More fixes for system root certs.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java

@@ -16,13 +16,10 @@
 
 package io.grpc.xds.internal.security.certprovider;
 
-import static java.util.Objects.requireNonNull;
-
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance;
-import io.grpc.Status;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.internal.security.CommonTlsContextUtil;
@@ -69,7 +66,7 @@ protected CertProviderSslContextProvider(
       CertificateProviderInfo certProviderInstanceConfig =
           getCertProviderConfig(certProviders, certInstance.getInstanceName());
       CertificateProvider.Watcher watcher = this;
-      if (!sharedCertInstance) {
+      if (!sharedCertInstance && !isUsingSystemRootCerts) {
         watcher = new IgnoreUpdatesWatcher(watcher, /* ignoreRootCertUpdates= */ true);
       }
       // TODO: Previously we'd hang if certProviderInstanceConfig were null or
@@ -156,9 +153,6 @@ public final void updateCertificate(PrivateKey key, List<X509Certificate> certCh
 
   @Override
   public final void updateTrustedRoots(List<X509Certificate> trustedRoots) {
-    if (isUsingSystemRootCerts) {
-      return;
-    }
     savedTrustedRoots = trustedRoots;
     updateSslContextWhenReady();
   }
@@ -190,7 +184,9 @@ private void updateSslContextWhenReady() {
 
   private void clearKeysAndCerts() {
     savedKey = null;
-    savedTrustedRoots = null;
+    if (!isUsingSystemRootCerts) {
+      savedTrustedRoots = null;
+    }
     savedSpiffeTrustMap = null;
     savedCertChain = null;
   }
@@ -200,10 +196,7 @@ protected final boolean isMtls() {
   }
 
   protected final boolean isRegularTlsAndClientSide() {
-    // We don't do (rootCertInstance != null || isUsingSystemRootCerts) here because of how this
-    // method is used. With the rootCertInstance being null when using system root certs, there
-    // is nothing to update in the SslContext
-    return rootCertInstance != null && certInstance == null;
+    return (rootCertInstance != null || isUsingSystemRootCerts) && certInstance == null;
   }
 
   protected final boolean isRegularTlsAndServerSide() {
@@ -229,41 +222,4 @@ interface NoExceptionCloseable extends Closeable {
     @Override
     void close();
   }
-
-  static final class IgnoreUpdatesWatcher implements CertificateProvider.Watcher {
-    private final CertificateProvider.Watcher delegate;
-    private final boolean ignoreRootCertUpdates;
-
-    public IgnoreUpdatesWatcher(
-        CertificateProvider.Watcher delegate, boolean ignoreRootCertUpdates) {
-      this.delegate = requireNonNull(delegate, "delegate");
-      this.ignoreRootCertUpdates = ignoreRootCertUpdates;
-    }
-
-    @Override
-    public void updateCertificate(PrivateKey key, List<X509Certificate> certChain) {
-      if (ignoreRootCertUpdates) {
-        delegate.updateCertificate(key, certChain);
-      }
-    }
-
-    @Override
-    public void updateTrustedRoots(List<X509Certificate> trustedRoots) {
-      if (!ignoreRootCertUpdates) {
-        delegate.updateTrustedRoots(trustedRoots);
-      }
-    }
-
-    @Override
-    public void updateSpiffeTrustMap(Map<String, List<X509Certificate>> spiffeTrustMap) {
-      if (!ignoreRootCertUpdates) {
-        delegate.updateSpiffeTrustMap(spiffeTrustMap);
-      }
-    }
-
-    @Override
-    public void onError(Status errorStatus) {
-      delegate.onError(errorStatus);
-    }
-  }
 }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/IgnoreUpdatesWatcher.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.security.certprovider;
+
+import static java.util.Objects.requireNonNull;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.grpc.Status;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Map;
+
+public final class IgnoreUpdatesWatcher implements CertificateProvider.Watcher {
+  private final CertificateProvider.Watcher delegate;
+  private final boolean ignoreRootCertUpdates;
+
+  public IgnoreUpdatesWatcher(
+      CertificateProvider.Watcher delegate, boolean ignoreRootCertUpdates) {
+    this.delegate = requireNonNull(delegate, "delegate");
+    this.ignoreRootCertUpdates = ignoreRootCertUpdates;
+  }
+
+  @Override
+  public void updateCertificate(PrivateKey key, List<X509Certificate> certChain) {
+    if (ignoreRootCertUpdates) {
+      delegate.updateCertificate(key, certChain);
+    }
+  }
+
+  @Override
+  public void updateTrustedRoots(List<X509Certificate> trustedRoots) {
+    if (!ignoreRootCertUpdates) {
+      delegate.updateTrustedRoots(trustedRoots);
+    }
+  }
+
+  @Override
+  public void updateSpiffeTrustMap(Map<String, List<X509Certificate>> spiffeTrustMap) {
+    if (!ignoreRootCertUpdates) {
+      delegate.updateSpiffeTrustMap(spiffeTrustMap);
+    }
+  }
+
+  @Override
+  public void onError(Status errorStatus) {
+    delegate.onError(errorStatus);
+  }
+
+  @VisibleForTesting
+  public CertificateProvider.Watcher getDelegate() {
+    return delegate;
+  }
+}

