ok-http: Per-rpc call option authority verification

api/src/main/java/io/grpc/ManagedChannelRegistry.java

@@ -99,10 +99,10 @@ public int compare(ManagedChannelProvider o1, ManagedChannelProvider o2) {
   public static synchronized ManagedChannelRegistry getDefaultRegistry() {
     if (instance == null) {
       List<ManagedChannelProvider> providerList = ServiceProviders.loadAll(
-          ManagedChannelProvider.class,
-          getHardCodedClasses(),
-          ManagedChannelProvider.class.getClassLoader(),
-          new ManagedChannelPriorityAccessor());
+              ManagedChannelProvider.class,
+              getHardCodedClasses(),
+              ManagedChannelProvider.class.getClassLoader(),
+              new ManagedChannelPriorityAccessor());
       instance = new ManagedChannelRegistry();
       for (ManagedChannelProvider provider : providerList) {
         logger.fine("Service loader found " + provider);
@@ -157,7 +157,7 @@ ManagedChannelBuilder<?> newChannelBuilder(String target, ChannelCredentials cre
 
   @VisibleForTesting
   ManagedChannelBuilder<?> newChannelBuilder(NameResolverRegistry nameResolverRegistry,
-      String target, ChannelCredentials creds) {
+                                             String target, ChannelCredentials creds) {
     NameResolverProvider nameResolverProvider = null;
     try {
       URI uri = new URI(target);
@@ -167,23 +167,23 @@ ManagedChannelBuilder<?> newChannelBuilder(NameResolverRegistry nameResolverRegi
     }
     if (nameResolverProvider == null) {
       nameResolverProvider = nameResolverRegistry.getProviderForScheme(
-          nameResolverRegistry.getDefaultScheme());
+              nameResolverRegistry.getDefaultScheme());
     }
     Collection<Class<? extends SocketAddress>> nameResolverSocketAddressTypes
-        = (nameResolverProvider != null)
-        ? nameResolverProvider.getProducedSocketAddressTypes() :
-        Collections.emptySet();
+            = (nameResolverProvider != null)
+            ? nameResolverProvider.getProducedSocketAddressTypes() :
+            Collections.emptySet();
 
     List<ManagedChannelProvider> providers = providers();
     if (providers.isEmpty()) {
       throw new ProviderNotFoundException("No functional channel service provider found. "
-          + "Try adding a dependency on the grpc-okhttp, grpc-netty, or grpc-netty-shaded "
-          + "artifact");
+              + "Try adding a dependency on the grpc-okhttp, grpc-netty, or grpc-netty-shaded "
+              + "artifact");
     }
     StringBuilder error = new StringBuilder();
     for (ManagedChannelProvider provider : providers()) {
       Collection<Class<? extends SocketAddress>> channelProviderSocketAddressTypes
-          = provider.getSupportedSocketAddressTypes();
+              = provider.getSupportedSocketAddressTypes();
       if (!channelProviderSocketAddressTypes.containsAll(nameResolverSocketAddressTypes)) {
         error.append("; ");
         error.append(provider.getClass().getName());
@@ -192,7 +192,7 @@ ManagedChannelBuilder<?> newChannelBuilder(NameResolverRegistry nameResolverRegi
         continue;
       }
       ManagedChannelProvider.NewChannelBuilderResult result
-          = provider.newChannelBuilder(target, creds);
+              = provider.newChannelBuilder(target, creds);
       if (result.getChannelBuilder() != null) {
         return result.getChannelBuilder();
       }
@@ -205,7 +205,7 @@ ManagedChannelBuilder<?> newChannelBuilder(NameResolverRegistry nameResolverRegi
   }
 
   private static final class ManagedChannelPriorityAccessor
-      implements ServiceProviders.PriorityAccessor<ManagedChannelProvider> {
+          implements ServiceProviders.PriorityAccessor<ManagedChannelProvider> {
     @Override
     public boolean isAvailable(ManagedChannelProvider provider) {
       return provider.isAvailable();
@@ -225,4 +225,4 @@ public ProviderNotFoundException(String msg) {
       super(msg);
     }
   }
-}
+}

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2024 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.internal;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * Contains certificate/key PEM file utility method(s) for internal usage.
+ */
+public class CertificateUtils {
+  /**
+   * Creates X509TrustManagers using the provided CA certs.
+   */
+  public static TrustManager[] createTrustManager(byte[] rootCerts)
+      throws GeneralSecurityException {
+    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
+    try {
+      return io.grpc.internal.CertificateUtils.createTrustManager(rootCertsStream);
+    } finally {
+      GrpcUtil.closeQuietly(rootCertsStream);
+    }
+  }
+
+  /**
+   * Creates X509TrustManagers using the provided input stream of CA certs.
+   */
+  public static TrustManager[] createTrustManager(InputStream rootCerts)
+          throws GeneralSecurityException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    try {
+      ks.load(null, null);
+    } catch (IOException ex) {
+      // Shouldn't really happen, as we're not loading any data.
+      throw new GeneralSecurityException(ex);
+    }
+    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
+    for (X509Certificate cert : certs) {
+      X500Principal principal = cert.getSubjectX500Principal();
+      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
+    }
+
+    TrustManagerFactory trustManagerFactory =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(ks);
+    return trustManagerFactory.getTrustManagers();
+  }
+
+  private static X509Certificate[] getX509Certificates(InputStream inputStream)
+          throws CertificateException {
+    CertificateFactory factory = CertificateFactory.getInstance("X.509");
+    Collection<? extends Certificate> certs = factory.generateCertificates(inputStream);
+    return certs.toArray(new X509Certificate[0]);
+  }
+}

examples/example-tls/build.gradle

@@ -28,6 +28,8 @@ def grpcVersion = '1.70.0-SNAPSHOT' // CURRENT_GRPC_VERSION
 def protocVersion = '3.25.5'
 
 dependencies {
+    implementation "io.grpc:grpc-api:${grpcVersion}"
+    implementation "io.grpc:grpc-okhttp:${grpcVersion}"
     implementation "io.grpc:grpc-protobuf:${grpcVersion}"
     implementation "io.grpc:grpc-stub:${grpcVersion}"
     compileOnly "org.apache.tomcat:annotations-api:6.0.53"

okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java

@@ -17,6 +17,7 @@
 package io.grpc.okhttp;
 
 import static com.google.common.base.Preconditions.checkNotNull;
+import static io.grpc.internal.CertificateUtils.createTrustManager;
 import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
 import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
 
