in-progress changes.

Author: kannanjgithub

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2024 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.internal;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * Contains certificate/key PEM file utility method(s) for internal usage.
+ */
+public class CertificateUtils {
+  /**
+   * Creates X509TrustManagers using the provided CA certs.
+   */
+  public static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
+    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
+    try {
+      return io.grpc.internal.CertificateUtils.createTrustManager(rootCertsStream);
+    } finally {
+      GrpcUtil.closeQuietly(rootCertsStream);
+    }
+  }
+
+  /**
+   * Creates X509TrustManagers using the provided input stream of CA certs.
+   */
+  public static TrustManager[] createTrustManager(InputStream rootCerts)
+          throws GeneralSecurityException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    try {
+      ks.load(null, null);
+    } catch (IOException ex) {
+      // Shouldn't really happen, as we're not loading any data.
+      throw new GeneralSecurityException(ex);
+    }
+    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
+    for (X509Certificate cert : certs) {
+      X500Principal principal = cert.getSubjectX500Principal();
+      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+    }
+
+    TrustManagerFactory trustManagerFactory =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(ks);
+    return trustManagerFactory.getTrustManagers();
+  }
+
+  private static X509Certificate[] getX509Certificates(InputStream inputStream)
+          throws CertificateException {
+    CertificateFactory factory = CertificateFactory.getInstance("X.509");
+    Collection<? extends Certificate> certs = factory.generateCertificates(inputStream);
+    return certs.toArray(new X509Certificate[0]);
+  }
+}

okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java

@@ -16,37 +16,13 @@
 
 package io.grpc.okhttp;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
-import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
-
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import io.grpc.CallCredentials;
-import io.grpc.ChannelCredentials;
-import io.grpc.ChannelLogger;
-import io.grpc.ChoiceChannelCredentials;
-import io.grpc.CompositeCallCredentials;
-import io.grpc.CompositeChannelCredentials;
-import io.grpc.ExperimentalApi;
-import io.grpc.ForwardingChannelBuilder2;
-import io.grpc.InsecureChannelCredentials;
-import io.grpc.Internal;
-import io.grpc.ManagedChannelBuilder;
-import io.grpc.TlsChannelCredentials;
-import io.grpc.internal.AtomicBackoff;
-import io.grpc.internal.ClientTransportFactory;
-import io.grpc.internal.ConnectionClientTransport;
-import io.grpc.internal.FixedObjectPool;
-import io.grpc.internal.GrpcUtil;
-import io.grpc.internal.KeepAliveManager;
-import io.grpc.internal.ManagedChannelImplBuilder;
+import io.grpc.*;
+import io.grpc.internal.*;
 import io.grpc.internal.ManagedChannelImplBuilder.ChannelBuilderDefaultPortProvider;
 import io.grpc.internal.ManagedChannelImplBuilder.ClientTransportFactoryBuilder;
-import io.grpc.internal.ObjectPool;
 import io.grpc.internal.SharedResourceHolder.Resource;
-import io.grpc.internal.SharedResourcePool;
-import io.grpc.internal.TransportTracer;
 import io.grpc.internal.TransportTracer.Factory;
 import io.grpc.okhttp.internal.CipherSuite;
 import io.grpc.okhttp.internal.ConnectionSpec;
@@ -66,24 +42,18 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Set;
-import java.util.concurrent.Executor;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
+import java.util.concurrent.*;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.CheckReturnValue;
 import javax.annotation.Nullable;
 import javax.net.SocketFactory;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.security.auth.x500.X500Principal;
+import javax.net.ssl.*;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static io.grpc.internal.CertificateUtils.createTrustManager;
+import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
+import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
 
 /** Convenience class for building channels with the OkHttp transport. */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/1785")
@@ -707,35 +677,6 @@ static KeyManager[] createKeyManager(InputStream certChain, InputStream privateK
     return keyManagerFactory.getKeyManagers();
   }
 
