Example 1 with AdvancedTlsX509TrustManager

Use of io.grpc.util.AdvancedTlsX509TrustManager in the project grpc-java by grpc.

From the class AdvancedTlsTest, method advancedTlsKeyManagerTrustManagerMutualTlsTest.

@Test
public void advancedTlsKeyManagerTrustManagerMutualTlsTest() throws Exception {
    // Create a server with the key manager and trust manager.
    AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
    serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
    // CERTIFICATE_ONLY_VERIFICATION: the server validates the client chain against
    // caCert but applies no host-name check (a client has no host name to match).
    AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .build();
    serverTrustManager.updateTrustCredentials(caCert);
    // ClientAuth.REQUIRE makes this mutual TLS: a client without a trusted certificate is rejected.
    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
        .keyManager(serverKeyManager)
        .trustManager(serverTrustManager)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    server = Grpc.newServerBuilderForPort(0, serverCredentials)
        .addService(new SimpleServiceImpl())
        .build()
        .start();
    // Create a client with the key manager and trust manager.
    AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
    clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
    // CERTIFICATE_AND_HOST_NAME_VERIFICATION: the client validates the chain and also checks
    // that the server certificate matches the authority it dials (set via overrideAuthority below).
    AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
        .build();
    clientTrustManager.updateTrustCredentials(caCert);
    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
        .keyManager(clientKeyManager)
        .trustManager(clientTrustManager)
        .build();
    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
        .overrideAuthority("foo.test.google.com.au")
        .build();
    // Start the connection.
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
        client.unaryRpc(SimpleRequest.getDefaultInstance());
    } catch (StatusRuntimeException e) {
        // Print the cause before failing: fail() throws, so any statement after it is unreachable.
        e.printStackTrace();
        fail("Failed to make a connection");
    }
}
Imports used by this example:

import io.grpc.util.AdvancedTlsX509KeyManager;
import io.grpc.TlsServerCredentials;
import io.grpc.ServerCredentials;
import io.grpc.ChannelCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.util.AdvancedTlsX509TrustManager;
import io.grpc.StatusRuntimeException;
import io.grpc.testing.protobuf.SimpleServiceGrpc;
import org.junit.Test;

Example 2 with AdvancedTlsX509TrustManager

Use of io.grpc.util.AdvancedTlsX509TrustManager in the project grpc-java by grpc.

From the class AdvancedTlsTest, method trustManagerCustomVerifierMutualTlsTest.

@Test
public void trustManagerCustomVerifierMutualTlsTest() throws Exception {
    AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
    serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
    // Set server's custom verification based on the information of clientCert0.
    // With CERTIFICATE_ONLY_VERIFICATION the chain is first validated against caCert;
    // the custom verifier then runs as an additional check on the already-trusted chain.
    AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {

            // Socket-based handshakes are verified here.
            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket)
                throws CertificateException {
                if (peerCertChain == null || peerCertChain.length == 0) {
                    throw new CertificateException("peerCertChain is empty");
                }
                // contains() is a substring match on the subject DN, which is lenient;
                // it is acceptable here only because the chain has already been validated.
                X509Certificate leafCert = peerCertChain[0];
                if (!leafCert.getSubjectDN().getName().contains("testclient")) {
                    throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
                }
            }

            // SSLEngine-based handshakes are verified here; same check as above.
            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine)
                throws CertificateException {
                if (peerCertChain == null || peerCertChain.length == 0) {
                    throw new CertificateException("peerCertChain is empty");
                }
                X509Certificate leafCert = peerCertChain[0];
                if (!leafCert.getSubjectDN().getName().contains("testclient")) {
                    throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
                }
            }
        })
        .build();
    serverTrustManager.updateTrustCredentials(caCert);
    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
        .keyManager(serverKeyManager)
        .trustManager(serverTrustManager)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    server = Grpc.newServerBuilderForPort(0, serverCredentials)
        .addService(new SimpleServiceImpl())
        .build()
        .start();
    AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
    clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
    // Set client's custom verification based on the information of serverCert0.
    // The client also uses CERTIFICATE_ONLY_VERIFICATION, so no host-name check is applied;
    // this DN substring check is the only binding between the channel and serverCert0.
    AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {

            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket)
                throws CertificateException {
                if (peerCertChain == null || peerCertChain.length == 0) {
                    throw new CertificateException("peerCertChain is empty");
                }
                X509Certificate leafCert = peerCertChain[0];
                if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
                    throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
                }
            }

