
Example 41 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

the class ClientSslContextProviderFactoryTest method createNewCertProviderClientSslContextProvider_onlyRootCert.

/**
 * Creating a client-side provider from an UpstreamTlsContext that configures only a root-cert
 * provider instance (no identity cert) must yield a CertProviderClientSslContextProvider that
 * registers exactly one distributor watcher, for the root certificate.
 */
@Test
public void createNewCertProviderClientSslContextProvider_onlyRootCert() {
    // One slot: only the root-cert provider ("testca") is registered, so only one watcher is expected.
    final CertificateProvider.DistributorWatcher[] rootWatcherSlot = new CertificateProvider.DistributorWatcher[1];
    createAndRegisterProviderProvider(certificateProviderRegistry, rootWatcherSlot, "testca", 0);
    StringMatcher fooSan = StringMatcher.newBuilder().setExact("foo").build();
    StringMatcher barSan = StringMatcher.newBuilder().setExact("bar").build();
    CertificateValidationContext sanOnlyValidationContext = CertificateValidationContext.newBuilder()
        .addAllMatchSubjectAltNames(ImmutableSet.of(fooSan, barSan))
        .build();
    // No identity cert instance or name; the root cert comes from the "gcp_id" instance.
    UpstreamTlsContext upstreamTlsContext = CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
        /* certInstanceName= */ null,
        /* certName= */ null,
        "gcp_id",
        "root-default",
        /* alpnProtocols= */ null,
        sanOnlyValidationContext);
    Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
    clientSslContextProviderFactory = new ClientSslContextProviderFactory(bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider created = clientSslContextProviderFactory.create(upstreamTlsContext);
    assertThat(created).isInstanceOf(CertProviderClientSslContextProvider.class);
    verifyWatcher(created, rootWatcherSlot[0]);
}

Example 42 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

the class ClientSslContextProviderFactoryTest method createNewCertProviderClientSslContextProvider_withSans.

/**
 * An UpstreamTlsContext that names both an identity-cert provider instance and a root-cert
 * provider instance, plus a static validation context with SAN matchers, must produce a
 * CertProviderClientSslContextProvider that registers a distributor watcher with each instance.
 */
@Test
public void createNewCertProviderClientSslContextProvider_withSans() {
    // Two slots: index 0 for the root-cert provider, index 1 for the identity-cert provider.
    final CertificateProvider.DistributorWatcher[] watcherSlots = new CertificateProvider.DistributorWatcher[2];
    createAndRegisterProviderProvider(certificateProviderRegistry, watcherSlots, "testca", 0);
    createAndRegisterProviderProvider(certificateProviderRegistry, watcherSlots, "file_watcher", 1);
    StringMatcher fooSan = StringMatcher.newBuilder().setExact("foo").build();
    StringMatcher barSan = StringMatcher.newBuilder().setExact("bar").build();
    CertificateValidationContext sanValidationContext = CertificateValidationContext.newBuilder()
        .addAllMatchSubjectAltNames(ImmutableSet.of(fooSan, barSan))
        .build();
    UpstreamTlsContext upstreamTlsContext = CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
        "gcp_id",
        "cert-default",
        "file_provider",
        "root-default",
        /* alpnProtocols= */ null,
        sanValidationContext);
    Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
    clientSslContextProviderFactory = new ClientSslContextProviderFactory(bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider created = clientSslContextProviderFactory.create(upstreamTlsContext);
    assertThat(created).isInstanceOf(CertProviderClientSslContextProvider.class);
    // Both provider instances must have been subscribed to.
    for (CertificateProvider.DistributorWatcher watcher : watcherSlots) {
        verifyWatcher(created, watcher);
    }
}

Example 43 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

the class ClientSslContextProviderFactoryTest method addFilenames.

