Style fixes.

kannanjgithub · kannanjgithub · commit 3f536824758b · 2025-09-26T11:17:46.000Z
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -21,7 +21,6 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Optional;
 import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
 import com.google.errorprone.annotations.ForOverride;
 import io.grpc.Attributes;
 import io.grpc.CallCredentials;
@@ -592,7 +591,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
       ChannelHandler cth = new ClientTlsHandler(gnh, sslContext,
-          sni != null? sni : grpcHandler.getAuthority(),
+          sni != null ? sni : grpcHandler.getAuthority(),
           this.executor, negotiationLogger, handshakeCompleteRunnable, null,
           x509ExtendedTrustManager);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
diff --git a/xds/src/main/java/io/grpc/xds/XdsAttributes.java b/xds/src/main/java/io/grpc/xds/XdsAttributes.java
@@ -88,10 +88,10 @@ final class XdsAttributes {
   static final Attributes.Key<Long> ATTR_SERVER_WEIGHT =
       Attributes.Key.create("io.grpc.xds.XdsAttributes.serverWeight");
 
-   /** Name associated with individual address, if available (e.g., DNS name). */
-    @EquivalentAddressGroup.Attr
-    static final Attributes.Key<String> ATTR_ADDRESS_NAME =
-        Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
+  /** Name associated with individual address, if available (e.g., DNS name). */
+  @EquivalentAddressGroup.Attr
+  static final Attributes.Key<String> ATTR_ADDRESS_NAME =
+      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
 
   /**
    * Filter chain match for network filters.
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java b/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java
@@ -20,7 +20,6 @@
 import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
 import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderFactory;
-import java.util.AbstractMap;
 
 /** Factory to create client-side SslContextProvider from UpstreamTlsContext. */
 final class ClientSslContextProviderFactory
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java
@@ -53,15 +53,15 @@ protected DynamicSslContextProvider(
 
   @Nullable
   public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
-  getSslContextAndTrustManager() {
+      getSslContextAndTrustManager() {
     return sslContextAndTrustManager;
   }
 
   protected abstract CertificateValidationContext generateCertificateValidationContext();
 
   /** Gets a server or client side SslContextBuilder. */
   protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
-  getSslContextBuilderAndTrustManager(
+      getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContext)
       throws CertificateException, IOException, CertStoreException;
 
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
@@ -21,7 +21,6 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import io.grpc.Attributes;
-import io.grpc.EquivalentAddressGroup;
 import io.grpc.Grpc;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.ObjectPool;
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java
@@ -26,9 +26,7 @@
 import io.grpc.xds.TlsContextManager;
 import io.netty.handler.ssl.SslContext;
 import java.util.AbstractMap;
-import java.util.HashSet;
 import java.util.Objects;
-import java.util.Set;
 import javax.net.ssl.TrustManager;
 
 /**
@@ -104,8 +102,8 @@ private void releaseSslContextProvider(SslContextProvider toRelease) {
   private SslContextProvider getSslContextProvider() {
     return tlsContext instanceof UpstreamTlsContext
         ? tlsContextManager.findOrCreateClientSslContextProvider((UpstreamTlsContext) tlsContext)
-        : tlsContextManager.findOrCreateServerSslContextProvider
-            ((DownstreamTlsContext) tlsContext);
+        : tlsContextManager.findOrCreateServerSslContextProvider(
+            (DownstreamTlsContext) tlsContext);
   }
 
   @VisibleForTesting public boolean isShutdown() {
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/TlsContextManagerImpl.java b/xds/src/main/java/io/grpc/xds/internal/security/TlsContextManagerImpl.java
@@ -71,8 +71,6 @@ public SslContextProvider findOrCreateServerSslContextProvider(
   public SslContextProvider findOrCreateClientSslContextProvider(
       UpstreamTlsContext upstreamTlsContext) {
     checkNotNull(upstreamTlsContext, "upstreamTlsContext");
-    CommonTlsContext.Builder builder = upstreamTlsContext.getCommonTlsContext().toBuilder();
-    upstreamTlsContext = new UpstreamTlsContext(builder.build());
     return mapForClients.get(upstreamTlsContext);
   }
 
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -55,20 +55,22 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
 
