
Example 16 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

The class SdsX509TrustManagerTest, method missingPeerCerts.

@Test
public void missingPeerCerts() {
    // A validation context that demands an exact SAN match; the point of the
    // test is that an absent peer chain is rejected before any matching runs.
    CertificateValidationContext validationContext =
        CertificateValidationContext.newBuilder()
            .addMatchSubjectAltNames(StringMatcher.newBuilder().setExact("foo.com").build())
            .build();
    trustManager = new SdsX509TrustManager(validationContext, mockDelegate);
    try {
        // null stands in for "no certificates presented by the peer"
        trustManager.verifySubjectAltNameInChain(null);
        fail("no exception thrown");
    } catch (CertificateException rejected) {
        // The failure must be reported as a CertificateException with this exact text.
        assertThat(rejected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
    }
}
Also used : StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher) CertificateException(java.security.cert.CertificateException) CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext) Test(org.junit.Test)

Example 17 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

The class CertProviderServerSslContextProviderTest, method testProviderForServer_sslContextException_onError.

@Test
public void testProviderForServer_sslContextException_onError() throws Exception {
    // A static validation context carrying an inline trusted CA; the provider under
    // test is expected to reject dynamically delivered roots on top of it.
    CertificateValidationContext staticValidationContext =
        CertificateValidationContext.newBuilder()
            .setTrustedCa(DataSource.newBuilder().setInlineString("foo"))
            .build();
    final CertificateProvider.DistributorWatcher[] watcherSlot =
        new CertificateProvider.DistributorWatcher[1];
    TestCertificateProvider.createAndRegisterProviderProvider(
        certificateProviderRegistry, watcherSlot, "testca", 0);
    CertProviderServerSslContextProvider provider =
        getSslContextProvider(
            /* certInstanceName= */ "gcp_id",
            /* rootInstanceName= */ "gcp_id",
            CommonBootstrapperTestUtils.getTestBootstrapInfo(),
            /* alpnProtocols= */ null,
            staticValidationContext,
            /* requireClientCert= */ true);
    // Deliver the identity cert first so only the root update is left to trigger the error.
    watcherSlot[0].updateCertificate(
        CommonCertProviderTestUtils.getPrivateKey(SERVER_0_KEY_FILE),
        ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
    TestCallback callback = new TestCallback(MoreExecutors.directExecutor());
    provider.addCallback(callback);
    try {
        watcherSlot[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CA_PEM_FILE)));
        fail("exception expected");
    } catch (RuntimeException rejected) {
        assertThat(rejected)
            .hasMessageThat()
            .contains("only static certificateValidationContext expected");
    }
    // The same failure must also be surfaced to the registered callback, wrapped as a cause.
    assertThat(callback.updatedThrowable).isNotNull();
    assertThat(callback.updatedThrowable)
        .hasCauseThat()
        .hasMessageThat()
        .contains("only static certificateValidationContext expected");
}
Also used : TestCallback(io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback) CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext) Test(org.junit.Test)

Example 18 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

The class CertProviderServerSslContextProviderTest, method testProviderForServer_mtls_newXds.

@Test
public void testProviderForServer_mtls_newXds() throws Exception {
    final CertificateProvider.DistributorWatcher[] watcherSlot =
        new CertificateProvider.DistributorWatcher[1];
    TestCertificateProvider.createAndRegisterProviderProvider(
        certificateProviderRegistry, watcherSlot, "testca", 0);
    // Static SAN matchers for the client side of the mTLS handshake.
    CertificateValidationContext staticValidationContext =
        CertificateValidationContext.newBuilder()
            .addAllMatchSubjectAltNames(
                Arrays.asList(
                    StringMatcher.newBuilder().setExact("foo.com").build(),
                    StringMatcher.newBuilder().setExact("bar.com").build()))
            .build();
    CertProviderServerSslContextProvider provider =
        getNewSslContextProvider(
            "gcp_id",
            "gcp_id",
            CommonBootstrapperTestUtils.getTestBootstrapInfo(),
            /* alpnProtocols= */ null,
            staticValidationContext,
            /* requireClientCert= */ true);
    // Nothing delivered yet: no material saved, no context built.
    assertNoSavedMaterialForMtlsNewXds(provider);
    assertThat(provider.getSslContext()).isNull();

