Review comments.

Author: kannanjgithub

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -88,6 +88,7 @@
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.annotation.concurrent.GuardedBy;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
@@ -145,10 +146,15 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
           trustManagers = Arrays.asList(tmf.getTrustManagers());
         }
         builder.trustManager(new FixedTrustManagerFactory(trustManagers));
-        Optional<TrustManager> x509ExtendedTrustManager = trustManagers.stream().filter(
-                trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+        TrustManager x509ExtendedTrustManager = null;
+        for (TrustManager trustManager: trustManagers) {
+          if (trustManager instanceof X509ExtendedTrustManager) {
+            x509ExtendedTrustManager = trustManager;
+            break;
+          }
+        }
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
-                (X509ExtendedTrustManager) x509ExtendedTrustManager.orElse(null)));
+                (X509ExtendedTrustManager) x509ExtendedTrustManager));
       } catch (SSLException | GeneralSecurityException ex) {
         log.log(Level.FINE, "Exception building SslContext", ex);
         return FromChannelCredentialsResult.error(
@@ -567,6 +573,7 @@ protected void userEventTriggered0(ChannelHandlerContext ctx, Object evt) throws
   }
 
   static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
+    @GuardedBy("this")
     private final LinkedHashMap<String, Status> peerVerificationResults =
             new LinkedHashMap<String, Status>() {
           @Override
@@ -617,10 +624,12 @@ public void close() {
 
     @Override
     public synchronized Status verifyAuthority(@Nonnull String authority) {
-      if (!canVerifyAuthorityOverride()) {
+      // sslEngine won't be set when creating ClientTlsHandler from InternalProtocolNegotiators
+      // for example.
+      if (sslEngine == null || x509ExtendedTrustManager == null) {
         return Status.FAILED_PRECONDITION.withDescription(
-                "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
-                        + "available");
+                "Can't allow authority override in rpc when SslEngine or X509ExtendedTrustManager"
+                        + " is not available");
       }
       if (peerVerificationResults.containsKey(authority)) {
         return peerVerificationResults.get(authority);
@@ -631,7 +640,7 @@ public synchronized Status verifyAuthority(@Nonnull String authority) {
           peerVerificationStatus = Status.OK;
         } catch (SSLPeerUnverifiedException | CertificateException e) {
           peerVerificationStatus = Status.UNAVAILABLE.withDescription(
-                  String.format("Peer hostname verification failed for authority '%s'",
+                  String.format("Peer hostname verification during rpc failed for authority '%s'",
                   authority)).withCause(e);
         }
         peerVerificationResults.put(authority, peerVerificationStatus);
@@ -643,17 +652,11 @@ public void setSslEngine(SSLEngine sslEngine) {
       this.sslEngine = sslEngine;
     }
 
-    boolean canVerifyAuthorityOverride() {
-      // sslEngine won't be set when creating ClientTlsHandlder from InternalProtocolNegotiators
-      // for example.
-      return sslEngine != null && x509ExtendedTrustManager != null;
-    }
-
     private void verifyAuthorityAllowedForPeerCert(String authority)
         throws SSLPeerUnverifiedException, CertificateException {
       SSLEngine sslEngineWrapper = new SslEngineWrapper(sslEngine, authority);
       // The typecasting of Certificate to X509Certificate should work because this method will only
-      // be called when there is a X509ExtendedTrustManager available.
+      // be called when using TLS and thus X509.
       Certificate[] peerCertificates = sslEngine.getSession().getPeerCertificates();
       X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
       for (int i = 0; i < peerCertificates.length; i++) {

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -867,7 +867,7 @@ Rpc.METHOD, new Metadata(), CallOptions.DEFAULT.withAuthority("foo.test.google.i
     stream.appendTimeoutInsight(insightBuilder);
     assertThat(insightBuilder.toString()).contains(
         "Status{code=FAILED_PRECONDITION, description=Can't allow authority override in rpc when "
-            + "X509ExtendedTrustManager is not available, cause=null}");
+            + "SslEngine or X509ExtendedTrustManager is not available, cause=null}");
   }
 