   @Override
   protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
-  getSslContextBuilderAndTrustManager(
+      getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContext)
               throws CertStoreException {
     SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
     if (savedSpiffeTrustMap != null) {
       sslContextBuilder = sslContextBuilder.trustManager(
         new XdsTrustManagerFactory(
             savedSpiffeTrustMap,
-            certificateValidationContext, ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
+            certificateValidationContext,
+            ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
     } else if (savedTrustedRoots != null) {
       sslContextBuilder = sslContextBuilder.trustManager(
           new XdsTrustManagerFactory(
               savedTrustedRoots.toArray(new X509Certificate[0]),
-              certificateValidationContext, ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
+              certificateValidationContext,
+              ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
     } else {
       // Should be impossible because of the check in CertProviderClientSslContextProviderFactory
       throw new IllegalStateException("There must be trusted roots or a SPIFFE trust map");
@@ -77,12 +79,14 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
     if (savedSpiffeTrustMap != null) {
       trustManagerFactory = new XdsTrustManagerFactory(
           savedSpiffeTrustMap,
-          certificateValidationContext, ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation());
+          certificateValidationContext,
+          ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation());
       sslContextBuilder = sslContextBuilder.trustManager(trustManagerFactory);
     } else {
       trustManagerFactory = new XdsTrustManagerFactory(
           savedTrustedRoots.toArray(new X509Certificate[0]),
-          certificateValidationContext, ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation());
+          certificateValidationContext,
+          ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation());
       sslContextBuilder = sslContextBuilder.trustManager(trustManagerFactory);
     }
     if (isMtls()) {
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java
@@ -58,7 +58,7 @@ final class CertProviderServerSslContextProvider extends CertProviderSslContextP
 
   @Override
   protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
-  getSslContextBuilderAndTrustManager(
+      getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContextdationContext)
           throws CertStoreException, CertificateException, IOException {
     SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(savedKey, savedCertChain);
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java b/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java
@@ -233,21 +233,25 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain,
   public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType, socket);
-    verifySubjectAltNameInChain(chain, new ArrayList<>());
+    verifySubjectAltNameInChain(chain, certContext != null
+        ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());
   }
 
   @Override
   public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType, sslEngine);
-    verifySubjectAltNameInChain(chain, new ArrayList<>());
+    verifySubjectAltNameInChain(chain, certContext != null
+        ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());
   }
 
   @Override
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   public void checkClientTrusted(X509Certificate[] chain, String authType)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType);
-    verifySubjectAltNameInChain(chain, new ArrayList<>());
+    verifySubjectAltNameInChain(chain, certContext != null
+        ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());
   }
 
   @Override
@@ -264,7 +268,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket
       }
       sniMatchers = getAutoSniSanMatchers(sslParams);
     }
-    if (sniMatchers.isEmpty()) {
+    if (sniMatchers.isEmpty() && certContext != null) {
       sniMatchers = certContext.getMatchSubjectAltNamesList();
     }
     chooseDelegate(chain).checkServerTrusted(chain, authType, socket);
@@ -282,18 +286,20 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngi
       sslEngine.setSSLParameters(sslParams);
       sniMatchers = getAutoSniSanMatchers(sslParams);
     }
-    if (sniMatchers.isEmpty()) {
+    if (sniMatchers.isEmpty() && certContext != null) {
       sniMatchers = certContext.getMatchSubjectAltNamesList();
     }
     chooseDelegate(chain).checkServerTrusted(chain, authType, sslEngine);
     verifySubjectAltNameInChain(chain, sniMatchers);
   }
 
   @Override
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   public void checkServerTrusted(X509Certificate[] chain, String authType)
       throws CertificateException {
     chooseDelegate(chain).checkServerTrusted(chain, authType);
-    verifySubjectAltNameInChain(chain, new ArrayList<>());
+    verifySubjectAltNameInChain(chain, certContext != null
+        ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());
   }
 
   private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {
@@ -312,6 +318,7 @@ private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {
     }
     return sniNamesToMatch;
   }
+
   private X509ExtendedTrustManager chooseDelegate(X509Certificate[] chain)
       throws CertificateException {
     if (spiffeTrustMapDelegates != null) {
diff --git a/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java b/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java
@@ -117,7 +117,7 @@ public class CdsLoadBalancer2Test {
   private static final String EDS_SERVICE_NAME = "backend-service-1.googleapis.com";
   private static final String NODE_ID = "node-id";
   private final io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext =
-      CommonTlsContextTestsUtil.buildUpstreamTlsContext("cert-instance-name", true, null, false);
+      CommonTlsContextTestsUtil.buildUpstreamTlsContext("cert-instance-name", true, "", false);
   private static final Cluster EDS_CLUSTER = Cluster.newBuilder()
       .setName(CLUSTER)
       .setType(Cluster.DiscoveryType.EDS)
diff --git a/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java
@@ -881,7 +881,8 @@ public void endpointAddressesAttachedWithClusterName() {
   @Test
   public void endpointAddressesAttachedWithTlsConfig_securityEnabledByDefault() {
     UpstreamTlsContext upstreamTlsContext =
-        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true, null, false);
+        CommonTlsContextTestsUtil.buildUpstreamTlsContext(
+            "google_cloud_private_spiffe", true, "", false);
     LoadBalancerProvider weightedTargetProvider = new WeightedTargetLoadBalancerProvider();
     WeightedTargetConfig weightedTargetConfig =
         buildWeightedTargetConfig(ImmutableMap.of(locality, 10));
@@ -925,8 +926,8 @@ public void endpointAddressesAttachedWithTlsConfig_securityEnabledByDefault() {
     }
 
