Netty authority verify against peer host in server cert.

Author: kannanjgithub

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -81,17 +81,13 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.EnumSet;
-import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.Executor;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nullable;
-import javax.net.ssl.ExtendedSSLSession;
-import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
@@ -197,28 +193,6 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
     }
   }
 
-  private static Optional<TrustManager> getX509ExtendedTrustManager(InputStream rootCerts)
-      throws GeneralSecurityException {
-    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-    try {
-      ks.load(null, null);
-    } catch (IOException ex) {
-      // Shouldn't really happen, as we're not loading any data.
-      throw new GeneralSecurityException(ex);
-    }
-    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
-    for (X509Certificate cert : certs) {
-      X500Principal principal = cert.getSubjectX500Principal();
-      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
-    }
-
-    TrustManagerFactory trustManagerFactory =
-        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-    trustManagerFactory.init(ks);
-    return Arrays.stream(trustManagerFactory.getTrustManagers())
-        .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
-  }
-
   public static FromServerCredentialsResult from(ServerCredentials creds) {
     if (creds instanceof TlsServerCredentials) {
       TlsServerCredentials tlsCreds = (TlsServerCredentials) creds;
@@ -297,6 +271,28 @@ public static FromServerCredentialsResult from(ServerCredentials creds) {
     }
   }
 
+  private static Optional<TrustManager> getX509ExtendedTrustManager(InputStream rootCerts)
+      throws GeneralSecurityException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    try {
+      ks.load(null, null);
+    } catch (IOException ex) {
+      // Shouldn't really happen, as we're not loading any data.
+      throw new GeneralSecurityException(ex);
+    }
+    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
+    for (X509Certificate cert : certs) {
+      X500Principal principal = cert.getSubjectX500Principal();
+      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+    }
+
+    TrustManagerFactory trustManagerFactory =
+        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(ks);
+    return Arrays.stream(trustManagerFactory.getTrustManagers())
+        .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+  }
+
   public static final class FromChannelCredentialsResult {
     public final ProtocolNegotiator.ClientFactory negotiator;
     public final CallCredentials callCredentials;
@@ -650,7 +646,7 @@ boolean canVerifyAuthorityOverride() {
 
     public void verifyAuthorityAllowedForPeerCert(String authority)
         throws SSLPeerUnverifiedException, CertificateException {
-      SSLEngine sslEngineWrapper = new SSLEngineWrapper(sslEngine, authority);
+      SSLEngine sslEngineWrapper = new SslEngineWrapper(sslEngine, authority);
       // The typecasting of Certificate to X509Certificate should work because this method will only
       // be called when there is a X509ExtendedTrustManager available.
       Certificate[] peerCertificates = sslEngine.getSession().getPeerCertificates();
@@ -664,6 +660,11 @@ public void verifyAuthorityAllowedForPeerCert(String authority)
     public void setSslEngine(SSLEngine sslEngine) {
       this.sslEngine = sslEngine;
     }
+
+    @VisibleForTesting
+    boolean hasX509ExtendedTrustManager() {
+      return x509ExtendedTrustManager != null;
+    }
   }
 
   static final class ClientTlsHandler extends ProtocolNegotiationHandler {
@@ -1204,12 +1205,12 @@ protected final void fireProtocolNegotiationEvent(ChannelHandlerContext ctx) {
     }
   }
 
-  static final class SSLEngineWrapper extends SSLEngine {
+  static final class SslEngineWrapper extends SSLEngine {
 
     private final SSLEngine sslEngine;
     private final String peerHost;
 
-    SSLEngineWrapper(SSLEngine sslEngine, String peerHost) {
+    SslEngineWrapper(SSLEngine sslEngine, String peerHost) {
       this.sslEngine = sslEngine;
       this.peerHost = peerHost;
     }
@@ -1221,7 +1222,7 @@ public String getPeerHost() {
 
     @Override
     public SSLSession getHandshakeSession() {
-      return new FakeSSLSession(peerHost);
+      return new FakeSslSession(peerHost);
     }
 
     @Override
@@ -1352,10 +1353,10 @@ public boolean getEnableSessionCreation() {
     }
   }
 
-  static class FakeSSLSession implements SSLSession {
+  static class FakeSslSession implements SSLSession {
     private final String peerHost;
 
-    FakeSSLSession(String peerHost) {
+    FakeSslSession(String peerHost) {
       this.peerHost = peerHost;
     }
 
@@ -1370,8 +1371,9 @@ public SSLSessionContext getSessionContext() {
     }
 
     @Override
-    public javax.security.cert.X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-      throw new UnsupportedOperationException("This method is deprecated and marked for removal. Use the getPeerCertificates() method instead.");
+    public javax.security.cert.X509Certificate[] getPeerCertificateChain() {
+      throw new UnsupportedOperationException("This method is deprecated and marked for removal. "
+          + "Use the getPeerCertificates() method instead.");
     }
 
     @Override

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -59,9 +59,11 @@
 import io.grpc.internal.ClientStream;
 import io.grpc.internal.ClientStreamListener;
 import io.grpc.internal.ClientTransport;
+import io.grpc.internal.FailingClientStream;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.FixedObjectPool;
 import io.grpc.internal.GrpcUtil;
+import io.grpc.internal.InsightBuilder;
 import io.grpc.internal.ManagedClientTransport;
 import io.grpc.internal.ServerListener;
 import io.grpc.internal.ServerStream;
@@ -73,6 +75,7 @@
 import io.grpc.netty.NettyChannelBuilder.LocalSocketPicker;
 import io.grpc.netty.NettyTestUtil.TrackingObjectPoolForTest;
 import io.grpc.testing.TlsTesting;
+import io.grpc.util.CertificateUtils;
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelConfig;
@@ -100,7 +103,12 @@
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -114,6 +122,11 @@
 import javax.annotation.Nullable;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Rule;
@@ -199,7 +212,7 @@ public void addDefaultUserAgent() throws Exception {
   }
 
