XdsX509TrustManager changes for auto sni san validation.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java

@@ -75,19 +75,22 @@ public static final class UpstreamTlsContext extends BaseTlsContext {
 
     private final String sni;
     private final boolean auto_host_sni;
+    private final boolean auto_sni_san_validation;
 
     @VisibleForTesting
     public UpstreamTlsContext(CommonTlsContext commonTlsContext) {
       super(commonTlsContext);
       this.sni = null;
       this.auto_host_sni = false;
+      this.auto_sni_san_validation = false;
     }
 
     @VisibleForTesting
     public UpstreamTlsContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext upstreamTlsContext) {
       super(upstreamTlsContext.getCommonTlsContext());
       this.sni = upstreamTlsContext.getSni();
       this.auto_host_sni = upstreamTlsContext.getAutoHostSni();
+      this.auto_sni_san_validation = upstreamTlsContext.getAutoSniSanValidation();
     }
 
     public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
@@ -104,6 +107,10 @@ public boolean getAutoHostSni() {
       return auto_host_sni;
     }
 
+    public boolean getAutoSniSanValidation() {
+      return auto_sni_san_validation;
+    }
+
     @Override
     public String toString() {
       return "UpstreamTlsContext{" + "commonTlsContext=" + commonTlsContext + '}';

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -32,14 +32,16 @@
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
 public final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
 
+  private final String sniForSanMatching;
+
   CertProviderClientSslContextProvider(
-      Node node,
-      @Nullable Map<String, CertificateProviderInfo> certProviders,
-      CommonTlsContext.CertificateProviderInstance certInstance,
-      CommonTlsContext.CertificateProviderInstance rootCertInstance,
-      CertificateValidationContext staticCertValidationContext,
-      UpstreamTlsContext upstreamTlsContext,
-      String sni, CertificateProviderStore certificateProviderStore) {
+          Node node,
+          @Nullable Map<String, CertificateProviderInfo> certProviders,
+          CommonTlsContext.CertificateProviderInstance certInstance,
+          CommonTlsContext.CertificateProviderInstance rootCertInstance,
+          CertificateValidationContext staticCertValidationContext,
+          UpstreamTlsContext upstreamTlsContext,
+          String sniForSanMatching, CertificateProviderStore certificateProviderStore) {
     super(
         node,
         certProviders,
@@ -48,11 +50,12 @@ public final class CertProviderClientSslContextProvider extends CertProviderSslC
         staticCertValidationContext,
         upstreamTlsContext,
         certificateProviderStore);
+    this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;
   }
 
   @Override
   protected final SslContextBuilder getSslContextBuilder(
-          CertificateValidationContext certificateValidationContextdationContext)
+          CertificateValidationContext certificateValidationContext)
       throws CertStoreException {
     SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
     // Null rootCertInstance implies hasSystemRootCerts because of the check in
@@ -62,12 +65,12 @@ protected final SslContextBuilder getSslContextBuilder(
         sslContextBuilder = sslContextBuilder.trustManager(
           new XdsTrustManagerFactory(
               savedSpiffeTrustMap,
-              certificateValidationContextdationContext));
+              certificateValidationContext, sniForSanMatching));
       } else {
         sslContextBuilder = sslContextBuilder.trustManager(
             new XdsTrustManagerFactory(
                 savedTrustedRoots.toArray(new X509Certificate[0]),
-                certificateValidationContextdationContext));
+                certificateValidationContext, sniForSanMatching));
       }
     }
     if (isMtls()) {

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java

@@ -63,11 +63,11 @@ protected final SslContextBuilder getSslContextBuilder(
     if (isMtls() && savedSpiffeTrustMap != null) {
       trustManagerFactory = new XdsTrustManagerFactory(
           savedSpiffeTrustMap,
-          certificateValidationContextdationContext);
+          certificateValidationContextdationContext, null);
     } else if (isMtls()) {
       trustManagerFactory = new XdsTrustManagerFactory(
           savedTrustedRoots.toArray(new X509Certificate[0]),
-          certificateValidationContextdationContext);
+          certificateValidationContextdationContext, null);
     }
     setClientAuthValues(sslContextBuilder, trustManagerFactory);
     sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder);

