In-progress changes to move authority verification to the ChannelHand…

…ler instead of the Protocol negotiator.
kannanjgithub · Jan 24, 2025 · 15c8161 · 15c8161
1 parent b8b70bf
commit 15c8161
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 70 deletions.
diff --git a/core/src/main/java/io/grpc/internal/AuthorityVerifier.java b/core/src/main/java/io/grpc/internal/AuthorityVerifier.java
@@ -0,0 +1,7 @@
+package io.grpc.internal;
+
+import io.grpc.Status;
+
+public interface AuthorityVerifier {
+  Status verifyAuthority(String authority);
+}
diff --git a/core/src/main/java/io/grpc/internal/GrpcAttributes.java b/core/src/main/java/io/grpc/internal/GrpcAttributes.java
@@ -42,5 +42,7 @@ public final class GrpcAttributes {
   public static final Attributes.Key<Attributes> ATTR_CLIENT_EAG_ATTRS =
       Attributes.Key.create("io.grpc.internal.GrpcAttributes.clientEagAttrs");
 
+  public static final Attributes.Key<AuthorityVerifier> ATTR_AUTHORITY_VERIFIER =
+          Attributes.Key.create("io.grpc.internal.GrpcAttributes.authorityVerifier");
   private GrpcAttributes() {}
 }
diff --git a/examples/build.gradle b/examples/build.gradle
@@ -45,7 +45,7 @@ dependencies {
 protobuf {
     protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
     plugins {
-        grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" }
     }
     generateProtoTasks {
         all()*.plugins { grpc {} }

diff --git a/examples/example-tls/build.gradle b/examples/example-tls/build.gradle
@@ -34,7 +34,7 @@ dependencies {
 protobuf {
     protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
     plugins {
-        grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" }
     }
     generateProtoTasks {
         all()*.plugins { grpc {} }

diff --git a/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java
@@ -170,7 +170,7 @@ public static ChannelHandler clientTlsHandler(
       ChannelHandler next, SslContext sslContext, String authority,
       ChannelLogger negotiationLogger) {
     return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,
-        Optional.absent(), null);
+        Optional.absent(), null, null);
   }
 
   public static class ProtocolNegotiationHandler

diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -585,25 +585,6 @@ protected void userEventTriggered0(ChannelHandlerContext ctx, Object evt) throws
   }
 
   static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
-    private static final Method checkServerTrustedMethod;
-
-    static {
-      Method method = null;
-      try {
-        Class<?> x509ExtendedTrustManagerClass =
-                Class.forName("javax.net.ssl.X509ExtendedTrustManager");
-        method = x509ExtendedTrustManagerClass.getMethod("checkServerTrusted",
-                X509Certificate[].class, String.class, SSLEngine.class);
-      } catch (ClassNotFoundException e) {
-        // Per-rpc authority overriding via call options will be disallowed.
-      } catch (NoSuchMethodException e) {
-        // Should never happen since X509ExtendedTrustManager was introduced in Android API level 24
-        // along with checkServerTrusted.
-      }
-      checkServerTrustedMethod = method;
-    }
-
-    private SSLEngine sslEngine;
 
     public ClientTlsProtocolNegotiator(SslContext sslContext,
         ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
@@ -633,7 +614,8 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
       ChannelHandler cth = new ClientTlsHandler(gnh, sslContext, grpcHandler.getAuthority(),
-          this.executor, negotiationLogger, handshakeCompleteRunnable, this);
+          this.executor, negotiationLogger, handshakeCompleteRunnable, this,
+              x509ExtendedTrustManager);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
     }
 
@@ -644,47 +626,6 @@ public void close() {
       }
     }
 
-    @Override
-    public Status verifyAuthority(@Nonnull String authority) {
-      // sslEngine won't be set when creating ClientTlsHandler from InternalProtocolNegotiators
-      // for example.
-      if (sslEngine == null || x509ExtendedTrustManager == null) {
-        return Status.FAILED_PRECONDITION.withDescription(
-                "Can't allow authority override in rpc when SslEngine or X509ExtendedTrustManager"
-                        + " is not available");
-      }
-      Status peerVerificationStatus;
-      try {
-        verifyAuthorityAllowedForPeerCert(authority);
-        peerVerificationStatus = Status.OK;
-      } catch (SSLPeerUnverifiedException | CertificateException | InvocationTargetException
-               | IllegalAccessException | IllegalStateException e) {
-        peerVerificationStatus = Status.UNAVAILABLE.withDescription(
-                String.format("Peer hostname verification during rpc failed for authority '%s'",
-                authority)).withCause(e);
-      }
-      return peerVerificationStatus;
-    }
-
-    public void setSslEngine(SSLEngine sslEngine) {
-      this.sslEngine = sslEngine;
-    }
-
-    private void verifyAuthorityAllowedForPeerCert(String authority)
-            throws SSLPeerUnverifiedException, CertificateException, InvocationTargetException,
-            IllegalAccessException {
-      SSLEngine sslEngineWrapper = new SslEngineWrapper(sslEngine, authority);
-      // The typecasting of Certificate to X509Certificate should work because this method will only
-      // be called when using TLS and thus X509.
-      Certificate[] peerCertificates = sslEngine.getSession().getPeerCertificates();
-      X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
-      for (int i = 0; i < peerCertificates.length; i++) {
-        x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
-      }
-      checkServerTrustedMethod.invoke(
-              x509ExtendedTrustManager, x509PeerCertificates, "RSA", sslEngineWrapper);
-    }
-
     @VisibleForTesting
     boolean hasX509ExtendedTrustManager() {
       return x509ExtendedTrustManager != null;
@@ -699,11 +640,13 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private final ClientTlsProtocolNegotiator clientTlsProtocolNegotiator;
     private Executor executor;
     private final Optional<Runnable> handshakeCompleteRunnable;
+    private final X509TrustManager x509ExtendedTrustManager;
 
     ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
         Executor executor, ChannelLogger negotiationLogger,
         Optional<Runnable> handshakeCompleteRunnable,
-        ClientTlsProtocolNegotiator clientTlsProtocolNegotiator) {
+        ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
+         X509TrustManager x509ExtendedTrustManager) {
       super(next, negotiationLogger);
       this.sslContext = checkNotNull(sslContext, "sslContext");
       HostPort hostPort = parseAuthority(authority);
@@ -712,6 +655,7 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
       this.executor = executor;
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.clientTlsProtocolNegotiator = clientTlsProtocolNegotiator;
+      this.x509ExtendedTrustManager = x509ExtendedTrustManager;
     }
 
     @Override
@@ -724,7 +668,12 @@ protected void handlerAdded0(ChannelHandlerContext ctx) {
       ctx.pipeline().addBefore(ctx.name(), /* name= */ null, this.executor != null
           ? new SslHandler(sslEngine, false, this.executor)
           : new SslHandler(sslEngine, false));
-      clientTlsProtocolNegotiator.setSslEngine(sslEngine);
+      ProtocolNegotiationEvent existingPne = getProtocolNegotiationEvent();
+      Attributes attrs = existingPne.getAttributes().toBuilder()
+              .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, new X509AuthorityVerifier(
+                      sslEngine, x509ExtendedTrustManager))
+              .build();
+      replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs));
     }
 
     @Override

diff --git a/netty/src/main/java/io/grpc/netty/X509AuthorityVerifier.java b/netty/src/main/java/io/grpc/netty/X509AuthorityVerifier.java
@@ -0,0 +1,77 @@
+package io.grpc.netty;
+
+import io.grpc.Status;
+import io.grpc.internal.AuthorityVerifier;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.annotation.Nonnull;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.X509TrustManager;
+
+public class X509AuthorityVerifier implements AuthorityVerifier {
+  private final SSLEngine sslEngine;
+  private final X509TrustManager x509ExtendedTrustManager;
+
+  private static final Method checkServerTrustedMethod;
+
+  static {
+    Method method = null;
+    try {
+      Class<?> x509ExtendedTrustManagerClass =
+              Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+      method = x509ExtendedTrustManagerClass.getMethod("checkServerTrusted",
+              X509Certificate[].class, String.class, SSLEngine.class);
+    } catch (ClassNotFoundException e) {
+      // Per-rpc authority overriding via call options will be disallowed.
+    } catch (NoSuchMethodException e) {
+      // Should never happen since X509ExtendedTrustManager was introduced in Android API level 24
+      // along with checkServerTrusted.
+    }
+    checkServerTrustedMethod = method;
+  }
+
+  public X509AuthorityVerifier(SSLEngine sslEngine, X509TrustManager x509ExtendedTrustManager) {
+    this.sslEngine = sslEngine;
+    this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+  }
+
+  public Status verifyAuthority(@Nonnull String authority) {
+    // sslEngine won't be set when creating ClientTlsHandler from InternalProtocolNegotiators
+    // for example.
+    if (sslEngine == null || x509ExtendedTrustManager == null) {
+      return Status.FAILED_PRECONDITION.withDescription(
+              "Can't allow authority override in rpc when SslEngine or X509ExtendedTrustManager"
+                      + " is not available");
+    }
+    Status peerVerificationStatus;
+    try {
+      verifyAuthorityAllowedForPeerCert(authority);
+      peerVerificationStatus = Status.OK;
+    } catch (SSLPeerUnverifiedException | CertificateException | InvocationTargetException
+             | IllegalAccessException | IllegalStateException e) {
+      peerVerificationStatus = Status.UNAVAILABLE.withDescription(
+              String.format("Peer hostname verification during rpc failed for authority '%s'",
+                      authority)).withCause(e);
+    }
+    return peerVerificationStatus;
+  }
+
+  private void verifyAuthorityAllowedForPeerCert(String authority)
+          throws SSLPeerUnverifiedException, CertificateException, InvocationTargetException,
+          IllegalAccessException {
+    SSLEngine sslEngineWrapper = new ProtocolNegotiators.SslEngineWrapper(sslEngine, authority);
+    // The typecasting of Certificate to X509Certificate should work because this method will only
+    // be called when using TLS and thus X509.
+    Certificate[] peerCertificates = sslEngine.getSession().getPeerCertificates();
+    X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
+    for (int i = 0; i < peerCertificates.length; i++) {
+      x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
+    }
+    checkServerTrustedMethod.invoke(
+            x509ExtendedTrustManager, x509PeerCertificates, "RSA", sslEngineWrapper);
+  }
+}
diff --git a/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java b/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
@@ -921,7 +921,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator());
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -960,7 +960,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator());
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -985,7 +985,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator());
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
 
     final AtomicReference<Throwable> error = new AtomicReference<>();
@@ -1014,7 +1014,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   public void clientTlsHandler_closeDuringNegotiation() throws Exception {
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", null, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator());
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(new WriteBufferingAndExceptionHandler(handler));
     ChannelFuture pendingWrite = channel.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);