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -282,10 +282,6 @@ public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
     }
   }
 
-  /**
-   * Use system root ca cert for TLS channel - no mTLS.
-   * Subj Alt Names to match are specified in the validaton context.
-   */
   @Test
   public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() throws Exception {
     Path trustStoreFilePath = getCacertFilePathForTestCa();
@@ -317,7 +313,6 @@ public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() thro
 
   /**
    * Use system root ca cert for TLS channel - mTLS.
-   * Uses common_tls_context.combined_validation_context in upstream_tls_context.
    */
   @Test
   public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Exception {

xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java

@@ -37,6 +37,7 @@
 import io.grpc.xds.internal.security.certprovider.CertificateProviderProvider;
 import io.grpc.xds.internal.security.certprovider.CertificateProviderRegistry;
 import io.grpc.xds.internal.security.certprovider.CertificateProviderStore;
+import io.grpc.xds.internal.security.certprovider.IgnoreUpdatesWatcher;
 import io.grpc.xds.internal.security.certprovider.TestCertificateProvider;
 import org.junit.Before;
 import org.junit.Test;
@@ -84,7 +85,7 @@ public void createCertProviderClientSslContextProvider() throws XdsInitializatio
         clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], false);
     // verify that bootstrapInfo is cached...
     sslContextProvider =
         clientSslContextProviderFactory.create(upstreamTlsContext);
@@ -119,7 +120,7 @@ public void bothPresent_expectCertProviderClientSslContextProvider()
         clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   @Test
@@ -145,7 +146,7 @@ public void createCertProviderClientSslContextProvider_onlyRootCert()
             clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   @Test
@@ -179,7 +180,7 @@ public void createCertProviderClientSslContextProvider_withStaticContext()
             clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   @Test
@@ -209,8 +210,8 @@ public void createCertProviderClientSslContextProvider_2providers()
         clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
-    verifyWatcher(sslContextProvider, watcherCaptor[1]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
+    verifyWatcher(sslContextProvider, watcherCaptor[1], true);
   }
 
   @Test
@@ -246,8 +247,8 @@ public void createNewCertProviderClientSslContextProvider_withSans() {
         clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
-    verifyWatcher(sslContextProvider, watcherCaptor[1]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
+    verifyWatcher(sslContextProvider, watcherCaptor[1], true);
   }
 
   @Test
@@ -280,7 +281,7 @@ public void createNewCertProviderClientSslContextProvider_onlyRootCert() {
         clientSslContextProviderFactory.create(upstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderClientSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   static void createAndRegisterProviderProvider(
@@ -310,11 +311,18 @@ public CertificateProvider answer(InvocationOnMock invocation) throws Throwable
   }
 
   static void verifyWatcher(
-      SslContextProvider sslContextProvider, CertificateProvider.DistributorWatcher watcherCaptor) {
+      SslContextProvider sslContextProvider, CertificateProvider.DistributorWatcher watcherCaptor,
+      boolean usesDelegateWatcher) {
     assertThat(watcherCaptor).isNotNull();
     assertThat(watcherCaptor.getDownstreamWatchers()).hasSize(1);
-    assertThat(watcherCaptor.getDownstreamWatchers().iterator().next())
-        .isSameInstanceAs(sslContextProvider);
+    if (usesDelegateWatcher) {
+      assertThat(((IgnoreUpdatesWatcher) watcherCaptor.getDownstreamWatchers().iterator().next())
+          .getDelegate())
+          .isSameInstanceAs(sslContextProvider);
+    } else {
+      assertThat(watcherCaptor.getDownstreamWatchers().iterator().next())
+          .isSameInstanceAs(sslContextProvider);
+    }
   }
 
   static CommonTlsContext.Builder addFilenames(

xds/src/test/java/io/grpc/xds/internal/security/ServerSslContextProviderFactoryTest.java

