use of io.grpc.util.AdvancedTlsX509TrustManager in project grpc-java by grpc.
the class AdvancedTlsTest method advancedTlsKeyManagerTrustManagerMutualTlsTest.
@Test
public void advancedTlsKeyManagerTrustManagerMutualTlsTest() throws Exception {
// Create a server with the key manager and trust manager.
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).build();
serverTrustManager.updateTrustCredentials(caCert);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder().keyManager(serverKeyManager).trustManager(serverTrustManager).clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(new SimpleServiceImpl()).build().start();
// Create a client with the key manager and trust manager.
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION).build();
clientTrustManager.updateTrustCredentials(caCert);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder().keyManager(clientKeyManager).trustManager(clientTrustManager).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials).overrideAuthority("foo.test.google.com.au").build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
fail("Failed to make a connection");
e.printStackTrace();
}
}
use of io.grpc.util.AdvancedTlsX509TrustManager in project grpc-java by grpc.
the class AdvancedTlsTest method trustManagerCustomVerifierMutualTlsTest.
@Test
public void trustManagerCustomVerifierMutualTlsTest() throws Exception {
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
// Set server's custom verification based on the information of clientCert0.
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("testclient")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("testclient")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
}).build();
serverTrustManager.updateTrustCredentials(caCert);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder().keyManager(serverKeyManager).trustManager(serverTrustManager).clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(new SimpleServiceImpl()).build().start();
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
// Set client's custom verification based on the information of serverCert0.
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
if (peerCertChain == null || peerCertChain.length == 0) {
throw new CertificateException("peerCertChain is empty");
}
X509Certificate leafCert = peerCertChain[0];
if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
}
}
}).build();
clientTrustManager.updateTrustCredentials(caCert);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder().keyManager(clientKeyManager).trustManager(clientTrustManager).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials).build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client = SimpleServiceGrpc.newBlockingStub(channel);
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
fail("Failed to make a connection");
e.printStackTrace();
}
}
use of io.grpc.util.AdvancedTlsX509TrustManager in project grpc-java by grpc.
the class AdvancedTlsTest method trustManagerCheckTrustedWithSocketTest.
@Test
public void trustManagerCheckTrustedWithSocketTest() throws Exception {
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION).build();
tm.updateTrustCredentials(caCert);
tm.checkClientTrusted(serverCert0, "RSA", new Socket());
tm.useSystemDefaultTrustCerts();
tm.checkServerTrusted(clientCert0, "RSA", new Socket());
}
use of io.grpc.util.AdvancedTlsX509TrustManager in project grpc-java by grpc.
the class AdvancedTlsTest method trustManagerCheckClientTrustedWithoutParameterTest.
@Test
public void trustManagerCheckClientTrustedWithoutParameterTest() throws Exception {
exceptionRule.expect(CertificateException.class);
exceptionRule.expectMessage("Not enough information to validate peer. SSLEngine or Socket required.");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION).build();
tm.checkClientTrusted(serverCert0, "RSA");
}
use of io.grpc.util.AdvancedTlsX509TrustManager in project grpc-java by grpc.
the class AdvancedTlsTest method trustManagerBadCustomVerificationTest.
@Test
public void trustManagerBadCustomVerificationTest() throws Exception {
exceptionRule.expect(CertificateException.class);
exceptionRule.expectMessage("Bad Custom Verification");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder().setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION).setSslSocketAndEnginePeerVerifier(new SslSocketAndEnginePeerVerifier() {
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException {
throw new CertificateException("Bad Custom Verification");
}
@Override
public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException {
throw new CertificateException("Bad Custom Verification");
}
}).build();
tm.updateTrustCredentials(caCert);
tm.checkClientTrusted(serverCert0, "RSA", new Socket());
}
Aggregations