kannanjgithub
diff --git a/‎core/src/main/java/io/grpc/internal/CertificateUtils.java‎
Lines changed: 22 additions & 0 deletions b/‎core/src/main/java/io/grpc/internal/CertificateUtils.java‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java‎
Lines changed: 9 additions & 5 deletions b/‎netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java‎
Lines changed: 2 additions & 18 deletions b/‎netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java‎
Lines changed: 2 additions & 18 deletions
diff --git a/‎s2a/src/main/java/io/grpc/s2a/internal/handshaker/S2AProtocolNegotiatorFactory.java‎
Lines changed: 1 addition & 1 deletion b/‎s2a/src/main/java/io/grpc/s2a/internal/handshaker/S2AProtocolNegotiatorFactory.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java‎
Lines changed: 28 additions & 19 deletions b/‎xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java‎
Lines changed: 28 additions & 19 deletions
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java‎
Lines changed: 10 additions & 4 deletions b/‎xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java‎
Lines changed: 9 additions & 4 deletions b/‎xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java‎
Lines changed: 4 additions & 2 deletions b/‎xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java‎
Lines changed: 4 additions & 2 deletions
@@ -26,6 +26,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.security.auth.x500.X500Principal;
@@ -34,6 +35,16 @@
  * Contains certificate/key PEM file utility method(s) for internal usage.
  */
 public final class CertificateUtils {
+  private static Class<?> x509ExtendedTrustManagerClass;
+
+  static {
+    try {
+      x509ExtendedTrustManagerClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+    } catch (ClassNotFoundException e) {
+      // Will disallow per-rpc authority override via call option.
+    }
+  }
+
   /**
    * Creates X509TrustManagers using the provided CA certs.
    */
@@ -71,6 +82,17 @@ public static TrustManager[] createTrustManager(InputStream rootCerts)
     return trustManagerFactory.getTrustManagers();
   }
 
+  public static TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
+    if (x509ExtendedTrustManagerClass != null) {
+      for (TrustManager trustManager : trustManagers) {
+        if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
+          return trustManager;
+        }
+      }
+    }
+    return null;
+  }
+
   private static X509Certificate[] getX509Certificates(InputStream inputStream)
           throws CertificateException {
     CertificateFactory factory = CertificateFactory.getInstance("X.509");
 
@@ -25,6 +25,9 @@
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.util.concurrent.Executor;
 
 /**
@@ -39,15 +42,16 @@ private InternalProtocolNegotiators() {}
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
    *
-   * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
-   * @param isXdsTarget
+   * @param executorPool             a dedicated {@link Executor} pool for time-consuming TLS tasks
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
                                                                   ObjectPool<? extends Executor> executorPool,
                                                                   Optional<Runnable> handshakeCompleteRunnable,
+                                                                  TrustManager extendedX509TrustManager,
                                                                   String sni, boolean isXdsTarget) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, null, sni, isXdsTarget);
+        executorPool, handshakeCompleteRunnable, (X509TrustManager) extendedX509TrustManager, sni,
+        isXdsTarget);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -75,8 +79,8 @@ public void close() {
    * may happen immediately, even before the TLS Handshake is complete.
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(
-      SslContext sslContext, String sni, boolean isXdsTarget) {
-    return tls(sslContext, null, Optional.absent(), sni, isXdsTarget);
+      SslContext sslContext, String sni, boolean isXdsTarget, TrustManager extendedX509TrustManager) {
+    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni, isXdsTarget);
   }
 
   /**
 
@@ -104,15 +104,6 @@ final class ProtocolNegotiators {
   private static final EnumSet<TlsServerCredentials.Feature> understoodServerTlsFeatures =
       EnumSet.of(
           TlsServerCredentials.Feature.MTLS, TlsServerCredentials.Feature.CUSTOM_MANAGERS);
-  private static Class<?> x509ExtendedTrustManagerClass;
-
-  static {
-    try {
-      x509ExtendedTrustManagerClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
-    } catch (ClassNotFoundException e) {
-      // Will disallow per-rpc authority override via call option.
-    }
-  }
 
   private ProtocolNegotiators() {
   }
@@ -149,15 +140,8 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
           trustManagers = Arrays.asList(tmf.getTrustManagers());
         }
         builder.trustManager(new FixedTrustManagerFactory(trustManagers));
-        TrustManager x509ExtendedTrustManager = null;
-        if (x509ExtendedTrustManagerClass != null) {
-          for (TrustManager trustManager : trustManagers) {
-            if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
-              x509ExtendedTrustManager = trustManager;
-              break;
-            }
-          }
-        }
+        TrustManager x509ExtendedTrustManager =
+            CertificateUtils.getX509ExtendedTrustManager(trustManagers);
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
             (X509TrustManager) x509ExtendedTrustManager));
       } catch (SSLException | GeneralSecurityException ex) {
 
