Save changes.

kannanjgithub · kannanjgithub · commit 40769980a023 · 2025-09-08T06:14:52.000Z
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
@@ -138,6 +138,9 @@ public final void updateCertificate(PrivateKey key, List<X509Certificate> certCh
 
   @Override
   public final void updateTrustedRoots(List<X509Certificate> trustedRoots) {
+    if (isUsingSystemRootCerts) {
+      return;
+    }
     savedTrustedRoots = trustedRoots;
     updateSslContextWhenReady();
   }
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
@@ -229,9 +229,6 @@ private static CommonTlsContext.Builder addCertificateValidationContext(
       String rootInstanceName,
       String rootCertName,
       CertificateValidationContext staticCertValidationContext) {
-    if (staticCertValidationContext == null && rootInstanceName == null) {
-      return builder;
-    }
     CertificateValidationContext.Builder contextBuilder;
     if (staticCertValidationContext == null) {
       contextBuilder = CertificateValidationContext.newBuilder();
@@ -243,6 +240,10 @@ private static CommonTlsContext.Builder addCertificateValidationContext(
           .setInstanceName(rootInstanceName)
           .setCertificateName(rootCertName));
       builder.setValidationContext(contextBuilder.build());
+    } else {
+      builder.setValidationContext(contextBuilder.setSystemRootCerts(
+          CertificateValidationContext.SystemRootCerts.getDefaultInstance())
+              .build());
     }
     return builder.setCombinedValidationContext(CombinedCertificateValidationContext.newBuilder()
         .setDefaultValidationContext(contextBuilder));
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@@ -173,6 +173,63 @@ public void testProviderForClient_mtls() throws Exception {
     assertThat(testCallback1.updatedSslContext).isNotSameInstanceAs(testCallback.updatedSslContext);
   }
 
+  @Test
+  public void testProviderForClient_systemRootCerts() throws Exception {
+    final CertificateProvider.DistributorWatcher[] watcherCaptor =
+            new CertificateProvider.DistributorWatcher[1];
+    TestCertificateProvider.createAndRegisterProviderProvider(
+            certificateProviderRegistry, watcherCaptor, "testca", 0);
+    CertProviderClientSslContextProvider provider =
+            getSslContextProvider(
+                    "gcp_id",
+                    null,
+                    CommonBootstrapperTestUtils.getTestBootstrapInfo(),
+                    /* alpnProtocols= */ null,
+                    /* staticCertValidationContext= */ null);
+
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+    assertThat(provider.getSslContext()).isNull();
+
+    // now generate cert update, updates SslContext
+    watcherCaptor[0].updateCertificate(
+            CommonCertProviderTestUtils.getPrivateKey(CLIENT_KEY_FILE),
+            ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.getSslContext()).isNotNull();
+
+    TestCallback testCallback =
+            CommonTlsContextTestsUtil.getValueThruCallback(provider);
+
+    doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null);
+    TestCallback testCallback1 =
+            CommonTlsContextTestsUtil.getValueThruCallback(provider);
+    assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
+
+    // just do root cert update: trusted roots is not updated (because of system root certs config)
+    // and sslContext should still be the same
+    watcherCaptor[0].updateTrustedRoots(
+            ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+    testCallback1 = CommonTlsContextTestsUtil.getValueThruCallback(provider);
+    assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
+
+    // now update id cert: sslContext should be updated i.e.different from the previous one
+    watcherCaptor[0].updateCertificate(
+            CommonCertProviderTestUtils.getPrivateKey(SERVER_1_KEY_FILE),
+            ImmutableList.of(getCertFromResourceName(SERVER_1_PEM_FILE)));
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+    assertThat(provider.getSslContext()).isNotNull();
+    testCallback1 = CommonTlsContextTestsUtil.getValueThruCallback(provider);
+    assertThat(testCallback1.updatedSslContext).isNotSameInstanceAs(testCallback.updatedSslContext);
+  }
+
   @Test
   public void testProviderForClient_mtls_newXds() throws Exception {
     final CertificateProvider.DistributorWatcher[] watcherCaptor =

Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,9 @@ public final void updateCertificate(PrivateKey key, List<X509Certificate> certCh`
`138`	`138`
`139`	`139`	`@Override`
`140`	`140`	`public final void updateTrustedRoots(List<X509Certificate> trustedRoots) {`
	`141`	`+ if (isUsingSystemRootCerts) {`
	`142`	`+ return;`
	`143`	`+ }`
`141`	`144`	`savedTrustedRoots = trustedRoots;`
`142`	`145`	`updateSslContextWhenReady();`
`143`	`146`	`}`