Merge from system root certs PR.

kannanjgithub · kannanjgithub · commit 9a817f8b4d00 · 2025-09-24T09:56:57.000Z
diff --git a/api/src/main/java/io/grpc/EquivalentAddressGroup.java b/api/src/main/java/io/grpc/EquivalentAddressGroup.java
@@ -55,6 +55,10 @@ public final class EquivalentAddressGroup {
    */
   public static final Attributes.Key<String> ATTR_LOCALITY_NAME =
       Attributes.Key.create("io.grpc.EquivalentAddressGroup.LOCALITY");
+  /** Name associated with individual address, if available (e.g., DNS name). */
+  @Attr
+  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
+      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
   private final List<SocketAddress> addrs;
   private final Attributes attrs;
 
diff --git a/xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java b/xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java
@@ -241,9 +241,9 @@ public Subchannel createSubchannel(CreateSubchannelArgs args) {
           .set(ATTR_CLUSTER_LOCALITY, localityAtomicReference);
       if (GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)) {
         String hostname = args.getAddresses().get(0).getAttributes()
-            .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME);
+            .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME);
         if (hostname != null) {
-          attrsBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, hostname);
+          attrsBuilder.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, hostname);
         }
       }
       args = args.toBuilder().setAddresses(addresses).setAttributes(attrsBuilder.build()).build();
@@ -439,7 +439,7 @@ public PickResult pickSubchannel(PickSubchannelArgs args) {
             result = PickResult.withSubchannel(result.getSubchannel(),
                 result.getStreamTracerFactory(),
                 result.getSubchannel().getAttributes().get(
-                    SecurityProtocolNegotiators.ATTR_ADDRESS_NAME));
+                    EquivalentAddressGroup.ATTR_ADDRESS_NAME));
           }
         }
         return result;
diff --git a/xds/src/main/java/io/grpc/xds/ClusterResolverLoadBalancer.java b/xds/src/main/java/io/grpc/xds/ClusterResolverLoadBalancer.java
@@ -195,7 +195,7 @@ StatusOr<ClusterResolutionResult> edsUpdateToResult(
                     .set(XdsAttributes.ATTR_LOCALITY_WEIGHT,
                         localityLbInfo.localityWeight())
                     .set(XdsAttributes.ATTR_SERVER_WEIGHT, weight)
-                    .set(XdsAttributes.ATTR_ADDRESS_NAME, endpoint.hostname())
+                    .set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, endpoint.hostname())
                     .build();
             EquivalentAddressGroup eag;
             if (config.isHttp11ProxyAvailable()) {
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
@@ -57,11 +57,6 @@
 @VisibleForTesting
 public final class SecurityProtocolNegotiators {
 
-  /** Name associated with individual address, if available (e.g., DNS name). */
-  @EquivalentAddressGroup.Attr
-  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
-      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
-
   // Prevent instantiation.
   private SecurityProtocolNegotiators() {
   }
@@ -155,7 +150,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
         return fallbackProtocolNegotiator.newHandler(grpcHandler);
       }
       return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier,
-          grpcHandler.getEagAttributes().get(ATTR_ADDRESS_NAME));
+          grpcHandler.getEagAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME));
     }
 
     @Override
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -22,16 +22,16 @@
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.internal.security.CommonTlsContextUtil;
 import io.grpc.xds.internal.security.trust.XdsTrustManagerFactory;
 import io.netty.handler.ssl.SslContextBuilder;
 import java.security.cert.CertStoreException;
 import java.security.cert.X509Certificate;
 import java.util.AbstractMap;
 import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
 import java.util.Map;
 import javax.annotation.Nullable;
+import javax.net.ssl.TrustManager;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
 final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
@@ -56,30 +56,13 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         upstreamTlsContext,
         certificateProviderStore);
     this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;
-    if (rootCertInstance == null
-        && CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext())
-        && !isMtls()) {
-      try {
-        // Instantiate sslContext so that addCallback will immediately update the callback with
-        // the SslContext.
-        AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager> sslContextBuilderAndTm =
-            getSslContextBuilderAndExtendedX509TrustManager(staticCertificateValidationContext);
-        sslContextAndExtendedX509TrustManager = new AbstractMap.SimpleImmutableEntry(
-            sslContextBuilderAndTm.getKey().build(), sslContextBuilderAndTm.getValue());
-      } catch (CertStoreException | CertificateException | IOException e) {
-        throw new RuntimeException(e);
-      }
-    }
   }
 
