AdvancedTls: add functions to load credentials from static files (#8525)

* AdvancedTls: add functions to load credentials from static files
grpc · Sep 17, 2021 · 838438c · 838438c
1 parent 38a554c
commit 838438c
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 0 deletions.
diff --git a/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java b/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java
@@ -141,6 +141,21 @@ public Closeable updateIdentityCredentialsFromFile(File keyFile, File certFile,
     };
   }
 
+  /**
+   * Updates the private key and certificate chains from the local file paths.
+   *
+   * @param keyFile  the file on disk holding the private key
+   * @param certFile  the file on disk holding the certificate chain
+   */
+  public void updateIdentityCredentialsFromFile(File keyFile, File certFile) throws IOException,
+      GeneralSecurityException {
+    UpdateResult newResult = readAndUpdate(keyFile, certFile, 0, 0);
+    if (!newResult.success) {
+      throw new GeneralSecurityException(
+          "Files were unmodified before their initial update. Probably a bug.");
+    }
+  }
+
   private static class KeyInfo {
     // The private key and the cert chain we will use to send to peers to prove our identity.
     final PrivateKey key;

diff --git a/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java b/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
@@ -255,6 +255,20 @@ public void run() {
     }
   }
 
+  /**
+   * Updates the trust certificates from a local file path.
+   *
+   * @param trustCertFile  the file on disk holding the trust certificates
+   */
+  public void updateTrustCredentialsFromFile(File trustCertFile) throws IOException,
+      GeneralSecurityException {
+    long updatedTime = readAndUpdate(trustCertFile, 0);
+    if (updatedTime == 0) {
+      throw new GeneralSecurityException(
+          "Files were unmodified before their initial update. Probably a bug.");
+    }
+  }
+
   /**
    * Reads the trust certificates specified in the path location, and update the key store if the
    * modified time has changed since last read.

diff --git a/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java b/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java
@@ -388,6 +388,44 @@ public void onFileReloadingKeyManagerTrustManagerTest() throws Exception {
     clientTrustShutdown.close();
   }
 
+  @Test
+  public void onFileLoadingKeyManagerTrustManagerTest() throws Exception {
+    // Create & start a server.
+    AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
+    serverKeyManager.updateIdentityCredentialsFromFile(serverKey0File, serverCert0File);
+    AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
+        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
+        .build();
+    serverTrustManager.updateTrustCredentialsFromFile(caCertFile);
+    ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
+        .keyManager(serverKeyManager).trustManager(serverTrustManager)
+        .clientAuth(ClientAuth.REQUIRE).build();
+    server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(
+        new SimpleServiceImpl()).build().start();
+    // Create a client to connect.
+    AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
+    clientKeyManager.updateIdentityCredentialsFromFile(clientKey0File, clientCert0File);
+    AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
+        .setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
+        .build();
+    clientTrustManager.updateTrustCredentialsFromFile(caCertFile);
+    ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
+        .keyManager(clientKeyManager).trustManager(clientTrustManager).build();
+    channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
+        .overrideAuthority("foo.test.google.com.au").build();
+    // Start the connection.
+    try {
+      SimpleServiceGrpc.SimpleServiceBlockingStub client =
+          SimpleServiceGrpc.newBlockingStub(channel);
+      // Send an actual request, via the full GRPC & network stack, and check that a proper
+      // response comes back.
+      client.unaryRpc(SimpleRequest.getDefaultInstance());
+    } catch (StatusRuntimeException e) {
+      e.printStackTrace();
+      fail("Find error: " + e.getMessage());
+    }
+  }
+
   @Test
   public void onFileReloadingKeyManagerBadInitialContentTest() throws Exception {
     exceptionRule.expect(GeneralSecurityException.class);