Example 26 with CertificateValidationContext
use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.
the class SdsX509TrustManagerTest method oneIpAddressInPeerCertsVerifies.
@Test
public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
StringMatcher stringMatcher = StringMatcher.newBuilder().setExact("x.foo.com").build();
StringMatcher stringMatcher1 = StringMatcher.newBuilder().setExact("192.168.1.3").build();
CertificateValidationContext certContext = CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).addMatchSubjectAltNames(stringMatcher1).build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs = CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
Also used :
StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher)
X509Certificate(java.security.cert.X509Certificate)
CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)
Test(org.junit.Test)
Example 27 with CertificateValidationContext
use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.
the class SdsX509TrustManagerTest method oneSanInPeerCertsPrefix_differentCase_expectException.
@Test
public void oneSanInPeerCertsPrefix_differentCase_expectException() throws CertificateException, IOException {
StringMatcher stringMatcher = StringMatcher.newBuilder().setPrefix("waterZooi.").setIgnoreCase(false).build();
CertificateValidationContext certContext = CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs = CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
Also used :
StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)
Test(org.junit.Test)
Example 28 with CertificateValidationContext
use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.
the class SdsX509TrustManagerTest method oneSanInPeerCertsVerifies_differentCase_expectException.
@Test
public void oneSanInPeerCertsVerifies_differentCase_expectException() throws CertificateException, IOException {
StringMatcher stringMatcher = StringMatcher.newBuilder().setExact("waterZooi.test.Google.be").setIgnoreCase(false).build();
CertificateValidationContext certContext = CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs = CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
Also used :
StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)
Test(org.junit.Test)
Example 29 with CertificateValidationContext
use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.
the class SdsX509TrustManagerTest method oneSanInPeerCerts_safeRegex_noMatch.
@Test
public void oneSanInPeerCerts_safeRegex_noMatch() throws CertificateException, IOException {
StringMatcher stringMatcher = StringMatcher.newBuilder().setSafeRegex(RegexMatcher.newBuilder().setRegex("water[[:alpha:]]{2}ooi\\.test\\.google\\.be")).build();
CertificateValidationContext certContext = CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs = CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
Also used :
StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)
Test(org.junit.Test)
Example 30 with CertificateValidationContext
use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.
the class SdsX509TrustManagerTest method oneSanInPeerCerts_suffix.
@Test
public void oneSanInPeerCerts_suffix() throws CertificateException, IOException {
StringMatcher stringMatcher = StringMatcher.newBuilder().setSuffix(".google.be").setIgnoreCase(false).build();
CertificateValidationContext certContext = CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs = CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
Also used :
StringMatcher(io.envoyproxy.envoy.type.matcher.v3.StringMatcher)
X509Certificate(java.security.cert.X509Certificate)
CertificateValidationContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)
Test(org.junit.Test)
Aggregations
CertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext)45
Test (org.junit.Test)40
X509Certificate (java.security.cert.X509Certificate)30
StringMatcher (io.envoyproxy.envoy.type.matcher.v3.StringMatcher)27
CertificateException (java.security.cert.CertificateException)15
Bootstrapper (io.grpc.xds.Bootstrapper)5
CommonTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext)3
CombinedCertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext)3
UpstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext)3
CertProviderClientSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider)3
TestCallback (io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback)3
CertificateProviderInstance (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance)2
DownstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext)2
CertProviderServerSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider)2
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
CertificateProviderPluginInstance (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance)1
TlsCertificate (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate)1
ApplicationProtocolConfig (io.netty.handler.ssl.ApplicationProtocolConfig)1
SslContext (io.netty.handler.ssl.SslContext)1
SslContextBuilder (io.netty.handler.ssl.SslContextBuilder)1