   @Override
-  protected final SslContextBuilder getSslContextBuilder(
-          CertificateValidationContext certificateValidationContextdationContext)
-      throws CertStoreException {
   protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
       getSslContextBuilderAndExtendedX509TrustManager(
           CertificateValidationContext certificateValidationContext)
-              throws CertificateException, IOException, CertStoreException {
+              throws CertStoreException {
     SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
     if (savedSpiffeTrustMap != null) {
       sslContextBuilder = sslContextBuilder.trustManager(
@@ -91,6 +74,7 @@ protected final SslContextBuilder getSslContextBuilder(
           new XdsTrustManagerFactory(
               savedTrustedRoots.toArray(new X509Certificate[0]),
               certificateValidationContext, sniForSanMatching));
+    }
     XdsTrustManagerFactory trustManagerFactory;
     if (rootCertInstance != null) {
       if (savedSpiffeTrustMap != null) {
diff --git a/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java
@@ -811,10 +811,10 @@ public void endpointAddressesAttachedWithClusterName() {
               new FixedResultPicker(PickResult.withSubchannel(subchannel)));
         }
       });
-      assertThat(subchannel.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isEqualTo(
+      assertThat(subchannel.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo(
           "authority-host-name");
       for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-        assertThat(eag.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME))
+        assertThat(eag.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME))
             .isEqualTo("authority-host-name");
       }
 
@@ -863,9 +863,9 @@ public void endpointAddressesAttachedWithClusterName() {
       }
     });
     // Sub Channel wrapper args won't have the address name although addresses will.
-    assertThat(subchannel.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isNull();
+    assertThat(subchannel.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isNull();
     for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-      assertThat(eag.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME))
+      assertThat(eag.getAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME))
           .isEqualTo("authority-host-name");
     }
 
@@ -1019,7 +1019,7 @@ public String toString() {
         // Unique but arbitrary string
         .set(EquivalentAddressGroup.ATTR_LOCALITY_NAME, locality.toString());
     if (authorityHostname != null) {
-      attributes.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, authorityHostname);
+      attributes.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, authorityHostname);
     }
     EquivalentAddressGroup eag = new EquivalentAddressGroup(new FakeSocketAddress(name),
         attributes.build());
diff --git a/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java
@@ -408,7 +408,7 @@ public void edsClustersEndpointHostname_addedToAddressAttribute() {
 
     assertThat(
         childBalancer.addresses.get(0).getAttributes()
-            .get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
+            .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
   }
 
   @Test
@@ -897,7 +897,7 @@ public void onlyLogicalDnsCluster_endpointsResolved() {
             newInetSocketAddress("127.0.2.1", 9000), newInetSocketAddress("127.0.2.2", 9000)))),
         childBalancer.addresses);
     assertThat(childBalancer.addresses.get(0).getAttributes()
-        .get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME + ":9000");
+        .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME + ":9000");
   }
 