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsTrustManagerFactory.java

@@ -58,43 +58,46 @@ public XdsTrustManagerFactory(CertificateValidationContext certificateValidation
     this(
         getTrustedCaFromCertContext(certificateValidationContext),
         certificateValidationContext,
-        false);
+        false,
+        null);
   }
 
   public XdsTrustManagerFactory(
-          X509Certificate[] certs, CertificateValidationContext staticCertificateValidationContext)
+          X509Certificate[] certs, CertificateValidationContext staticCertificateValidationContext, String sniForSanMatching)
           throws CertStoreException {
-    this(certs, staticCertificateValidationContext, true);
+    this(certs, staticCertificateValidationContext, true, sniForSanMatching);
   }
 
   public XdsTrustManagerFactory(Map<String, List<X509Certificate>> spiffeTrustMap,
-      CertificateValidationContext staticCertificateValidationContext) throws CertStoreException {
-    this(spiffeTrustMap, staticCertificateValidationContext, true);
+                                CertificateValidationContext staticCertificateValidationContext, String sniForSanMatching) throws CertStoreException {
+    this(spiffeTrustMap, staticCertificateValidationContext, true, sniForSanMatching);
   }
 
   private XdsTrustManagerFactory(
       X509Certificate[] certs,
       CertificateValidationContext certificateValidationContext,
-      boolean validationContextIsStatic)
+      boolean validationContextIsStatic,
+      String sniForSanMatching)
       throws CertStoreException {
     if (validationContextIsStatic) {
       checkArgument(
           certificateValidationContext == null || !certificateValidationContext.hasTrustedCa(),
           "only static certificateValidationContext expected");
     }
-    xdsX509TrustManager = createX509TrustManager(certs, certificateValidationContext);
+    xdsX509TrustManager = createX509TrustManager(certs, certificateValidationContext, sniForSanMatching);
   }
 
   private XdsTrustManagerFactory(
       Map<String, List<X509Certificate>> spiffeTrustMap,
       CertificateValidationContext certificateValidationContext,
-      boolean validationContextIsStatic)
+      boolean validationContextIsStatic,
+      String sniForSanMatching)
       throws CertStoreException {
     if (validationContextIsStatic) {
       checkArgument(
           certificateValidationContext == null || !certificateValidationContext.hasTrustedCa(),
           "only static certificateValidationContext expected");
-      xdsX509TrustManager = createX509TrustManager(spiffeTrustMap, certificateValidationContext);
+      xdsX509TrustManager = createX509TrustManager(spiffeTrustMap, certificateValidationContext, sniForSanMatching);
     }
   }
 
@@ -121,21 +124,21 @@ private static X509Certificate[] getTrustedCaFromCertContext(
 
   @VisibleForTesting
   static XdsX509TrustManager createX509TrustManager(
-      X509Certificate[] certs, CertificateValidationContext certContext) throws CertStoreException {
-    return new XdsX509TrustManager(certContext, createTrustManager(certs));
+          X509Certificate[] certs, CertificateValidationContext certContext, String sniForSanMatching) throws CertStoreException {
+    return new XdsX509TrustManager(certContext, createTrustManager(certs), sniForSanMatching);
   }
 
   @VisibleForTesting
   static XdsX509TrustManager createX509TrustManager(
-      Map<String, List<X509Certificate>> spiffeTrustMapFile,
-      CertificateValidationContext certContext) throws CertStoreException {
+          Map<String, List<X509Certificate>> spiffeTrustMapFile,
+          CertificateValidationContext certContext, String sniForSanMatching) throws CertStoreException {
     checkNotNull(spiffeTrustMapFile, "spiffeTrustMapFile");
     Map<String, X509ExtendedTrustManager> delegates = new HashMap<>();
     for (Map.Entry<String, List<X509Certificate>> entry:spiffeTrustMapFile.entrySet()) {
       delegates.put(entry.getKey(), createTrustManager(
           entry.getValue().toArray(new X509Certificate[0])));
     }
-    return new XdsX509TrustManager(certContext, delegates);
+    return new XdsX509TrustManager(certContext, delegates, sniForSanMatching);
   }
 
   private static X509ExtendedTrustManager createTrustManager(X509Certificate[] certs)

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -61,34 +61,29 @@ final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509
   private final X509ExtendedTrustManager delegate;
   private final Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates;
   private final CertificateValidationContext certContext;
-  private final String sni;
+  private final String sniForSanMatching;
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
                       X509ExtendedTrustManager delegate) {
     this(certContext, delegate, null);
   }
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-                      X509ExtendedTrustManager delegate, @Nullable String sni) {
+                      X509ExtendedTrustManager delegate, @Nullable String sniForSanMatching) {
     checkNotNull(delegate, "delegate");
     this.certContext = certContext;
     this.delegate = delegate;
     this.spiffeTrustMapDelegates = null;
-    this.sni = sni;
+    this.sniForSanMatching = sniForSanMatching;
   }
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-                      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates) {
-    this(certContext, spiffeTrustMapDelegates, null);
-  }
-
-  XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-                      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates, @Nullable String sni) {
+                      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates, @Nullable String sniForSanMatching) {
     checkNotNull(spiffeTrustMapDelegates, "spiffeTrustMapDelegates");
     this.spiffeTrustMapDelegates = ImmutableMap.copyOf(spiffeTrustMapDelegates);
     this.certContext = certContext;
     this.delegate = null;
-    this.sni = sni;
+    this.sniForSanMatching = sniForSanMatching;
   }
 