@@ -259,7 +259,7 @@ public void run() {
                               s2aStub.close();
                             }
                           }),
-                          null, false)
+                          null, null, false)
                       .newHandler(grpcHandler);
 
               // Delegate the rest of the handshake to the TLS handler. and remove the 
 
@@ -30,17 +30,20 @@
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
+import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.List;
 import javax.annotation.Nullable;
+import javax.net.ssl.TrustManager;
 
 /** Base class for dynamic {@link SslContextProvider}s. */
 @Internal
 public abstract class DynamicSslContextProvider extends SslContextProvider {
 
   protected final List<Callback> pendingCallbacks = new ArrayList<>();
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
-  @Nullable protected SslContext sslContext;
+  @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+      sslContextAndExtendedX509TrustManager;
 
   protected DynamicSslContextProvider(
       BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {
@@ -49,14 +52,16 @@ protected DynamicSslContextProvider(
   }
 
   @Nullable
-  public SslContext getSslContext() {
-    return sslContext;
+  public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> getSslContextAndExtendedX509TrustManager() {
+    return sslContextAndExtendedX509TrustManager;
   }
 
   protected abstract CertificateValidationContext generateCertificateValidationContext();
 
-  /** Gets a server or client side SslContextBuilder. */
-  protected abstract SslContextBuilder getSslContextBuilder(
+  /**
+   * Gets a server or client side SslContextBuilder.
+   */
+  protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager> getSslContextBuilderAndExtendedX509TrustManager(
       CertificateValidationContext certificateValidationContext)
       throws CertificateException, IOException, CertStoreException;
 
@@ -65,7 +70,8 @@ protected final void updateSslContext() {
     try {
       CertificateValidationContext localCertValidationContext =
           generateCertificateValidationContext();
-      SslContextBuilder sslContextBuilder = getSslContextBuilder(localCertValidationContext);
+      AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager> sslContextBuilderAndTm =
+          getSslContextBuilderAndExtendedX509TrustManager(localCertValidationContext);
       CommonTlsContext commonTlsContext = getCommonTlsContext();
       if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
         List<String> alpnList = commonTlsContext.getAlpnProtocolsList();
@@ -75,29 +81,30 @@ protected final void updateSslContext() {
                 ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                 ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                 alpnList);
-        sslContextBuilder.applicationProtocolConfig(apn);
+        sslContextBuilderAndTm.getKey().applicationProtocolConfig(apn);
       }
       List<Callback> pendingCallbacksCopy;
-      SslContext sslContextCopy;
+      AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndExtendedX09TrustManagerCopy;
       synchronized (pendingCallbacks) {
-        sslContext = sslContextBuilder.build();
-        sslContextCopy = sslContext;
+        sslContextAndExtendedX509TrustManager = new AbstractMap.SimpleImmutableEntry<>(
+            sslContextBuilderAndTm.getKey().build(), sslContextBuilderAndTm.getValue());
+        sslContextAndExtendedX09TrustManagerCopy = sslContextAndExtendedX509TrustManager;
         pendingCallbacksCopy = clonePendingCallbacksAndClear();
       }
-      makePendingCallbacks(sslContextCopy, pendingCallbacksCopy);
+      makePendingCallbacks(sslContextAndExtendedX09TrustManagerCopy, pendingCallbacksCopy);
     } catch (Exception e) {
       onError(Status.fromThrowable(e));
       throw new RuntimeException(e);
     }
   }
 
   protected final void callPerformCallback(
-          Callback callback, final SslContext sslContextCopy) {
+          Callback callback, final AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTmCopy) {
     performCallback(
         new SslContextGetter() {
           @Override
-          public SslContext get() {
-            return sslContextCopy;
+          public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> get() {
+            return sslContextAndTmCopy;
           }
         },
         callback
@@ -108,10 +115,10 @@ public SslContext get() {
   public final void addCallback(Callback callback) {
     checkNotNull(callback, "callback");
     // if there is a computed sslContext just send it
-    SslContext sslContextCopy = null;
+    AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextCopy = null;
     synchronized (pendingCallbacks) {
-      if (sslContext != null) {
-        sslContextCopy = sslContext;
+      if (sslContextAndExtendedX509TrustManager != null) {
+        sslContextCopy = sslContextAndExtendedX509TrustManager;
       } else {
         pendingCallbacks.add(callback);
       }
@@ -122,9 +129,11 @@ public final void addCallback(Callback callback) {
   }
 
   private final void makePendingCallbacks(
-      SslContext sslContextCopy, List<Callback> pendingCallbacksCopy) {
+      AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+          sslContextAndExtendedX509TrustManagerCopy,
+      List<Callback> pendingCallbacksCopy) {
     for (Callback callback : pendingCallbacksCopy) {
-      callPerformCallback(callback, sslContextCopy);
+      callPerformCallback(callback, sslContextAndExtendedX509TrustManagerCopy);
     }
   }
 