    // Identity cert alone is held back until the roots arrive.
    watcherSlot[0].updateCertificate(
        CommonCertProviderTestUtils.getPrivateKey(SERVER_0_KEY_FILE),
        ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
    assertThat(provider.savedKey).isNotNull();
    assertThat(provider.savedCertChain).isNotNull();
    assertThat(provider.getSslContext()).isNull();

    // Roots complete the set: the context is built and the saved copies are released.
    watcherSlot[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CA_PEM_FILE)));
    assertThat(provider.getSslContext()).isNotNull();
    assertNoSavedMaterialForMtlsNewXds(provider);
    TestCallback firstCallback = CommonTlsContextTestsUtil.getValueThruCallback(provider);
    doChecksOnSslContext(true, firstCallback.updatedSslContext, /* expectedApnProtos= */ null);
    TestCallback laterCallback = CommonTlsContextTestsUtil.getValueThruCallback(provider);
    assertThat(laterCallback.updatedSslContext).isSameInstanceAs(firstCallback.updatedSslContext);

    // A root-only update is retained but does not rebuild the context.
    watcherSlot[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
    assertThat(provider.savedKey).isNull();
    assertThat(provider.savedCertChain).isNull();
    assertThat(provider.savedTrustedRoots).isNotNull();
    laterCallback = CommonTlsContextTestsUtil.getValueThruCallback(provider);
    assertThat(laterCallback.updatedSslContext).isSameInstanceAs(firstCallback.updatedSslContext);

    // A new identity cert rebuilds the context, so a different instance is handed out.
    watcherSlot[0].updateCertificate(
        CommonCertProviderTestUtils.getPrivateKey(SERVER_1_KEY_FILE),
        ImmutableList.of(getCertFromResourceName(SERVER_1_PEM_FILE)));
    assertNoSavedMaterialForMtlsNewXds(provider);
    assertThat(provider.getSslContext()).isNotNull();
    laterCallback = CommonTlsContextTestsUtil.getValueThruCallback(provider);
    assertThat(laterCallback.updatedSslContext).isNotSameInstanceAs(firstCallback.updatedSslContext);
}

/** Asserts that the provider holds no pending key, chain or roots. */
private static void assertNoSavedMaterialForMtlsNewXds(
    CertProviderServerSslContextProvider provider) {
    assertThat(provider.savedKey).isNull();
    assertThat(provider.savedCertChain).isNull();
    assertThat(provider.savedTrustedRoots).isNull();
}
Also used : TestCallback(io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback) CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext) Test(org.junit.Test)

Example 19 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

The class ClientSslContextProviderFactoryTest, method createCertProviderClientSslContextProvider_withStaticContext.

