xds: xDS based SNI setting and SAN validation

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -26,14 +26,29 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import javax.security.auth.x500.X500Principal;
 
 /**
  * Contains certificate/key PEM file utility method(s) for internal usage.
  */
 public final class CertificateUtils {
+  private static final Class<?> x509ExtendedTrustManagerClass;
+
+  static {
+    Class<?> x509ExtendedTrustManagerClass1;
+    try {
+      x509ExtendedTrustManagerClass1 = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+    } catch (ClassNotFoundException e) {
+      x509ExtendedTrustManagerClass1 = null;
+      // Will disallow per-rpc authority override via call option.
+    }
+    x509ExtendedTrustManagerClass = x509ExtendedTrustManagerClass1;
+  }
+
   /**
    * Creates X509TrustManagers using the provided CA certs.
    */
@@ -71,6 +86,17 @@ public static TrustManager[] createTrustManager(InputStream rootCerts)
     return trustManagerFactory.getTrustManagers();
   }
 
+  public static X509TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
+    if (x509ExtendedTrustManagerClass != null) {
+      for (TrustManager trustManager : trustManagers) {
+        if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
+          return (X509TrustManager) trustManager;
+        }
+      }
+    }
+    return null;
+  }
+
   private static X509Certificate[] getX509Certificates(InputStream inputStream)
           throws CertificateException {
     CertificateFactory factory = CertificateFactory.getInstance("X.509");

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -26,6 +26,7 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
 import java.util.concurrent.Executor;
+import javax.net.ssl.X509TrustManager;
 
 /**
  * Internal accessor for {@link ProtocolNegotiators}.
@@ -42,9 +43,11 @@ private InternalProtocolNegotiators() {}
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
           ObjectPool<? extends Executor> executorPool,
-          Optional<Runnable> handshakeCompleteRunnable) {
+          Optional<Runnable> handshakeCompleteRunnable,
+          X509TrustManager extendedX509TrustManager,
+          String sni) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, null);
+        executorPool, handshakeCompleteRunnable, extendedX509TrustManager, sni);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -62,17 +65,19 @@ public void close() {
         negotiator.close();
       }
     }
-    
+
     return new TlsNegotiator();
   }
-  
+
   /**
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
    */
-  public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext) {
-    return tls(sslContext, null, Optional.absent());
+  public static InternalProtocolNegotiator.ProtocolNegotiator tls(
+      SslContext sslContext, String sni,
+      X509TrustManager extendedX509TrustManager) {
+    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni);
   }
 
   /**

netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java

@@ -652,7 +652,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
       case PLAINTEXT_UPGRADE:
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
-        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null);
+        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null, null);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -102,15 +102,6 @@ final class ProtocolNegotiators {
   private static final EnumSet<TlsServerCredentials.Feature> understoodServerTlsFeatures =
       EnumSet.of(
           TlsServerCredentials.Feature.MTLS, TlsServerCredentials.Feature.CUSTOM_MANAGERS);
-  private static Class<?> x509ExtendedTrustManagerClass;
-
-  static {
-    try {
-      x509ExtendedTrustManagerClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
-    } catch (ClassNotFoundException e) {
-      // Will disallow per-rpc authority override via call option.
-    }
-  }
 
   private ProtocolNegotiators() {
   }
@@ -147,15 +138,8 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
           trustManagers = Arrays.asList(tmf.getTrustManagers());
         }
         builder.trustManager(new FixedTrustManagerFactory(trustManagers));
-        TrustManager x509ExtendedTrustManager = null;
-        if (x509ExtendedTrustManagerClass != null) {
-          for (TrustManager trustManager : trustManagers) {
-            if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
-              x509ExtendedTrustManager = trustManager;
-              break;
-            }
-          }
-        }
+        TrustManager x509ExtendedTrustManager =
+            CertificateUtils.getX509ExtendedTrustManager(trustManagers);
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
                 (X509TrustManager) x509ExtendedTrustManager));
       } catch (SSLException | GeneralSecurityException ex) {
@@ -579,20 +563,22 @@ static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
 
     public ClientTlsProtocolNegotiator(SslContext sslContext,
         ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-        X509TrustManager x509ExtendedTrustManager) {
+        X509TrustManager x509ExtendedTrustManager, String sni) {
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
       this.executorPool = executorPool;
       if (this.executorPool != null) {
         this.executor = this.executorPool.getObject();
       }
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+      this.sni = sni;
     }
 
     private final SslContext sslContext;
     private final ObjectPool<? extends Executor> executorPool;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
+    private final String sni;
     private Executor executor;
 
