

29 Sep 2025 04:21PM UTC coverage: 88.592% (+0.02%) from 88.575%
xds: xDS based SNI setting and SAN validation (#12378)

When using xDS credentials, make the SNI for the TLS handshake configurable
via xDS rather than using the channel authority as the SNI, and make SAN
validation able to use the SNI that was sent when so instructed via xDS.

Implements A101.

34877 of 39368 relevant lines covered (88.59%)

0.89 hits per line


83.87
/../core/src/main/java/io/grpc/internal/CertificateUtils.java
/*
 * Copyright 2024 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc.internal;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Contains certificate/key PEM file utility method(s) for internal usage.
 */
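public final class CertificateUtils {
  /**
   * {@code javax.net.ssl.X509ExtendedTrustManager}, resolved reflectively because the class is
   * missing on some runtimes; {@code null} when it is unavailable.
   */
  private static final Class<?> x509ExtendedTrustManagerClass;

  static {
    Class<?> x509ExtendedTrustManagerClass1;
    try {
      x509ExtendedTrustManagerClass1 = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
    } catch (ClassNotFoundException e) {
      x509ExtendedTrustManagerClass1 = null;
      // Will disallow per-rpc authority override via call option.
    }
    x509ExtendedTrustManagerClass = x509ExtendedTrustManagerClass1;
  }

  /**
   * Creates X509TrustManagers using the provided CA certs.
   *
   * @param rootCerts CA certificates in a form the "X.509" {@link CertificateFactory} accepts
   *     (one or more PEM blocks, or DER)
   * @return the trust managers produced by the default {@link TrustManagerFactory}
   * @throws GeneralSecurityException if the certificates cannot be parsed or the trust manager
   *     factory cannot be initialized
   */
  public static TrustManager[] createTrustManager(byte[] rootCerts)
      throws GeneralSecurityException {
    // ByteArrayInputStream.close() is documented as a no-op, so there is nothing to release here.
    return createTrustManager(new ByteArrayInputStream(rootCerts));
  }

  /**
   * Creates X509TrustManagers using the provided input stream of CA certs.
   *
   * <p>The stream is read but not closed; the caller owns it. An input that contains no
   * certificates produces trust managers with no accepted issuers, i.e. ones that trust no peer.
   *
   * @param rootCerts stream of CA certificates in a form the "X.509" {@link CertificateFactory}
   *     accepts
   * @return the trust managers produced by the default {@link TrustManagerFactory}
   * @throws GeneralSecurityException if the certificates cannot be parsed or the key store or
   *     trust manager factory cannot be initialized
   */
  public static TrustManager[] createTrustManager(InputStream rootCerts)
      throws GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try {
      ks.load(null, null);
    } catch (IOException ex) {
      // Shouldn't really happen, as we're not loading any data.
      throw new GeneralSecurityException(ex);
    }
    X509Certificate[] certs = getX509Certificates(rootCerts);
    for (int i = 0; i < certs.length; i++) {
      X500Principal principal = certs[i].getSubjectX500Principal();
      // The alias is only a key into the in-memory key store; trust managers never look at it.
      // Suffix the subject name with the index so that two CAs sharing a subject (e.g. old and new
      // roots during a CA key rollover) are both kept as trust anchors instead of the later one
      // silently replacing the earlier one. Key store aliases may also be case-insensitive
      // depending on the store type, which the index guards against as well.
      ks.setCertificateEntry(principal.getName("RFC2253") + "#" + i, certs[i]);
    }

    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(ks);
    return trustManagerFactory.getTrustManagers();
  }

  /**
   * Returns the first {@code X509ExtendedTrustManager} among the given trust managers.
   *
   * @param trustManagers trust managers to scan, typically the result of
   *     {@link #createTrustManager(InputStream)}
   * @return the first element that is an {@code X509ExtendedTrustManager}, or {@code null} if
   *     there is none or the runtime lacks that class
   */
  public static X509TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
    if (x509ExtendedTrustManagerClass == null) {
      return null;
    }
    for (TrustManager trustManager : trustManagers) {
      if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
        // X509ExtendedTrustManager extends X509TrustManager, so the cast cannot fail.
        return (X509TrustManager) trustManager;
      }
    }
    return null;
  }

  /**
   * Parses every certificate in the stream with the "X.509" {@link CertificateFactory}.
   *
   * @param inputStream certificate data; read but not closed
   * @return the parsed certificates in stream order (empty for an empty stream)
   * @throws CertificateException if the data is not a well-formed certificate sequence
   */
  private static X509Certificate[] getX509Certificates(InputStream inputStream)
      throws CertificateException {
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> certs = factory.generateCertificates(inputStream);
    // The "X.509" factory only yields X509Certificate instances, so this typed copy is safe.
    return certs.toArray(new X509Certificate[0]);
  }
}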