
Example 26 with CommonTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext in project grpc-java by grpc.

From the class ClientXdsClientDataTest, method validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile.

@Test
@SuppressWarnings("deprecation")
public void validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile() throws ResourceInvalidException {
    // A root-CA provider instance whose name is not among the bootstrap-defined instances passed below.
    // The field set here (validation_context_certificate_provider_instance inside the combined context)
    // is deprecated in the envoy proto, hence the deprecation suppression on this test.
    CertificateProviderInstance undefinedInstance = CertificateProviderInstance.newBuilder()
            .setInstanceName("bad-name")
            .build();
    CommonTlsContext.CombinedCertificateValidationContext combinedContext =
            CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
                    .setValidationContextCertificateProviderInstance(undefinedInstance)
                    .build();
    CommonTlsContext tlsContext = CommonTlsContext.newBuilder()
            .setCombinedValidationContext(combinedContext)
            .build();
    // Validation must fail closed: an unknown provider name is rejected rather than ignored.
    thrown.expect(ResourceInvalidException.class);
    thrown.expectMessage("ca_certificate_provider_instance name 'bad-name' not defined in the bootstrap file.");
    // server=false: validating as an upstream (client-side) TLS context.
    ClientXdsClient.validateCommonTlsContext(tlsContext, ImmutableSet.of("name1", "name2"), false);
}

Example 27 with CommonTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext in project grpc-java by grpc.

From the class DynamicSslContextProvider, method updateSslContext.

// this gets called only when requested secrets are ready...
/**
 * Builds a fresh {@link SslContext} from the now-available secrets and delivers it to every
 * pending callback.
 *
 * <p>The certificate validation context and the builder come from the hooks
 * {@code generateCertificateValidationContext()} and {@code getSslContextBuilder(...)}. When the
 * {@link CommonTlsContext} is present and lists ALPN protocols, they are advertised through an
 * {@link ApplicationProtocolConfig}. The built context is published to the {@code sslContext}
 * field and the pending-callback list is swapped out while holding the {@code pendingCallbacks}
 * monitor; the callbacks themselves are invoked after the lock is released.
 *
 * <p>Any exception is first reported via {@code onError(Status)} and then rethrown wrapped in a
 * {@link RuntimeException}, so the caller sees the failure as well as the error listener.
 *
 * @throws RuntimeException wrapping whatever failed while building or publishing the context
 */
protected final void updateSslContext() {
    try {
        CertificateValidationContext validationContext = generateCertificateValidationContext();
        SslContextBuilder builder = getSslContextBuilder(validationContext);
        CommonTlsContext tlsContext = getCommonTlsContext();
        boolean advertiseAlpn = tlsContext != null && tlsContext.getAlpnProtocolsCount() > 0;
        if (advertiseAlpn) {
            // NO_ADVERTISE / ACCEPT: a peer that does not negotiate a listed protocol is still accepted.
            ApplicationProtocolConfig alpnConfig = new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    tlsContext.getAlpnProtocolsList());
            builder.applicationProtocolConfig(alpnConfig);
        }
        SslContext builtContext;
        List<Callback> callbacksToNotify;
        // Build and publish under the same lock that guards the pending-callback list so that a
        // callback registered concurrently either sees the new context or is captured in the copy.
        synchronized (pendingCallbacks) {
            sslContext = builder.build();
            builtContext = sslContext;
            callbacksToNotify = clonePendingCallbacksAndClear();
        }
        // Invoke callbacks outside the monitor; they are alien code and must not run under the lock.
        makePendingCallbacks(builtContext, callbacksToNotify);
    } catch (Exception e) {
        onError(Status.fromThrowable(e));
        throw new RuntimeException(e);
    }
}

Example 28 with CommonTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext in project grpc-java by grpc.

From the class ClientXdsClient, method validateCommonTlsContext.

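/**
 * Validates a {@link CommonTlsContext} received in an xDS TLS transport-socket config against what
 * this client implements and against the certificate-provider instances declared in the bootstrap.
 *
 * <p>This is the gate between control-plane supplied TLS configuration and the local TLS setup, so
 * it fails closed: every field that is not implemented is rejected with an exception rather than
 * silently ignored. The checks run in three groups: (1) fields that are unsupported in either
 * direction, (2) the identity (tls_certificate) provider instance, and (3) the root-CA
 * (ca_certificate) provider instance together with the default validation context.
 *
 * @param commonTlsContext the context to validate
 * @param certProviderInstances names of the certificate-provider instances defined in the bootstrap
 *     file; {@code null} is treated as "none defined"
 * @param server {@code true} when validating a downstream (server-side) TLS context, {@code false}
 *     for an upstream (client-side) one; a server must name an identity cert provider, a client
 *     must name a root-CA provider, and match_subject_alt_names is only accepted on the client
 * @throws ResourceInvalidException if any unsupported field is set or a referenced provider
 *     instance is not defined in the bootstrap file
 */
@VisibleForTesting
static void validateCommonTlsContext(CommonTlsContext commonTlsContext, Set<String> certProviderInstances, boolean server) throws ResourceInvalidException {
    rejectUnsupportedCommonTlsContextFields(commonTlsContext);
    validateIdentityCertProviderInstance(commonTlsContext, certProviderInstances, server);
    validateRootCertProviderInstance(commonTlsContext, certProviderInstances, server);
}

/** Rejects CommonTlsContext fields this client does not implement, regardless of direction. */
private static void rejectUnsupportedCommonTlsContextFields(CommonTlsContext commonTlsContext) throws ResourceInvalidException {
    if (commonTlsContext.hasCustomHandshaker()) {
        throw new ResourceInvalidException("common-tls-context with custom_handshaker is not supported");
    }
    if (commonTlsContext.hasTlsParams()) {
        throw new ResourceInvalidException("common-tls-context with tls_params is not supported");
    }
    if (commonTlsContext.hasValidationContextSdsSecretConfig()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_sds_secret_config is not supported");
    }
    if (commonTlsContext.hasValidationContextCertificateProvider()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_certificate_provider is not supported");
    }
    if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
        throw new ResourceInvalidException("common-tls-context with validation_context_certificate_provider_instance is not supported");
    }
}

/** Returns whether {@code instanceName} is one of the bootstrap-defined provider instances. */
private static boolean isDefinedInBootstrap(String instanceName, Set<String> certProviderInstances) {
    return certProviderInstances != null && certProviderInstances.contains(instanceName);
}

/**
 * Checks the identity-certificate provider instance: a server must have one, a client may omit it
 * only if no other (unsupported) identity-cert mechanism is configured, and a named instance must
 * exist in the bootstrap file.
 */
private static void validateIdentityCertProviderInstance(CommonTlsContext commonTlsContext, Set<String> certProviderInstances, boolean server) throws ResourceInvalidException {
    String certInstanceName = getIdentityCertInstanceName(commonTlsContext);
    if (certInstanceName != null) {
        if (!isDefinedInBootstrap(certInstanceName, certProviderInstances)) {
            throw new ResourceInvalidException("CertificateProvider instance name '" + certInstanceName + "' not defined in the bootstrap file.");
        }
        return;
    }
    if (server) {
        throw new ResourceInvalidException("tls_certificate_provider_instance is required in downstream-tls-context");
    }
    // A client without an identity cert is allowed, but only if the legacy/unsupported ways of
    // supplying one are not used either; otherwise the config would silently lose its cert.
    if (commonTlsContext.getTlsCertificatesCount() > 0) {
        throw new ResourceInvalidException("tls_certificate_provider_instance is unset");
    }
    if (commonTlsContext.getTlsCertificateSdsSecretConfigsCount() > 0) {
        throw new ResourceInvalidException("tls_certificate_provider_instance is unset");
    }
    if (commonTlsContext.hasTlsCertificateCertificateProvider()) {
        throw new ResourceInvalidException("tls_certificate_provider_instance is unset");
    }
}

/**
 * Checks the root-CA provider instance: a client must have one, a named instance must exist in the
 * bootstrap file, and when one is named the default validation context (if any) is validated.
 */
private static void validateRootCertProviderInstance(CommonTlsContext commonTlsContext, Set<String> certProviderInstances, boolean server) throws ResourceInvalidException {
    String rootCaInstanceName = getRootCertInstanceName(commonTlsContext);
    if (rootCaInstanceName == null) {
        if (!server) {
            throw new ResourceInvalidException("ca_certificate_provider_instance is required in upstream-tls-context");
        }
        return;
    }
    if (!isDefinedInBootstrap(rootCaInstanceName, certProviderInstances)) {
        throw new ResourceInvalidException("ca_certificate_provider_instance name '" + rootCaInstanceName + "' not defined in the bootstrap file.");
    }
    CertificateValidationContext defaultValidationContext = findDefaultValidationContext(commonTlsContext);
    if (defaultValidationContext != null) {
        validateDefaultValidationContext(defaultValidationContext, server);
    }
}

/**
 * Returns the validation context to check: the plain validation_context if set, else the
 * default_validation_context of a combined context, else {@code null}.
 */
private static CertificateValidationContext findDefaultValidationContext(CommonTlsContext commonTlsContext) {
    if (commonTlsContext.hasValidationContext()) {
        return commonTlsContext.getValidationContext();
    }
    if (commonTlsContext.hasCombinedValidationContext() && commonTlsContext.getCombinedValidationContext().hasDefaultValidationContext()) {
        return commonTlsContext.getCombinedValidationContext().getDefaultValidationContext();
    }
    return null;
}

/**
 * Rejects validation-context features that are not implemented (SPKI/hash pinning, SCT
 * requirement, CRL, custom validators) and match_subject_alt_names on the server side.
 */
private static void validateDefaultValidationContext(CertificateValidationContext certificateValidationContext, boolean server) throws ResourceInvalidException {
    if (certificateValidationContext.getMatchSubjectAltNamesCount() > 0 && server) {
        throw new ResourceInvalidException("match_subject_alt_names only allowed in upstream_tls_context");
    }
    if (certificateValidationContext.getVerifyCertificateSpkiCount() > 0) {
        throw new ResourceInvalidException("verify_certificate_spki in default_validation_context is not supported");
    }
    if (certificateValidationContext.getVerifyCertificateHashCount() > 0) {
        throw new ResourceInvalidException("verify_certificate_hash in default_validation_context is not supported");
    }
    if (certificateValidationContext.hasRequireSignedCertificateTimestamp()) {
        throw new ResourceInvalidException("require_signed_certificate_timestamp in default_validation_context is not supported");
    }
    if (certificateValidationContext.hasCrl()) {
        throw new ResourceInvalidException("crl in default_validation_context is not supported");
    }
    if (certificateValidationContext.hasCustomValidatorConfig()) {
        throw new ResourceInvalidException("custom_validator_config in default_validation_context is not supported");
    }
}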
