From c1ef8061d1fc8d5e1bf23cfe4fa449390ff29b27 Mon Sep 17 00:00:00 2001
From: Louis Ryan
Date: Fri, 15 Jul 2016 12:02:53 -0700
Subject: [PATCH] Fix selection of security Provider to conscruct SSLContext Cleanup redundant API un TestUtils Fix TlsTest to be ignored on JKD7 correctly
---
 .../main/java/io/grpc/benchmarks/Utils.java | 5 +++-
 .../integration/TestServiceClient.java | 4 ++-
 .../testing/integration/Http2OkHttpTest.java | 5 ++--
 .../io/grpc/testing/integration/TlsTest.java | 11 +++++++-
 .../io/grpc/okhttp/OkHttpChannelBuilder.java | 3 +--
 .../main/java/io/grpc/testing/TestUtils.java | 25 ++-----------------
 6 files changed, 22 insertions(+), 31 deletions(-)
diff --git a/benchmarks/src/main/java/io/grpc/benchmarks/Utils.java b/benchmarks/src/main/java/io/grpc/benchmarks/Utils.java
index 85a54e9eba..e500128a04 100644
--- a/benchmarks/src/main/java/io/grpc/benchmarks/Utils.java
+++ b/benchmarks/src/main/java/io/grpc/benchmarks/Utils.java
@@ -45,6 +45,7 @@ import io.grpc.netty.GrpcSslContexts;
 import io.grpc.netty.NegotiationType;
 import io.grpc.netty.NettyChannelBuilder;
 import io.grpc.okhttp.OkHttpChannelBuilder;
+import io.grpc.okhttp.internal.Platform;
 import io.grpc.testing.TestUtils;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.epoll.EpollDomainSocketChannel;
@@ -148,7 +149,9 @@ public final class Utils {
 builder.overrideAuthority(
 GrpcUtil.authorityFromHostAndPort(authorityOverride, addr.getPort()));
 try {
- factory = TestUtils.newSslSocketFactoryForCa(TestUtils.loadCert("ca.pem"));
+ factory = TestUtils.newSslSocketFactoryForCa(
+ Platform.get().getProvider(),
+ TestUtils.loadCert("ca.pem"));
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
diff --git a/interop-testing/src/main/java/io/grpc/testing/integration/TestServiceClient.java b/interop-testing/src/main/java/io/grpc/testing/integration/TestServiceClient.java
index 4efdfe1d04..4cfb052962 100644
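Review bot: In `Utils.java` the new call `TestUtils.newSslSocketFactoryForCa(Platform.get().getProvider(), ...)` makes benchmark code depend on `io.grpc.okhttp.internal.Platform`, and nothing at the call site says why this particular provider has to be passed. The same pairing appears in `TestServiceClient.java` and `Http2OkHttpTest.java`, so a later edit that hands in a different `Provider` would build the trust-anchored socket factory on a TLS stack other than the one the OkHttp transport selects. I would add a comment above the call such as `// Use the provider OkHttp's Platform selected so the factory matches the transport's TLS stack.` and adjust the wording if the real constraint is narrower. The enclosing method starts and ends outside the hunk.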
--- a/interop-testing/src/main/java/io/grpc/testing/integration/TestServiceClient.java
+++ b/interop-testing/src/main/java/io/grpc/testing/integration/TestServiceClient.java
@@ -39,6 +39,7 @@ import io.grpc.netty.GrpcSslContexts;
 import io.grpc.netty.NegotiationType;
 import io.grpc.netty.NettyChannelBuilder;
 import io.grpc.okhttp.OkHttpChannelBuilder;
+import io.grpc.okhttp.internal.Platform;
 import io.grpc.testing.TestUtils;
 import io.netty.handler.ssl.SslContext;
@@ -324,7 +325,8 @@ public class TestServiceClient {
 if (useTls) {
 try {
 SSLSocketFactory factory = useTestCa
- ? TestUtils.newSslSocketFactoryForCa(TestUtils.loadCert("ca.pem"))
+ ? TestUtils.newSslSocketFactoryForCa(Platform.get().getProvider(),
+ TestUtils.loadCert("ca.pem"))
 : (SSLSocketFactory) SSLSocketFactory.getDefault();
 builder.sslSocketFactory(factory);
 } catch (Exception e) {
diff --git a/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java b/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java
index 38f39e1da0..936cd1546a 100644
--- a/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java
+++ b/interop-testing/src/test/java/io/grpc/testing/integration/Http2OkHttpTest.java
@@ -61,7 +61,6 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import java.io.FileInputStream;
 import java.io.IOException;
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -112,7 +111,7 @@ public class Http2OkHttpTest extends AbstractInteropTest {
 TestUtils.TEST_SERVER_HOST, getPort()));
 try {
 builder.sslSocketFactory(TestUtils.newSslSocketFactoryForCa(Platform.get().getProvider(),
- new FileInputStream(TestUtils.loadCert("ca.pem"))));
+ TestUtils.loadCert("ca.pem")));
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
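Review bot: In `TestServiceClient.java` only the `useTestCa` branch takes its provider from `Platform.get().getProvider()`; the other branch still installs `(SSLSocketFactory) SSLSocketFactory.getDefault()`, which comes from the JVM's default provider and bypasses the provider-based default that `OkHttpChannelBuilder` applies when no factory is set. If the two providers differ, the interop client exercises a different TLS stack depending on the flag. Consider setting a factory only for the test CA, `if (useTestCa) { builder.sslSocketFactory(TestUtils.newSslSocketFactoryForCa(Platform.get().getProvider(), TestUtils.loadCert("ca.pem"))); }`, and leaving it unset otherwise so the builder picks its own default. The surrounding `try`/`catch` continues outside the hunk.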
@@ -153,7 +152,7 @@ public class Http2OkHttpTest extends AbstractInteropTest {
 "I.am.a.bad.hostname", getPort()));
 ManagedChannel channel = builder.sslSocketFactory(
 TestUtils.newSslSocketFactoryForCa(Platform.get().getProvider(),
- new FileInputStream(TestUtils.loadCert("ca.pem")))).build();
+ TestUtils.loadCert("ca.pem"))).build();
 TestServiceGrpc.TestServiceBlockingStub blockingStub = TestServiceGrpc.newBlockingStub(channel);
diff --git a/interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java b/interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java
index f8f8d3259c..30ff9e78ce 100644
--- a/interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java
+++ b/interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java
@@ -65,12 +65,15 @@ import org.junit.runners.Parameterized.Parameters;
 import java.io.File;
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
+
 /**
 * Integration tests for GRPC's TLS support.
@@ -97,11 +100,17 @@ public class TlsTest {
 private SslContextBuilder clientContextBuilder;
 @Before
- public void setUp() {
+ public void setUp() throws NoSuchAlgorithmException {
 executor = Executors.newSingleThreadScheduledExecutor();
 if (sslProvider == SslProvider.OPENSSL) {
 Assume.assumeTrue(OpenSsl.isAvailable());
 }
+ if (sslProvider == SslProvider.JDK) {
+ Assume.assumeTrue(Arrays.asList(
+ SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
+ .contains("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
+
+ }
 clientContextBuilder = GrpcSslContexts.configure(SslContextBuilder.forClient(), sslProvider);
 }
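Review bot: The new `Assume.assumeTrue(...)` in `TlsTest.setUp()` skips every JDK-provider TLS test when the suite is missing, yet nothing explains why `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` is the gate, so a run on such a JVM reports no TLS coverage without saying why. Going by the commit subject this targets JDK 7; I would state that above the check, e.g. `// JDK 7's JSSE has no AES-GCM suites, so the JDK provider cannot run these tests there; skip instead of failing.` The literal would read better as a named constant, and the empty line before the closing brace of the new `if` can be dropped. The check queries `SSLContext.getDefault()`, which is presumably the same context `SslProvider.JDK` ends up using; a short remark confirming that would help.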
diff --git a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
index 80c09b683d..66e3af9488 100644
--- a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
+++ b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
@@ -271,8 +271,7 @@ public class OkHttpChannelBuilder extends
 case TLS:
 try {
 if (sslSocketFactory == null) {
- SSLContext sslContext = SSLContext.getInstance("TLS", Platform.get().getProvider());
- sslContext.init(null, null, null);
+ SSLContext sslContext = SSLContext.getInstance("Default", Platform.get().getProvider());
 sslSocketFactory = sslContext.getSocketFactory();
 }
 return sslSocketFactory;
diff --git a/testing/src/main/java/io/grpc/testing/TestUtils.java b/testing/src/main/java/io/grpc/testing/TestUtils.java
index 452479d142..61c38bf407 100644
--- a/testing/src/main/java/io/grpc/testing/TestUtils.java
+++ b/testing/src/main/java/io/grpc/testing/TestUtils.java
@@ -52,7 +52,6 @@ import java.net.UnknownHostException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
-import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
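Review bot: In `OkHttpChannelBuilder.java`, `SSLContext.getInstance("Default", Platform.get().getProvider())` changes more than the algorithm name, and the hunk has no comment saying so. A "Default" context is handed out already initialised, which is why the `init(null, null, null)` call had to go. On the JDK's JSSE it is, as far as I know, configured from the `javax.net.ssl.keyStore*` and `javax.net.ssl.trustStore*` system properties, so the key and trust material of a channel built without an explicit factory now follows process-wide settings. The selected provider must also offer an `SSLContext` named "Default"; if it does not, `getInstance` throws `NoSuchAlgorithmException`, and how that surfaces depends on the `catch` outside the hunk. I would add `// "Default" is pre-initialised by the provider; do not call init(). Key/trust material follows the platform defaults.` above the line.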
@@ -233,36 +232,16 @@ public class TestUtils {
 }
 }
- /**
- * Creates an SSLSocketFactory which contains {@code certChainFile} as its only root certificate.
- */
- public static SSLSocketFactory newSslSocketFactoryForCa(File certChainFile) throws Exception {
- InputStream is = new FileInputStream(certChainFile);
- try {
- return newSslSocketFactoryForCa(is);
- } finally {
- is.close();
- }
- }
-
- /**
- * Creates an SSLSocketFactory which contains {@code certChainFile} as its only root certificate.
- */
- public static SSLSocketFactory newSslSocketFactoryForCa(
- InputStream certChain) throws Exception {
- return newSslSocketFactoryForCa(Security.getProviders()[0], certChain);
- }
-
 /**
 * Creates an SSLSocketFactory which contains {@code certChainFile} as its only root certificate.
 */
 public static SSLSocketFactory newSslSocketFactoryForCa(Provider provider,
- InputStream certChain) throws Exception {
+ File certChainFile) throws Exception {
 KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 ks.load(null, null);
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 X509Certificate cert = (X509Certificate) cf.generateCertificate(
- new BufferedInputStream(certChain));
+ new BufferedInputStream(new FileInputStream(certChainFile)));
 X500Principal principal = cert.getSubjectX500Principal();
 ks.setCertificateEntry(principal.getName("RFC2253"), cert);
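Review bot: The `FileInputStream` opened in `new BufferedInputStream(new FileInputStream(certChainFile))` is never closed. The `File` overload this commit deletes closed its stream in a `finally`, so each call of `newSslSocketFactoryForCa` now leaves a file descriptor open until the garbage collector reclaims it. I would open the stream into a local and close it in a `finally` around `generateCertificate`, as in the block below, keeping the try/finally form the removed overload used. The Javadoc should also gain a `@param provider` line now that the provider is mandatory. The method body continues past the end of the hunk.

```java
public static SSLSocketFactory newSslSocketFactoryForCa(Provider provider,
    File certChainFile) throws Exception {
  // … unchanged: KeyStore and CertificateFactory setup …
  X509Certificate cert;
  BufferedInputStream in = new BufferedInputStream(new FileInputStream(certChainFile));
  try {
    cert = (X509Certificate) cf.generateCertificate(in);
  } finally {
    in.close();
  }
  // … unchanged: principal lookup and ks.setCertificateEntry …
```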