@@ -81,8 +82,6 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.security.auth.x500.X500Principal;
 
 /** Convenience class for building channels with the OkHttp transport. */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/1785")
@@ -91,6 +90,7 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
   public static final int DEFAULT_FLOW_CONTROL_WINDOW = 65535;
 
   private final ManagedChannelImplBuilder managedChannelImplBuilder;
+  private final ChannelCredentials channelCredentials;
   private TransportTracer.Factory transportTracerFactory = TransportTracer.getDefaultFactory();
 
 
@@ -208,6 +208,7 @@ private OkHttpChannelBuilder(String target) {
         new OkHttpChannelTransportFactoryBuilder(),
         new OkHttpChannelDefaultPortProvider());
     this.freezeSecurityConfiguration = false;
+    this.channelCredentials = null;
   }
 
   OkHttpChannelBuilder(
@@ -220,6 +221,7 @@ private OkHttpChannelBuilder(String target) {
     this.sslSocketFactory = factory;
     this.negotiationType = factory == null ? NegotiationType.PLAINTEXT : NegotiationType.TLS;
     this.freezeSecurityConfiguration = true;
+    this.channelCredentials = channelCreds;
   }
 
   private final class OkHttpChannelTransportFactoryBuilder
@@ -536,7 +538,8 @@ OkHttpTransportFactory buildTransportFactory() {
         keepAliveWithoutCalls,
         maxInboundMetadataSize,
         transportTracerFactory,
-        useGetForSafeMethods);
+        useGetForSafeMethods,
+        channelCredentials);
   }
 
   OkHttpChannelBuilder disableCheckAuthority() {
@@ -702,35 +705,6 @@ static KeyManager[] createKeyManager(InputStream certChain, InputStream privateK
     return keyManagerFactory.getKeyManagers();
   }
 
-  static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
-    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
-    try {
-      return createTrustManager(rootCertsStream);
-    } finally {
-      GrpcUtil.closeQuietly(rootCertsStream);
-    }
-  }
-
-  static TrustManager[] createTrustManager(InputStream rootCerts) throws GeneralSecurityException {
-    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-    try {
-      ks.load(null, null);
-    } catch (IOException ex) {
-      // Shouldn't really happen, as we're not loading any data.
-      throw new GeneralSecurityException(ex);
-    }
-    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
-    for (X509Certificate cert : certs) {
-      X500Principal principal = cert.getSubjectX500Principal();
-      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
-    }
-
-    TrustManagerFactory trustManagerFactory =
-        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-    trustManagerFactory.init(ks);
-    return trustManagerFactory.getTrustManagers();
-  }
-
   static Collection<Class<? extends SocketAddress>> getSupportedSocketAddressTypes() {
     return Collections.singleton(InetSocketAddress.class);
   }
@@ -799,6 +773,7 @@ static final class OkHttpTransportFactory implements ClientTransportFactory {
     private final boolean keepAliveWithoutCalls;
     final int maxInboundMetadataSize;
     final boolean useGetForSafeMethods;
+    private final ChannelCredentials channelCredentials;
     private boolean closed;
 
     private OkHttpTransportFactory(
@@ -816,7 +791,8 @@ private OkHttpTransportFactory(
         boolean keepAliveWithoutCalls,
         int maxInboundMetadataSize,
         TransportTracer.Factory transportTracerFactory,
-        boolean useGetForSafeMethods) {
+        boolean useGetForSafeMethods,
+        ChannelCredentials channelCredentials) {
       this.executorPool = executorPool;
       this.executor = executorPool.getObject();
       this.scheduledExecutorServicePool = scheduledExecutorServicePool;
@@ -834,6 +810,7 @@ private OkHttpTransportFactory(
       this.keepAliveWithoutCalls = keepAliveWithoutCalls;
       this.maxInboundMetadataSize = maxInboundMetadataSize;
       this.useGetForSafeMethods = useGetForSafeMethods;
+      this.channelCredentials = channelCredentials;
 
       this.transportTracerFactory =
           Preconditions.checkNotNull(transportTracerFactory, "transportTracerFactory");
@@ -861,7 +838,8 @@ public void run() {
           options.getUserAgent(),
           options.getEagAttributes(),
           options.getHttpConnectProxiedSocketAddress(),
-          tooManyPingsRunnable);
+          tooManyPingsRunnable,
+          channelCredentials);
       if (enableKeepAlive) {
         transport.enableKeepAlive(
             true, keepAliveTimeNanosState.get(), keepAliveTimeoutNanos, keepAliveWithoutCalls);
@@ -897,7 +875,8 @@ public SwapChannelCredentialsResult swapChannelCredentials(ChannelCredentials ch
           keepAliveWithoutCalls,
           maxInboundMetadataSize,
           transportTracerFactory,
-          useGetForSafeMethods);
+          useGetForSafeMethods,
+          channelCredentials);
       return new SwapChannelCredentialsResult(factory, result.callCredentials);
     }