Use X509TrustManager everywhere instead of TrustManager, and some other review comments.

Author: kannanjgithub

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -29,6 +29,7 @@
 import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
 
 /**
@@ -85,11 +86,11 @@ public static TrustManager[] createTrustManager(InputStream rootCerts)
     return trustManagerFactory.getTrustManagers();
   }
 
-  public static TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
+  public static X509TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
     if (x509ExtendedTrustManagerClass != null) {
       for (TrustManager trustManager : trustManagers) {
         if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
-          return trustManager;
+          return (X509TrustManager) trustManager;
         }
       }
     }

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -26,7 +26,6 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
 import java.util.concurrent.Executor;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
 /**
@@ -45,10 +44,10 @@ private InternalProtocolNegotiators() {}
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
           ObjectPool<? extends Executor> executorPool,
           Optional<Runnable> handshakeCompleteRunnable,
-          TrustManager extendedX509TrustManager,
+          X509TrustManager extendedX509TrustManager,
           String sni) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, (X509TrustManager) extendedX509TrustManager, sni);
+        executorPool, handshakeCompleteRunnable, extendedX509TrustManager, sni);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -77,7 +76,7 @@ public void close() {
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(
       SslContext sslContext, String sni,
-      TrustManager extendedX509TrustManager) {
+      X509TrustManager extendedX509TrustManager) {
     return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni);
   }
 

netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java

@@ -652,8 +652,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
       case PLAINTEXT_UPGRADE:
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
-        return ProtocolNegotiators.tls(
-            sslContext, executorPool, Optional.absent(), null, null);
+        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null, null);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }

xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java

@@ -34,15 +34,15 @@
 import java.util.ArrayList;
 import java.util.List;
 import javax.annotation.Nullable;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /** Base class for dynamic {@link SslContextProvider}s. */
 @Internal
 public abstract class DynamicSslContextProvider extends SslContextProvider {
 
   protected final List<Callback> pendingCallbacks = new ArrayList<>();
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
-  @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+  @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
       sslContextAndTrustManager;
 
   protected DynamicSslContextProvider(
@@ -52,15 +52,15 @@ protected DynamicSslContextProvider(
   }
 
   @Nullable
-  public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+  public AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
       getSslContextAndTrustManager() {
     return sslContextAndTrustManager;
   }
 
   protected abstract CertificateValidationContext generateCertificateValidationContext();
 
   /** Gets a server or client side SslContextBuilder. */
-  protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
+  protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, X509TrustManager>
       getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContext)
       throws CertificateException, IOException, CertStoreException;
@@ -70,7 +70,7 @@ protected final void updateSslContext() {
     try {
       CertificateValidationContext localCertValidationContext =
           generateCertificateValidationContext();
-      AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager> sslContextBuilderAndTm =
+      AbstractMap.SimpleImmutableEntry<SslContextBuilder, X509TrustManager> sslContextBuilderAndTm =
           getSslContextBuilderAndTrustManager(localCertValidationContext);
       CommonTlsContext commonTlsContext = getCommonTlsContext();
       if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
@@ -84,7 +84,7 @@ protected final void updateSslContext() {
         sslContextBuilderAndTm.getKey().applicationProtocolConfig(apn);
       }
       List<Callback> pendingCallbacksCopy;
-      AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+      AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
           sslContextAndExtendedX09TrustManagerCopy;
       synchronized (pendingCallbacks) {
         sslContextAndTrustManager = new AbstractMap.SimpleImmutableEntry<>(
@@ -101,11 +101,11 @@ protected final void updateSslContext() {
 
   protected final void callPerformCallback(
           Callback callback,
-          final AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTmCopy) {
+          final AbstractMap.SimpleImmutableEntry<SslContext,X509TrustManager> sslContextAndTmCopy) {
     performCallback(
         new SslContextGetter() {
           @Override
-          public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> get() {
+          public AbstractMap.SimpleImmutableEntry<SslContext,X509TrustManager> get() {
             return sslContextAndTmCopy;
           }
         },
@@ -117,7 +117,7 @@ public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> get() {
   public final void addCallback(Callback callback) {
     checkNotNull(callback, "callback");
     // if there is a computed sslContext just send it
-    AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextCopy = null;
+    AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextCopy = null;
     synchronized (pendingCallbacks) {
       if (sslContextAndTrustManager != null) {
         sslContextCopy = sslContextAndTrustManager;
@@ -131,7 +131,7 @@ public final void addCallback(Callback callback) {
   }
 
   private final void makePendingCallbacks(
-      AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
+      AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
           sslContextAndExtendedX509TrustManagerCopy,
       List<Callback> pendingCallbacksCopy) {
     for (Callback callback : pendingCallbacksCopy) {

