Example 11 with ServerCredentials

Use of io.grpc.ServerCredentials in the grpc-java project by grpc.

From class AdvancedTlsTest, method trustManagerCustomVerifierMutualTlsTest.

@Test
public void trustManagerCustomVerifierMutualTlsTest() throws Exception {
    AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
    serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
    // Set server's custom verification based on the information of clientCert0.
    // CERTIFICATE_ONLY_VERIFICATION validates the chain against the trust store but skips
    // host name checks, so the custom verifier below is what pins the expected client identity.
    AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {

        @Override
        public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
            if (peerCertChain == null || peerCertChain.length == 0) {
                throw new CertificateException("peerCertChain is empty");
            }
            X509Certificate leafCert = peerCertChain[0];
            if (!leafCert.getSubjectDN().getName().contains("testclient")) {
                throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
            }
        }

        @Override
        public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
            if (peerCertChain == null || peerCertChain.length == 0) {
                throw new CertificateException("peerCertChain is empty");
            }
            X509Certificate leafCert = peerCertChain[0];
            if (!leafCert.getSubjectDN().getName().contains("testclient")) {
                throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
            }
        }
    }).build();
    serverTrustManager.updateTrustCredentials(caCert);
    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
        .keyManager(serverKeyManager)
        .trustManager(serverTrustManager)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    server = Grpc.newServerBuilderForPort(0, serverCredentials)
        .addService(new SimpleServiceImpl())
        .build()
        .start();
    AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
    clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
    // Set client's custom verification based on the information of serverCert0.
    // With CERTIFICATE_ONLY_VERIFICATION there is no built-in host name check, so the
    // custom verifier is the only thing tying the server certificate to the expected name.
    AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {

        @Override
        public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
            if (peerCertChain == null || peerCertChain.length == 0) {
                throw new CertificateException("peerCertChain is empty");
            }
            X509Certificate leafCert = peerCertChain[0];
            if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
                throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
            }
        }

        @Override
        public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
            if (peerCertChain == null || peerCertChain.length == 0) {
                throw new CertificateException("peerCertChain is empty");
            }
            X509Certificate leafCert = peerCertChain[0];
            if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
                throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
            }
        }
    }).build();
    clientTrustManager.updateTrustCredentials(caCert);
    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
        .keyManager(clientKeyManager)
        .trustManager(clientTrustManager)
        .build();
    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
        .build();
    // Start the connection.
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
        client.unaryRpc(SimpleRequest.getDefaultInstance());
    } catch (StatusRuntimeException e) {
        // Print the trace before failing: fail() throws, so nothing after it would run.
        e.printStackTrace();
        fail("Failed to make a connection");
    }
}
Also used: AdvancedTlsX509KeyManager(io.grpc.util.AdvancedTlsX509KeyManager) SSLEngine(javax.net.ssl.SSLEngine) TlsServerCredentials(io.grpc.TlsServerCredentials) ServerCredentials(io.grpc.ServerCredentials) AdvancedTlsX509TrustManager(io.grpc.util.AdvancedTlsX509TrustManager) CertificateException(java.security.cert.CertificateException) SimpleServiceGrpc(io.grpc.testing.protobuf.SimpleServiceGrpc) X509Certificate(java.security.cert.X509Certificate) SslSocketAndEnginePeerVerifier(io.grpc.util.AdvancedTlsX509TrustManager.SslSocketAndEnginePeerVerifier) ChannelCredentials(io.grpc.ChannelCredentials) TlsChannelCredentials(io.grpc.TlsChannelCredentials) StatusRuntimeException(io.grpc.StatusRuntimeException) Socket(java.net.Socket) Test(org.junit.Test)

Example 12 with ServerCredentials

Use of io.grpc.ServerCredentials in the grpc-java project by grpc.

From class AdvancedTlsTest, method basicMutualTlsTest.

@Test
public void basicMutualTlsTest() throws Exception {
    // Create & start a server.
    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
        .keyManager(serverCert0File, serverKey0File)
        .trustManager(caCertFile)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    server = Grpc.newServerBuilderForPort(0, serverCredentials)
        .addService(new SimpleServiceImpl())
        .build()
        .start();
    // Create a client to connect.
    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
        .keyManager(clientCert0File, clientKey0File)
        .trustManager(caCertFile)
        .build();
    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
        .overrideAuthority("foo.test.google.com.au")
        .build();
    // Start the connection.
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
        // Send an actual request, via the full GRPC & network stack, and check that a proper
        // response comes back.
        client.unaryRpc(SimpleRequest.getDefaultInstance());
    } catch (StatusRuntimeException e) {
        // Print the trace once, then fail; fail() throws, so a second call would never run.
        e.printStackTrace();
        fail("Failed to make a connection");
    }
}
Also used: TlsServerCredentials(io.grpc.TlsServerCredentials) ServerCredentials(io.grpc.ServerCredentials) ChannelCredentials(io.grpc.ChannelCredentials) TlsChannelCredentials(io.grpc.TlsChannelCredentials) StatusRuntimeException(io.grpc.StatusRuntimeException) SimpleServiceGrpc(io.grpc.testing.protobuf.SimpleServiceGrpc) Test(org.junit.Test)

Example 13 with ServerCredentials

Use of io.grpc.ServerCredentials in the grpc-java project by grpc.

