diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0854d298e..5c5d5ea8d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -25,8 +25,8 @@ How to get your contributions merged smoothly and quickly. is a great place to start. These issues are well-documented and usually can be resolved with a single pull request. -- If you are adding a new file, make sure it has the copyright message template - at the top as a comment. You can copy over the message from an existing file +- If you are adding a new file, make sure it has the copyright message template + at the top as a comment. You can copy over the message from an existing file and update the year. - The grpc package should only depend on standard Go packages and a small number @@ -41,10 +41,10 @@ How to get your contributions merged smoothly and quickly. - Provide a good **PR description** as a record of **what** change is being made and **why** it was made. Link to a github issue if it exists. -- If you want to fix formatting or style, consider whether your changes are an - obvious improvement or might be considered a personal preference. If a style - change is based on preference, it likely will not be accepted. If it corrects - widely agreed-upon anti-patterns, then please do create a PR and explain the +- If you want to fix formatting or style, consider whether your changes are an + obvious improvement or might be considered a personal preference. If a style + change is based on preference, it likely will not be accepted. If it corrects + widely agreed-upon anti-patterns, then please do create a PR and explain the benefits of the change. - Unless your PR is trivial, you should expect there will be reviewer comments diff --git a/Documentation/server-reflection-tutorial.md b/Documentation/server-reflection-tutorial.md index 6c7dc6cd6..6bffaf0cd 100644 --- a/Documentation/server-reflection-tutorial.md +++ b/Documentation/server-reflection-tutorial.md 
@@ -103,7 +103,7 @@ The `list` command lists services exposed at a given port: - Describe all services The `describe` command inspects a service given its full name (in the format - of \.\). + of \.\). ```sh $ grpcurl -plaintext localhost:50051 describe helloworld.Greeter diff --git a/authz/grpc_authz_end2end_test.go b/authz/grpc_authz_end2end_test.go index 7b8ede27b..4e798f7ca 100644 --- a/authz/grpc_authz_end2end_test.go +++ b/authz/grpc_authz_end2end_test.go @@ -78,7 +78,7 @@ var authzTests = map[string]struct { "DeniesRPCMatchInDenyNoMatchInAllow": { authzPolicy: `{ "name": "authz", - "allow_rules": + "allow_rules": [ { "name": "allow_StreamingOutputCall", @@ -166,11 +166,11 @@ var authzTests = map[string]struct { "/grpc.testing.TestService/UnaryCall", "/grpc.testing.TestService/StreamingInputCall" ], - "headers": + "headers": [ { "key": "key-abc", - "values": + "values": [ "val-abc", "val-def" @@ -250,7 +250,7 @@ var authzTests = map[string]struct { [ { "name": "allow_StreamingOutputCall", - "request": + "request": { "paths": [ diff --git a/authz/grpc_authz_server_interceptors_test.go b/authz/grpc_authz_server_interceptors_test.go index ae74c896d..530c7db0a 100644 --- a/authz/grpc_authz_server_interceptors_test.go +++ b/authz/grpc_authz_server_interceptors_test.go @@ -57,9 +57,9 @@ func (s) TestNewStatic(t *testing.T) { wantErr: fmt.Errorf(`"name" is not present`), }, "ValidPolicyCreatesInterceptor": { - authzPolicy: `{ + authzPolicy: `{ "name": "authz", - "allow_rules": + "allow_rules": [ { "name": "allow_all" diff --git a/cmd/protoc-gen-go-grpc/protoc-gen-go-grpc_test.sh b/cmd/protoc-gen-go-grpc/protoc-gen-go-grpc_test.sh index 32e8e26ec..c70fd0fa6 100755 --- a/cmd/protoc-gen-go-grpc/protoc-gen-go-grpc_test.sh +++ b/cmd/protoc-gen-go-grpc/protoc-gen-go-grpc_test.sh @@ -15,7 +15,7 @@ # limitations under the License. # Uncomment to enable debugging. -# set -x +# set -x WORKDIR="$(dirname $0)" TEMPDIR=$(mktemp -d) 
@@ -24,7 +24,7 @@ trap "rm -rf ${TEMPDIR}" EXIT # Build protoc-gen-go-grpc binary and add to $PATH. pushd "${WORKDIR}" -go build -o "${TEMPDIR}" . +go build -o "${TEMPDIR}" . PATH="${TEMPDIR}:${PATH}" popd @@ -38,7 +38,7 @@ GENFILE="${TEMPDIR}/examples/route_guide/routeguide/route_guide_grpc.pb.go" # diff is piped to [[ $? == 1 ]] to avoid exiting on diff but exit on error # (like if the file was not found). See man diff for more info. -DIFF=$(diff "${GOLDENFILE}" "${GENFILE}" || [[ $? == 1 ]]) +DIFF=$(diff "${GOLDENFILE}" "${GENFILE}" || [[ $? == 1 ]]) if [[ -n "${DIFF}" ]]; then echo -e "ERROR: Generated file differs from golden file:\n${DIFF}" echo -e "If you have made recent changes to protoc-gen-go-grpc," \ diff --git a/examples/features/advancedtls/README.md b/examples/features/advancedtls/README.md index 8f421a5bc..441fcafb9 100644 --- a/examples/features/advancedtls/README.md +++ b/examples/features/advancedtls/README.md @@ -16,7 +16,7 @@ The clients are designed to call these servers with varying configurations of cr ``` # Run the server $ go run server/main.go -credentials_directory $(pwd)/creds -# Run the clients from the `grpc-go/examples/features/advancedtls` directory +# Run the clients from the `grpc-go/examples/features/advancedtls` directory $ go run client/main.go -credentials_directory $(pwd)/creds ``` diff --git a/examples/features/advancedtls/creds/client_cert.pem b/examples/features/advancedtls/creds/client_cert.pem index 2555c37ee..77a9d13e4 100644 --- a/examples/features/advancedtls/creds/client_cert.pem +++ b/examples/features/advancedtls/creds/client_cert.pem 
@@ -49,15 +49,15 @@ Certificate: 6e:bb:bb Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0 Signature Algorithm: sha256WithRSAEncryption Signature Value: diff --git a/examples/features/advancedtls/creds/client_cert_revoked.pem b/examples/features/advancedtls/creds/client_cert_revoked.pem index c03fb198b..3812b9538 100644 --- a/examples/features/advancedtls/creds/client_cert_revoked.pem +++ b/examples/features/advancedtls/creds/client_cert_revoked.pem @@ -49,15 +49,15 @@ Certificate: 6e:bb:bb Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0 Signature Algorithm: sha256WithRSAEncryption Signature Value: diff --git a/examples/features/advancedtls/creds/server_cert.pem b/examples/features/advancedtls/creds/server_cert.pem index 9d1747bb6..2be81a6b2 100644 --- a/examples/features/advancedtls/creds/server_cert.pem +++ b/examples/features/advancedtls/creds/server_cert.pem 
@@ -49,15 +49,15 @@ Certificate: 03:71:c1 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0 Signature Algorithm: sha256WithRSAEncryption Signature Value: diff --git a/examples/features/advancedtls/creds/server_cert_revoked.pem b/examples/features/advancedtls/creds/server_cert_revoked.pem index 70ab8d55c..fe0a64d08 100644 --- a/examples/features/advancedtls/creds/server_cert_revoked.pem +++ b/examples/features/advancedtls/creds/server_cert_revoked.pem @@ -49,15 +49,15 @@ Certificate: 03:71:c1 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:localhost, IP Address:0.0.0.0 Signature Algorithm: sha256WithRSAEncryption Signature Value: diff --git a/examples/features/debugging/README.md b/examples/features/debugging/README.md index 543280e95..77c0f9812 100644 --- a/examples/features/debugging/README.md +++ b/examples/features/debugging/README.md 
@@ -3,12 +3,12 @@ Currently, grpc provides two major tools to help user debug issues, which are logging and channelz. ## Logs -gRPC has put substantial logging instruments on critical paths of gRPC to help users debug issues. +gRPC has put substantial logging instruments on critical paths of gRPC to help users debug issues. The [Log Levels](https://github.com/grpc/grpc-go/blob/master/Documentation/log_levels.md) doc describes what each log level means in the gRPC context. -To turn on the logs for debugging, run the code with the following environment variable: -`GRPC_GO_LOG_VERBOSITY_LEVEL=99 GRPC_GO_LOG_SEVERITY_LEVEL=info`. +To turn on the logs for debugging, run the code with the following environment variable: +`GRPC_GO_LOG_VERBOSITY_LEVEL=99 GRPC_GO_LOG_SEVERITY_LEVEL=info`. ## Channelz We also provide a runtime debugging tool, Channelz, to help users with live debugging. @@ -17,7 +17,7 @@ See the channelz blog post here ([link](https://grpc.io/blog/a-short-introductio details about how to use channelz service to debug live program. ## Try it -The example is able to showcase how logging and channelz can help with debugging. See the channelz +The example is able to showcase how logging and channelz can help with debugging. See the channelz blog post linked above for full explanation. ``` diff --git a/examples/features/encryption/README.md b/examples/features/encryption/README.md index 70dbd8e40..5bfcc0e3e 100644 --- a/examples/features/encryption/README.md +++ b/examples/features/encryption/README.md 
@@ -29,9 +29,9 @@ create grpc base on TLS. Refer to the [godoc](https://godoc.org/google.golang.org/grpc/credentials) for details. -In our example, we use the public/private keys created ahead: -* "server_cert.pem" contains the server certificate (public key). -* "server_key.pem" contains the server private key. +In our example, we use the public/private keys created ahead: +* "server_cert.pem" contains the server certificate (public key). +* "server_key.pem" contains the server private key. * "ca_cert.pem" contains the certificate (certificate authority) that can verify the server's certificate. @@ -56,7 +56,7 @@ And finally we make an RPC call over the created `grpc.ClientConn` to test the s connection based upon TLS is successfully up. ### ALTS -NOTE: ALTS currently needs special early access permission on GCP. You can ask +NOTE: ALTS currently needs special early access permission on GCP. You can ask about the detailed process in https://groups.google.com/forum/#!forum/grpc-io. ALTS is the Google's Application Layer Transport Security, which supports mutual @@ -93,12 +93,12 @@ allows users to configure mutual TLS at the connection level. In this example, we use the following public/private keys created ahead of time: -* "server_cert.pem" contains the server's certificate (public key). -* "server_key.pem" contains the server's private key. +* "server_cert.pem" contains the server's certificate (public key). +* "server_key.pem" contains the server's private key. * "ca_cert.pem" contains the certificate of the certificate authority that can verify the server's certificate. -* "client_cert.pem" contains the client's certificate (public key). -* "client_key.pem" contains the client's private key. +* "client_cert.pem" contains the client's certificate (public key). +* "client_key.pem" contains the client's private key. * "client_ca_cert.pem" contains the certificate of the certificate authority that can verify the client's certificate. 
diff --git a/examples/features/health/README.md b/examples/features/health/README.md index a92102a4e..69ee38135 100644 --- a/examples/features/health/README.md +++ b/examples/features/health/README.md @@ -3,7 +3,7 @@ gRPC provides a health library to communicate a system's health to their clients. It works by providing a service definition via the [health/v1](https://github.com/grpc/grpc-proto/blob/master/grpc/health/v1/health.proto) api. -By using the health library, clients can gracefully avoid using servers as they encounter issues. +By using the health library, clients can gracefully avoid using servers as they encounter issues. Most languages provide an implementation out of box, making it interoperable between systems. ## Try it @@ -30,7 +30,7 @@ This configuration indicates which backend `serviceName` should be inspected whe An empty string (`""`) typically indicates the overall health of a server should be reported. ```go -// import grpc/health to enable transparent client side checking +// import grpc/health to enable transparent client side checking import _ "google.golang.org/grpc/health" // set up appropriate service config @@ -59,6 +59,6 @@ This state is often seen at the start up of a server instance. Conversely, `NOT_SERVING` indicates the system is unable to service requests at the time. `SERVICE_UNKNOWN` communicates the `serviceName` requested by the client is not known by the server. -This status is only reported by the `Watch()` call. +This status is only reported by the `Watch()` call. A server may toggle its health using `healthServer.SetServingStatus("serviceName", servingStatus)`. diff --git a/examples/features/metadata_interceptor/README.md b/examples/features/metadata_interceptor/README.md index 93a6925d7..e4e132cb4 100644 --- a/examples/features/metadata_interceptor/README.md +++ b/examples/features/metadata_interceptor/README.md 
@@ -57,7 +57,7 @@ func (s *wrappedStream) Context() context.Context { } func SomeStreamInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error { - // Get the incoming metadata from the RPC context, and add a new + // Get the incoming metadata from the RPC context, and add a new // key-value pair to it. md, ok := metadata.FromIncomingContext(ctx) md.Append("key1", "value1") diff --git a/examples/features/stats_monitoring/README.md b/examples/features/stats_monitoring/README.md index 21eb35f6b..06b1a8243 100644 --- a/examples/features/stats_monitoring/README.md +++ b/examples/features/stats_monitoring/README.md @@ -1,8 +1,8 @@ # Stats Monitoring Handler -This example demonstrates the use of the [`stats`](https://pkg.go.dev/google.golang.org/grpc/stats) package for reporting various -network and RPC stats. -_Note that all fields are READ-ONLY and the APIs of the `stats` package are +This example demonstrates the use of the [`stats`](https://pkg.go.dev/google.golang.org/grpc/stats) package for reporting various +network and RPC stats. +_Note that all fields are READ-ONLY and the APIs of the `stats` package are experimental_. ## Try it 
@@ -17,42 +17,42 @@ go run client/main.go ## Explanation -gRPC provides a mechanism to hook on to various events (phases) of the -request-response network cycle through the [`stats.Handler`](https://pkg.go.dev/google.golang.org/grpc/stats#Handler) interface. To access -these events, a concrete type that implements `stats.Handler` should be passed to -`grpc.WithStatsHandler()` on the client side and `grpc.StatsHandler()` on the +gRPC provides a mechanism to hook on to various events (phases) of the +request-response network cycle through the [`stats.Handler`](https://pkg.go.dev/google.golang.org/grpc/stats#Handler) interface. To access +these events, a concrete type that implements `stats.Handler` should be passed to +`grpc.WithStatsHandler()` on the client side and `grpc.StatsHandler()` on the server side. -The `HandleRPC(context.Context, RPCStats)` method on `stats.Handler` is called -multiple times during a request-response cycle, and various event stats are -passed to its `RPCStats` parameter (an interface). The concrete types that -implement this interface are: `*stats.Begin`, `*stats.InHeader`, `*stats.InPayload`, -`*stats.InTrailer`, `*stats.OutHeader`, `*stats.OutPayload`, `*stats.OutTrailer`, and +The `HandleRPC(context.Context, RPCStats)` method on `stats.Handler` is called +multiple times during a request-response cycle, and various event stats are +passed to its `RPCStats` parameter (an interface). The concrete types that +implement this interface are: `*stats.Begin`, `*stats.InHeader`, `*stats.InPayload`, +`*stats.InTrailer`, `*stats.OutHeader`, `*stats.OutPayload`, `*stats.OutTrailer`, and `*stats.End`. The order of these events differs on client and server. 
-Similarly, the `HandleConn(context.Context, ConnStats)` method on `stats.Handler` -is called twice, once at the beginning of the connection with `*stats.ConnBegin` +Similarly, the `HandleConn(context.Context, ConnStats)` method on `stats.Handler` +is called twice, once at the beginning of the connection with `*stats.ConnBegin` and once at the end with `*stats.ConnEnd`. -The [`stats.Handler`](https://pkg.go.dev/google.golang.org/grpc/stats#Handler) interface also provides -`TagRPC(context.Context, *RPCTagInfo) context.Context` and -`TagConn(context.Context, *ConnTagInfo) context.Context` methods. These methods +The [`stats.Handler`](https://pkg.go.dev/google.golang.org/grpc/stats#Handler) interface also provides +`TagRPC(context.Context, *RPCTagInfo) context.Context` and +`TagConn(context.Context, *ConnTagInfo) context.Context` methods. These methods are mainly used to attach network related information to the given context. -The `TagRPC(context.Context, *RPCTagInfo) context.Context` method returns a -context from which the context used for the rest lifetime of the RPC will be +The `TagRPC(context.Context, *RPCTagInfo) context.Context` method returns a +context from which the context used for the rest lifetime of the RPC will be derived. This behavior is consistent between the gRPC client and server. -The context returned from +The context returned from `TagConn(context.Context, *ConnTagInfo) context.Context` has varied lifespan: -- In the gRPC client: - The context used for the rest lifetime of the RPC will NOT be derived from - this context. Hence the information attached to this context can only be +- In the gRPC client: + The context used for the rest lifetime of the RPC will NOT be derived from + this context. Hence the information attached to this context can only be consumed by `HandleConn(context.Context, ConnStats)` method. 
-- In the gRPC server: - The context used for the rest lifetime of the RPC will be derived from +- In the gRPC server: + The context used for the rest lifetime of the RPC will be derived from this context. -NOTE: The [stats](https://pkg.go.dev/google.golang.org/grpc/stats) package should only be used for network monitoring purposes, +NOTE: The [stats](https://pkg.go.dev/google.golang.org/grpc/stats) package should only be used for network monitoring purposes, and not as an alternative to [interceptors](https://github.com/grpc/grpc-go/blob/master/examples/features/interceptor). diff --git a/scripts/vet.sh b/scripts/vet.sh index eefb31cfb..7f1ed98cb 100755 --- a/scripts/vet.sh +++ b/scripts/vet.sh @@ -67,6 +67,9 @@ not git grep "\"github.com/golang/protobuf/*" -- "*.go" ':(exclude)reflection/te # - Ensure all usages of grpc_testing package are renamed when importing. not git grep "\(import \|^\s*\)\"google.golang.org/grpc/interop/grpc_testing" -- "*.go" +# - Ensure that no trailing spaces are found. +not git grep '[[:blank:]]$' + # - Ensure all xds proto imports are renamed to *pb or *grpc. git grep '"github.com/envoyproxy/go-control-plane/envoy' -- '*.go' ':(exclude)*.pb.go' | not grep -v 'pb "\|grpc "' diff --git a/security/advancedtls/examples/credential_reloading_from_files/README.md b/security/advancedtls/examples/credential_reloading_from_files/README.md index be9e06e76..70c6242b5 100644 --- a/security/advancedtls/examples/credential_reloading_from_files/README.md +++ b/security/advancedtls/examples/credential_reloading_from_files/README.md 
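Review bot: The added `not git grep '[[:blank:]]$'` has no pathspec, so unlike the neighbouring checks it scans every tracked path, including generated `*.pb.go`, the `testdata` certificate files and any binary file, where `git grep` reports "Binary file matches" and would fail the vet on a file nobody hand-edits. I would scope it the way the xds check just below does and skip binaries: `not git grep -I '[[:blank:]]$' -- ':(exclude)*.pb.go'`. Two trailing spaces are also a Markdown hard line break, so this rule forbids that syntax in every README repo-wide; the comment should say so, e.g. `# - Ensure that no trailing spaces are found (this also rejects Markdown two-space line breaks).` The `not` helper the line relies on is defined outside the hunk.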
@@ -1,15 +1,17 @@ # Credential Reloading From Files -Credential reloading is a feature supported in the advancedtls library. +Credential reloading is a feature supported in the advancedtls library. A very common way to achieve this is to reload from files. -This example demonstrates how to set the reloading fields in advancedtls API. +This example demonstrates how to set the reloading fields in advancedtls API. Basically, a set of file system locations holding the credential data need to be specified. Once the credential data needs to be updated, users just change the credential data in the file system, and gRPC will pick up the changes automatically. A couple of things to note: 1. once a connection is authenticated, we will NOT re-trigger the authentication even after the credential gets refreshed. - 2. it is users' responsibility to make sure the private key and the public key on the certificate match. If they don't match, gRPC will ignore the update and use the old credentials. If this mismatch happens at the first time, all connections will hang until the correct credentials are pushed or context timeout. + 2. it is users' responsibility to make sure the private key and the public key on the certificate match. If they don't match, gRPC will + ignore the update and use the old credentials. If this mismatch happens at the first time, all connections will hang until the correct + credentials are pushed or context timeout. ## Try it In directory `security/advancedtls/examples`: diff --git a/security/advancedtls/testdata/README.md b/security/advancedtls/testdata/README.md index 12a6c6b1c..17367497a 100644 --- a/security/advancedtls/testdata/README.md +++ b/security/advancedtls/testdata/README.md 
@@ -6,7 +6,7 @@ How to Generate Test Certificates Using OpenSSL ------------- Supposing we are going to create a `subject_cert.pem` that is trusted by `ca_cert.pem`, here are the -commands we run: +commands we run: 1. Generate the private key, `ca_key.pem`, and the cert `ca_cert.pem`, for the CA: @@ -14,12 +14,12 @@ commands we run: $ openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days $DURATION_DAYS ``` -2. Generate a private key `subject_key.pem` for the subject: - +2. Generate a private key `subject_key.pem` for the subject: + ``` $ openssl genrsa -out subject_key.pem 4096 ``` - + 3. Generate a CSR `csr.pem` using `subject_key.pem`: ``` @@ -32,7 +32,7 @@ commands we run: ``` 4. Use `ca_key.pem` and `ca_cert.pem` to sign `csr.pem`, and get a certificate, `subject_cert.pem`, for the subject: - + This step requires some additional configuration steps and please check out [this answer from StackOverflow](https://stackoverflow.com/a/21340898) for more. ``` @@ -40,7 +40,7 @@ commands we run: ``` Please see an example configuration template at `openssl-ca.cnf`. 5. Verify the `subject_cert.pem` is trusted by `ca_cert.pem`: - + ``` $ openssl verify -verbose -CAfile ca_cert.pem subject_cert.pem diff --git a/security/advancedtls/testdata/another_client_cert_1.pem b/security/advancedtls/testdata/another_client_cert_1.pem index 603f9d772..32f5a3c91 100644 --- a/security/advancedtls/testdata/another_client_cert_1.pem +++ b/security/advancedtls/testdata/another_client_cert_1.pem 
@@ -49,14 +49,14 @@ Certificate: 55:60:25 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: D5:43:51:8B:A8:4C:84:D0:C8:DE:29:14:1B:15:7A:62:01:ED:FF:EC - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:B4:19:08:1C:FC:10:23:C5:30:86:22:BC:CB:B1:5F:AD:EA:7A:5D:F1 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 61:a0:89:19:3e:e8:3d:35:bf:6e:5d:0c:d0:ec:36:85:d4:27: diff --git a/security/advancedtls/testdata/client_cert_1.pem b/security/advancedtls/testdata/client_cert_1.pem index ccba154c9..8a3534d2c 100644 --- a/security/advancedtls/testdata/client_cert_1.pem +++ b/security/advancedtls/testdata/client_cert_1.pem @@ -49,14 +49,14 @@ Certificate: 10:5f:bd Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 7F:9D:9C:C6:86:DF:9E:07:93:94:EF:18:2D:0A:0A:50:AA:1F:A2:B7 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:B4:19:08:1C:FC:10:23:C5:30:86:22:BC:CB:B1:5F:AD:EA:7A:5D:F1 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 31:b0:6d:25:5e:8e:9b:73:01:ac:08:b9:a6:70:8e:de:18:fd: diff --git a/security/advancedtls/testdata/client_cert_2.pem b/security/advancedtls/testdata/client_cert_2.pem index 3f5d64607..f39cff445 100644 --- a/security/advancedtls/testdata/client_cert_2.pem +++ b/security/advancedtls/testdata/client_cert_2.pem 
@@ -49,14 +49,14 @@ Certificate: f4:2a:0b Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: E0:27:7D:90:FC:81:7F:F3:EE:97:CE:65:A2:AD:D2:1E:CC:D5:2B:0F - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:63:88:EA:4D:D0:3E:EF:5E:F8:43:91:75:40:E4:16:AB:15:B3:32:B9 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 8c:81:8f:65:38:2c:db:69:34:26:47:62:b7:5d:4e:67:41:c2: diff --git a/security/advancedtls/testdata/crl/README.md b/security/advancedtls/testdata/crl/README.md index 5d3d50c48..2e76c8aa2 100644 --- a/security/advancedtls/testdata/crl/README.md +++ b/security/advancedtls/testdata/crl/README.md @@ -49,7 +49,7 @@ Certificate chain where the leaf is revoked ## Test Data for testing CRL providers functionality -To generate test data please run provider_create.sh script. All the files have +To generate test data please run provider_create.sh script. All the files have `provider_` prefix. We need to generate the following artifacts for testing CRL provider: 
@@ -59,34 +59,34 @@ We need to generate the following artifacts for testing CRL provider: * client cert signed by server CA * empty crl file * crl file containing information about revoked server cert -* crl file by 'malicious' CA which contains the same issuer with original CA +* crl file by 'malicious' CA which contains the same issuer with original CA -All the commands are provided in provider_create.sh script. Please find the +All the commands are provided in provider_create.sh script. Please find the description below. 1. The first two commands generate self signed CAs for client and server: - - provider_server_trust_key.pem - - provider_server_trust_cert.pem - - provider_client_trust_key.pem - - provider_client_trust_cert.pem + - provider_server_trust_key.pem + - provider_server_trust_cert.pem + - provider_client_trust_key.pem + - provider_client_trust_cert.pem 2. Generate client and server certs signed by the CAs above: - - provider_server_cert.pem + - provider_server_cert.pem - provider_client_cert.pem 3. The next 2 commands create 2 files needed for CRL issuing: - provider_crlnumber.txt - provider_index.txt -4. The next 3 commands generate an empty CRL file and a CRL file containing +4. The next 3 commands generate an empty CRL file and a CRL file containing revoked server cert: - - provider_crl_empty.pem - - provider_crl_server_revoked.pem + - provider_crl_empty.pem + - provider_crl_server_revoked.pem -5. The final section contains commands to generate CRL file by 'malicious' CA. -Note that we use Subject Key Identifier from previously created +5. The final section contains commands to generate CRL file by 'malicious' CA. +Note that we use Subject Key Identifier from previously created provider_client_trust_cert.pem to generate malicious certs / CRL. - provider_malicious_client_trust_key.pem - - provider_malicious_client_trust_cert.pem + - provider_malicious_client_trust_cert.pem - provider_malicious_crl_empty.pem 
diff --git a/security/advancedtls/testdata/server_cert_1.pem b/security/advancedtls/testdata/server_cert_1.pem index 73787f18f..e3902a956 100644 --- a/security/advancedtls/testdata/server_cert_1.pem +++ b/security/advancedtls/testdata/server_cert_1.pem @@ -49,14 +49,14 @@ Certificate: 17:b4:4b Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: C0:82:DA:FA:69:46:30:AE:FF:6F:CD:BB:93:49:94:A6:D0:E2:17:EB - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:5A:A5:DA:B1:99:D4:E5:0E:E6:1E:94:EA:FF:FC:62:E2:ED:09:F1:06 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 36:fd:cf:ec:f5:20:4b:52:dc:2e:38:f3:92:b1:e4:b6:a1:06: diff --git a/security/advancedtls/testdata/server_cert_1.txt b/security/advancedtls/testdata/server_cert_1.txt index 5367569d0..f6c1ec91e 100644 --- a/security/advancedtls/testdata/server_cert_1.txt +++ b/security/advancedtls/testdata/server_cert_1.txt @@ -49,14 +49,14 @@ Certificate: 17:b4:4b Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: C0:82:DA:FA:69:46:30:AE:FF:6F:CD:BB:93:49:94:A6:D0:E2:17:EB - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:5A:A5:DA:B1:99:D4:E5:0E:E6:1E:94:EA:FF:FC:62:E2:ED:09:F1:06 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 36:fd:cf:ec:f5:20:4b:52:dc:2e:38:f3:92:b1:e4:b6:a1:06: diff --git a/security/advancedtls/testdata/server_cert_2.pem b/security/advancedtls/testdata/server_cert_2.pem index bb0132edb..3312b03f7 100644 --- a/security/advancedtls/testdata/server_cert_2.pem +++ b/security/advancedtls/testdata/server_cert_2.pem 
@@ -49,14 +49,14 @@ Certificate: 52:25:f3 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 74:BD:18:0B:32:AF:D0:51:8E:4C:4C:8D:B2:F6:4E:B8:6D:AB:BD:BA - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:01:74:A9:44:61:3D:7A:BB:C2:32:CD:D0:ED:20:DA:3A:C4:C6:02:E8 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption b5:63:0c:d8:ed:af:74:2d:4c:94:36:41:05:2a:f2:ef:45:e5: diff --git a/security/advancedtls/testdata/server_cert_2.txt b/security/advancedtls/testdata/server_cert_2.txt index 8962204ff..dc69bedda 100644 --- a/security/advancedtls/testdata/server_cert_2.txt +++ b/security/advancedtls/testdata/server_cert_2.txt @@ -49,14 +49,14 @@ Certificate: 52:25:f3 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 74:BD:18:0B:32:AF:D0:51:8E:4C:4C:8D:B2:F6:4E:B8:6D:AB:BD:BA - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:01:74:A9:44:61:3D:7A:BB:C2:32:CD:D0:ED:20:DA:3A:C4:C6:02:E8 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment Signature Algorithm: sha256WithRSAEncryption b5:63:0c:d8:ed:af:74:2d:4c:94:36:41:05:2a:f2:ef:45:e5: @@ -88,4 +88,3 @@ Certificate: 1d:b5:cc:6f:14:21:c4:89:07:9b:81:1d:9a:79:ff:bf:fd:ce: e4:77:11:0f:47:21:dc:d9:79:f3:40:26:56:5c:b4:86:32:8e: 28:b9:14:e7:b3:fe:86:47 - \ No newline at end of file diff --git a/security/advancedtls/testdata/server_cert_3.txt b/security/advancedtls/testdata/server_cert_3.txt index e62c99cbf..2b24d79c1 100644 --- a/security/advancedtls/testdata/server_cert_3.txt +++ b/security/advancedtls/testdata/server_cert_3.txt 
@@ -33,14 +33,14 @@ Certificate: ac:cd Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:6E:1B:8B:C9:34:74:E7:7B:8D:2A:4F:41:0E:98:50:30:14:01:16:B1 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:google.com, DNS:apple.com, DNS:amazon.com Signature Algorithm: sha256WithRSAEncryption 9f:96:96:1c:41:cd:4c:39:9c:80:2d:b9:a0:4b:42:8f:e2:24: diff --git a/security/advancedtls/testdata/server_cert_localhost_1.pem b/security/advancedtls/testdata/server_cert_localhost_1.pem index b6364f23a..5ec212542 100644 --- a/security/advancedtls/testdata/server_cert_localhost_1.pem +++ b/security/advancedtls/testdata/server_cert_localhost_1.pem @@ -49,16 +49,16 @@ Certificate: 41:ba:07 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: F3:DC:6A:5B:B7:CE:E9:E1:4D:3E:C4:AE:B7:8E:39:E3:6D:CA:AF:C7 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:5A:A5:DA:B1:99:D4:E5:0E:E6:1E:94:EA:FF:FC:62:E2:ED:09:F1:06 - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:localhost Signature Algorithm: sha256WithRSAEncryption 54:13:3d:55:d3:4b:d8:85:f0:54:a8:33:5c:a1:9f:87:79:31: diff --git a/xds/internal/test/e2e/run.sh b/xds/internal/test/e2e/run.sh index ae3158b68..d4f38336c 100755 --- a/xds/internal/test/e2e/run.sh +++ b/xds/internal/test/e2e/run.sh @@ -3,4 +3,4 @@ mkdir binaries go build -o ./binaries/client ../../../../interop/xds/client/ go build -o ./binaries/server ../../../../interop/xds/server/ -go test . +go test .