 
@@ -41,12 +41,14 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
 import java.security.cert.CertStoreException;
+import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.Executor;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nullable;
+import javax.net.ssl.TrustManager;
 
 /**
  * Provides client and server side gRPC {@link ProtocolNegotiator}s to provide the SSL
@@ -240,7 +242,8 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
           new SslContextProvider.Callback(ctx.executor()) {
 
             @Override
-            public void updateSslContext(SslContext sslContext) {
+            public void updateSslContextAndExtendedX509TrustManager(
+                AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
               if (ctx.isRemoved()) {
                 return;
               }
@@ -249,7 +252,9 @@ public void updateSslContext(SslContext sslContext) {
                   "ClientSecurityHandler.updateSslContext authority={0}, ctx.name={1}",
                   new Object[]{grpcHandler.getAuthority(), ctx.name()});
               ChannelHandler handler =
-                  InternalProtocolNegotiators.tls(sslContext, sni, true).newHandler(grpcHandler);
+                  InternalProtocolNegotiators.tls(
+                      sslContextAndTm.getKey(), sni, true, sslContextAndTm.getValue())
+                      .newHandler(grpcHandler);
 
               // Delegate rest of handshake to TLS handler
               ctx.pipeline().addAfter(ctx.name(), null, handler);
@@ -383,9 +388,10 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
           new SslContextProvider.Callback(ctx.executor()) {
 
             @Override
-            public void updateSslContext(SslContext sslContext) {
+            public void updateSslContextAndExtendedX509TrustManager(
+                AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
               ChannelHandler handler =
-                  InternalProtocolNegotiators.serverTls(sslContext).newHandler(grpcHandler);
+                  InternalProtocolNegotiators.serverTls(sslContextAndTm.getKey()).newHandler(grpcHandler);
 
               // Delegate rest of handshake to TLS handler
               if (!ctx.isRemoved()) {
 
@@ -29,9 +29,12 @@
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+
+import javax.net.ssl.TrustManager;
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
+import java.util.AbstractMap;
 import java.util.concurrent.Executor;
 
 /**
@@ -59,7 +62,8 @@ protected Callback(Executor executor) {
     }
 
     /** Informs callee of new/updated SslContext. */
-    @VisibleForTesting public abstract void updateSslContext(SslContext sslContext);
+    @VisibleForTesting public abstract void updateSslContextAndExtendedX509TrustManager(
+        AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContext);
 
     /** Informs callee of an exception that was generated. */
     @VisibleForTesting protected abstract void onException(Throwable throwable);
@@ -121,8 +125,9 @@ protected final void performCallback(
           @Override
           public void run() {
             try {
-              SslContext sslContext = sslContextGetter.get();
-              callback.updateSslContext(sslContext);
+              AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm =
+                  sslContextGetter.get();
+              callback.updateSslContextAndExtendedX509TrustManager(sslContextAndTm);
             } catch (Throwable e) {
               callback.onException(e);
             }
@@ -132,6 +137,6 @@ public void run() {
 
   /** Allows implementations to compute or get SslContext. */
   protected interface SslContextGetter {
-    SslContext get() throws Exception;
+    AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> get() throws Exception;
   }
 }
@@ -24,6 +24,8 @@
 import io.grpc.xds.TlsContextManager;
 import io.netty.handler.ssl.SslContext;
 
+import javax.net.ssl.TrustManager;
+import java.util.AbstractMap;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
@@ -70,8 +72,8 @@ public synchronized void updateSslContext(final SslContextProvider.Callback call
           new SslContextProvider.Callback(callback.getExecutor()) {
 
           @Override
-          public void updateSslContext(SslContext sslContext) {
-            callback.updateSslContext(sslContext);
+          public void updateSslContextAndExtendedX509TrustManager(AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
+            callback.updateSslContextAndExtendedX509TrustManager(sslContextAndTm);
             releaseSslContextProvider(toRelease, sni);
           }
Original file line number	Diff line number	Diff line change
`@@ -259,7 +259,7 @@ public void run() {`
`259`	`259`	`s2aStub.close();`
`260`	`260`	`}`
`261`	`261`	`}),`
`262`		`- null, false)`
	`262`	`+ null, null, false)`
`263`	`263`	`.newHandler(grpcHandler);`
`264`	`264`
`265`	`265`	`// Delegate the rest of the handshake to the TLS handler. and remove the`