     @Override
@@ -604,9 +590,17 @@ public AsciiString scheme() {
     public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
-      ChannelHandler cth = new ClientTlsHandler(gnh, sslContext, grpcHandler.getAuthority(),
-          this.executor, negotiationLogger, handshakeCompleteRunnable, this,
-              x509ExtendedTrustManager);
+      String authority;
+      if ("".equals(sni)) {
+        authority = null;
+      } else if (sni != null) {
+        authority = sni;
+      } else {
+        authority = grpcHandler.getAuthority();
+      }
+      ChannelHandler cth = new ClientTlsHandler(gnh, sslContext,
+          authority, this.executor, negotiationLogger, handshakeCompleteRunnable, this,
+          x509ExtendedTrustManager);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
     }
 
@@ -630,28 +624,40 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private final int port;
     private Executor executor;
     private final Optional<Runnable> handshakeCompleteRunnable;
-    private final X509TrustManager x509ExtendedTrustManager;
+    private final X509TrustManager x509TrustManager;
     private SSLEngine sslEngine;
 
     ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
         Executor executor, ChannelLogger negotiationLogger,
         Optional<Runnable> handshakeCompleteRunnable,
         ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
-         X509TrustManager x509ExtendedTrustManager) {
+        X509TrustManager x509TrustManager) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
-      HostPort hostPort = parseAuthority(authority);
-      this.host = hostPort.host;
-      this.port = hostPort.port;
+      // TODO: For empty authority and fallback flag
+      // GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE present, we should parse authority
+      // but prevent it from being used for SAN validation in the TrustManager.
+      if (authority != null) {
+        HostPort hostPort = parseAuthority(authority);
+        this.host = hostPort.host;
+        this.port = hostPort.port;
+      } else {
+        this.host = null;
+        this.port = 0;
+      }
       this.executor = executor;
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
-      this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+      this.x509TrustManager = x509TrustManager;
     }
 
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      if (host != null) {
+        sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      } else {
+        sslEngine = sslContext.newEngine(ctx.alloc());
+      }
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);
@@ -709,7 +715,7 @@ private void propagateTlsComplete(ChannelHandlerContext ctx, SSLSession session)
           .set(GrpcAttributes.ATTR_SECURITY_LEVEL, SecurityLevel.PRIVACY_AND_INTEGRITY)
           .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, session)
           .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, new X509AuthorityVerifier(
-              sslEngine, x509ExtendedTrustManager))
+              sslEngine, x509TrustManager))
           .build();
       replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs).withSecurity(security));
       if (handshakeCompleteRunnable.isPresent()) {
@@ -746,13 +752,14 @@ static HostPort parseAuthority(String authority) {
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
+   *
    * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-      X509TrustManager x509ExtendedTrustManager) {
+      X509TrustManager x509ExtendedTrustManager, String sni) {
     return new ClientTlsProtocolNegotiator(sslContext, executorPool, handshakeCompleteRunnable,
-        x509ExtendedTrustManager);
+        x509ExtendedTrustManager, sni);
   }
 
   /**
@@ -762,7 +769,7 @@ public static ProtocolNegotiator tls(SslContext sslContext,
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       X509TrustManager x509ExtendedTrustManager) {
-    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager);
+    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager, null);
   }
 
   public static ProtocolNegotiator.ClientFactory tlsClientFactory(SslContext sslContext,

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -877,7 +877,7 @@ public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
         .keyManager(clientCert, clientKey)
         .build();
     ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, clientExecutorPool,
-        Optional.absent(), null);
+        Optional.absent(), null, null);
     // after starting the client, the Executor in the client pool should be used
     assertEquals(true, clientExecutorPool.isInUse());
     final NettyClientTransport transport = newTransport(negotiator);

netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java

@@ -1026,7 +1026,7 @@ public void clientTlsHandler_closeDuringNegotiation() throws Exception {
   private ClientTlsProtocolNegotiator getClientTlsProtocolNegotiator() throws SSLException {
     return new ClientTlsProtocolNegotiator(GrpcSslContexts.forClient().trustManager(
         TlsTesting.loadCert("ca.pem")).build(),
-        null, Optional.absent(), null);
+        null, Optional.absent(), null, "");
   }
 
   @Test
@@ -1277,7 +1277,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {
     }
     FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
     ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,
-        null, Optional.absent(), null);
+        null, Optional.absent(), null, null);
     WriteBufferingAndExceptionHandler clientWbaeh =
         new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
 

s2a/src/main/java/io/grpc/s2a/internal/handshaker/S2AProtocolNegotiatorFactory.java

