Merge branch 'systemrootcerts-ignore-trusted-root-updates' into system-root-changes-needed

kannanjgithub · kannanjgithub · commit b8dba99217e3 · 2025-09-12T12:15:18.000Z
# Conflicts:
#	xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
#	xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -22,13 +22,25 @@
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.internal.security.CommonTlsContextUtil;
 import io.grpc.xds.internal.security.trust.XdsTrustManagerFactory;
 import io.netty.handler.ssl.SslContextBuilder;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertStoreException;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 import javax.annotation.Nullable;
-import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
 final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
@@ -51,14 +63,14 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         staticCertValidationContext,
         upstreamTlsContext,
         certificateProviderStore);
-    // Null rootCertInstance implies hasSystemRootCerts because of the check in
-    // CertProviderClientSslContextProviderFactory.
-    if (rootCertInstance == null && !isMtls()) {
+    if (rootCertInstance == null
+        && CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext())
+        && !isMtls()) {
       try {
         // Instantiate sslContext so that addCallback will immediately update the callback with
         // the SslContext.
         sslContext = getSslContextBuilder(staticCertificateValidationContext).build();
-      } catch (SSLException | CertStoreException e) {
+      } catch (CertStoreException | CertificateException | IOException e) {
         throw new RuntimeException(e);
       }
     }
@@ -68,7 +80,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
   @Override
   protected final SslContextBuilder getSslContextBuilder(
           CertificateValidationContext certificateValidationContext)
-      throws CertStoreException {
+      throws CertificateException, IOException, CertStoreException {
     SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
     if (rootCertInstance != null) {
       if (savedSpiffeTrustMap != null) {
@@ -77,15 +89,35 @@ protected final SslContextBuilder getSslContextBuilder(
               savedSpiffeTrustMap,
               certificateValidationContext, sniForSanMatching));
       } else {
-        sslContextBuilder = sslContextBuilder.trustManager(
-            new XdsTrustManagerFactory(
-                savedTrustedRoots.toArray(new X509Certificate[0]),
-                certificateValidationContext, sniForSanMatching));
+        try {
+          sslContextBuilder = sslContextBuilder.trustManager(
+              new XdsTrustManagerFactory(
+                  getX509CertificatesFromSystemTrustStore(),
+                  certificateValidationContext));
+        } catch (KeyStoreException | NoSuchAlgorithmException e) {
+          throw new CertStoreException(e);
+        }
       }
     }
     if (isMtls()) {
       sslContextBuilder.keyManager(savedKey, savedCertChain);
     }
     return sslContextBuilder;
   }
+
+  private X509Certificate[] getX509CertificatesFromSystemTrustStore()
+      throws KeyStoreException, NoSuchAlgorithmException {
+    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
+        TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init((KeyStore) null);
+
+    List<TrustManager> trustManagers = Arrays.asList(trustManagerFactory.getTrustManagers());
+    List<X509Certificate> rootCerts = trustManagers.stream()
+        .filter(X509TrustManager.class::isInstance)
+        .map(X509TrustManager.class::cast)
+        .map(trustManager -> Arrays.asList(trustManager.getAcceptedIssuers()))
+        .flatMap(Collection::stream)
+        .collect(Collectors.toList());
+    return rootCerts.toArray(new X509Certificate[rootCerts.size()]);
+  }
 }
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -37,6 +37,7 @@
 import com.google.common.util.concurrent.SettableFuture;
 import io.envoyproxy.envoy.config.core.v3.SocketAddress.Protocol;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
 import io.grpc.Attributes;
 import io.grpc.EquivalentAddressGroup;
 import io.grpc.Grpc;
@@ -117,6 +118,10 @@
 @RunWith(Parameterized.class)
 public class XdsSecurityClientServerTest {
 