@Test
public void createCertProviderClientSslContextProvider_withStaticContext()
    throws XdsInitializationException {
    final CertificateProvider.DistributorWatcher[] watcherSlot =
        new CertificateProvider.DistributorWatcher[1];
    createAndRegisterProviderProvider(certificateProviderRegistry, watcherSlot, "testca", 0);
    // Static SAN matchers are supplied alongside the cert-provider instance names.
    CertificateValidationContext staticValidationContext =
        CertificateValidationContext.newBuilder()
            .addAllMatchSubjectAltNames(
                ImmutableSet.of(
                    StringMatcher.newBuilder().setExact("foo").build(),
                    StringMatcher.newBuilder().setExact("bar").build()))
            .build();
    UpstreamTlsContext upstreamTlsContext =
        CommonTlsContextTestsUtil.buildUpstreamTlsContextForCertProviderInstance(
            /* certInstanceName= */ null,
            /* certName= */ null,
            "gcp_id",
            "root-default",
            /* alpnProtocols= */ null,
            staticValidationContext);
    Bootstrapper.BootstrapInfo bootstrap = CommonBootstrapperTestUtils.getTestBootstrapInfo();
    clientSslContextProviderFactory =
        new ClientSslContextProviderFactory(bootstrap, certProviderClientSslContextProviderFactory);
    SslContextProvider created = clientSslContextProviderFactory.create(upstreamTlsContext);
    // The factory must pick the cert-provider backed implementation and wire the watcher.
    assertThat(created).isInstanceOf(CertProviderClientSslContextProvider.class);
    verifyWatcher(created, watcherSlot[0]);
}
Also used : Bootstrapper(io.grpc.xds.Bootstrapper) UpstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext) CertProviderClientSslContextProvider(io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider) CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext) Test(org.junit.Test)

Example 20 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

The class DynamicSslContextProvider, method updateSslContext.

/**
 * Rebuilds the {@link SslContext} from the current validation context and delivers it to every
 * pending callback. Invoked once the requested secrets are available.
 *
 * <p>The builder is assembled outside the lock; only {@code build()}, the publication of the new
 * {@code sslContext} field and the snapshot of pending callbacks happen while holding
 * {@code pendingCallbacks}, and the callbacks themselves run after the lock is released.
 *
 * @throws RuntimeException wrapping any failure from context generation or building; the same
 *     failure is first reported through {@link #onError} so watchers observe it too
 */
protected final void updateSslContext() {
    try {
        CertificateValidationContext validationContext = generateCertificateValidationContext();
        SslContextBuilder builder = getSslContextBuilder(validationContext);
        CommonTlsContext tlsContext = getCommonTlsContext();
        boolean hasAlpn = tlsContext != null && tlsContext.getAlpnProtocolsCount() > 0;
        if (hasAlpn) {
            // Advertise the configured ALPN list; an unknown selection is tolerated rather than fatal.
            builder.applicationProtocolConfig(
                new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    tlsContext.getAlpnProtocolsList()));
        }
        SslContext freshContext;
        List<Callback> callbacksToRun;
        synchronized (pendingCallbacks) {
            sslContext = builder.build();
            freshContext = sslContext;
            callbacksToRun = clonePendingCallbacksAndClear();
        }
        // Never invoke alien callback code while holding the lock.
        makePendingCallbacks(freshContext, callbacksToRun);
    } catch (Exception e) {
        // Report first so registered watchers learn of the failure, then propagate it.
        onError(Status.fromThrowable(e));
        throw new RuntimeException(e);
    }
}
Also used : SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) CommonTlsContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) CertStoreException(java.security.cert.CertStoreException) CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext) ApplicationProtocolConfig(io.netty.handler.ssl.ApplicationProtocolConfig) SslContext(io.netty.handler.ssl.SslContext)

Aggregations

CertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)45 Test (org.junit.Test)40 X509Certificate (java.security.cert.X509Certificate)30 StringMatcher (io.envoyproxy.envoy.type.matcher.v3.StringMatcher)27 CertificateException (java.security.cert.CertificateException)15 Bootstrapper (io.grpc.xds.Bootstrapper)5 CommonTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext)3 CombinedCertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext)3 UpstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext)3 CertProviderClientSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider)3 TestCallback (io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback)3 CertificateProviderInstance (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance)2 DownstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext)2 CertProviderServerSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider)2 VisibleForTesting (com.google.common.annotations.VisibleForTesting)1 CertificateProviderPluginInstance (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance)1 TlsCertificate (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate)1 ApplicationProtocolConfig (io.netty.handler.ssl.ApplicationProtocolConfig)1 SslContext (io.netty.handler.ssl.SslContext)1 SslContextBuilder (io.netty.handler.ssl.SslContextBuilder)1