[Security][XDS] Support Verification with SPIFFE Bundle Maps (grpc#40321)

This PR adds APIs discussed in grpc/proposal#506 and https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md to support verification with SPIFFE Bundle Map roots.

RELEASE NOTES:
* Adds support for SPIFFE Bundle Maps in as roots of trust per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) and [gRFC L127](grpc/proposal#506)

Closes grpc#40321

COPYBARA_INTEGRATE_REVIEW=grpc#40321 from gtcooke94:spiffe_verification 6ddc24e
PiperOrigin-RevId: 793688101

Author: gtcooke94

CMakeLists.txt

@@ -656,14 +656,20 @@ grpc_tls_certificate_provider_static_data_create(
  *   be null if no identity credentials are needed.
  * - root_cert_path is the file path to the root certificate bundle. This
  *   may be null if no root certs are needed.
+ * - spiffe_bundle_map_path is the file path to the SPIFFE Bundle Map. If
+ * configured, this will be used to find the roots of trust for a given SPIFFE
+ * domain during verification. See
+ *   https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md for
+ * more details on SPIFFE verification.
  * - refresh_interval_sec is the refreshing interval that we will check the
  *   files for updates.
  * It does not take ownership of parameters.
  */
 GRPCAPI grpc_tls_certificate_provider*
 grpc_tls_certificate_provider_file_watcher_create(
     const char* private_key_path, const char* identity_certificate_path,
-    const char* root_cert_path, unsigned int refresh_interval_sec);
+    const char* root_cert_path, const char* spiffe_bundle_map_path,
+    unsigned int refresh_interval_sec);
 
 /**
  * EXPERIMENTAL API - Subject to change

build_autogenerated.yaml

@@ -109,19 +109,27 @@ class GRPCXX_DLL FileWatcherCertificateProvider final
   FileWatcherCertificateProvider(const std::string& private_key_path,
                                  const std::string& identity_certificate_path,
                                  const std::string& root_cert_path,
+                                 const std::string& spiffe_bundle_map_path,
                                  unsigned int refresh_interval_sec);
   // Constructor to get credential updates from identity file paths only.
   FileWatcherCertificateProvider(const std::string& private_key_path,
                                  const std::string& identity_certificate_path,
                                  unsigned int refresh_interval_sec)
       : FileWatcherCertificateProvider(private_key_path,
-                                       identity_certificate_path, "",
+                                       identity_certificate_path, "", "",
                                        refresh_interval_sec) {}
   // Constructor to get credential updates from root file path only.
   FileWatcherCertificateProvider(const std::string& root_cert_path,
                                  unsigned int refresh_interval_sec)
-      : FileWatcherCertificateProvider("", "", root_cert_path,
+      : FileWatcherCertificateProvider("", "", root_cert_path, "",
                                        refresh_interval_sec) {}
+  FileWatcherCertificateProvider(const std::string& private_key_path,
+                                 const std::string& identity_certificate_path,
+                                 const std::string& root_cert_path,
+                                 unsigned int refresh_interval_sec)
+      : FileWatcherCertificateProvider(
+            private_key_path, identity_certificate_path, root_cert_path, "",
+            refresh_interval_sec) {}
 
   ~FileWatcherCertificateProvider() override;
 

include/grpc/credentials.h

@@ -509,17 +509,18 @@ grpc_tls_certificate_provider* grpc_tls_certificate_provider_static_data_create(
       std::move(root_cert_core), std::move(identity_pairs_core));
 }
 
-// TODO(gtcooke94): Add a parameter to set the spiffe_bundle_map_path
 grpc_tls_certificate_provider*
 grpc_tls_certificate_provider_file_watcher_create(
     const char* private_key_path, const char* identity_certificate_path,
-    const char* root_cert_path, unsigned int refresh_interval_sec) {
+    const char* root_cert_path, const char* spiffe_bundle_map_path,
+    unsigned int refresh_interval_sec) {
   grpc_core::ExecCtx exec_ctx;
   return new grpc_core::FileWatcherCertificateProvider(
       private_key_path == nullptr ? "" : private_key_path,
       identity_certificate_path == nullptr ? "" : identity_certificate_path,
       root_cert_path == nullptr ? "" : root_cert_path,
-      /*spiffe_bundle_map_path=*/"", refresh_interval_sec);
+      spiffe_bundle_map_path == nullptr ? "" : spiffe_bundle_map_path,
+      refresh_interval_sec);
 }
 
 void grpc_tls_certificate_provider_release(