   @Test
-  public void setSoLingerChannelOption() throws IOException {
+  public void setSoLingerChannelOption() throws IOException, GeneralSecurityException {
     startServer();
     Map<ChannelOption<?>, Object> channelOptions = new HashMap<>();
     // set SO_LINGER option
@@ -817,17 +830,86 @@ public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
     assertEquals(false, serverExecutorPool.isInUse());
   }
 
+  @Test
+  public void authorityOverrideInCallOptions_doesntMatchServerPeerHost_newStreamCreationFails()
+      throws IOException, InterruptedException, GeneralSecurityException {
+    startServer();
+    NettyClientTransport transport = newTransport(newNegotiator());
+    FakeClientTransportListener fakeClientTransportListener = new FakeClientTransportListener();
+    callMeMaybe(transport.start(fakeClientTransportListener));
+    synchronized (fakeClientTransportListener) {
+      fakeClientTransportListener.wait(10000);
+    }
+    assertThat(fakeClientTransportListener.isConnected).isTrue();
+
+    ClientStream stream = transport.newStream(
+        Rpc.METHOD, new Metadata(), CallOptions.DEFAULT.withAuthority("foo.test.google.in"),
+        new ClientStreamTracer[]{new ClientStreamTracer() {
+        }});
+
+    assertThat(stream).isInstanceOf(FailingClientStream.class);
+    InsightBuilder insightBuilder = new InsightBuilder();
+    stream.appendTimeoutInsight(insightBuilder);
+    assertThat(insightBuilder.toString()).contains(
+        "Status{code=INTERNAL, description=Peer hostname verification failed for authority, "
+            + "cause=null}");
+  }
+
+  @Test
+  public void authorityOverrideInCallOptions_matchesServerPeerHost_newStreamCreationSucceeds()
+      throws IOException, InterruptedException, GeneralSecurityException {
+    startServer();
+    NettyClientTransport transport = newTransport(newNegotiator());
+    FakeClientTransportListener fakeClientTransportListener = new FakeClientTransportListener();
+    callMeMaybe(transport.start(fakeClientTransportListener));
+    synchronized (fakeClientTransportListener) {
+      fakeClientTransportListener.wait(10000);
+    }
+    assertThat(fakeClientTransportListener.isConnected).isTrue();
+
+    ClientStream stream = transport.newStream(
+        Rpc.METHOD, new Metadata(), CallOptions.DEFAULT.withAuthority("zoo.test.google.fr"),
+        new ClientStreamTracer[]{new ClientStreamTracer() {
+        }});
+
+    assertThat(stream).isNotInstanceOf(FailingClientStream.class);
+  }
+
   private Throwable getRootCause(Throwable t) {
     if (t.getCause() == null) {
       return t;
     }
     return getRootCause(t.getCause());
   }
 
-  private ProtocolNegotiator newNegotiator() throws IOException {
+  private ProtocolNegotiator newNegotiator() throws IOException, GeneralSecurityException {
     InputStream caCert = TlsTesting.loadCert("ca.pem");
     SslContext clientContext = GrpcSslContexts.forClient().trustManager(caCert).build();
-    return ProtocolNegotiators.tls(clientContext, null);
+    return ProtocolNegotiators.tls(clientContext,
+        (X509ExtendedTrustManager) getX509ExtendedTrustManager(
+            TlsTesting.loadCert("ca.pem")).get());
+  }
+
+  private static Optional<TrustManager> getX509ExtendedTrustManager(InputStream rootCerts)
+      throws GeneralSecurityException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    try {
+      ks.load(null, null);
+    } catch (IOException ex) {
+      // Shouldn't really happen, as we're not loading any data.
+      throw new GeneralSecurityException(ex);
+    }
+    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
+    for (X509Certificate cert : certs) {
+      X500Principal principal = cert.getSubjectX500Principal();
+      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+    }
+
+    TrustManagerFactory trustManagerFactory =
+        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(ks);
+    return Arrays.stream(trustManagerFactory.getTrustManagers())
+        .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
   }
 
   private NettyClientTransport newTransport(ProtocolNegotiator negotiator) {
@@ -951,7 +1033,7 @@ private static class Rpc {
 
     Rpc(NettyClientTransport transport, Metadata headers) {
       stream = transport.newStream(
-          METHOD, headers, CallOptions.DEFAULT.withAuthority("wrong-authority"),
+          METHOD, headers, CallOptions.DEFAULT,
           new ClientStreamTracer[]{ new ClientStreamTracer() {} });
       stream.start(listener);
       stream.request(1);
@@ -1144,4 +1226,51 @@ public void log(ChannelLogLevel level, String message) {}
     @Override
     public void log(ChannelLogLevel level, String messageFormat, Object... args) {}
   }
+
+  static class FakeTrustManager implements X509TrustManager {
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
+        throws CertificateException {
+
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
+        throws CertificateException {
+
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+      return new X509Certificate[0];
+    }
+  }
+
+  static class FakeClientTransportListener implements ManagedClientTransport.Listener {
+    private boolean isConnected = false;
+
+    @Override
+    public void transportShutdown(Status s) {
+
+    }
+
+    @Override
+    public void transportTerminated() {
+
+    }
+
+    @Override
+    public void transportReady() {
+      isConnected = true;
+      synchronized (this) {
+        notify();
+      }
+    }
+
+    @Override
+    public void transportInUse(boolean inUse) {
+
+    }
+  }
 }