   @Test
@@ -995,7 +995,7 @@ public void config_equalsTester() {
     ServerInfo lrsServerInfo =
         ServerInfo.create("lrs.googleapis.com", InsecureChannelCredentials.create());
     UpstreamTlsContext tlsContext =
-        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true);
+        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true, null, false);
     DiscoveryMechanism edsDiscoveryMechanism1 =
         DiscoveryMechanism.forEds(CLUSTER, EDS_SERVICE_NAME, lrsServerInfo, 100L, tlsContext,
             Collections.emptyMap(), null);
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -85,7 +85,6 @@
 import java.net.Inet4Address;
 import java.net.InetSocketAddress;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyStore;
@@ -840,7 +839,7 @@ private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
                 upstreamTlsContext, tlsContextManagerForClient))
         : Attributes.newBuilder();
     if (addrNameAttribute != null) {
-      sslContextAttributesBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, addrNameAttribute);
+      sslContextAttributesBuilder.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, addrNameAttribute);
     }
     sslContextAttributes = sslContextAttributesBuilder.build();
     fakeNameResolverFactory.setServers(
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java
@@ -87,13 +87,13 @@ public void createCertProviderClientSslContextProvider() throws XdsInitializatio
             new ClientSslContextProviderFactory(
                     bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], false);
     // verify that bootstrapInfo is cached...
     sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
   }
@@ -120,7 +120,7 @@ public void bothPresent_expectCertProviderClientSslContextProvider()
             new ClientSslContextProviderFactory(
                     bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
@@ -146,7 +146,7 @@ public void createCertProviderClientSslContextProvider_onlyRootCert()
             new ClientSslContextProviderFactory(
                     bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-            clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+            clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
@@ -180,7 +180,7 @@ public void createCertProviderClientSslContextProvider_withStaticContext()
             new ClientSslContextProviderFactory(bootstrapInfo,
                     certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-            clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+            clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
@@ -210,7 +210,7 @@ public void createCertProviderClientSslContextProvider_2providers()
             new ClientSslContextProviderFactory(
                     bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
@@ -247,7 +247,7 @@ public void createNewCertProviderClientSslContextProvider_withSans() {
         new ClientSslContextProviderFactory(
             bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
@@ -281,7 +281,7 @@ public void createNewCertProviderClientSslContextProvider_onlyRootCert() {
         new ClientSslContextProviderFactory(
             bootstrapInfo, certProviderClientSslContextProviderFactory);
     SslContextProvider sslContextProvider =
-        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI));
+        clientSslContextProviderFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI));
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
     verifyWatcher(sslContextProvider, watcherCaptor[0], true);
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java
@@ -36,6 +36,7 @@
 import io.grpc.Attributes;
 import io.grpc.ChannelLogger;
 import io.grpc.ChannelLogger.ChannelLogLevel;
+import io.grpc.EquivalentAddressGroup;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.TestUtils.NoopChannelLogger;
 import io.grpc.netty.GrpcHttp2ConnectionHandler;
@@ -165,7 +166,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_autoHostSni_hostnameIsPas
               Attributes.newBuilder()
                   .set(SecurityProtocolNegotiators.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER,
                       new SslContextProviderSupplier(upstreamTlsContext, mockTlsContextManager))
-                  .set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, FAKE_AUTHORITY)
+                  .set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, FAKE_AUTHORITY)
                   .build());
       ChannelHandler newHandler = pn.newHandler(mockHandler);
       assertThat(newHandler).isNotNull();
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java
@@ -93,7 +93,8 @@ public void get_updateSecret() {
     SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
     assertThat(capturedCallback).isNotNull();
     AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> mockSslContextAndTm =
-        mock(AbstractMap.SimpleImmutableEntry.class);
+        (AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>)
+            mock(AbstractMap.SimpleImmutableEntry.class);
     capturedCallback.updateSslContextAndExtendedX509TrustManager(mockSslContextAndTm);
     verify(mockCallback, times(1)).updateSslContextAndExtendedX509TrustManager(eq(mockSslContextAndTm));
     verify(mockTlsContextManager, times(1))
@@ -118,7 +119,8 @@ public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
     SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
     assertThat(capturedCallback).isNotNull();
     AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> mockSslContextAndTm =
-        mock(AbstractMap.SimpleImmutableEntry.class);
+        (AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>)
+            mock(AbstractMap.SimpleImmutableEntry.class);
     capturedCallback.updateSslContextAndExtendedX509TrustManager(mockSslContextAndTm);
     verify(mockCallback, times(1))
         .updateSslContextAndExtendedX509TrustManager(eq(mockSslContextAndTm));
@@ -174,7 +176,8 @@ public void systemRootCertsWithMtls_callbackExecutedFromProvider() {
     SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
     assertThat(capturedCallback).isNotNull();
     AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> mockSslContextAndTm =
-        mock(AbstractMap.SimpleImmutableEntry.class);
+        (AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>)
+            mock(AbstractMap.SimpleImmutableEntry.class);
     capturedCallback.updateSslContextAndExtendedX509TrustManager(mockSslContextAndTm);
     verify(mockCallback, times(1))
         .updateSslContextAndExtendedX509TrustManager(eq(mockSslContextAndTm));
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java
@@ -169,7 +169,7 @@ public void createClientSslContextProvider_releaseInstance() {
     TlsContextManagerImpl tlsContextManagerImpl =
         new TlsContextManagerImpl(mockClientFactory, mockServerFactory);
     SslContextProvider mockProvider = mock(SslContextProvider.class);
-    when(mockClientFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI)))
+    when(mockClientFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI)))
         .thenReturn(mockProvider);
     SslContextProvider clientSecretProvider =
         tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);