-  static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
-    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
-    try {
-      return createTrustManager(rootCertsStream);
-    } finally {
-      GrpcUtil.closeQuietly(rootCertsStream);
-    }
-  }
-
-  static TrustManager[] createTrustManager(InputStream rootCerts) throws GeneralSecurityException {
-    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-    try {
-      ks.load(null, null);
-    } catch (IOException ex) {
-      // Shouldn't really happen, as we're not loading any data.
-      throw new GeneralSecurityException(ex);
-    }
-    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
-    for (X509Certificate cert : certs) {
-      X500Principal principal = cert.getSubjectX500Principal();
-      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
-    }
-
-    TrustManagerFactory trustManagerFactory =
-        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-    trustManagerFactory.init(ks);
-    return trustManagerFactory.getTrustManagers();
-  }
-
   static Collection<Class<? extends SocketAddress>> getSupportedSocketAddressTypes() {
     return Collections.singleton(InetSocketAddress.class);
   }

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientTransport.java

@@ -72,9 +72,7 @@
 import io.grpc.okhttp.internal.framed.Variant;
 import io.grpc.okhttp.internal.proxy.HttpUrl;
 import io.grpc.okhttp.internal.proxy.Request;
-import io.grpc.util.CertificateUtils;
 import io.perfmark.PerfMark;
-import java.io.ByteArrayInputStream;
 import java.io.EOFException;
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -86,20 +84,8 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Deque;
-import java.util.EnumMap;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Random;
+import java.util.*;
 import java.util.concurrent.BrokenBarrierException;
-import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.CyclicBarrier;
 import java.util.concurrent.Executor;
@@ -231,8 +217,13 @@ private static Map<ErrorCode, Status> buildErrorCodeToStatusMap() {
   private final boolean useGetForSafeMethods;
   @GuardedBy("lock")
   private final TransportTracer transportTracer;
-  private final ConcurrentHashMap<String, Boolean> authorityVerificationStatuses =
-      new ConcurrentHashMap<>();
+  private final LinkedHashMap<String, Status> peerVerificationResults =
+          new LinkedHashMap<String, Status>() {
+            @Override
+            protected boolean removeEldestEntry(Map.Entry<String, Status> eldest) {
+              return size() > 100;
+            }
+          };
 