            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine)
                throws CertificateException {
                if (peerCertChain == null || peerCertChain.length == 0) {
                    throw new CertificateException("peerCertChain is empty");
                }
                X509Certificate leafCert = peerCertChain[0];
                if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
                    throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
                }
            }
        })
        .build();
    clientTrustManager.updateTrustCredentials(caCert);
    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
        .keyManager(clientKeyManager)
        .trustManager(clientTrustManager)
        .build();
    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
        .build();
    // Start the connection.
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
        client.unaryRpc(SimpleRequest.getDefaultInstance());
    } catch (StatusRuntimeException e) {
        // Print the cause before failing: fail() throws, so any statement after it is unreachable.
        e.printStackTrace();
        fail("Failed to make a connection");
    }
}
Imports used by this example:

import io.grpc.util.AdvancedTlsX509KeyManager;
import javax.net.ssl.SSLEngine;
import io.grpc.TlsServerCredentials;
import io.grpc.ServerCredentials;
import io.grpc.util.AdvancedTlsX509TrustManager;
import java.security.cert.CertificateException;
import io.grpc.testing.protobuf.SimpleServiceGrpc;
import java.security.cert.X509Certificate;
import io.grpc.util.AdvancedTlsX509TrustManager.SslSocketAndEnginePeerVerifier;
import io.grpc.ChannelCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.StatusRuntimeException;
import java.net.Socket;
import org.junit.Test;

Example 3 with AdvancedTlsX509TrustManager

Use of io.grpc.util.AdvancedTlsX509TrustManager in the project grpc-java by grpc.

From the class AdvancedTlsTest, method trustManagerCheckTrustedWithSocketTest.

@Test
public void trustManagerCheckTrustedWithSocketTest() throws Exception {
    // INSECURELY_SKIP_ALL_VERIFICATION disables chain validation entirely: the calls below
    // succeed without the certificates being checked. This mode is for tests, not production.
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION)
        .build();
    tm.updateTrustCredentials(caCert);
    // The unconnected Socket only supplies the connection context the API requires.
    tm.checkClientTrusted(serverCert0, "RSA", new Socket());
    // Switch the trust store from caCert to the system default trust certificates.
    tm.useSystemDefaultTrustCerts();
    tm.checkServerTrusted(clientCert0, "RSA", new Socket());
}
Imports used by this example:

import io.grpc.util.AdvancedTlsX509TrustManager;
import java.net.Socket;
import org.junit.Test;

Example 4 with AdvancedTlsX509TrustManager

Use of io.grpc.util.AdvancedTlsX509TrustManager in the project grpc-java by grpc.

From the class AdvancedTlsTest, method trustManagerCheckClientTrustedWithoutParameterTest.

@Test
public void trustManagerCheckClientTrustedWithoutParameterTest() throws Exception {
    exceptionRule.expect(CertificateException.class);
    exceptionRule.expectMessage("Not enough information to validate peer. SSLEngine or Socket required.");
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION)
        .build();
    // The two-argument overload carries no Socket or SSLEngine, so the trust manager refuses
    // to validate (even in skip mode) rather than silently passing the peer.
    tm.checkClientTrusted(serverCert0, "RSA");
}
Imports used by this example:

import io.grpc.util.AdvancedTlsX509TrustManager;
import org.junit.Test;

Example 5 with AdvancedTlsX509TrustManager

Use of io.grpc.util.AdvancedTlsX509TrustManager in the project grpc-java by grpc.

From the class AdvancedTlsTest, method trustManagerBadCustomVerificationTest.

@Test
public void trustManagerBadCustomVerificationTest() throws Exception {
    exceptionRule.expect(CertificateException.class);
    exceptionRule.expectMessage("Bad Custom Verification");
    // A custom verifier that rejects every peer: its CertificateException propagates out of
    // checkClientTrusted even though the chain itself validates against caCert.
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {

            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket)
                throws CertificateException {
                throw new CertificateException("Bad Custom Verification");
            }

            @Override
            public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine)
                throws CertificateException {
                throw new CertificateException("Bad Custom Verification");
            }
        })
        .build();
    tm.updateTrustCredentials(caCert);
    tm.checkClientTrusted(serverCert0, "RSA", new Socket());
}
Imports used by this example:

import io.grpc.util.AdvancedTlsX509TrustManager.SslSocketAndEnginePeerVerifier;
import javax.net.ssl.SSLEngine;
import io.grpc.util.AdvancedTlsX509TrustManager;
import java.security.cert.CertificateException;
import java.net.Socket;
import org.junit.Test;