+  // TODO: Change this is a specific domain after
+  // https://github.com/grpc/grpc-java/issues/12326 is fixed
+  private static final String SAN_TO_MATCH = "*.test.google.fr";
+
   @Parameter
   public Boolean enableSpiffe;
   private Boolean originalEnableSpiffe;
@@ -206,7 +211,8 @@ public void tlsClientServer_noClientAuthentication() throws Exception {
    * Uses common_tls_context.combined_validation_context in upstream_tls_context.
    */
   @Test
-  public void tlsClientServer_useSystemRootCerts_useCombinedValidationContext() throws Exception {
+  public void tlsClientServer_useSystemRootCerts_noMtls_useCombinedValidationContext()
+      throws Exception {
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -217,7 +223,7 @@ public void tlsClientServer_useSystemRootCerts_useCombinedValidationContext() th
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -233,7 +239,7 @@ public void tlsClientServer_useSystemRootCerts_useCombinedValidationContext() th
    * Uses common_tls_context.validation_context in upstream_tls_context.
    */
   @Test
-  public void tlsClientServer_useSystemRootCerts_validationContext() throws Exception {
+  public void tlsClientServer_useSystemRootCerts_noMtls_validationContext() throws Exception {
     Path trustStoreFilePath = getCacertFilePathForTestCa().toAbsolutePath();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -244,7 +250,7 @@ public void tlsClientServer_useSystemRootCerts_validationContext() throws Except
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, false);
+              CLIENT_PEM_FILE, false, SAN_TO_MATCH, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -255,6 +261,62 @@ public void tlsClientServer_useSystemRootCerts_validationContext() throws Except
     }
   }
 
+  @Test
+  public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
+    Path trustStoreFilePath = getCacertFilePathForTestCa();
+    try {
+      setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
+      DownstreamTlsContext downstreamTlsContext =
+          setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
+              null, false, true);
+      buildServerWithTlsContext(downstreamTlsContext);
+
+      UpstreamTlsContext upstreamTlsContext =
+          setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, true);
+
+      SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
+          getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
+      assertThat(unaryRpc(/* requestMessage= */ "buddy", blockingStub)).isEqualTo("Hello buddy");
+    } finally {
+      Files.deleteIfExists(trustStoreFilePath);
+      clearTrustStoreSystemProperties();
+    }
+  }
+
+  /**
+   * Use system root ca cert for TLS channel - no mTLS.
+   * Subj Alt Names to match are specified in the validaton context.
+   */
+  @Test
+  public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() throws Exception {
+    Path trustStoreFilePath = getCacertFilePathForTestCa();
+    try {
+      setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
+      DownstreamTlsContext downstreamTlsContext =
+          setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
+              null, false, false);
+      buildServerWithTlsContext(downstreamTlsContext);
+
+      UpstreamTlsContext upstreamTlsContext =
+          setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
+              CLIENT_PEM_FILE, true, "server1.test.google.in", false);
+
+      SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
+          getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
+      unaryRpc(/* requestMessage= */ "buddy", blockingStub);
+      fail("Expected handshake failure exception");
+    } catch (StatusRuntimeException e) {
+      assertThat(e.getCause()).isInstanceOf(SSLHandshakeException.class);
+      assertThat(e.getCause().getCause()).isInstanceOf(CertificateException.class);
+      assertThat(e.getCause().getCause().getMessage()).isEqualTo(
+          "Peer certificate SAN check failed");
+    } finally {
+      Files.deleteIfExists(trustStoreFilePath);
+      clearTrustStoreSystemProperties();
+    }
+  }
+
   /**
    * Use system root ca cert for TLS channel - mTLS.
    * Uses common_tls_context.combined_validation_context in upstream_tls_context.
@@ -266,12 +328,12 @@ public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Except
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
       DownstreamTlsContext downstreamTlsContext =
           setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
-              null, false, false);
+              null, false, true);
       buildServerWithTlsContext(downstreamTlsContext);
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -549,21 +611,26 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String cli
         .buildUpstreamTlsContext("google_cloud_private_spiffe-client", hasIdentityCert, null, false);
   }
 
+  @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
   private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(
       String clientKeyFile,
       String clientPemFile,
-      boolean useCombinedValidationContext) {
+      boolean useCombinedValidationContext, String sanToMatch, boolean isMtls) {
     bootstrapInfoForClient = CommonBootstrapperTestUtils
         .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile,
             CA_PEM_FILE, null, null, null, null, null);
     if (useCombinedValidationContext) {
       return CommonTlsContextTestsUtil.buildUpstreamTlsContextForCertProviderInstance(
-          "google_cloud_private_spiffe-client", "ROOT", null,
+          isMtls ? "google_cloud_private_spiffe-client" : null,
+          isMtls ? "ROOT" : null, null,
           null, null,
           CertificateValidationContext.newBuilder()
               .setSystemRootCerts(
                   CertificateValidationContext.SystemRootCerts.newBuilder().build())
-              .build(), null, false);
+              .addMatchSubjectAltNames(
+                  StringMatcher.newBuilder()
+                      .setExact(sanToMatch))
+              .build());
     }
     return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
         "google_cloud_private_spiffe-client", "ROOT", null,
