TrustManager to server name from SslEngine instead of from ProtocolNegotiator.

Author: kannanjgithub

api/src/main/java/io/grpc/EquivalentAddressGroup.java

@@ -55,10 +55,7 @@ public final class EquivalentAddressGroup {
    */
   public static final Attributes.Key<String> ATTR_LOCALITY_NAME =
       Attributes.Key.create("io.grpc.EquivalentAddressGroup.LOCALITY");
-  /** Name associated with individual address, if available (e.g., DNS name). */
-  @Attr
-  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
-      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
+
   private final List<SocketAddress> addrs;
   private final Attributes attrs;
 

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -53,6 +53,7 @@
 import io.grpc.xds.client.XdsClient;
 import io.grpc.xds.client.XdsLogger;
 import io.grpc.xds.client.XdsLogger.XdsLogLevel;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import io.grpc.xds.internal.security.SslContextProviderSupplier;
 import io.grpc.xds.orca.OrcaPerRequestUtil;
@@ -241,9 +242,9 @@ public Subchannel createSubchannel(CreateSubchannelArgs args) {
           .set(ATTR_CLUSTER_LOCALITY, localityAtomicReference);
       if (GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)) {
         String hostname = args.getAddresses().get(0).getAttributes()
-            .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME);
+            .get(XdsInternalAttributes.ATTR_ADDRESS_NAME);
         if (hostname != null) {
-          attrsBuilder.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, hostname);
+          attrsBuilder.set(XdsInternalAttributes.ATTR_ADDRESS_NAME, hostname);
         }
       }
       args = args.toBuilder().setAddresses(addresses).setAttributes(attrsBuilder.build()).build();
@@ -439,7 +440,7 @@ public PickResult pickSubchannel(PickSubchannelArgs args) {
             result = PickResult.withSubchannel(result.getSubchannel(),
                 result.getStreamTracerFactory(),
                 result.getSubchannel().getAttributes().get(
-                    EquivalentAddressGroup.ATTR_ADDRESS_NAME));
+                    XdsInternalAttributes.ATTR_ADDRESS_NAME));
           }
         }
         return result;

xds/src/main/java/io/grpc/xds/ClusterResolverLoadBalancer.java

@@ -47,6 +47,7 @@
 import io.grpc.xds.client.Locality;
 import io.grpc.xds.client.XdsLogger;
 import io.grpc.xds.client.XdsLogger.XdsLogLevel;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.util.ArrayList;
@@ -194,7 +195,7 @@ StatusOr<ClusterResolutionResult> edsUpdateToResult(
                     .set(XdsAttributes.ATTR_LOCALITY_WEIGHT,
                         localityLbInfo.localityWeight())
                     .set(XdsAttributes.ATTR_SERVER_WEIGHT, weight)
-                    .set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, endpoint.hostname())
+                    .set(XdsInternalAttributes.ATTR_ADDRESS_NAME, endpoint.hostname())
                     .build();
             EquivalentAddressGroup eag;
             if (config.isHttp11ProxyAvailable()) {

xds/src/main/java/io/grpc/xds/internal/XdsInternalAttributes.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2022 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal;
+
+import io.grpc.Attributes;
+import io.grpc.EquivalentAddressGroup;
+
+public final class XdsInternalAttributes {
+  /** Name associated with individual address, if available (e.g., DNS name). */
+  @EquivalentAddressGroup.Attr
+  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
+      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
+}

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -33,6 +33,7 @@
 import io.grpc.netty.ProtocolNegotiationEvent;
 import io.grpc.xds.EnvoyServerProtoData;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.trust.CertificateUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerAdapter;
@@ -150,7 +151,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
         return fallbackProtocolNegotiator.newHandler(grpcHandler);
       }
       return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier,
-          grpcHandler.getEagAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME));
+          grpcHandler.getEagAttributes().get(XdsInternalAttributes.ATTR_ADDRESS_NAME));
     }
 
     @Override

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsTrustManagerFactory.java

@@ -130,7 +130,7 @@ private static X509Certificate[] getTrustedCaFromCertContext(
   static XdsX509TrustManager createX509TrustManager(
       X509Certificate[] certs, CertificateValidationContext certContext, String sniForSanMatching)
       throws CertStoreException {
-    return new XdsX509TrustManager(certContext, createTrustManager(certs), sniForSanMatching);
+    return new XdsX509TrustManager(certContext, createTrustManager(certs));
   }
 
