
Commit ac62c8b

committed
Fix tests and warnings on Java 17
SelfSignedCertificate is not available on Java 17 because OpenJdkSelfSignedCertGenerator is not available. This only impacted tests. AccessController is being removed, and these locations are doing simple reflection which is unlikely to require it even when a security policy is in effect. There are other places where we do reflection without the AccessController, so either no security policies care or users can update their policies to allow it.
1 parent feab4e5 commit ac62c8b


8 files changed

+98
-127
lines changed


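--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
-jre: [8, 11]
+jre: [8, 11, 17]
 fail-fast: false # Should swap to true if we grow a large matrix
 
 steps: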

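--- a/core/src/main/java/io/grpc/internal/ProxyDetectorImpl.java
+++ b/core/src/main/java/io/grpc/internal/ProxyDetectorImpl.java
@@ -135,7 +135,6 @@ public PasswordAuthentication requestPasswordAuthentication(
 Level.WARNING,
 "failed to create URL for Authenticator: {0} {1}", new Object[] {protocol, host});
 }
-// TODO(spencerfang): consider using java.security.AccessController here
 return Authenticator.requestPasswordAuthentication(
 host, addr, port, protocol, prompt, scheme, url, Authenticator.RequestorType.PROXY);
 }
@@ -144,7 +143,6 @@ public PasswordAuthentication requestPasswordAuthentication(
 new Supplier<ProxySelector>() {
 @Override
 public ProxySelector get() {
-// TODO(spencerfang): consider using java.security.AccessController here
 return ProxySelector.getDefault();
 }
 };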

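--- a/netty/src/main/java/io/grpc/netty/JettyTlsUtil.java
+++ b/netty/src/main/java/io/grpc/netty/JettyTlsUtil.java
@@ -17,8 +17,6 @@
 package io.grpc.netty;
 
 import java.lang.reflect.Method;
-import java.security.AccessController;
-import java.security.PrivilegedExceptionAction;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 
@@ -42,13 +40,7 @@ static Throwable checkAlpnAvailability() {
 SSLContext context = SSLContext.getInstance("TLS");
 context.init(null, null, null);
 SSLEngine engine = context.createSSLEngine();
-Method getApplicationProtocol =
-AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
-@Override
-public Method run() throws Exception {
-return SSLEngine.class.getMethod("getApplicationProtocol");
-}
-});
+Method getApplicationProtocol = SSLEngine.class.getMethod("getApplicationProtocol");
 getApplicationProtocol.invoke(engine);
 return null;
 } catch (Throwable t) {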
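Review bot: With the doPrivileged wrapper gone, the reflective lookup `SSLEngine.class.getMethod("getApplicationProtocol")` on new line 43 now runs with the permissions of the whole calling stack, and because the surrounding `catch (Throwable t)` catches everything, a SecurityException raised by a restrictive policy would presumably be returned from that catch block (its body is outside the hunk) and read by callers as "ALPN unavailable" rather than as a policy problem. The commit message accepts this trade-off, but nothing in the code records it; a comment on that line such as `// No doPrivileged: under a SecurityManager a denied reflective lookup surfaces as ALPN being unavailable.` would keep the intent visible. checkAlpnAvailability starts and ends outside the hunk.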

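--- a/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
+++ b/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
@@ -68,6 +68,7 @@
 import io.grpc.netty.ProtocolNegotiators.ServerTlsHandler;
 import io.grpc.netty.ProtocolNegotiators.WaitUntilActiveHandler;
 import io.grpc.testing.TlsTesting;
+import io.grpc.util.CertificateUtils;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.buffer.ByteBuf;
@@ -107,16 +108,13 @@
 import io.netty.handler.proxy.ProxyConnectException;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
 import java.io.File;
 import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.KeyStore;
-import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayDeque;
 import java.util.Arrays;
@@ -478,19 +476,26 @@ public void from_tls_clientAuthOptional_clientCert() throws Exception {
 
 @Test
 public void from_tls_managers() throws Exception {
-SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
 keyStore.load(null);
-keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
+try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
+InputStream server1Key = TlsTesting.loadCert("server1.key")) {
+X509Certificate[] chain = CertificateUtils.getX509Certificates(server1Chain);
+keyStore.setKeyEntry("key", CertificateUtils.getPrivateKey(server1Key), new char[0], chain);
+}
 KeyManagerFactory keyManagerFactory =
 KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
 keyManagerFactory.init(keyStore, new char[0]);
 
 KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
 certStore.load(null);
-certStore.setCertificateEntry("mycert", cert.cert());
 TrustManagerFactory trustManagerFactory =
 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
+for (X509Certificate cert : CertificateUtils.getX509Certificates(ca)) {
+certStore.setCertificateEntry(cert.getSubjectX500Principal().getName("RFC2253"), cert);
+}
+}
 trustManagerFactory.init(certStore);
 
 ServerCredentials serverCreds = TlsServerCredentials.newBuilder()
@@ -504,8 +509,7 @@ public void from_tls_managers() throws Exception {
 .build();
 InternalChannelz.Tls tls = expectSuccessfulHandshake(channelCreds, serverCreds);
 assertThat(((X509Certificate) tls.remoteCert).getSubjectX500Principal().getName())
-.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
-cert.delete();
+.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
 }
 
 @Test
@@ -1214,11 +1218,15 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
 
 @Test
 public void clientTlsHandler_firesNegotiation() throws Exception {
-SelfSignedCertificate cert = new SelfSignedCertificate("authority");
-SslContext clientSslContext =
-GrpcSslContexts.configure(SslContextBuilder.forClient().trustManager(cert.cert())).build();
-SslContext serverSslContext =
-GrpcSslContexts.configure(SslContextBuilder.forServer(cert.key(), cert.cert())).build();
+SslContext clientSslContext;
+try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
+clientSslContext = GrpcSslContexts.forClient().trustManager(ca).build();
+}
+SslContext serverSslContext;
+try (InputStream server1Key = TlsTesting.loadCert("server1.key");
+InputStream server1Chain = TlsTesting.loadCert("server1.pem")) {
+serverSslContext = GrpcSslContexts.forServer(server1Chain, server1Key).build();
+}
 FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
 ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext, null);
 WriteBufferingAndExceptionHandler clientWbaeh =
@@ -1404,7 +1412,7 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
 
 @Override
 public String getAuthority() {
-return "authority";
+return "foo.test.google.fr";
 }
 }
 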
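Review bot: The expected subject `"CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US"` on new line 512 is a property of the `server1.pem` fixture, and the same literal is repeated in OkHttpChannelBuilderTest at new lines 247 and 295; a single shared constant (next to the fixture names in TlsTesting, for instance) would keep the three assertions from drifting if the fixture is ever regenerated. Relatedly, `getAuthority()` returning `"foo.test.google.fr"` at new line 1415 presumably has to be covered by a subject alternative name in that same fixture, since the subject CN is `*.test.google.com`; a one-line comment such as `// must match a SAN in server1.pem` would make that dependency explicit. from_tls_managers and clientTlsHandler_firesNegotiation both continue past their hunks.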

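--- a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
+++ b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
@@ -54,6 +54,7 @@
 import io.grpc.util.CertificateUtils;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.GeneralSecurityException;
@@ -667,21 +668,24 @@ static SslSocketFactoryResult sslSocketFactoryFrom(ChannelCredentials creds) {
 
 static KeyManager[] createKeyManager(byte[] certChain, byte[] privateKey)
 throws GeneralSecurityException {
-X509Certificate[] chain;
-ByteArrayInputStream inCertChain = new ByteArrayInputStream(certChain);
+InputStream certChainStream = new ByteArrayInputStream(certChain);
+InputStream privateKeyStream = new ByteArrayInputStream(privateKey);
 try {
-chain = CertificateUtils.getX509Certificates(inCertChain);
+return createKeyManager(certChainStream, privateKeyStream);
 } finally {
-GrpcUtil.closeQuietly(inCertChain);
+GrpcUtil.closeQuietly(certChainStream);
+GrpcUtil.closeQuietly(privateKeyStream);
 }
+}
+
+static KeyManager[] createKeyManager(InputStream certChain, InputStream privateKey)
+throws GeneralSecurityException {
+X509Certificate[] chain = CertificateUtils.getX509Certificates(certChain);
 PrivateKey key;
-ByteArrayInputStream inPrivateKey = new ByteArrayInputStream(privateKey);
 try {
-key = CertificateUtils.getPrivateKey(inPrivateKey);
+key = CertificateUtils.getPrivateKey(privateKey);
 } catch (IOException uee) {
 throw new GeneralSecurityException("Unable to decode private key", uee);
-} finally {
-GrpcUtil.closeQuietly(inPrivateKey);
 }
 KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 try {
@@ -699,20 +703,23 @@ static KeyManager[] createKeyManager(byte[] certChain, byte[] privateKey)
 }
 
 static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
+InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
+try {
+return createTrustManager(rootCertsStream);
+} finally {
+GrpcUtil.closeQuietly(rootCertsStream);
+}
+}
+
+static TrustManager[] createTrustManager(InputStream rootCerts) throws GeneralSecurityException {
 KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 try {
 ks.load(null, null);
 } catch (IOException ex) {
 // Shouldn't really happen, as we're not loading any data.
 throw new GeneralSecurityException(ex);
 }
-X509Certificate[] certs;
-ByteArrayInputStream in = new ByteArrayInputStream(rootCerts);
-try {
-certs = CertificateUtils.getX509Certificates(in);
-} finally {
-GrpcUtil.closeQuietly(in);
-}
+X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
 for (X509Certificate cert : certs) {
 X500Principal principal = cert.getSubjectX500Principal();
 ks.setCertificateEntry(principal.getName("RFC2253"), cert);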
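Review bot: The new `createKeyManager(InputStream, InputStream)` (new line 681) and `createTrustManager(InputStream)` (new line 714) carry no Javadoc, and their stream-ownership contract differs from the byte[] overloads that now delegate to them: the byte[] versions close their streams in `finally`, while the InputStream versions leave closing to the caller, which OkHttpChannelBuilderTest relies on via try-with-resources. A header comment on each, along the lines of `/** Builds key managers from PEM-encoded streams; the caller owns and must close both streams. */`, would pin that contract down before other callers appear. Separately, the catch variable in the InputStream overload is still named `uee` although the clause catches `IOException`; renaming it `ioe` would match the type. Both new methods' bodies run past the hunks (the KeyStore-loading code after new line 691 and the loop after new line 725 are outside the view).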

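--- a/okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java
+++ b/okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java
@@ -39,23 +39,20 @@
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.SharedResourceHolder;
-import io.grpc.internal.testing.TestUtils;
 import io.grpc.testing.GrpcCleanupRule;
 import io.grpc.testing.TlsTesting;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
+import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
-import java.security.KeyStore;
-import java.security.cert.Certificate;
 import java.util.concurrent.ScheduledExecutorService;
 import javax.net.SocketFactory;
-import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManager;
 import javax.security.auth.x500.X500Principal;
 import org.junit.Rule;
 import org.junit.Test;
@@ -168,16 +165,12 @@ public void sslSocketFactoryFrom_unsupportedTls() {
 
 @Test
 public void sslSocketFactoryFrom_tls_customRoots() throws Exception {
-SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
-KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-keyStore.load(null);
-keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
-KeyManagerFactory keyManagerFactory =
-KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-keyManagerFactory.init(keyStore, new char[0]);
-
 SSLContext serverContext = SSLContext.getInstance("TLS");
-serverContext.init(keyManagerFactory.getKeyManagers(), null, null);
+try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
+InputStream server1Key = TlsTesting.loadCert("server1.key")) {
+serverContext.init(
+OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key), null, null);
+}
 final SSLServerSocket serverListenSocket =
 (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
 final SettableFuture<SSLSocket> serverSocket = SettableFuture.create();
@@ -194,9 +187,12 @@ public void sslSocketFactoryFrom_tls_customRoots() throws Exception {
 }
 }).start();
 
-ChannelCredentials creds = TlsChannelCredentials.newBuilder()
-.trustManager(cert.certificate())
+ChannelCredentials creds;
+try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
+creds = TlsChannelCredentials.newBuilder()
+.trustManager(ca)
 .build();
+}
 OkHttpChannelBuilder.SslSocketFactoryResult result =
 OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
 SSLSocket socket =
@@ -208,24 +204,19 @@ public void sslSocketFactoryFrom_tls_customRoots() throws Exception {
 
 @Test
 public void sslSocketFactoryFrom_tls_mtls() throws Exception {
-SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
-KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-keyStore.load(null);
-keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
-KeyManagerFactory keyManagerFactory =
-KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-keyManagerFactory.init(keyStore, new char[0]);
-
-KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
-certStore.load(null);
-certStore.setCertificateEntry("mycert", cert.cert());
-TrustManagerFactory trustManagerFactory =
-TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-trustManagerFactory.init(certStore);
+KeyManager[] keyManagers;
+try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
+InputStream server1Key = TlsTesting.loadCert("server1.key")) {
+keyManagers = OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key);
+}
+
+TrustManager[] trustManagers;
+try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
+trustManagers = OkHttpChannelBuilder.createTrustManager(ca);
+}
 
 SSLContext serverContext = SSLContext.getInstance("TLS");
-serverContext.init(
-keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+serverContext.init(keyManagers, trustManagers, null);
 final SSLServerSocket serverListenSocket =
 (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
 serverListenSocket.setNeedClientAuth(true);
@@ -244,40 +235,31 @@ public void sslSocketFactoryFrom_tls_mtls() throws Exception {
 }).start();
 
 ChannelCredentials creds = TlsChannelCredentials.newBuilder()
-.keyManager(keyManagerFactory.getKeyManagers())
-.trustManager(trustManagerFactory.getTrustManagers())
+.keyManager(keyManagers)
+.trustManager(trustManagers)
 .build();
 OkHttpChannelBuilder.SslSocketFactoryResult result =
 OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
 SSLSocket socket =
 (SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
 socket.getSession(); // Force handshake
 assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
-.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
+.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
 socket.close();
 serverSocket.get().close();
 }
 
 @Test
 public void sslSocketFactoryFrom_tls_mtls_keyFile() throws Exception {
-SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
-KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-keyStore.load(null);
-keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
-KeyManagerFactory keyManagerFactory =
-KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-keyManagerFactory.init(keyStore, new char[0]);
-
-KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
-certStore.load(null);
-certStore.setCertificateEntry("mycert", cert.cert());
-TrustManagerFactory trustManagerFactory =
-TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-trustManagerFactory.init(certStore);
-
 SSLContext serverContext = SSLContext.getInstance("TLS");
-serverContext.init(
-keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
+InputStream server1Key = TlsTesting.loadCert("server1.key");
+InputStream ca = TlsTesting.loadCert("ca.pem")) {
+serverContext.init(
+OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key),
+OkHttpChannelBuilder.createTrustManager(ca),
+null);
+}
 final SSLServerSocket serverListenSocket =
 (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
 serverListenSocket.setNeedClientAuth(true);
@@ -295,17 +277,22 @@ public void sslSocketFactoryFrom_tls_mtls_keyFile() throws Exception {
 }
 }).start();
 
-ChannelCredentials creds = TlsChannelCredentials.newBuilder()
-.keyManager(cert.certificate(), cert.privateKey())
-.trustManager(cert.certificate())
-.build();
+ChannelCredentials creds;
+try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
+InputStream server1Key = TlsTesting.loadCert("server1.key");
+InputStream ca = TlsTesting.loadCert("ca.pem")) {
+creds = TlsChannelCredentials.newBuilder()
+.keyManager(server1Chain, server1Key)
+.trustManager(ca)
+.build();
+}
 OkHttpChannelBuilder.SslSocketFactoryResult result =
 OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
 SSLSocket socket =
 (SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
 socket.getSession(); // Force handshake
 assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
-.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
+.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
 socket.close();
 serverSocket.get().close();
 }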