@@ -78,7 +78,7 @@ public void createCertProviderServerSslContextProvider() throws XdsInitializatio
         serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], false);
     // verify that bootstrapInfo is cached...
     sslContextProvider =
         serverSslContextProviderFactory.create(downstreamTlsContext);
@@ -117,7 +117,7 @@ public void bothPresent_expectCertProviderServerSslContextProvider()
         serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   @Test
@@ -144,7 +144,7 @@ public void createCertProviderServerSslContextProvider_onlyCertInstance()
             serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
   }
 
   @Test
@@ -179,7 +179,7 @@ public void createCertProviderServerSslContextProvider_withStaticContext()
             serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], false);
   }
 
   @Test
@@ -210,8 +210,8 @@ public void createCertProviderServerSslContextProvider_2providers()
         serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
-    verifyWatcher(sslContextProvider, watcherCaptor[1]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
+    verifyWatcher(sslContextProvider, watcherCaptor[1], true);
   }
 
   @Test
@@ -249,7 +249,7 @@ public void createNewCertProviderServerSslContextProvider_withSans()
         serverSslContextProviderFactory.create(downstreamTlsContext);
     assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
         "CertProviderServerSslContextProvider");
-    verifyWatcher(sslContextProvider, watcherCaptor[0]);
-    verifyWatcher(sslContextProvider, watcherCaptor[1]);
+    verifyWatcher(sslContextProvider, watcherCaptor[0], true);
+    verifyWatcher(sslContextProvider, watcherCaptor[1], true);
   }
 }

xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java

@@ -235,22 +235,16 @@ public void testProviderForClient_systemRootCerts_mtls() throws Exception {
 
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
-    assertThat(provider.savedTrustedRoots).isNull();
-    assertThat(provider.getSslContext()).isNull();
-
-    // now generate root cert update, will get ignored because of systemRootCerts config
-    watcherCaptor[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CA_PEM_FILE)));
+    assertThat(provider.savedTrustedRoots).isNotNull();
     assertThat(provider.getSslContext()).isNull();
-    assertThat(provider.savedKey).isNull();
-    assertThat(provider.savedCertChain).isNull();
-    assertThat(provider.savedTrustedRoots).isNull();
 
     // now generate cert update
     watcherCaptor[0].updateCertificate(
         CommonCertProviderTestUtils.getPrivateKey(CLIENT_KEY_FILE),
         ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNotNull();
     assertThat(provider.getSslContext()).isNotNull();
 
     TestCallback testCallback =
@@ -261,23 +255,13 @@ public void testProviderForClient_systemRootCerts_mtls() throws Exception {
         CommonTlsContextTestsUtil.getValueThruCallback(provider);
     assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
 
-    // just do root cert update: sslContext should still be the same, will get ignored because of
-    // systemRootCerts config
-    watcherCaptor[0].updateTrustedRoots(
-        ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
-    assertThat(provider.savedKey).isNull();
-    assertThat(provider.savedCertChain).isNull();
-    assertThat(provider.savedTrustedRoots).isNull();
-    testCallback1 = CommonTlsContextTestsUtil.getValueThruCallback(provider);
-    assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
-
     // now update id cert: sslContext should be updated i.e. different from the previous one
     watcherCaptor[0].updateCertificate(
         CommonCertProviderTestUtils.getPrivateKey(SERVER_1_KEY_FILE),
         ImmutableList.of(getCertFromResourceName(SERVER_1_PEM_FILE)));
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
-    assertThat(provider.savedTrustedRoots).isNull();
+    assertThat(provider.savedTrustedRoots).isNotNull();
     assertThat(provider.getSslContext()).isNotNull();
     testCallback1 = CommonTlsContextTestsUtil.getValueThruCallback(provider);
     assertThat(testCallback1.updatedSslContext).isNotSameInstanceAs(testCallback.updatedSslContext);