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -48,7 +48,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nullable;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /**
  * Provides client and server side gRPC {@link ProtocolNegotiator}s to provide the SSL
@@ -237,7 +237,7 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
 
             @Override
             public void updateSslContextAndExtendedX509TrustManager(
-                AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
+                AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextAndTm) {
               if (ctx.isRemoved()) {
                 return;
               }
@@ -383,7 +383,7 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
 
             @Override
             public void updateSslContextAndExtendedX509TrustManager(
-                AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
+                AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextAndTm) {
               ChannelHandler handler = InternalProtocolNegotiators.serverTls(
                   sslContextAndTm.getKey()).newHandler(grpcHandler);
 

xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java

@@ -34,7 +34,7 @@
 import java.security.cert.CertificateException;
 import java.util.AbstractMap;
 import java.util.concurrent.Executor;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /**
  * A SslContextProvider is a "container" or provider of SslContext. This is used by gRPC-xds to
@@ -60,7 +60,7 @@ protected Callback(Executor executor) {
 
     /** Informs callee of new/updated SslContext. */
     @VisibleForTesting public abstract void updateSslContextAndExtendedX509TrustManager(
-        AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContext);
+        AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContext);
 
     /** Informs callee of an exception that was generated. */
     @VisibleForTesting protected abstract void onException(Throwable throwable);
@@ -122,7 +122,7 @@ protected final void performCallback(
           @Override
           public void run() {
             try {
-              AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm =
+              AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextAndTm =
                   sslContextGetter.get();
               callback.updateSslContextAndExtendedX509TrustManager(sslContextAndTm);
             } catch (Throwable e) {
@@ -134,6 +134,6 @@ public void run() {
 
   /** Allows implementations to compute or get SslContext. */
   protected interface SslContextGetter {
-    AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> get() throws Exception;
+    AbstractMap.SimpleImmutableEntry<SslContext,X509TrustManager> get() throws Exception;
   }
 }

xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java

@@ -27,7 +27,7 @@
 import io.netty.handler.ssl.SslContext;
 import java.util.AbstractMap;
 import java.util.Objects;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /**
  * Enables Client or server side to initialize this object with the received {@link BaseTlsContext}
@@ -70,7 +70,7 @@ public synchronized void updateSslContext(
 
             @Override
             public void updateSslContextAndExtendedX509TrustManager(
-                AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
+                AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextAndTm) {
               callback.updateSslContextAndExtendedX509TrustManager(sslContextAndTm);
               releaseSslContextProvider(toRelease);
             }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -30,7 +30,7 @@
 import java.util.Arrays;
 import java.util.Map;
 import javax.annotation.Nullable;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
 final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
@@ -54,7 +54,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
   }
 
   @Override
-  protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
+  protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, X509TrustManager>
       getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContext)
               throws CertStoreException {

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java

@@ -33,7 +33,7 @@
 import java.util.AbstractMap;
 import java.util.Map;
 import javax.annotation.Nullable;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /** A server SslContext provider using CertificateProviderInstance to fetch secrets. */
 final class CertProviderServerSslContextProvider extends CertProviderSslContextProvider {
@@ -57,7 +57,7 @@ final class CertProviderServerSslContextProvider extends CertProviderSslContextP
   }
 
   @Override
-  protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
+  protected final AbstractMap.SimpleImmutableEntry<SslContextBuilder, X509TrustManager>
       getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContextdationContext)
           throws CertStoreException, CertificateException, IOException {

xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java

@@ -41,7 +41,7 @@
 import java.util.List;
 import java.util.concurrent.Executor;
 import javax.annotation.Nullable;
-import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /** Utility class for client and server ssl provider tests. */
 public class CommonTlsContextTestsUtil {
@@ -405,7 +405,7 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
 
   /** Perform some simple checks on sslContext. */
   public static void doChecksOnSslContext(boolean server,
-      AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm,
+      AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContextAndTm,
       List<String> expectedApnProtos) {
     if (server) {
       assertThat(sslContextAndTm.getKey().isServer()).isTrue();
@@ -438,7 +438,7 @@ public static TestCallback getValueThruCallback(SslContextProvider provider, Exe
 
   public static class TestCallback extends SslContextProvider.Callback {
 
-    public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> updatedSslContext;
+    public AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> updatedSslContext;
     public Throwable updatedThrowable;
 
     public TestCallback(Executor executor) {
@@ -447,7 +447,7 @@ public TestCallback(Executor executor) {
 
     @Override
     public void updateSslContextAndExtendedX509TrustManager(
-        AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContext) {
+        AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager> sslContext) {
       updatedSslContext = sslContext;
     }