In-progress changes that used ExtendedSSLSession.

Author: kannanjgithub

examples/example-tls/build.gradle

@@ -74,8 +74,6 @@ application {
     applicationDistribution.into('bin') {
         from(helloWorldTlsServer)
         from(helloWorldTlsClient)
-        filePermissions {
-            unix(0755)
-        }
+        fileMode = 0755
     }
 }

examples/example-tls/src/main/java/io/grpc/examples/helloworldtls/HelloWorldClientTls.java

@@ -16,6 +16,7 @@
 
 package io.grpc.examples.helloworldtls;
 
+import io.grpc.CallOptions;
 import io.grpc.Channel;
 import io.grpc.Grpc;
 import io.grpc.ManagedChannel;
@@ -52,7 +53,9 @@ public void greet(String name) {
         HelloRequest request = HelloRequest.newBuilder().setName(name).build();
         HelloReply response;
         try {
-            response = blockingStub.sayHello(request);
+            // response = blockingStub.sayHello(request);
+            response = io.grpc.stub.ClientCalls.blockingUnaryCall(
+                blockingStub.getChannel(), GreeterGrpc.getSayHelloMethod(), CallOptions.DEFAULT.withAuthority("localhost"), request);
         } catch (StatusRuntimeException e) {
             logger.log(Level.WARNING, "RPC failed: {0}", e.getStatus());
             return;

netty/build.gradle

@@ -18,7 +18,8 @@ tasks.named("jar").configure {
 dependencies {
     api project(':grpc-api'),
             libraries.netty.codec.http2
-    implementation project(':grpc-core'),
+    implementation project(':grpc-util'),
+            project(':grpc-core'),
             libs.netty.handler.proxy,
             libraries.guava,
             libraries.errorprone.annotations,

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -44,7 +44,7 @@ public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslCo
           ObjectPool<? extends Executor> executorPool,
           Optional<Runnable> handshakeCompleteRunnable) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable);
+        executorPool, handshakeCompleteRunnable, null);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -170,7 +170,7 @@ public static ChannelHandler clientTlsHandler(
       ChannelHandler next, SslContext sslContext, String authority,
       ChannelLogger negotiationLogger) {
     return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,
-        Optional.empty());
+        Optional.empty(), null);
   }
 
   public static class ProtocolNegotiationHandler

netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java

@@ -652,7 +652,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
       case PLAINTEXT_UPGRADE:
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
-        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.empty());
+        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.empty(), null);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }

netty/src/main/java/io/grpc/netty/NettyClientTransport.java

@@ -45,6 +45,7 @@
 import io.grpc.internal.StatsTraceContext;
 import io.grpc.internal.TransportTracer;
 import io.grpc.netty.NettyChannelBuilder.LocalSocketPicker;
+import io.grpc.netty.ProtocolNegotiators.ClientTlsProtocolNegotiator;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelFactory;
@@ -60,15 +61,20 @@
 import io.netty.util.concurrent.GenericFutureListener;
 import java.net.SocketAddress;
 import java.nio.channels.ClosedChannelException;
+import java.security.cert.CertificateException;
 import java.util.Map;
 import java.util.concurrent.Executor;
 import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.Nullable;
+import javax.net.ssl.SSLPeerUnverifiedException;
 
 /**
  * A Netty-based {@link ConnectionClientTransport} implementation.
  */
 class NettyClientTransport implements ConnectionClientTransport {
+  private static final Logger logger = Logger.getLogger(NettyClientTransport.class.getName());
 
   private final InternalLogId logId;
   private final Map<ChannelOption<?>, ?> channelOptions;
@@ -194,6 +200,23 @@ public ClientStream newStream(
     if (channel == null) {
       return new FailingClientStream(statusExplainingWhyTheChannelIsNull, tracers);
     }
+    if (negotiator instanceof ClientTlsProtocolNegotiator && callOptions.getAuthority() != null) {
+      ClientTlsProtocolNegotiator clientTlsProtocolNegotiator =
+          (ClientTlsProtocolNegotiator) negotiator;
+      if (!clientTlsProtocolNegotiator.canVerifyAuthorityOverride()) {
+        return new FailingClientStream(Status.INTERNAL.withDescription(
+            "Can't allow authority override in rpc when X509ExtendedTrustManager is not available"),
+            tracers);
+      }
+      try {
+        clientTlsProtocolNegotiator.verifyAuthorityAllowedForPeerCert(callOptions.getAuthority());
+      } catch (SSLPeerUnverifiedException | CertificateException e) {
+        logger.log(Level.FINE, "Peer hostname verification failed for authority '{}'.",
+            callOptions.getAuthority());
+        return new FailingClientStream(Status.INTERNAL.withDescription(
+            "Peer hostname verification failed for authority"), tracers);
+      }
+    }
     StatsTraceContext statsTraceCtx =
         StatsTraceContext.newClientContext(tracers, getAttributes(), headers);
     return new NettyClientStream(

netty/src/main/java/io/grpc/netty/NettySslContextChannelCredentials.java

@@ -34,6 +34,6 @@ public static ChannelCredentials create(SslContext sslContext) {
     Preconditions.checkArgument(sslContext.isClient(),
         "Server SSL context can not be used for client channel");
     GrpcSslContexts.ensureAlpnAndH2Enabled(sslContext.applicationProtocolNegotiator());
-    return NettyChannelCredentials.create(ProtocolNegotiators.tlsClientFactory(sslContext));
+    return NettyChannelCredentials.create(ProtocolNegotiators.tlsClientFactory(sslContext, null));
   }
 }