Original file line number	Diff line number	Diff line change
`@@ -241,9 +241,9 @@ public Subchannel createSubchannel(CreateSubchannelArgs args) {`
`241`	`241`	`.set(ATTR_CLUSTER_LOCALITY, localityAtomicReference);`
`242`	`242`	`if (GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)) {`
`243`	`243`	`String hostname = args.getAddresses().get(0).getAttributes()`
`244`		`- .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME);`
	`244`	`+ .get(EquivalentAddressGroup.ATTR_ADDRESS_NAME);`
`245`	`245`	`if (hostname != null) {`
`246`		`- attrsBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, hostname);`
	`246`	`+ attrsBuilder.set(EquivalentAddressGroup.ATTR_ADDRESS_NAME, hostname);`
`247`	`247`	`}`
`248`	`248`	`}`
`249`	`249`	`args = args.toBuilder().setAddresses(addresses).setAttributes(attrsBuilder.build()).build();`
`@@ -439,7 +439,7 @@ public PickResult pickSubchannel(PickSubchannelArgs args) {`
`439`	`439`	`result = PickResult.withSubchannel(result.getSubchannel(),`
`440`	`440`	`result.getStreamTracerFactory(),`
`441`	`441`	`result.getSubchannel().getAttributes().get(`
`442`		`- SecurityProtocolNegotiators.ATTR_ADDRESS_NAME));`
	`442`	`+ EquivalentAddressGroup.ATTR_ADDRESS_NAME));`
`443`	`443`	`}`
`444`	`444`	`}`
`445`	`445`	`return result;`
Original file line number	Diff line number	Diff line change
`@@ -57,11 +57,6 @@`
`57`	`57`	`@VisibleForTesting`
`58`	`58`	`public final class SecurityProtocolNegotiators {`
`59`	`59`
`60`		`- /** Name associated with individual address, if available (e.g., DNS name). */`
`61`		`- @EquivalentAddressGroup.Attr`
`62`		`- public static final Attributes.Key<String> ATTR_ADDRESS_NAME =`
`63`		`- Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");`
`64`		`-`
`65`	`60`	`// Prevent instantiation.`
`66`	`61`	`private SecurityProtocolNegotiators() {`
`67`	`62`	`}`
`@@ -155,7 +150,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {`
`155`	`150`	`return fallbackProtocolNegotiator.newHandler(grpcHandler);`
`156`	`151`	`}`
`157`	`152`	`return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier,`
`158`		`- grpcHandler.getEagAttributes().get(ATTR_ADDRESS_NAME));`
	`153`	`+ grpcHandler.getEagAttributes().get(EquivalentAddressGroup.ATTR_ADDRESS_NAME));`
`159`	`154`	`}`
`160`	`155`
`161`	`156`	`@Override`