From class ProtocolNegotiators, method from.

public static FromServerCredentialsResult from(ServerCredentials creds) {
    if (creds instanceof TlsServerCredentials) {
        TlsServerCredentials tlsCreds = (TlsServerCredentials) creds;
        // Refuse credentials that request TLS features this negotiator does not understand,
        // rather than silently dropping them and building a weaker SslContext.
        Set<TlsServerCredentials.Feature> incomprehensible = tlsCreds.incomprehensible(understoodServerTlsFeatures);
        if (!incomprehensible.isEmpty()) {
            return FromServerCredentialsResult.error("TLS features not understood: " + incomprehensible);
        }
        SslContextBuilder builder;
        // Server identity: an explicit KeyManager takes precedence over raw PEM key material.
        if (tlsCreds.getKeyManagers() != null) {
            builder = GrpcSslContexts.configure(
                SslContextBuilder.forServer(new FixedKeyManagerFactory(tlsCreds.getKeyManagers())));
        } else if (tlsCreds.getPrivateKey() != null) {
            builder = GrpcSslContexts.forServer(
                new ByteArrayInputStream(tlsCreds.getCertificateChain()),
                new ByteArrayInputStream(tlsCreds.getPrivateKey()),
                tlsCreds.getPrivateKeyPassword());
        } else {
            throw new AssertionError("BUG! No key");
        }
        // Client trust: explicit TrustManagers first, then PEM root certificates,
        // otherwise the system default trust store is used.
        if (tlsCreds.getTrustManagers() != null) {
            builder.trustManager(new FixedTrustManagerFactory(tlsCreds.getTrustManagers()));
        } else if (tlsCreds.getRootCertificates() != null) {
            builder.trustManager(new ByteArrayInputStream(tlsCreds.getRootCertificates()));
        }
        // else use system default
        switch(tlsCreds.getClientAuth()) {
            case OPTIONAL:
                builder.clientAuth(io.netty.handler.ssl.ClientAuth.OPTIONAL);
                break;
            case REQUIRE:
                builder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
                break;
            case NONE:
                builder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE);
                break;
            default:
                return FromServerCredentialsResult.error(
                    "Unknown TlsServerCredentials.ClientAuth value: " + tlsCreds.getClientAuth());
        }
        SslContext sslContext;
        try {
            sslContext = builder.build();
        } catch (SSLException ex) {
            throw new IllegalArgumentException("Unexpected error converting ServerCredentials to Netty SslContext", ex);
        }
        return FromServerCredentialsResult.negotiator(serverTlsFactory(sslContext));
    } else if (creds instanceof InsecureServerCredentials) {
        return FromServerCredentialsResult.negotiator(serverPlaintextFactory());
    } else if (creds instanceof NettyServerCredentials) {
        NettyServerCredentials nettyCreds = (NettyServerCredentials) creds;
        return FromServerCredentialsResult.negotiator(nettyCreds.getNegotiator());
    } else if (creds instanceof ChoiceServerCredentials) {
        ChoiceServerCredentials choiceCreds = (ChoiceServerCredentials) creds;
        StringBuilder error = new StringBuilder();
        for (ServerCredentials innerCreds : choiceCreds.getCredentialsList()) {
            FromServerCredentialsResult result = from(innerCreds);
            if (result.error == null) {
                return result;
            }
            error.append(", ");
            error.append(result.error);
        }
        return FromServerCredentialsResult.error(error.substring(2));
    } else {
        return FromServerCredentialsResult.error("Unsupported credential type: " + creds.getClass().getName());
    }
}
Also used: ChoiceServerCredentials(io.grpc.ChoiceServerCredentials) ServerCredentials(io.grpc.ServerCredentials) InsecureServerCredentials(io.grpc.InsecureServerCredentials) TlsServerCredentials(io.grpc.TlsServerCredentials) SSLException(javax.net.ssl.SSLException) ByteArrayInputStream(java.io.ByteArrayInputStream) SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) SslContext(io.netty.handler.ssl.SslContext)

Example 14 with ServerCredentials

Use of io.grpc.ServerCredentials in the grpc-java project by grpc.

From class XdsServerBuilder, method forPort.