   @VisibleForTesting
@@ -144,7 +144,7 @@ static XdsX509TrustManager createX509TrustManager(
       delegates.put(entry.getKey(), createTrustManager(
           entry.getValue().toArray(new X509Certificate[0])));
     }
-    return new XdsX509TrustManager(certContext, delegates, sniForSanMatching);
+    return new XdsX509TrustManager(certContext, delegates);
   }
 
   private static X509ExtendedTrustManager createTrustManager(X509Certificate[] certs)

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -23,6 +23,7 @@
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Lists;
 import com.google.re2j.Pattern;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.type.matcher.v3.RegexMatcher;
@@ -32,6 +33,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashSet;
@@ -40,6 +42,8 @@
 import java.util.Map;
 import java.util.Set;
 import javax.annotation.Nullable;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
@@ -61,30 +65,21 @@ final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509
   private final X509ExtendedTrustManager delegate;
   private final Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates;
   private final CertificateValidationContext certContext;
-  private final String sniForSanMatching;
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
                       X509ExtendedTrustManager delegate) {
-    this(certContext, delegate, null);
-  }
-
-  XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-                      X509ExtendedTrustManager delegate, @Nullable String sniForSanMatching) {
     checkNotNull(delegate, "delegate");
     this.certContext = certContext;
     this.delegate = delegate;
     this.spiffeTrustMapDelegates = null;
-    this.sniForSanMatching = sniForSanMatching;
   }
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates,
-      @Nullable String sniForSanMatching) {
+      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates) {
     checkNotNull(spiffeTrustMapDelegates, "spiffeTrustMapDelegates");
     this.spiffeTrustMapDelegates = ImmutableMap.copyOf(spiffeTrustMapDelegates);
     this.certContext = certContext;
     this.delegate = null;
-    this.sniForSanMatching = sniForSanMatching;
   }
 
   private static boolean verifyDnsNameInPattern(
@@ -213,15 +208,10 @@ private static void verifySubjectAltNameInLeaf(
    * This is called from various check*Trusted methods.
    */
   @VisibleForTesting
-  void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws CertificateException {
+  void verifySubjectAltNameInChain(X509Certificate[] peerCertChain, List<StringMatcher> verifyList) throws CertificateException {
     if (certContext == null) {
       return;
     }
-    @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
-    List<StringMatcher> verifyList =
-        CertificateUtils.isXdsSniEnabled && !Strings.isNullOrEmpty(sniForSanMatching)
-            ? ImmutableList.of(StringMatcher.newBuilder().setExact(sniForSanMatching).build())
-            : certContext.getMatchSubjectAltNamesList();
     if (verifyList.isEmpty()) {
       return;
     }
@@ -233,24 +223,27 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws Certifi
   }
 
   @Override
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType, socket);
-    verifySubjectAltNameInChain(chain);
+    verifySubjectAltNameInChain(chain, certContext.getMatchSubjectAltNamesList());
   }
 
   @Override
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType, sslEngine);
-    verifySubjectAltNameInChain(chain);
+    verifySubjectAltNameInChain(chain, certContext.getMatchSubjectAltNamesList());
   }
 
   @Override
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   public void checkClientTrusted(X509Certificate[] chain, String authType)
       throws CertificateException {
     chooseDelegate(chain).checkClientTrusted(chain, authType);
-    verifySubjectAltNameInChain(chain);
+    verifySubjectAltNameInChain(chain, certContext.getMatchSubjectAltNamesList());
   }
 
   @Override
@@ -265,7 +258,22 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket
       }
     }
     chooseDelegate(chain).checkServerTrusted(chain, authType, socket);
-    verifySubjectAltNameInChain(chain);
+    List<StringMatcher> sniMatchers = null;
+    if (CertificateUtils.isXdsSniEnabled) {
+      List<SNIServerName> serverNames = ((SSLSocket) socket).getSSLParameters().getServerNames();
+      if (serverNames != null) {
+        for (SNIServerName name : serverNames) {
+          if (name instanceof SNIHostName) {
+            sniMatchers = new ArrayList<>();
+            sniMatchers.add(StringMatcher.newBuilder().setExact(((SNIHostName) name).getAsciiName()).build());
+          }
+        }
+      }
+    }
+    if (sniMatchers == null) {
+      sniMatchers = certContext.getMatchSubjectAltNamesList();
+    }
+    verifySubjectAltNameInChain(chain, sniMatchers);
   }
 