@@ -38,7 +38,6 @@
 import io.grpc.netty.InternalProtocolNegotiator.ProtocolNegotiator;
 import io.grpc.netty.InternalProtocolNegotiators;
 import io.grpc.netty.InternalProtocolNegotiators.ProtocolNegotiationHandler;
-import io.grpc.s2a.internal.handshaker.S2AIdentity;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerAdapter;
 import io.netty.channel.ChannelHandlerContext;
@@ -259,7 +258,8 @@ public void onSuccess(SslContext sslContext) {
                             public void run() {
                               s2aStub.close();
                             }
-                          }))
+                          }),
+                          null, null)
                       .newHandler(grpcHandler);
 
               // Delegate the rest of the handshake to the TLS handler. and remove the 

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -53,6 +53,7 @@
 import io.grpc.xds.client.XdsClient;
 import io.grpc.xds.client.XdsLogger;
 import io.grpc.xds.client.XdsLogger.XdsLogLevel;
+import io.grpc.xds.internal.XdsInternalAttributes;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import io.grpc.xds.internal.security.SslContextProviderSupplier;
 import io.grpc.xds.orca.OrcaPerRequestUtil;
@@ -117,12 +118,12 @@ public Status acceptResolvedAddresses(ResolvedAddresses resolvedAddresses) {
     logger.log(XdsLogLevel.DEBUG, "Received resolution result: {0}", resolvedAddresses);
     Attributes attributes = resolvedAddresses.getAttributes();
     if (xdsClientPool == null) {
-      xdsClientPool = attributes.get(XdsAttributes.XDS_CLIENT_POOL);
+      xdsClientPool = attributes.get(io.grpc.xds.XdsAttributes.XDS_CLIENT_POOL);
       assert xdsClientPool != null;
       xdsClient = xdsClientPool.getObject();
     }
     if (callCounterProvider == null) {
-      callCounterProvider = attributes.get(XdsAttributes.CALL_COUNTER_PROVIDER);
+      callCounterProvider = attributes.get(io.grpc.xds.XdsAttributes.CALL_COUNTER_PROVIDER);
     }
 
     ClusterImplConfig config =
@@ -241,9 +242,9 @@ public Subchannel createSubchannel(CreateSubchannelArgs args) {
           .set(ATTR_CLUSTER_LOCALITY, localityAtomicReference);
       if (GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)) {
         String hostname = args.getAddresses().get(0).getAttributes()
-            .get(XdsAttributes.ATTR_ADDRESS_NAME);
+            .get(XdsInternalAttributes.ATTR_ADDRESS_NAME);
         if (hostname != null) {
-          attrsBuilder.set(XdsAttributes.ATTR_ADDRESS_NAME, hostname);
+          attrsBuilder.set(XdsInternalAttributes.ATTR_ADDRESS_NAME, hostname);
         }
       }
       args = args.toBuilder().setAddresses(addresses).setAttributes(attrsBuilder.build()).build();
@@ -292,7 +293,7 @@ private List<EquivalentAddressGroup> withAdditionalAttributes(
       List<EquivalentAddressGroup> newAddresses = new ArrayList<>();
       for (EquivalentAddressGroup eag : addresses) {
         Attributes.Builder attrBuilder = eag.getAttributes().toBuilder().set(
-            XdsAttributes.ATTR_CLUSTER_NAME, cluster);
+            io.grpc.xds.XdsAttributes.ATTR_CLUSTER_NAME, cluster);
         if (sslContextProviderSupplier != null) {
           attrBuilder.set(
               SecurityProtocolNegotiators.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER,
@@ -304,7 +305,7 @@ private List<EquivalentAddressGroup> withAdditionalAttributes(
     }
 
     private ClusterLocality createClusterLocalityFromAttributes(Attributes addressAttributes) {
-      Locality locality = addressAttributes.get(XdsAttributes.ATTR_LOCALITY);
+      Locality locality = addressAttributes.get(io.grpc.xds.XdsAttributes.ATTR_LOCALITY);
       String localityName = addressAttributes.get(EquivalentAddressGroup.ATTR_LOCALITY_NAME);
 
       // Endpoint addresses resolved by ClusterResolverLoadBalancer should always contain
@@ -438,7 +439,7 @@ public PickResult pickSubchannel(PickSubchannelArgs args) {
             result = PickResult.withSubchannel(result.getSubchannel(),
                 result.getStreamTracerFactory(),
                 result.getSubchannel().getAttributes().get(
-                    XdsAttributes.ATTR_ADDRESS_NAME));
+                    XdsInternalAttributes.ATTR_ADDRESS_NAME));
           }
         }
         return result;