   @Test
@@ -891,8 +891,10 @@ Rpc.METHOD, new Metadata(), CallOptions.DEFAULT.withAuthority("foo.test.google.i
     InsightBuilder insightBuilder = new InsightBuilder();
     stream.appendTimeoutInsight(insightBuilder);
     assertThat(insightBuilder.toString()).contains(
-        "Status{code=UNAVAILABLE, description=Peer hostname verification failed for authority"
-            + " 'foo.test.google.in', cause=null}");
+        "Status{code=UNAVAILABLE, description=Peer hostname verification during rpc failed for"
+                + " authority 'foo.test.google.in'");
+    assertThat(insightBuilder.toString()).contains("cause=java.security.cert.CertificateException:"
+            + " No subject alternative DNS name matching foo.test.google.in found.");
   }
 
   @Test

okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java

@@ -16,13 +16,37 @@
 
 package io.grpc.okhttp;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
+import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
+
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import io.grpc.*;
-import io.grpc.internal.*;
+import io.grpc.CallCredentials;
+import io.grpc.ChannelCredentials;
+import io.grpc.ChannelLogger;
+import io.grpc.ChoiceChannelCredentials;
+import io.grpc.CompositeCallCredentials;
+import io.grpc.CompositeChannelCredentials;
+import io.grpc.ExperimentalApi;
+import io.grpc.ForwardingChannelBuilder2;
+import io.grpc.InsecureChannelCredentials;
+import io.grpc.Internal;
+import io.grpc.ManagedChannelBuilder;
+import io.grpc.TlsChannelCredentials;
+import io.grpc.internal.AtomicBackoff;
+import io.grpc.internal.ClientTransportFactory;
+import io.grpc.internal.ConnectionClientTransport;
+import io.grpc.internal.FixedObjectPool;
+import io.grpc.internal.GrpcUtil;
+import io.grpc.internal.KeepAliveManager;
+import io.grpc.internal.ManagedChannelImplBuilder;
 import io.grpc.internal.ManagedChannelImplBuilder.ChannelBuilderDefaultPortProvider;
 import io.grpc.internal.ManagedChannelImplBuilder.ClientTransportFactoryBuilder;
+import io.grpc.internal.ObjectPool;
 import io.grpc.internal.SharedResourceHolder.Resource;
+import io.grpc.internal.SharedResourcePool;
+import io.grpc.internal.TransportTracer;
 import io.grpc.okhttp.internal.CipherSuite;
 import io.grpc.okhttp.internal.ConnectionSpec;
 import io.grpc.okhttp.internal.Platform;
@@ -41,17 +65,22 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Set;
-import java.util.concurrent.*;
+import java.util.concurrent.Executor;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.CheckReturnValue;
 import javax.annotation.Nullable;
 import javax.net.SocketFactory;
-import javax.net.ssl.*;
-
-import static com.google.common.base.Preconditions.checkNotNull;
-import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
-import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 
 /** Convenience class for building channels with the OkHttp transport. */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/1785")

okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java

@@ -34,6 +34,7 @@
 import io.grpc.InsecureChannelCredentials;
 import io.grpc.ManagedChannel;
 import io.grpc.TlsChannelCredentials;
+import io.grpc.internal.CertificateUtils;
 import io.grpc.internal.ClientTransportFactory;
 import io.grpc.internal.ClientTransportFactory.SwapChannelCredentialsResult;
 import io.grpc.internal.FakeClock;
@@ -212,7 +213,7 @@ public void sslSocketFactoryFrom_tls_mtls() throws Exception {
 
     TrustManager[] trustManagers;
     try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
-      trustManagers = OkHttpChannelBuilder.createTrustManager(ca);
+      trustManagers = CertificateUtils.createTrustManager(ca);
     }
 
     SSLContext serverContext = SSLContext.getInstance("TLS");
@@ -257,7 +258,7 @@ public void sslSocketFactoryFrom_tls_mtls_keyFile() throws Exception {
          InputStream ca = TlsTesting.loadCert("ca.pem")) {
       serverContext.init(
           OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key),
-          OkHttpChannelBuilder.createTrustManager(ca),
+          CertificateUtils.createTrustManager(ca),
           null);
     }
     final SSLServerSocket serverListenSocket =