
AdvancedTls: add functions to load credentials from static files #8525

Merged
merged 4 commits into from Sep 17, 2021
Changes from 3 commits
16 changes: 16 additions & 0 deletions core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java
Expand Up @@ -141,6 +141,22 @@ public Closeable updateIdentityCredentialsFromFile(File keyFile, File certFile,
};
}

/**
* Loads the private key and certificate chains from the local file paths. The contents are only
* read at the construction time and won't be updated afterwards.
"construction time" doesn't seem right.

*
* @param keyFile the file on disk holding the private key
* @param certFile the file on disk holding the certificate chain
*/
public void loadIdentityCredentialsFromFile(File keyFile, File certFile) throws IOException,
Seems this should also be named with "update" in its name. Update vs load isn't a useful distinction, especially since updateIdentityCredentials() is also one-shot.

GeneralSecurityException {
UpdateResult newResult = readAndUpdate(keyFile, certFile, 0, 0);
if (!newResult.success) {
throw new GeneralSecurityException(
"Files were unmodified before their initial update. Probably a bug.");
}
}

private static class KeyInfo {
// The private key and the cert chain we will use to send to peers to prove our identity.
final PrivateKey key;
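Review bot: the failure branch in `loadIdentityCredentialsFromFile` reports the wrong cause. `readAndUpdate(keyFile, certFile, 0, 0)` passes 0 as the previous modification times, so `!newResult.success` is reached whenever the files report a modification time of 0; if `readAndUpdate` compares against `File.lastModified()` (which the 0 sentinel suggests), that is exactly what a missing or unreadable path returns, and the caller is then told "Files were unmodified before their initial update. Probably a bug." Suggest checking `keyFile.canRead()` and `certFile.canRead()` before the read and naming the file in the exception, e.g. `throw new GeneralSecurityException("Cannot read private key file " + keyFile);`. The Javadoc's "construction time" (already flagged above) should instead say the files are read once, when this method is called, and are not watched afterwards.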
Expand Down
15 changes: 15 additions & 0 deletions core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Expand Up @@ -255,6 +255,21 @@ public void run() {
}
}

/**
* Loads the trust certificates from a local file path. The contents are only read at the
* construction time and won't be updated afterwards.
*
* @param trustCertFile the file on disk holding the trust certificates
*/
public void loadTrustCredentialsFromFile(File trustCertFile) throws IOException,
GeneralSecurityException {
long updatedTime = readAndUpdate(trustCertFile, 0);
if (updatedTime == 0) {
throw new GeneralSecurityException(
"Files were unmodified before their initial update. Probably a bug.");
}
}

/**
* Reads the trust certificates specified in the path location, and update the key store if the
* modified time has changed since last read.
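Review bot: the exception text in `loadTrustCredentialsFromFile` is copied from the key manager and no longer fits: this method takes a single `trustCertFile`, yet the message says "Files were unmodified", and since `readAndUpdate(trustCertFile, 0)` returning 0 is the same outcome a missing or unreadable path would produce, "Probably a bug" points the user away from the likely cause. Suggest `throw new GeneralSecurityException("Cannot read trust certificate file " + trustCertFile);`. The Javadoc has the same "construction time" wording as the key manager and should likewise state that the file is read once when this method is called.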
Expand Down
38 changes: 38 additions & 0 deletions netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java
Expand Up @@ -388,6 +388,44 @@ public void onFileReloadingKeyManagerTrustManagerTest() throws Exception {
clientTrustShutdown.close();
}

@Test
public void onFileLoadingKeyManagerTrustManagerTest() throws Exception {
// Create & start a server.
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.loadIdentityCredentialsFromFile(serverKey0File, serverCert0File);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.build();
serverTrustManager.loadTrustCredentialsFromFile(caCertFile);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
.keyManager(serverKeyManager).trustManager(serverTrustManager)
.clientAuth(ClientAuth.REQUIRE).build();
server = Grpc.newServerBuilderForPort(0, serverCredentials).addService(
new SimpleServiceImpl()).build().start();
// Create a client to connect.
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.loadIdentityCredentialsFromFile(clientKey0File, clientCert0File);
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
.build();
clientTrustManager.loadTrustCredentialsFromFile(caCertFile);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
.keyManager(clientKeyManager).trustManager(clientTrustManager).build();
channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials)
.overrideAuthority("foo.test.google.com.au").build();
// Start the connection.
try {
SimpleServiceGrpc.SimpleServiceBlockingStub client =
SimpleServiceGrpc.newBlockingStub(channel);
// Send an actual request, via the full GRPC & network stack, and check that a proper
// response comes back.
client.unaryRpc(SimpleRequest.getDefaultInstance());
} catch (StatusRuntimeException e) {
e.printStackTrace();
fail("Find error: " + e.getMessage());
}
}

@Test
public void onFileReloadingKeyManagerBadInitialContentTest() throws Exception {
exceptionRule.expect(GeneralSecurityException.class);
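Review bot: `onFileLoadingKeyManagerTrustManagerTest` covers only the success path; the `GeneralSecurityException` that `loadIdentityCredentialsFromFile` and `loadTrustCredentialsFromFile` throw when the initial read fails is never exercised. Add a companion to `onFileReloadingKeyManagerBadInitialContentTest` (for example `onFileLoadingKeyManagerBadInitialContentTest`) that calls the new load methods with a non-existent or malformed file under `exceptionRule.expect(GeneralSecurityException.class)`, so the error branch added in this PR is tested. Minor: `fail("Find error: " + e.getMessage())` reads oddly; `fail("Unexpected error: " + e.getMessage())` is clearer.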
Expand Down