/**
 * Attaches file-backed identity and trust material to a {@code CommonTlsContext} builder.
 *
 * <p>The identity cert (chain + private key) is appended to {@code tls_certificates}; the trust CA
 * is placed in the {@code default_validation_context} of a {@code combined_validation_context},
 * alongside whatever {@code validation_context_certificate_provider_instance} the builder already
 * carries. Uses the deprecated combined/provider-instance fields on purpose (test fixture).
 *
 * @param builder the builder to extend; it is mutated and returned
 * @param certChain path of the certificate-chain file
 * @param privateKey path of the private-key file
 * @param trustCa path of the trusted-CA file
 * @return the same builder, with the certificate and combined validation context set
 */
@SuppressWarnings("deprecation")
static CommonTlsContext.Builder addFilenames(CommonTlsContext.Builder builder, String certChain, String privateKey, String trustCa) {
    DataSource.Builder chainSource = DataSource.newBuilder().setFilename(certChain);
    DataSource.Builder keySource = DataSource.newBuilder().setFilename(privateKey);
    DataSource.Builder caSource = DataSource.newBuilder().setFilename(trustCa);
    TlsCertificate identityCert = TlsCertificate.newBuilder()
        .setCertificateChain(chainSource)
        .setPrivateKey(keySource)
        .build();
    CertificateValidationContext fileBackedTrust = CertificateValidationContext.newBuilder()
        .setTrustedCa(caSource)
        .build();
    // Keep the provider instance the caller may already have configured on the builder.
    CommonTlsContext.CombinedCertificateValidationContext combined =
        CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
            .setDefaultValidationContext(fileBackedTrust)
            .setValidationContextCertificateProviderInstance(builder.getValidationContextCertificateProviderInstance())
            .build();
    return builder.addTlsCertificates(identityCert).setCombinedValidationContext(combined);
}

Example 44 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

the class CommonTlsContextTestsUtil method addNewCertificateValidationContext.

/**
 * Sets a {@code validation_context} whose CA comes from a certificate-provider plugin instance.
 *
 * <p>When {@code rootInstanceName} is null the builder is returned unchanged. Otherwise a
 * {@code CertificateProviderPluginInstance} is built from the instance and certificate names and
 * stored as {@code ca_certificate_provider_instance}; any other fields come from
 * {@code staticCertValidationContext} when one is supplied.
 *
 * @param builder the builder to extend; mutated and returned
 * @param rootInstanceName provider instance name for the root CA, or null to skip
 * @param rootCertName certificate name within that instance (passed straight to the proto)
 * @param staticCertValidationContext base validation context to copy, or null for an empty one
 * @return the same builder
 */
private static CommonTlsContext.Builder addNewCertificateValidationContext(CommonTlsContext.Builder builder, String rootInstanceName, String rootCertName, CertificateValidationContext staticCertValidationContext) {
    if (rootInstanceName == null) {
        // Nothing to attach.
        return builder;
    }
    CertificateProviderPluginInstance rootProvider = CertificateProviderPluginInstance.newBuilder()
        .setInstanceName(rootInstanceName)
        .setCertificateName(rootCertName)
        .build();
    CertificateValidationContext.Builder validationContext;
    if (staticCertValidationContext == null) {
        validationContext = CertificateValidationContext.newBuilder();
    } else {
        // Start from the caller's static context so its matchers etc. are preserved.
        validationContext = staticCertValidationContext.toBuilder();
    }
    validationContext.setCaCertificateProviderInstance(rootProvider);
    return builder.setValidationContext(validationContext);
}

Example 45 with CertificateValidationContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext in project grpc-java by grpc.

the class ClientXdsClient method validateCommonTlsContext.

/**
 * Rejects a {@code CommonTlsContext} that uses a feature this implementation does not support, or
 * that refers to a certificate-provider instance not declared in the bootstrap.
 *
 * <p>Checks run in a fixed order and the first failure wins:
 * <ol>
 *   <li>unsupported top-level fields (custom_handshaker, tls_params, the SDS / legacy
 *       validation-context provider fields);</li>
 *   <li>identity certificate: a server must name a {@code tls_certificate_provider_instance};
 *       a client may omit it only if no other certificate source is set; a named instance must
 *       exist in {@code certProviderInstances};</li>
 *   <li>root CA: a client must name a {@code ca_certificate_provider_instance}; a named instance
 *       must exist in {@code certProviderInstances}, and the default validation context (if any)
 *       may not use SAN matching on the server side nor SPKI/hash pinning, SCT, CRL or a custom
 *       validator.</li>
 * </ol>
 * Note that a server without a root CA instance returns without inspecting any validation
 * context it may carry.
 *
 * @param commonTlsContext the context to validate
 * @param certProviderInstances names of provider instances declared in the bootstrap; null is
 *     treated as "none declared"
 * @param server true for a downstream (server) context, false for upstream (client)
 * @throws ResourceInvalidException describing the first violated rule
 */
@VisibleForTesting
static void validateCommonTlsContext(CommonTlsContext commonTlsContext, Set<String> certProviderInstances, boolean server) throws ResourceInvalidException {
    rejectUnsupportedTopLevelFields(commonTlsContext);

