okhttp: Per-rpc call option authority verification

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -16,6 +16,7 @@
 
 package io.grpc.internal;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.GeneralSecurityException;
@@ -36,8 +37,21 @@ public final class CertificateUtils {
   /**
    * Creates X509TrustManagers using the provided CA certs.
    */
-  public static TrustManager[] createTrustManager(InputStream rootCerts)
+  public static TrustManager[] createTrustManager(byte[] rootCerts)
       throws GeneralSecurityException {
+    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
+    try {
+      return CertificateUtils.createTrustManager(rootCertsStream);
+    } finally {
+      GrpcUtil.closeQuietly(rootCertsStream);
+    }
+  }
+
+  /**
+   * Creates X509TrustManagers using the provided input stream of CA certs.
+   */
+  public static TrustManager[] createTrustManager(InputStream rootCerts)
+          throws GeneralSecurityException {
     KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
     try {
       ks.load(null, null);
@@ -52,13 +66,13 @@ public static TrustManager[] createTrustManager(InputStream rootCerts)
     }
 
     TrustManagerFactory trustManagerFactory =
-        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     trustManagerFactory.init(ks);
     return trustManagerFactory.getTrustManagers();
   }
 
   private static X509Certificate[] getX509Certificates(InputStream inputStream)
-      throws CertificateException {
+          throws CertificateException {
     CertificateFactory factory = CertificateFactory.getInstance("X.509");
     Collection<? extends Certificate> certs = factory.generateCertificates(inputStream);
     return certs.toArray(new X509Certificate[0]);

okhttp/src/main/java/io/grpc/okhttp/NoopSslSocket.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2024 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.okhttp;
+
+import java.io.IOException;
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+
+/** A no-op ssl socket, to facilitate overriding only the required methods in specific
+ * implementations.
+ */
+class NoopSslSocket extends SSLSocket {
+  @Override
+  public String[] getSupportedCipherSuites() {
+    return new String[0];
+  }
+
+  @Override
+  public String[] getEnabledCipherSuites() {
+    return new String[0];
+  }
+
+  @Override
+  public void setEnabledCipherSuites(String[] suites) {
+
+  }
+
+  @Override
+  public String[] getSupportedProtocols() {
+    return new String[0];
+  }
+
+  @Override
+  public String[] getEnabledProtocols() {
+    return new String[0];
+  }
+
+  @Override
+  public void setEnabledProtocols(String[] protocols) {
+
+  }
+
+  @Override
+  public SSLSession getSession() {
+    return null;
+  }
+
+  @Override
+  public void addHandshakeCompletedListener(HandshakeCompletedListener listener) {
+
+  }
+
+  @Override
+  public void removeHandshakeCompletedListener(HandshakeCompletedListener listener) {
+
+  }
+
+  @Override
+  public void startHandshake() throws IOException {
+
+  }
+
+  @Override
+  public void setUseClientMode(boolean mode) {
+
+  }
+
+  @Override
+  public boolean getUseClientMode() {
+    return false;
+  }
+
+  @Override
+  public void setNeedClientAuth(boolean need) {
+
+  }
+
+  @Override
+  public boolean getNeedClientAuth() {
+    return false;
+  }
+
+  @Override
+  public void setWantClientAuth(boolean want) {
+
+  }
+
+  @Override
+  public boolean getWantClientAuth() {
+    return false;
+  }
+
+  @Override
+  public void setEnableSessionCreation(boolean flag) {
+
+  }
+
+  @Override
+  public boolean getEnableSessionCreation() {
+    return false;
+  }
+}

okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java

@@ -17,6 +17,7 @@
 package io.grpc.okhttp;
 
 import static com.google.common.base.Preconditions.checkNotNull;
+import static io.grpc.internal.CertificateUtils.createTrustManager;
 import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
 import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
 
