Trust manager handling for system root certs.

kannanjgithub · kannanjgithub · commit e95725d9334f · 2025-09-11T12:00:50.000Z
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -24,11 +24,22 @@
 import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.internal.security.trust.XdsTrustManagerFactory;
 import io.netty.handler.ssl.SslContextBuilder;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertStoreException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.Map;
+import java.util.*;
+import java.util.stream.Collectors;
 import javax.annotation.Nullable;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
 final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
@@ -56,7 +67,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         // Instantiate sslContext so that addCallback will immediately update the callback with
         // the SslContext.
         sslContext = getSslContextBuilder(staticCertificateValidationContext).build();
-      } catch (SSLException | CertStoreException e) {
+      } catch (CertStoreException | CertificateException | IOException e) {
         throw new RuntimeException(e);
       }
     }
@@ -65,7 +76,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
   @Override
   protected final SslContextBuilder getSslContextBuilder(
           CertificateValidationContext certificateValidationContextdationContext)
-      throws CertStoreException {
+      throws CertificateException, IOException, CertStoreException {
     SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
     if (rootCertInstance != null) {
       if (savedSpiffeTrustMap != null) {
@@ -79,10 +90,33 @@ protected final SslContextBuilder getSslContextBuilder(
                 savedTrustedRoots.toArray(new X509Certificate[0]),
                 certificateValidationContextdationContext));
       }
+    } else {
+      try {
+        sslContextBuilder = sslContextBuilder.trustManager(
+            new XdsTrustManagerFactory(
+                getX509CertificatesFromSystemTrustStore(),
+                certificateValidationContextdationContext));
+      } catch (KeyStoreException | NoSuchAlgorithmException e) {
+        throw new CertStoreException(e);
+      }
     }
     if (isMtls()) {
       sslContextBuilder.keyManager(savedKey, savedCertChain);
     }
     return sslContextBuilder;
   }
+
+  private X509Certificate[] getX509CertificatesFromSystemTrustStore() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
+    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init((KeyStore) null);
+
+    List<TrustManager> trustManagers = Arrays.asList(trustManagerFactory.getTrustManagers());
+    List<X509Certificate> rootCerts = trustManagers.stream()
+        .filter(X509TrustManager.class::isInstance)
+        .map(X509TrustManager.class::cast)
+        .map(trustManager -> Arrays.asList(trustManager.getAcceptedIssuers()))
+        .flatMap(Collection::stream)
+        .collect(Collectors.toList());
+    return rootCerts.toArray(new X509Certificate[rootCerts.size()]);
+  }
 }
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -37,6 +37,7 @@
 import com.google.common.util.concurrent.SettableFuture;
 import io.envoyproxy.envoy.config.core.v3.SocketAddress.Protocol;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
 import io.grpc.Attributes;
 import io.grpc.EquivalentAddressGroup;
 import io.grpc.Grpc;
@@ -117,6 +118,10 @@
 @RunWith(Parameterized.class)
 public class XdsSecurityClientServerTest {
 
+  // TODO: Change this is a specific domain after
+  // https://github.com/grpc/grpc-java/issues/12326 is fixed
+  private static final String SAN_TO_MATCH = "*.test.google.fr";
+
   @Parameter
   public Boolean enableSpiffe;
   private Boolean originalEnableSpiffe;
@@ -217,7 +222,7 @@ public void tlsClientServer_useSystemRootCerts_useCombinedValidationContext() th
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -244,7 +249,7 @@ public void tlsClientServer_useSystemRootCerts_validationContext() throws Except
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, false);
+              CLIENT_PEM_FILE, false, SAN_TO_MATCH);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -255,6 +260,39 @@ public void tlsClientServer_useSystemRootCerts_validationContext() throws Except
     }
   }
 
+  /**
+   * Use system root ca cert for TLS channel - no mTLS.
+   * Subj Alt Names to match are specified in the validaton context.
+   */
+  @Test
+  public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() throws Exception {
+    Path trustStoreFilePath = getCacertFilePathForTestCa();
+    try {
+      setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
+      DownstreamTlsContext downstreamTlsContext =
+          setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
+              null, false, false);
+      buildServerWithTlsContext(downstreamTlsContext);
+
+      UpstreamTlsContext upstreamTlsContext =
+          setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
+              CLIENT_PEM_FILE, true, "server1.test.google.in");
+
+      SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
+          getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
+      unaryRpc(/* requestMessage= */ "buddy", blockingStub);
+      fail("Expected handshake failure exception");
+    } catch (StatusRuntimeException e) {
+      assertThat(e.getCause()).isInstanceOf(SSLHandshakeException.class);
+      assertThat(e.getCause().getCause()).isInstanceOf(CertificateException.class);
+      assertThat(e.getCause().getCause().getMessage()).isEqualTo(
+          "Peer certificate SAN check failed");
+    } finally {
+      Files.deleteIfExists(trustStoreFilePath);
+      clearTrustStoreSystemProperties();
+    }
+  }
+
   /**
    * Use system root ca cert for TLS channel - mTLS.
    * Uses common_tls_context.combined_validation_context in upstream_tls_context.
@@ -266,12 +304,12 @@ public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Except
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
       DownstreamTlsContext downstreamTlsContext =
           setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
-              null, false, false);
+              null, false, true);
       buildServerWithTlsContext(downstreamTlsContext);
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -552,7 +590,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String cli
   private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(
       String clientKeyFile,
       String clientPemFile,
-      boolean useCombinedValidationContext) {
+      boolean useCombinedValidationContext, String sanToMatch) {
     bootstrapInfoForClient = CommonBootstrapperTestUtils
         .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile,
             CA_PEM_FILE, null, null, null, null, null);
@@ -563,6 +601,9 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys
           CertificateValidationContext.newBuilder()
               .setSystemRootCerts(
                   CertificateValidationContext.SystemRootCerts.newBuilder().build())
+              .addMatchSubjectAltNames(
+                  StringMatcher.newBuilder()
+                      .setExact(sanToMatch))
               .build());
     }
     return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
