From a40e4343f5f2bec03fb3ed22029ba3b15dd57d00 Mon Sep 17 00:00:00 2001
From: Eric Anderson
Date: Mon, 9 Jan 2023 08:09:16 -0800
Subject: [PATCH] okhttp: Use normal server cert when testing trust checking

Previously, untrustedServer_fails could have been failing for the same reason as unmatchedServerSubjectAlternativeNames_fails. The implementation could have been broken and not checking the cert chain but still checking the hostname. We'd either need to override the authority to match the badserver cert or use the normal server certificates. It is best to use the normal server certificates as mtls_succeeds confirms the configuration is correct and so our test is failing for the right reason.
---
 okhttp/src/test/java/io/grpc/okhttp/TlsTest.java | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/okhttp/src/test/java/io/grpc/okhttp/TlsTest.java b/okhttp/src/test/java/io/grpc/okhttp/TlsTest.java
index cc86c81d97..9834d52adb 100644
--- a/okhttp/src/test/java/io/grpc/okhttp/TlsTest.java
+++ b/okhttp/src/test/java/io/grpc/okhttp/TlsTest.java
@@ -173,8 +173,8 @@ public class TlsTest {
 @Test
 public void untrustedServer_fails() throws Exception {
 ServerCredentials serverCreds;
- try (InputStream serverCert = TlsTesting.loadCert("badserver.pem");
- InputStream serverPrivateKey = TlsTesting.loadCert("badserver.key");
+ try (InputStream serverCert = TlsTesting.loadCert("server1.pem");
+ InputStream serverPrivateKey = TlsTesting.loadCert("server1.key");
 InputStream caCert = TlsTesting.loadCert("ca.pem")) {
 serverCreds = TlsServerCredentials.newBuilder()
 .keyManager(serverCert, serverPrivateKey)
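Review bot: The switch to `server1.pem`/`server1.key` at the top of `untrustedServer_fails` carries the test's whole premise, yet nothing in the code records it, so a later edit could swap in another certificate and change why the handshake fails without anyone noticing. I would add a comment above the `try`, for example `// Deliberately the normal server cert: the handshake must fail on chain trust, not on a hostname/SAN mismatch.` The method body continues past the end of this hunk.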
@@ -183,11 +183,9 @@ public class TlsTest {
 }
 ChannelCredentials channelCreds;
 try (InputStream clientCertChain = TlsTesting.loadCert("client.pem");
- InputStream clientPrivateKey = TlsTesting.loadCert("client.key");
- InputStream caCert = TlsTesting.loadCert("ca.pem")) {
+ InputStream clientPrivateKey = TlsTesting.loadCert("client.key")) {
 channelCreds = TlsChannelCredentials.newBuilder()
 .keyManager(clientCertChain, clientPrivateKey)
- .trustManager(caCert)
 .build();
 }
 Server server = grpcCleanupRule.register(server(serverCreds));
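Review bot: Dropping `.trustManager(caCert)` from the `TlsChannelCredentials` builder makes the client fall back to whatever default trust roots the runtime provides, so the test now silently depends on the test CA not being among them. A comment on the builder such as `// No trustManager on purpose: the default roots must not trust the test CA, so chain validation fails.` would keep someone from restoring the line as an apparent omission. The assertion lies outside this hunk, so I cannot see what it checks. If it only expects a failed call, consider also asserting that the cause is a certificate-validation error, since an unrelated connection failure would otherwise satisfy the test just as well.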