Allow trustedRootCerts to be present in static CertificateValidationContext when SystemRootCerts is also there.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsTrustManagerFactory.java

@@ -81,7 +81,8 @@ private XdsTrustManagerFactory(
       throws CertStoreException {
     if (validationContextIsStatic) {
       checkArgument(
-          certificateValidationContext == null || !certificateValidationContext.hasTrustedCa(),
+          certificateValidationContext == null || !certificateValidationContext.hasTrustedCa()
+          || certificateValidationContext.hasSystemRootCerts(),
           "only static certificateValidationContext expected");
     }
     xdsX509TrustManager = createX509TrustManager(certs, certificateValidationContext, sniForSanMatching);

xds/src/test/java/io/grpc/xds/internal/security/trust/XdsTrustManagerFactoryTest.java

@@ -176,6 +176,19 @@ public void constructorRootCert_nonStaticContext_throwsException()
     }
   }
 
+  @Test
+  public void constructorRootCert_nonStaticContext_systemRootCerts_valid()
+      throws CertificateException, IOException, CertStoreException {
+    X509Certificate x509Cert = TestUtils.loadX509Cert(CA_PEM_FILE);
+    CertificateValidationContext certValidationContext = CertificateValidationContext.newBuilder()
+        .setTrustedCa(
+            DataSource.newBuilder().setFilename(TestUtils.loadCert(CA_PEM_FILE).getAbsolutePath()))
+        .setSystemRootCerts(CertificateValidationContext.SystemRootCerts.getDefaultInstance())
+        .build();
+    new XdsTrustManagerFactory(
+        new X509Certificate[] {x509Cert}, certValidationContext, null);
+  }
+
   @Test
   public void constructorRootCert_checkServerTrusted_throwsException()
       throws CertificateException, IOException, CertStoreException {