use of io.grpc.ServerCredentials in project grpc-java by grpc.
the class AdvancedTlsTest method trustManagerCustomVerifierMutualTlsTest.
@Test
public void trustManagerCustomVerifierMutualTlsTest() throws Exception {
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
// Set server's custom verification based on the information of clientCert0.
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("testclient")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("testclient")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
}).build();
serverTrustManager.updateTrustCredentials(caCert);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder().keyManager(serverKeyManager).trustManager(serverTrustManager).clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(new SimpleServiceImpl()).build().start();
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
// Set client's custom verification based on the information of serverCert0.
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
}).build();
clientTrustManager.updateTrustCredentials(caCert);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder().keyManager(clientKeyManager).trustManager(clientTrustManager).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials).build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
fail("Failed to make a connection");
e.printStackTrace();
}
}
use of io.grpc.ServerCredentials in project grpc-java by grpc.
the class AdvancedTlsTest method basicMutualTlsTest.
@Test
public void basicMutualTlsTest() throws Exception {
// Create & start a server.
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder().keyManager(serverCert0File, serverKey0File).trustManager(caCertFile).clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(new SimpleServiceImpl()).build().start();
// Create a client to connect.
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder().keyManager(clientCert0File, clientKey0File).trustManager(caCertFile).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials).overrideAuthority("foo.test.google.com.au").build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
// Send an actual request, via the full GRPC & network stack, and check that a proper
// response comes back.
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
e.printStackTrace();
fail("Failed to make a connection");
e.printStackTrace();
}
}
use of io.grpc.ServerCredentials in project grpc-java by grpc.
the class ProtocolNegotiators method from.
public static FromServerCredentialsResult from(ServerCredentials creds) {
if (creds instanceof TlsServerCredentials) {
TlsServerCredentials tlsCreds = (TlsServerCredentials) creds;
Set<TlsServerCredentials.Feature> incomprehensible = tlsCreds.incomprehensible(understoodServerTlsFeatures);
if (!incomprehensible.isEmpty()) {
return FromServerCredentialsResult.error("TLS features not understood: " + incomprehensible);
}
SslContextBuilder builder;
if (tlsCreds.getKeyManagers() != null) {
builder = GrpcSslContexts.configure(SslContextBuilder.forServer(new FixedKeyManagerFactory(tlsCreds.getKeyManagers())));
} else if (tlsCreds.getPrivateKey() != null) {
builder = GrpcSslContexts.forServer(new ByteArrayInputStream(tlsCreds.getCertificateChain()), new ByteArrayInputStream(tlsCreds.getPrivateKey()), tlsCreds.getPrivateKeyPassword());
} else {
throw new AssertionError("BUG! No key");
}
if (tlsCreds.getTrustManagers() != null) {
builder.trustManager(new FixedTrustManagerFactory(tlsCreds.getTrustManagers()));
} else if (tlsCreds.getRootCertificates() != null) {
builder.trustManager(new ByteArrayInputStream(tlsCreds.getRootCertificates()));
}
// else use system default
switch(tlsCreds.getClientAuth()) {
case OPTIONAL:
builder.clientAuth(io.netty.handler.ssl.ClientAuth.OPTIONAL);
break;
case REQUIRE:
builder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
break;
case NONE:
builder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE);
break;
default:
return FromServerCredentialsResult.error("Unknown TlsServerCredentials.ClientAuth value: " + tlsCreds.getClientAuth());
}
SslContext sslContext;
try {
sslContext = builder.build();
} catch (SSLException ex) {
throw new IllegalArgumentException("Unexpected error converting ServerCredentials to Netty SslContext", ex);
}
return FromServerCredentialsResult.negotiator(serverTlsFactory(sslContext));
} else if (creds instanceof InsecureServerCredentials) {
return FromServerCredentialsResult.negotiator(serverPlaintextFactory());
} else if (creds instanceof NettyServerCredentials) {
NettyServerCredentials nettyCreds = (NettyServerCredentials) creds;
return FromServerCredentialsResult.negotiator(nettyCreds.getNegotiator());
} else if (creds instanceof ChoiceServerCredentials) {
ChoiceServerCredentials choiceCreds = (ChoiceServerCredentials) creds;
StringBuilder error = new StringBuilder();
for (ServerCredentials innerCreds : choiceCreds.getCredentialsList()) {
FromServerCredentialsResult result = from(innerCreds);
if (result.error == null) {
return result;
}
error.append(", ");
error.append(result.error);
}
return FromServerCredentialsResult.error(error.substring(2));
} else {
return FromServerCredentialsResult.error("Unsupported credential type: " + creds.getClass().getName());
}
}
use of io.grpc.ServerCredentials in project grpc-java by grpc.
the class XdsServerBuilder method forPort.
/**
* Creates a gRPC server builder for the given port.
*/
public static XdsServerBuilder forPort(int port, ServerCredentials serverCredentials) {
checkNotNull(serverCredentials, "serverCredentials");
InternalProtocolNegotiator.ServerFactory originalNegotiatorFactory = InternalNettyServerCredentials.toNegotiator(serverCredentials);
ServerCredentials wrappedCredentials = InternalNettyServerCredentials.create(new FilterChainMatchingNegotiatorServerFactory(originalNegotiatorFactory));
NettyServerBuilder nettyDelegate = NettyServerBuilder.forPort(port, wrappedCredentials);
return new XdsServerBuilder(nettyDelegate, port);
}
use of io.grpc.ServerCredentials in project grpc-java by grpc.
the class AdvancedTlsTest method onFileLoadingKeyManagerTrustManagerTest.
@Test
public void onFileLoadingKeyManagerTrustManagerTest() throws Exception {
// Create & start a server.
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.updateIdentityCredentialsFromFile(serverKey0File, serverCert0File);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).build();
serverTrustManager.updateTrustCredentialsFromFile(caCertFile);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder().keyManager(serverKeyManager).trustManager(serverTrustManager).clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(new SimpleServiceImpl()).build().start();
// Create a client to connect.
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.updateIdentityCredentialsFromFile(clientKey0File, clientCert0File);
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION).build();
clientTrustManager.updateTrustCredentialsFromFile(caCertFile);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder().keyManager(clientKeyManager).trustManager(clientTrustManager).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials).overrideAuthority("foo.test.google.com.au").build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
// Send an actual request, via the full GRPC & network stack, and check that a proper
// response comes back.
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
e.printStackTrace();
fail("Find error: " + e.getMessage());
}
}
Aggregations