileWatcherCertificateProviderWithMalformedIdentityKey) {
-+ FileWatcherCertificateProvider provider(
-+ MALFORMED_KEY_PATH, SERVER_CERT_PATH_2, CA_CERT_PATH_2, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::NotFoundError("No private key found."));
-+}
-+
- TEST_F(GrpcTlsCertificateProviderTest,
- FileWatcherCertificateProviderWithBadPaths) {
- FileWatcherCertificateProvider provider(INVALID_PATH, INVALID_PATH,
-diff --git a/test/cpp/server/BUILD b/test/cpp/server/BUILD
-index b65ec5c9e8..92423465fb 100644
---- a/test/cpp/server/BUILD
-+++ b/test/cpp/server/BUILD
-@@ -69,6 +69,8 @@ grpc_cc_test(
- srcs = ["credentials_test.cc"],
- data = [
- "//src/core/tsi/test_creds:ca.pem",
-+ "//src/core/tsi/test_creds:malformed-cert.pem",
-+ "//src/core/tsi/test_creds:malformed-key.pem",
- "//src/core/tsi/test_creds:server1.key",
- "//src/core/tsi/test_creds:server1.pem",
- ],
-diff --git a/test/cpp/server/credentials_test.cc b/test/cpp/server/credentials_test.cc
-index b5665c1555..32f14c3875 100644
---- a/test/cpp/server/credentials_test.cc
-+++ b/test/cpp/server/credentials_test.cc
-@@ -28,12 +28,14 @@
- #include <grpcpp/security/tls_crl_provider.h>
-
- #include "test/core/test_util/test_config.h"
-+#include "test/core/test_util/tls_utils.h"
- #include "test/cpp/util/tls_test_utils.h"
-
- #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
- #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
- #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
- #define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data/crls"
-+#define MALFORMED_CERT_PATH "src/core/tsi/test_creds/malformed-cert.pem"
-
- namespace {
-
-@@ -50,6 +52,7 @@ using ::grpc::experimental::NoOpCertificateVerifier;
- using ::grpc::experimental::StaticDataCertificateProvider;
- using ::grpc::experimental::TlsServerCredentials;
- using ::grpc::experimental::TlsServerCredentialsOptions;
-+using ::grpc_core::testing::GetFileContents;
-
- } // namespace
-
-@@ -116,6 +119,40 @@ TEST(
- CHECK_NE(server_credentials.get(), nullptr);
- }
-
-+TEST(CredentialsTest,
-+ StaticDataCertificateProviderValidationSuccessWithAllCredentials) {
-+ std::string root_certificates = GetFileContents(CA_CERT_PATH);
-+ experimental::IdentityKeyCertPair key_cert_pair;
-+ key_cert_pair.private_key = GetFileContents(SERVER_KEY_PATH);
-+ key_cert_pair.certificate_chain = GetFileContents(SERVER_CERT_PATH);
-+ StaticDataCertificateProvider provider(root_certificates, {key_cert_pair});
-+ EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
-+}
-+
-+TEST(CredentialsTest, StaticDataCertificateProviderWithMalformedRoot) {
-+ std::string root_certificates = GetFileContents(MALFORMED_CERT_PATH);
-+ experimental::IdentityKeyCertPair key_cert_pair;
-+ key_cert_pair.private_key = GetFileContents(SERVER_KEY_PATH);
-+ key_cert_pair.certificate_chain = GetFileContents(SERVER_CERT_PATH);
-+ StaticDataCertificateProvider provider(root_certificates, {key_cert_pair});
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
-+TEST(CredentialsTest,
-+ FileWatcherCertificateProviderValidationSuccessWithAllCredentials) {
-+ FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
-+ CA_CERT_PATH, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(), absl::OkStatus());
-+}
-+
-+TEST(CredentialsTest, FileWatcherCertificateProviderWithMalformedRoot) {
-+ FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
-+ MALFORMED_CERT_PATH, 1);
-+ EXPECT_EQ(provider.ValidateCredentials(),
-+ absl::FailedPreconditionError("Invalid PEM."));
-+}
-+
- TEST(CredentialsTest, TlsServerCredentialsWithCrlChecking) {
- auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
- SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
---
-2.47.0.rc1.288.g06298d1525-goog
-
diff --git a/recipes-devtools/grpc/grpc_1.66.1.bbappend b/recipes-devtools/grpc/grpc_1.66.1.bbappend
deleted file mode 100644
index c9b0d1b..0000000
--- a/recipes-devtools/grpc/grpc_1.66.1.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-FILESEXTRAPATHS:prepend:gbmc := "${THISDIR}/${PN}:"
-
-SRC_URI:append:gbmc = " \
- file://0001-tls-Add-ValidateCredentials-API-to-the-TLS-certifica.patch \
-"
diff --git a/recipes-devtools/grpc/grpc_1.66.1.bb b/recipes-devtools/grpc/grpc_1.68.0.bb
similarity index 97%
rename from recipes-devtools/grpc/grpc_1.66.1.bb
rename to recipes-devtools/grpc/grpc_1.68.0.bb
index 7968d63..caf355b 100644
--- a/recipes-devtools/grpc/grpc_1.66.1.bb
+++ b/recipes-devtools/grpc/grpc_1.68.0.bb
@@ -20,8 +20,8 @@
# RDEPENDS:${PN}-dev += "${PN}-compiler"
S = "${WORKDIR}/git"
-SRCREV_grpc = "e821cdc231bda9ee93139a6daab6311dd8953832"
-BRANCH = "v1.66.x"
+SRCREV_grpc = "6b49ae626bc9cd7033e062f89dbe0e0576b1110e"
+BRANCH = "v1.68.x"
SRC_URI = "gitsm://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \
file://0001-cmake-Link-with-libatomic-on-rv32-rv64.patch \
"