@@ -89,6 +90,7 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
   public static final int DEFAULT_FLOW_CONTROL_WINDOW = 65535;
 
   private final ManagedChannelImplBuilder managedChannelImplBuilder;
+  private final ChannelCredentials channelCredentials;
   private TransportTracer.Factory transportTracerFactory = TransportTracer.getDefaultFactory();
 
 
@@ -206,6 +208,7 @@ private OkHttpChannelBuilder(String target) {
         new OkHttpChannelTransportFactoryBuilder(),
         new OkHttpChannelDefaultPortProvider());
     this.freezeSecurityConfiguration = false;
+    this.channelCredentials = null;
   }
 
   OkHttpChannelBuilder(
@@ -218,6 +221,7 @@ private OkHttpChannelBuilder(String target) {
     this.sslSocketFactory = factory;
     this.negotiationType = factory == null ? NegotiationType.PLAINTEXT : NegotiationType.TLS;
     this.freezeSecurityConfiguration = true;
+    this.channelCredentials = channelCreds;
   }
 
   private final class OkHttpChannelTransportFactoryBuilder
@@ -534,7 +538,8 @@ OkHttpTransportFactory buildTransportFactory() {
         keepAliveWithoutCalls,
         maxInboundMetadataSize,
         transportTracerFactory,
-        useGetForSafeMethods);
+        useGetForSafeMethods,
+        channelCredentials);
   }
 
   OkHttpChannelBuilder disableCheckAuthority() {
@@ -777,6 +782,7 @@ static final class OkHttpTransportFactory implements ClientTransportFactory {
     private final boolean keepAliveWithoutCalls;
     final int maxInboundMetadataSize;
     final boolean useGetForSafeMethods;
+    private final ChannelCredentials channelCredentials;
     private boolean closed;
 
     private OkHttpTransportFactory(
@@ -794,7 +800,8 @@ private OkHttpTransportFactory(
         boolean keepAliveWithoutCalls,
         int maxInboundMetadataSize,
         TransportTracer.Factory transportTracerFactory,
-        boolean useGetForSafeMethods) {
+        boolean useGetForSafeMethods,
+        ChannelCredentials channelCredentials) {
       this.executorPool = executorPool;
       this.executor = executorPool.getObject();
       this.scheduledExecutorServicePool = scheduledExecutorServicePool;
@@ -812,6 +819,7 @@ private OkHttpTransportFactory(
       this.keepAliveWithoutCalls = keepAliveWithoutCalls;
       this.maxInboundMetadataSize = maxInboundMetadataSize;
       this.useGetForSafeMethods = useGetForSafeMethods;
+      this.channelCredentials = channelCredentials;
 
       this.transportTracerFactory =
           Preconditions.checkNotNull(transportTracerFactory, "transportTracerFactory");
@@ -839,7 +847,8 @@ public void run() {
           options.getUserAgent(),
           options.getEagAttributes(),
           options.getHttpConnectProxiedSocketAddress(),
-          tooManyPingsRunnable);
+          tooManyPingsRunnable,
+          channelCredentials);
       if (enableKeepAlive) {
         transport.enableKeepAlive(
             true, keepAliveTimeNanosState.get(), keepAliveTimeoutNanos, keepAliveWithoutCalls);
@@ -875,7 +884,8 @@ public SwapChannelCredentialsResult swapChannelCredentials(ChannelCredentials ch
           keepAliveWithoutCalls,
           maxInboundMetadataSize,
           transportTracerFactory,
-          useGetForSafeMethods);
+          useGetForSafeMethods,
+          channelCredentials);
       return new SwapChannelCredentialsResult(factory, result.callCredentials);
     }
 

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientStream.java

@@ -409,7 +409,7 @@ private void streamReady(Metadata metadata, String path) {
               transport.isUsingPlaintext());
       // TODO(b/145386688): This access should be guarded by 'this.transport.lock'; instead found:
       // 'this.lock'
-      transport.streamReadyToStart(OkHttpClientStream.this);
+      transport.streamReadyToStart(OkHttpClientStream.this, authority);
     }
 
     Tag tag() {