     // Config with a new UpstreamTlsContext.
-    upstreamTlsContext =
-        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe1", true, null, false);
+    upstreamTlsContext = CommonTlsContextTestsUtil.buildUpstreamTlsContext(
+        "google_cloud_private_spiffe1", true, "", false);
     config = new ClusterImplConfig(CLUSTER, EDS_SERVICE_NAME, LRS_SERVER_INFO,
         null, Collections.<DropOverload>emptyList(),
         GracefulSwitchLoadBalancer.createLoadBalancingPolicyConfig(
diff --git a/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java
@@ -996,7 +996,7 @@ public void config_equalsTester() {
         ServerInfo.create("lrs.googleapis.com", InsecureChannelCredentials.create());
     UpstreamTlsContext tlsContext =
         CommonTlsContextTestsUtil.buildUpstreamTlsContext(
-            "google_cloud_private_spiffe", true, null, false);
+            "google_cloud_private_spiffe", true, "", false);
     DiscoveryMechanism edsDiscoveryMechanism1 =
         DiscoveryMechanism.forEds(CLUSTER, EDS_SERVICE_NAME, lrsServerInfo, 100L, tlsContext,
             Collections.emptyMap(), null);
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -221,7 +221,7 @@ public void tlsClientServer_useSystemRootCerts_noMtls_useCombinedValidationConte
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SNI_IN_UTC, false, null, false, false);
+              CLIENT_PEM_FILE, true, SNI_IN_UTC, false, "", false, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -271,7 +271,7 @@ public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SNI_IN_UTC, true, null, false, false);
+              CLIENT_PEM_FILE, true, SNI_IN_UTC, true, "", false, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -295,7 +295,7 @@ public void tlsClientServer_noAutoSniValidation_failureToMatchSubjAltNames()
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, "server1.test.google.in", false, null, false, false);
+              CLIENT_PEM_FILE, true, "server1.test.google.in", false, "", false, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -379,7 +379,7 @@ public void tlsClientServer_autoSniValidation_sniFromHostname()
   }
 
   @Test
-  public void tlsClientServer_autoSniValidation_noSNIApplicable_usesMatcherFromCmnVdnCtx()
+  public void tlsClientServer_autoSniValidation_noSniApplicable_usesMatcherFromCmnVdnCtx()
       throws Exception {
     CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
@@ -424,7 +424,7 @@ public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Except
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SNI_IN_UTC, false, null, false, false);
+              CLIENT_PEM_FILE, true, SNI_IN_UTC, false, "", false, false);
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
       assertThat(unaryRpc(/* requestMessage= */ "buddy", blockingStub)).isEqualTo("Hello buddy");
@@ -698,7 +698,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String cli
         .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile,
             CA_PEM_FILE, null, null, null, null, spiffeFile);
     return CommonTlsContextTestsUtil
-        .buildUpstreamTlsContext("google_cloud_private_spiffe-client", hasIdentityCert, null, false);
+        .buildUpstreamTlsContext("google_cloud_private_spiffe-client", hasIdentityCert, "", false);
   }
 
   @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
@@ -813,14 +813,16 @@ private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
     return getBlockingStub(upstreamTlsContext, overrideAuthority, overrideAuthority);
   }
 
-  // Two separate parameters for overrideAuthority and addrAttribute is for the SAN SNI validation test
-  // tlsClientServer_useSystemRootCerts_sni_san_validation_from_hostname that uses hostname passed for SNI.
-  // foo.test.google.fr is used for virtual host matching via authority but it can't be used
-  // for SNI in this testcase because foo.test.google.fr needs wildcard matching to match against *.test.google.fr
-  // in the certificate SNI, which isn't implemented yet (https://github.com/grpc/grpc-java/pull/12345 implements it)
+  // Two separate parameters for overrideAuthority and addrAttribute is for the SAN SNI validation
+  // test tlsClientServer_useSystemRootCerts_sni_san_validation_from_hostname that uses hostname
+  // passed for SNI. foo.test.google.fr is used for virtual host matching via authority but it
+  // can't be used for SNI in this testcase because foo.test.google.fr needs wildcard matching to
+  // match against *.test.google.fr in the certificate SNI, which isn't implemented yet
+  // (https://github.com/grpc/grpc-java/pull/12345 implements it)
   // so use an exact match SAN such as waterzooi.test.google.be for SNI for this testcase.
   private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
-      final UpstreamTlsContext upstreamTlsContext, String overrideAuthority, String addrNameAttribute) {
+      final UpstreamTlsContext upstreamTlsContext, String overrideAuthority,
+      String addrNameAttribute) {
     ManagedChannelBuilder<?> channelBuilder =
         Grpc.newChannelBuilder(
             "sectest://localhost:" + port,
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java

Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,6 @@ public SslContextProvider findOrCreateServerSslContextProvider(`
`71`	`71`	`public SslContextProvider findOrCreateClientSslContextProvider(`
`72`	`72`	`UpstreamTlsContext upstreamTlsContext) {`
`73`	`73`	`checkNotNull(upstreamTlsContext, "upstreamTlsContext");`
`74`		`- CommonTlsContext.Builder builder = upstreamTlsContext.getCommonTlsContext().toBuilder();`
`75`		`- upstreamTlsContext = new UpstreamTlsContext(builder.build());`
`76`	`74`	`return mapForClients.get(upstreamTlsContext);`
`77`	`75`	`}`
`78`	`76`
Original file line number	Diff line number	Diff line change
`@@ -233,21 +233,25 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain,`
`233`	`233`	`public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)`
`234`	`234`	`throws CertificateException {`
`235`	`235`	`chooseDelegate(chain).checkClientTrusted(chain, authType, socket);`
`236`		`- verifySubjectAltNameInChain(chain, new ArrayList<>());`
	`236`	`+ verifySubjectAltNameInChain(chain, certContext != null`
	`237`	`+ ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());`
`237`	`238`	`}`
`238`	`239`
`239`	`240`	`@Override`
`240`	`241`	`public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine)`
`241`	`242`	`throws CertificateException {`
`242`	`243`	`chooseDelegate(chain).checkClientTrusted(chain, authType, sslEngine);`
`243`		`- verifySubjectAltNameInChain(chain, new ArrayList<>());`
	`244`	`+ verifySubjectAltNameInChain(chain, certContext != null`
	`245`	`+ ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());`
`244`	`246`	`}`
`245`	`247`
`246`	`248`	`@Override`
	`249`	`+ @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names`
`247`	`250`	`public void checkClientTrusted(X509Certificate[] chain, String authType)`
`248`	`251`	`throws CertificateException {`
`249`	`252`	`chooseDelegate(chain).checkClientTrusted(chain, authType);`
`250`		`- verifySubjectAltNameInChain(chain, new ArrayList<>());`
	`253`	`+ verifySubjectAltNameInChain(chain, certContext != null`
	`254`	`+ ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());`
`251`	`255`	`}`
`252`	`256`
`253`	`257`	`@Override`
`@@ -264,7 +268,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket`
`264`	`268`	`}`
`265`	`269`	`sniMatchers = getAutoSniSanMatchers(sslParams);`
`266`	`270`	`}`
`267`		`- if (sniMatchers.isEmpty()) {`
	`271`	`+ if (sniMatchers.isEmpty() && certContext != null) {`
`268`	`272`	`sniMatchers = certContext.getMatchSubjectAltNamesList();`
`269`	`273`	`}`
`270`	`274`	`chooseDelegate(chain).checkServerTrusted(chain, authType, socket);`
`@@ -282,18 +286,20 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngi`
`282`	`286`	`sslEngine.setSSLParameters(sslParams);`
`283`	`287`	`sniMatchers = getAutoSniSanMatchers(sslParams);`
`284`	`288`	`}`
`285`		`- if (sniMatchers.isEmpty()) {`
	`289`	`+ if (sniMatchers.isEmpty() && certContext != null) {`
`286`	`290`	`sniMatchers = certContext.getMatchSubjectAltNamesList();`
`287`	`291`	`}`
`288`	`292`	`chooseDelegate(chain).checkServerTrusted(chain, authType, sslEngine);`
`289`	`293`	`verifySubjectAltNameInChain(chain, sniMatchers);`
`290`	`294`	`}`
`291`	`295`
`292`	`296`	`@Override`
	`297`	`+ @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names`
`293`	`298`	`public void checkServerTrusted(X509Certificate[] chain, String authType)`
`294`	`299`	`throws CertificateException {`
`295`	`300`	`chooseDelegate(chain).checkServerTrusted(chain, authType);`
`296`		`- verifySubjectAltNameInChain(chain, new ArrayList<>());`
	`301`	`+ verifySubjectAltNameInChain(chain, certContext != null`
	`302`	`+ ? certContext.getMatchSubjectAltNamesList() : new ArrayList<>());`
`297`	`303`	`}`
`298`	`304`
`299`	`305`	`private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {`
`@@ -312,6 +318,7 @@ private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {`
`312`	`318`	`}`
`313`	`319`	`return sniNamesToMatch;`
`314`	`320`	`}`
	`321`	`+`
`315`	`322`	`private X509ExtendedTrustManager chooseDelegate(X509Certificate[] chain)`
`316`	`323`	`throws CertificateException {`
`317`	`324`	`if (spiffeTrustMapDelegates != null) {`