   private static boolean verifyDnsNameInPattern(
@@ -222,7 +217,9 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws Certifi
       return;
     }
     @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
-    List<StringMatcher> verifyList = sni != null? ImmutableList.of(StringMatcher.newBuilder().setExact(sni).build()) : certContext.getMatchSubjectAltNamesList();
+    List<StringMatcher> verifyList = !Strings.isNullOrEmpty(sniForSanMatching)
+            ? ImmutableList.of(StringMatcher.newBuilder().setExact(sniForSanMatching).build())
+            : certContext.getMatchSubjectAltNamesList();
     if (verifyList.isEmpty()) {
       return;
     }

xds/src/test/java/io/grpc/xds/internal/security/trust/XdsTrustManagerFactoryTest.java

@@ -91,7 +91,7 @@ public void constructor_fromRootCert()
     CertificateValidationContext staticValidationContext = buildStaticValidationContext("san1",
         "san2");
     XdsTrustManagerFactory factory =
-        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext);
+        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext, null);
     assertThat(factory).isNotNull();
     TrustManager[] tms = factory.getTrustManagers();
     assertThat(tms).isNotNull();
@@ -115,7 +115,7 @@ public void constructor_fromSpiffeTrustMap()
         "san2");
     // Single domain and single cert
     XdsTrustManagerFactory factory = new XdsTrustManagerFactory(ImmutableMap
-        .of("example.com", ImmutableList.of(x509Cert)), staticValidationContext);
+        .of("example.com", ImmutableList.of(x509Cert)), staticValidationContext, null);
     assertThat(factory).isNotNull();
     TrustManager[] tms = factory.getTrustManagers();
     assertThat(tms).isNotNull();
@@ -131,7 +131,7 @@ public void constructor_fromSpiffeTrustMap()
     X509Certificate anotherCert = TestUtils.loadX509Cert(CLIENT_PEM_FILE);
     factory = new XdsTrustManagerFactory(ImmutableMap
         .of("example.com", ImmutableList.of(x509Cert),
-            "google.com", ImmutableList.of(x509Cert, anotherCert)), staticValidationContext);
+            "google.com", ImmutableList.of(x509Cert, anotherCert)), staticValidationContext, null);
     assertThat(factory).isNotNull();
     tms = factory.getTrustManagers();
     assertThat(tms).isNotNull();
@@ -154,7 +154,7 @@ public void constructorRootCert_checkServerTrusted()
     CertificateValidationContext staticValidationContext = buildStaticValidationContext("san1",
         "waterzooi.test.google.be");
     XdsTrustManagerFactory factory =
-        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext);
+        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext, null);
     XdsX509TrustManager xdsX509TrustManager = (XdsX509TrustManager) factory.getTrustManagers()[0];
     X509Certificate[] serverChain =
         CertificateUtils.toX509Certificates(TlsTesting.loadCert(SERVER_1_PEM_FILE));
@@ -167,7 +167,7 @@ public void constructorRootCert_nonStaticContext_throwsException()
     X509Certificate x509Cert = TestUtils.loadX509Cert(CA_PEM_FILE);
     try {
       new XdsTrustManagerFactory(
-              new X509Certificate[] {x509Cert}, getCertContextFromPath(CA_PEM_FILE));
+              new X509Certificate[] {x509Cert}, getCertContextFromPath(CA_PEM_FILE), null);
       Assert.fail("no exception thrown");
     } catch (IllegalArgumentException expected) {
       assertThat(expected)
@@ -183,7 +183,7 @@ public void constructorRootCert_checkServerTrusted_throwsException()
     CertificateValidationContext staticValidationContext = buildStaticValidationContext("san1",
         "san2");
     XdsTrustManagerFactory factory =
-        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext);
+        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext, null);
     XdsX509TrustManager xdsX509TrustManager = (XdsX509TrustManager) factory.getTrustManagers()[0];
     X509Certificate[] serverChain =
         CertificateUtils.toX509Certificates(TlsTesting.loadCert(SERVER_1_PEM_FILE));
@@ -204,7 +204,7 @@ public void constructorRootCert_checkClientTrusted_throwsException()
     CertificateValidationContext staticValidationContext = buildStaticValidationContext("san1",
         "san2");
     XdsTrustManagerFactory factory =
-        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext);
+        new XdsTrustManagerFactory(new X509Certificate[]{x509Cert}, staticValidationContext, null);
     XdsX509TrustManager xdsX509TrustManager = (XdsX509TrustManager) factory.getTrustManagers()[0];
     X509Certificate[] clientChain =
         CertificateUtils.toX509Certificates(TlsTesting.loadCert(SERVER_1_PEM_FILE));