Merge branch 'clientsidenormaltls-systemrootcert-handle' into systemrootcerts-ignore-trusted-root-updates

kannanjgithub · kannanjgithub · commit ae74a9e70f52 · 2025-09-09T09:08:40.000Z
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
@@ -158,12 +158,12 @@ private void updateSslContextWhenReady() {
         updateSslContext();
         clearKeysAndCerts();
       }
-    } else if (isClientSideTls()) {
+    } else if (isNormalTlsAndClientSide()) {
       if (savedTrustedRoots != null || savedSpiffeTrustMap != null) {
         updateSslContext();
         clearKeysAndCerts();
       }
-    } else if (isServerSideTls()) {
+    } else if (isNormalTlsAndServerSide()) {
       if (savedKey != null) {
         updateSslContext();
         clearKeysAndCerts();
@@ -182,11 +182,13 @@ protected final boolean isMtls() {
     return certInstance != null && (rootCertInstance != null || isUsingSystemRootCerts);
   }
 
-  protected final boolean isClientSideTls() {
+  protected final boolean isNormalTlsAndClientSide() {
+    // We don't do (rootCertInstance != null || isUsingSystemRootCerts) here because of where this method is called
+    // from. With the rootCertInstance being null when using system root certs, there is nothing to update.
     return rootCertInstance != null && certInstance == null;
   }
 
-  protected final boolean isServerSideTls() {
+  protected final boolean isNormalTlsAndServerSide() {
     return certInstance != null && rootCertInstance == null;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -158,12 +158,12 @@ private void updateSslContextWhenReady() {`
`158`	`158`	`updateSslContext();`
`159`	`159`	`clearKeysAndCerts();`
`160`	`160`	`}`
`161`		`- } else if (isClientSideTls()) {`
	`161`	`+ } else if (isNormalTlsAndClientSide()) {`
`162`	`162`	`if (savedTrustedRoots != null \|\| savedSpiffeTrustMap != null) {`
`163`	`163`	`updateSslContext();`
`164`	`164`	`clearKeysAndCerts();`
`165`	`165`	`}`
`166`		`- } else if (isServerSideTls()) {`
	`166`	`+ } else if (isNormalTlsAndServerSide()) {`
`167`	`167`	`if (savedKey != null) {`
`168`	`168`	`updateSslContext();`
`169`	`169`	`clearKeysAndCerts();`
`@@ -182,11 +182,13 @@ protected final boolean isMtls() {`
`182`	`182`	`return certInstance != null && (rootCertInstance != null \|\| isUsingSystemRootCerts);`
`183`	`183`	`}`
`184`	`184`
`185`		`- protected final boolean isClientSideTls() {`
	`185`	`+ protected final boolean isNormalTlsAndClientSide() {`
	`186`	`+ // We don't do (rootCertInstance != null \|\| isUsingSystemRootCerts) here because of where this method is called`
	`187`	`+ // from. With the rootCertInstance being null when using system root certs, there is nothing to update.`
`186`	`188`	`return rootCertInstance != null && certInstance == null;`
`187`	`189`	`}`
`188`	`190`
`189`		`- protected final boolean isServerSideTls() {`
	`191`	`+ protected final boolean isNormalTlsAndServerSide() {`
`190`	`192`	`return certInstance != null && rootCertInstance == null;`
`191`	`193`	`}`
`192`	`194`