advancedtls: change enum to use UPPER_SNAKE_CASE (#8446)

ZhenLian 2021-08-25 16:13:09 -07:00 committed by GitHub
parent 8a5694b7f8
commit 3cb0696b1f
2 changed files with 19 additions and 19 deletions


@ -171,13 +171,13 @@ public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager
throw new CertificateException(
"Not enough information to validate peer. SSLEngine or Socket required.");
}
if (this.verification != Verification.InsecurelySkipAllVerification) {
if (this.verification != Verification.INSECURELY_SKIP_ALL_VERIFICATION) {
X509ExtendedTrustManager currentDelegateManager = this.delegateManager;
if (currentDelegateManager == null) {
throw new CertificateException("No trust roots configured");
}
if (checkingServer) {
String algorithm = this.verification == Verification.CertificateAndHostNameVerification
String algorithm = this.verification == Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION
? "HTTPS" : "";
if (sslEngine != null) {
SSLParameters sslParams = sslEngine.getSSLParameters();
@ -288,7 +288,7 @@ public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager
// This is the DEFAULT and RECOMMENDED mode for most applications.
// Setting this on the client side will do the certificate and hostname verification, while
// setting this on the server side will only do the certificate verification.
CertificateAndHostNameVerification,
CERTIFICATE_AND_HOST_NAME_VERIFICATION,
// This SHOULD be chosen only when you know what the implication this will bring, and have a
// basic understanding about TLS.
// It SHOULD be accompanied with proper additional peer identity checks set through
@ -298,13 +298,13 @@ public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager
// checkClientTrusted/checkServerTrusted with the {@code SSLEngine} parameter while doing
// verification.
// Setting this on either side will only do the certificate verification.
CertificateOnlyVerification,
CERTIFICATE_ONLY_VERIFICATION,
// Setting is very DANGEROUS. Please try to avoid this in a real production environment, unless
// you are a super advanced user intended to re-implement the whole verification logic on your
// own. A secure verification might include:
// 1. proper verification on the peer certificate chain
// 2. proper checks on the identity of the peer certificate
InsecurelySkipAllVerification,
INSECURELY_SKIP_ALL_VERIFICATION,
}
// Additional custom peer verification check.
@ -338,7 +338,7 @@ public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager
public static final class Builder {
private Verification verification = Verification.CertificateAndHostNameVerification;
private Verification verification = Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION;
private SslSocketAndEnginePeerVerifier socketAndEnginePeerVerifier;
private Builder() {}
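Review bot: The security caveats on the `Verification` constants (the hunks at 288 and 298) are written as `//` comments, so they do not appear in generated Javadoc or IDE hover text, which is where a caller choosing a mode would look. Since these lines are being touched anyway, consider converting them to Javadoc, for example `/** Skips the delegate trust manager's certificate and hostname checks entirely; avoid in production. */` on `INSECURELY_SKIP_ALL_VERIFICATION`, which matches the `!=` guard in the first hunk. Separately, the rename is source-incompatible for existing callers, and any code that resolves a mode with `Verification.valueOf(...)` from configuration would start throwing on the old names, so a release-note entry seems warranted if this API has already shipped. The enum declaration and the enclosing check method both begin outside the visible hunks.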


@ -161,7 +161,7 @@ public class AdvancedTlsTest {
AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager();
serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.build();
serverTrustManager.updateTrustCredentials(caCert);
ServerCredentials serverCredentials = TlsServerCredentials.newBuilder()
@ -174,7 +174,7 @@ public class AdvancedTlsTest {
AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager();
clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateAndHostNameVerification)
.setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
.build();
clientTrustManager.updateTrustCredentials(caCert);
ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder()
@ -198,7 +198,7 @@ public class AdvancedTlsTest {
serverKeyManager.updateIdentityCredentials(serverKey0, serverCert0);
// Set server's custom verification based on the information of clientCert0.
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.setSslSocketAndEnginePeerVerifier(
new SslSocketAndEnginePeerVerifier() {
@Override
@ -238,7 +238,7 @@ public class AdvancedTlsTest {
clientKeyManager.updateIdentityCredentials(clientKey0, clientCert0);
// Set client's custom verification based on the information of serverCert0.
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.setSslSocketAndEnginePeerVerifier(
new SslSocketAndEnginePeerVerifier() {
@Override
@ -289,7 +289,7 @@ public class AdvancedTlsTest {
// will configure the client to skip all checks later.
serverKeyManager.updateIdentityCredentials(serverKeyBad, serverCertBad);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.setSslSocketAndEnginePeerVerifier(
new SslSocketAndEnginePeerVerifier() {
@Override
@ -315,7 +315,7 @@ public class AdvancedTlsTest {
// Note this is very dangerous in production environment - only do so if you are confident on
// what you are doing!
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.InsecurelySkipAllVerification)
.setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION)
.setSslSocketAndEnginePeerVerifier(
new SslSocketAndEnginePeerVerifier() {
@Override
@ -350,7 +350,7 @@ public class AdvancedTlsTest {
Closeable serverKeyShutdown = serverKeyManager.updateIdentityCredentialsFromFile(serverKey0File,
serverCert0File, 100, TimeUnit.MILLISECONDS, executor);
AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.build();
Closeable serverTrustShutdown = serverTrustManager.updateTrustCredentialsFromFile(caCertFile,
100, TimeUnit.MILLISECONDS, executor);
@ -365,7 +365,7 @@ public class AdvancedTlsTest {
Closeable clientKeyShutdown = clientKeyManager.updateIdentityCredentialsFromFile(clientKey0File,
clientCert0File,100, TimeUnit.MILLISECONDS, executor);
AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateAndHostNameVerification)
.setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
.build();
Closeable clientTrustShutdown = clientTrustManager.updateTrustCredentialsFromFile(caCertFile,
100, TimeUnit.MILLISECONDS, executor);
@ -407,7 +407,7 @@ public class AdvancedTlsTest {
@Test
public void trustManagerCheckTrustedWithSocketTest() throws Exception {
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.InsecurelySkipAllVerification).build();
.setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION).build();
tm.updateTrustCredentials(caCert);
tm.checkClientTrusted(serverCert0, "RSA", new Socket());
tm.useSystemDefaultTrustCerts();
@ -420,7 +420,7 @@ public class AdvancedTlsTest {
exceptionRule.expectMessage(
"Not enough information to validate peer. SSLEngine or Socket required.");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.InsecurelySkipAllVerification).build();
.setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION).build();
tm.checkClientTrusted(serverCert0, "RSA");
}
@ -430,7 +430,7 @@ public class AdvancedTlsTest {
exceptionRule.expectMessage(
"Not enough information to validate peer. SSLEngine or Socket required.");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.InsecurelySkipAllVerification).build();
.setVerification(Verification.INSECURELY_SKIP_ALL_VERIFICATION).build();
tm.checkServerTrusted(serverCert0, "RSA");
}
@ -440,7 +440,7 @@ public class AdvancedTlsTest {
exceptionRule.expectMessage(
"Want certificate verification but got null or empty certificates");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.build();
tm.updateTrustCredentials(caCert);
tm.checkClientTrusted(null, "RSA", (SSLEngine) null);
@ -451,7 +451,7 @@ public class AdvancedTlsTest {
exceptionRule.expect(CertificateException.class);
exceptionRule.expectMessage("Bad Custom Verification");
AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
.setVerification(Verification.CertificateOnlyVerification)
.setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
.setSslSocketAndEnginePeerVerifier(
new SslSocketAndEnginePeerVerifier() {
@Override