/**
 * Creates a gRPC server builder for the given port.
 */
public static XdsServerBuilder forPort(int port, ServerCredentials serverCredentials) {
    checkNotNull(serverCredentials, "serverCredentials");
    InternalProtocolNegotiator.ServerFactory originalNegotiatorFactory =
        InternalNettyServerCredentials.toNegotiator(serverCredentials);
    ServerCredentials wrappedCredentials = InternalNettyServerCredentials.create(
        new FilterChainMatchingNegotiatorServerFactory(originalNegotiatorFactory));
    NettyServerBuilder nettyDelegate = NettyServerBuilder.forPort(port, wrappedCredentials);
    return new XdsServerBuilder(nettyDelegate, port);
}
Also used: InternalProtocolNegotiator(io.grpc.netty.InternalProtocolNegotiator) FilterChainMatchingNegotiatorServerFactory(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingNegotiatorServerFactory) NettyServerBuilder(io.grpc.netty.NettyServerBuilder) InternalNettyServerBuilder(io.grpc.netty.InternalNettyServerBuilder) InternalNettyServerCredentials(io.grpc.netty.InternalNettyServerCredentials) ServerCredentials(io.grpc.ServerCredentials)

Example 15 with ServerCredentials

Use of io.grpc.ServerCredentials in the grpc-java project by grpc.

From class AdvancedTlsTest, method onFileLoadingKeyManagerTrustManagerTest.

@Test
public void onFileLoadingKeyManagerTrustManagerTest() throws Exception {
    // Create & start a server.
    AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
    serverKeyManager.updateIdentityCredentialsFromFile(serverKey0File, serverCert0File);
    AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .build();
    serverTrustManager.updateTrustCredentialsFromFile(caCertFile);
    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
        .keyManager(serverKeyManager)
        .trustManager(serverTrustManager)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    server = Grpc.newServerBuilderForPort(0, serverCredentials)
        .addService(new SimpleServiceImpl())
        .build()
        .start();
    // Create a client to connect.
    AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
    clientKeyManager.updateIdentityCredentialsFromFile(clientKey0File, clientCert0File);
    // The client verifies both the chain and the host name of the server certificate.
    AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
        .build();
    clientTrustManager.updateTrustCredentialsFromFile(caCertFile);
    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
        .keyManager(clientKeyManager)
        .trustManager(clientTrustManager)
        .build();
    // The channel dials localhost, so overrideAuthority supplies the name that the
    // host name verification above is checked against.
    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
        .overrideAuthority("foo.test.google.com.au")
        .build();
    // Start the connection.
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
        // Send an actual request, via the full GRPC & network stack, and check that a proper
        // response comes back.
        client.unaryRpc(SimpleRequest.getDefaultInstance());
    } catch (StatusRuntimeException e) {
        e.printStackTrace();
        fail("Find error: " + e.getMessage());
    }
}
Also used: AdvancedTlsX509KeyManager(io.grpc.util.AdvancedTlsX509KeyManager) TlsServerCredentials(io.grpc.TlsServerCredentials) ServerCredentials(io.grpc.ServerCredentials) ChannelCredentials(io.grpc.ChannelCredentials) TlsChannelCredentials(io.grpc.TlsChannelCredentials) AdvancedTlsX509TrustManager(io.grpc.util.AdvancedTlsX509TrustManager) StatusRuntimeException(io.grpc.StatusRuntimeException) SimpleServiceGrpc(io.grpc.testing.protobuf.SimpleServiceGrpc) Test(org.junit.Test)

Aggregations (class, and number of usages)

ServerCredentials (io.grpc.ServerCredentials) 27
TlsServerCredentials (io.grpc.TlsServerCredentials) 21
InsecureServerCredentials (io.grpc.InsecureServerCredentials) 16
Test (org.junit.Test) 16
ChannelCredentials (io.grpc.ChannelCredentials) 14
TlsChannelCredentials (io.grpc.TlsChannelCredentials) 13
ChoiceServerCredentials (io.grpc.ChoiceServerCredentials) 10
InsecureChannelCredentials (io.grpc.InsecureChannelCredentials) 8
ChoiceChannelCredentials (io.grpc.ChoiceChannelCredentials) 7
CompositeChannelCredentials (io.grpc.CompositeChannelCredentials) 7
StatusRuntimeException (io.grpc.StatusRuntimeException) 7
InternalChannelz (io.grpc.InternalChannelz) 6
SimpleServiceGrpc (io.grpc.testing.protobuf.SimpleServiceGrpc) 6
AdvancedTlsX509KeyManager (io.grpc.util.AdvancedTlsX509KeyManager) 5
AdvancedTlsX509TrustManager (io.grpc.util.AdvancedTlsX509TrustManager) 5
NettyServerBuilder (io.grpc.netty.NettyServerBuilder) 4
InternalNettyServerBuilder (io.grpc.netty.InternalNettyServerBuilder) 3
AltsServerCredentials (io.grpc.alts.AltsServerCredentials) 2
SslSocketAndEnginePeerVerifier (io.grpc.util.AdvancedTlsX509TrustManager.SslSocketAndEnginePeerVerifier) 2
LocalAddress (io.netty.channel.local.LocalAddress) 2