   @GuardedBy("lock")
   private final InUseStateAggregator<OkHttpClientStream> inUseState =
@@ -432,45 +423,51 @@ public ClientStream newStream(
         StatsTraceContext.newClientContext(tracers, getAttributes(), headers);
     if (socket instanceof SSLSocket && callOptions.getAuthority() != null
         && channelCredentials != null && channelCredentials instanceof TlsChannelCredentials) {
-      if (hostnameVerifier != null) {
-        hostnameVerifier.verify(callOptions.getAuthority(), ((SSLSocket) socket).getSession());
-      }
-      boolean isAuthorityValid;
-      if (authorityVerificationStatuses.containsKey(callOptions.getAuthority())) {
-        isAuthorityValid = authorityVerificationStatuses.get(callOptions.getAuthority());
+      Status peerVerificationStatus;
+      if (peerVerificationResults.containsKey(callOptions.getAuthority())) {
+        peerVerificationStatus = peerVerificationResults.get(callOptions.getAuthority());
       } else {
-        Optional<TrustManager> x509ExtendedTrustManager;
-        try {
-          x509ExtendedTrustManager = getX509ExtendedTrustManager(
-              (TlsChannelCredentials) channelCredentials);
-        } catch (GeneralSecurityException e) {
-          log.log(Level.FINE, "Failure getting X509ExtendedTrustManager from TlsCredentials", e);
-          return new FailingClientStream(Status.INTERNAL.withDescription(
-              "Failure getting X509ExtendedTrustManager from TlsCredentials"),
-              tracers);
-        }
-        if (!x509ExtendedTrustManager.isPresent()) {
-          return new FailingClientStream(Status.INTERNAL.withDescription(
-              "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
-                  + "available"), tracers);
-        }
-        try {
-          Certificate[] peerCertificates = sslSession.getPeerCertificates();
-          X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
-          for (int i = 0; i < peerCertificates.length; i++) {
-            x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
+        if (hostnameVerifier != null &&
+                !hostnameVerifier.verify(callOptions.getAuthority(),
+                        ((SSLSocket) socket).getSession())) {
+          peerVerificationStatus = Status.UNAVAILABLE.withDescription(
+                  String.format("HostNameVerifier verification failed for authority '%s'.",
+                          callOptions.getAuthority()));
+        } else {
+          Optional<TrustManager> x509ExtendedTrustManager;
+          try {
+            x509ExtendedTrustManager = getX509ExtendedTrustManager(
+                    (TlsChannelCredentials) channelCredentials);
+          } catch (GeneralSecurityException e) {
+            return new FailingClientStream(Status.UNAVAILABLE.withDescription(
+                    "Failure getting X509ExtendedTrustManager from TlsCredentials").withCause(e),
+                    tracers);
+          }
+          if (!x509ExtendedTrustManager.isPresent()) {
+            return new FailingClientStream(Status.UNAVAILABLE.withDescription(
+                    "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
+                            + "available"), tracers);
+          }
+          try {
+            Certificate[] peerCertificates = sslSession.getPeerCertificates();
+            X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
+            for (int i = 0; i < peerCertificates.length; i++) {
+              x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
+            }
+            ((X509ExtendedTrustManager) x509ExtendedTrustManager.get()).checkServerTrusted(
+                    x509PeerCertificates, "RSA",
+                    new SslSocketWrapper((SSLSocket) socket, callOptions.getAuthority()));
+            peerVerificationStatus = Status.OK;
+          } catch (SSLPeerUnverifiedException | CertificateException e) {
+            peerVerificationStatus = Status.INTERNAL.withDescription(
+                    String.format("Failure in verifying authority '%s' against peer",
+                            callOptions.getAuthority())).withCause(e);
           }
-          ((X509ExtendedTrustManager) x509ExtendedTrustManager.get()).checkServerTrusted(
-              x509PeerCertificates, "RSA",
-              new SslSocketWrapper((SSLSocket) socket, callOptions.getAuthority()));
-          authorityVerificationStatuses.put(callOptions.getAuthority(), true);
-        } catch (SSLPeerUnverifiedException | CertificateException e) {
-          log.log(Level.FINE, "Failure in verifying authority against peer", e);
-          authorityVerificationStatuses.put(callOptions.getAuthority(), false);
-          return new FailingClientStream(Status.INTERNAL.withDescription(
-              "Failure in verifying authority against peer"),
-              tracers);
         }
+        peerVerificationResults.put(callOptions.getAuthority(), peerVerificationStatus);
+      }
+      if (!peerVerificationStatus.isOk()) {
+        return new FailingClientStream(peerVerificationStatus, tracers);
       }
     }
     // FIXME: it is likely wrong to pass the transportTracer here as it'll exit the lock's scope
@@ -495,21 +492,19 @@ public ClientStream newStream(
 
   private Optional<TrustManager> getX509ExtendedTrustManager(TlsChannelCredentials tlsCreds)
       throws GeneralSecurityException {
-    Optional<TrustManager> x509ExtendedTrustManager;
+    TrustManager[] tm = null;
+    // Using the same way of creating TrustManager from {@link OkHttpChannelBuilder#sslSocketFactoryFrom}.
     if (tlsCreds.getTrustManagers() != null) {
-      x509ExtendedTrustManager = tlsCreds.getTrustManagers().stream().filter(
-          trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+      tm = tlsCreds.getTrustManagers().toArray(new TrustManager[0]);
     } else if (tlsCreds.getRootCertificates() != null) {
-      x509ExtendedTrustManager = CertificateUtils.getX509ExtendedTrustManager(
-          new ByteArrayInputStream(tlsCreds.getRootCertificates()));
+      tm = io.grpc.internal.CertificateUtils.createTrustManager(tlsCreds.getRootCertificates());
     } else { // else use system default
       TrustManagerFactory tmf = TrustManagerFactory.getInstance(
           TrustManagerFactory.getDefaultAlgorithm());
       tmf.init((KeyStore) null);
-      x509ExtendedTrustManager = Arrays.stream(tmf.getTrustManagers())
-          .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+      tm = tmf.getTrustManagers();
     }
-    return x509ExtendedTrustManager;
+    return Arrays.stream(tm).filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
   }
 
   @GuardedBy("lock")