   @Override

xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java

@@ -77,6 +77,7 @@
 import io.grpc.xds.client.Stats.ClusterStats;
 import io.grpc.xds.client.Stats.UpstreamLocalityStats;
 import io.grpc.xds.client.XdsClient;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import io.grpc.xds.internal.security.SslContextProvider;
@@ -811,10 +812,10 @@ public void endpointAddressesAttachedWithClusterName() {
               new FixedResultPicker(PickResult.withSubchannel(subchannel)));
         }
       });
-      assertThat(subchannel.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo(
+      assertThat(subchannel.getAttributes().get(XdsInternalAttributes.ATTR_ADDRESS_NAME)).isEqualTo(
           "authority-host-name");
       for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-        assertThat(eag.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME))
+        assertThat(eag.getAttributes().get(XdsInternalAttributes.ATTR_ADDRESS_NAME))
             .isEqualTo("authority-host-name");
       }
 
@@ -863,9 +864,9 @@ public void endpointAddressesAttachedWithClusterName() {
       }
     });
     // Sub Channel wrapper args won't have the address name although addresses will.
-    assertThat(subchannel.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isNull();
+    assertThat(subchannel.getAttributes().get(XdsInternalAttributes.ATTR_ADDRESS_NAME)).isNull();
     for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-      assertThat(eag.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME))
+      assertThat(eag.getAttributes().get(XdsInternalAttributes.ATTR_ADDRESS_NAME))
           .isEqualTo("authority-host-name");
     }
 
@@ -1019,7 +1020,7 @@ public String toString() {
         // Unique but arbitrary string
         .set(EquivalentAddressGroup.ATTR_LOCALITY_NAME, locality.toString());
     if (authorityHostname != null) {
-      attributes.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, authorityHostname);
+      attributes.set(XdsInternalAttributes.ATTR_ADDRESS_NAME, authorityHostname);
     }
     EquivalentAddressGroup eag = new EquivalentAddressGroup(new FakeSocketAddress(name),
         attributes.build());

xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java

@@ -102,6 +102,7 @@
 import io.grpc.xds.WrrLocalityLoadBalancer.WrrLocalityConfig;
 import io.grpc.xds.client.Bootstrapper.ServerInfo;
 import io.grpc.xds.client.XdsClient;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
 import java.net.InetSocketAddress;
 import java.net.URI;
@@ -408,7 +409,7 @@ public void edsClustersEndpointHostname_addedToAddressAttribute() {
 
     assertThat(
         childBalancer.addresses.get(0).getAttributes()
-            .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
+            .get(XdsInternalAttributes.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
   }
 
   @Test
@@ -897,7 +898,7 @@ public void onlyLogicalDnsCluster_endpointsResolved() {
             newInetSocketAddress("127.0.2.1", 9000), newInetSocketAddress("127.0.2.2", 9000)))),
         childBalancer.addresses);
     assertThat(childBalancer.addresses.get(0).getAttributes()
-        .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME + ":9000");
+        .get(XdsInternalAttributes.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME + ":9000");
   }
 
   @Test

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -71,6 +71,7 @@
 import io.grpc.xds.client.Bootstrapper;
 import io.grpc.xds.client.CommonBootstrapperTestUtils;
 import io.grpc.xds.internal.Matchers.HeaderMatcher;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import io.grpc.xds.internal.security.SslContextProviderSupplier;
@@ -839,7 +840,7 @@ private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
                 upstreamTlsContext, tlsContextManagerForClient))
         : Attributes.newBuilder();
     if (addrNameAttribute != null) {
-      sslContextAttributesBuilder.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, addrNameAttribute);
+      sslContextAttributesBuilder.set(XdsInternalAttributes.ATTR_ADDRESS_NAME, addrNameAttribute);
     }
     sslContextAttributes = sslContextAttributesBuilder.build();
     fakeNameResolverFactory.setServers(