    String identityInstanceName = getIdentityCertInstanceName(commonTlsContext);
    if (identityInstanceName == null) {
        if (server) {
            throw new ResourceInvalidException("tls_certificate_provider_instance is required in downstream-tls-context");
        }
        // Client side: an identity cert is optional, but it must not come from any other source.
        boolean otherIdentitySourceSet = commonTlsContext.getTlsCertificatesCount() > 0
            || commonTlsContext.getTlsCertificateSdsSecretConfigsCount() > 0
            || commonTlsContext.hasTlsCertificateCertificateProvider();
        if (otherIdentitySourceSet) {
            throw new ResourceInvalidException("tls_certificate_provider_instance is unset");
        }
    } else if (!isDeclaredInBootstrap(identityInstanceName, certProviderInstances)) {
        throw new ResourceInvalidException("CertificateProvider instance name '" + identityInstanceName + "' not defined in the bootstrap file.");
    }

    String rootInstanceName = getRootCertInstanceName(commonTlsContext);
    if (rootInstanceName == null) {
        if (!server) {
            throw new ResourceInvalidException("ca_certificate_provider_instance is required in upstream-tls-context");
        }
        // Server without a root CA: no peer-cert validation is configured, nothing more to check.
        return;
    }
    if (!isDeclaredInBootstrap(rootInstanceName, certProviderInstances)) {
        throw new ResourceInvalidException("ca_certificate_provider_instance name '" + rootInstanceName + "' not defined in the bootstrap file.");
    }
    CertificateValidationContext defaultValidationContext = selectDefaultValidationContext(commonTlsContext);
    if (defaultValidationContext != null) {
        rejectUnsupportedValidationContextFields(defaultValidationContext, server);
    }
}

/** Throws for any top-level CommonTlsContext field that is not supported. */
private static void rejectUnsupportedTopLevelFields(CommonTlsContext commonTlsContext) throws ResourceInvalidException {
    if (commonTlsContext.hasCustomHandshaker()) {
        throw new ResourceInvalidException("common-tls-context with custom_handshaker is not supported");
    }
    if (commonTlsContext.hasTlsParams()) {
        throw new ResourceInvalidException("common-tls-context with tls_params is not supported");
    }
    if (commonTlsContext.hasValidationContextSdsSecretConfig()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_sds_secret_config is not supported");
    }
    if (commonTlsContext.hasValidationContextCertificateProvider()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_certificate_provider is not supported");
    }
    if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_certificate_provider_instance is not supported");
    }
}

/** True when {@code instanceName} is one of the bootstrap-declared instances (null set = none). */
private static boolean isDeclaredInBootstrap(String instanceName, Set<String> certProviderInstances) {
    return certProviderInstances != null && certProviderInstances.contains(instanceName);
}

/**
 * Picks the validation context to inspect: {@code validation_context} if set, else the
 * {@code default_validation_context} inside {@code combined_validation_context}, else null.
 */
private static CertificateValidationContext selectDefaultValidationContext(CommonTlsContext commonTlsContext) {
    if (commonTlsContext.hasValidationContext()) {
        return commonTlsContext.getValidationContext();
    }
    if (commonTlsContext.hasCombinedValidationContext()
        && commonTlsContext.getCombinedValidationContext().hasDefaultValidationContext()) {
        return commonTlsContext.getCombinedValidationContext().getDefaultValidationContext();
    }
    return null;
}

/**
 * Throws for validation-context features that are not implemented, or for SAN matching on the
 * server side (it is only meaningful when verifying an upstream peer).
 */
private static void rejectUnsupportedValidationContextFields(CertificateValidationContext validationContext, boolean server) throws ResourceInvalidException {
    if (validationContext.getMatchSubjectAltNamesCount() > 0 && server) {
        throw new ResourceInvalidException("match_subject_alt_names only allowed in upstream_tls_context");
    }
    if (validationContext.getVerifyCertificateSpkiCount() > 0) {
        throw new ResourceInvalidException("verify_certificate_spki in default_validation_context is not supported");
    }
    if (validationContext.getVerifyCertificateHashCount() > 0) {
        throw new ResourceInvalidException("verify_certificate_hash in default_validation_context is not supported");
    }
    if (validationContext.hasRequireSignedCertificateTimestamp()) {
        throw new ResourceInvalidException("require_signed_certificate_timestamp in default_validation_context is not supported");
    }
    if (validationContext.hasCrl()) {
        throw new ResourceInvalidException("crl in default_validation_context is not supported");
    }
    if (validationContext.hasCustomValidatorConfig()) {
        throw new ResourceInvalidException("custom_validator_config in default_validation_context is not supported");
    }
}
