grpc
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Test that a GRPC client rejects untrusted server certs.

This commit is contained in:
Matt Hildebrand 2016-02-29 14:39:46 -05:00 committed by Eric Anderson
parent 39659dce85
commit de72f6915d
1 changed files with 44 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java
View File

@ -90,6 +90,7 @@ public class TlsTest {
public SslProvider sslProvider; public SslProvider sslProvider;
private int port = TestUtils.pickUnusedPort(); private int port = TestUtils.pickUnusedPort();
private ScheduledExecutorService executor;
private Server server; private Server server;
private ManagedChannel channel; private ManagedChannel channel;
private SslContextBuilder clientContextBuilder; private SslContextBuilder clientContextBuilder;
@ -236,6 +237,49 @@ public class TlsTest {
} }
/**
* Tests that a client configured using GrpcSslContexts refuses to talk to a server that has an
* an untrusted certificate.
*/
@Test
public void clientRejectsUntrustedServerCert() throws Exception {
// Create & start a server.
File serverCertFile = TestUtils.loadCert("badserver.pem");
File serverPrivateKeyFile = TestUtils.loadCert("badserver.key");
X509Certificate[] serverTrustedCaCerts = {
TestUtils.loadX509Cert("ca.pem")
};
server = serverBuilder(port, serverCertFile, serverPrivateKeyFile, serverTrustedCaCerts)
.addService(TestServiceGrpc.bindService(new TestServiceImpl(executor)))
.build()
.start();
// Create a client.
File clientCertChainFile = TestUtils.loadCert("client.pem");
File clientPrivateKeyFile = TestUtils.loadCert("client.key");
X509Certificate[] clientTrustedCaCerts = {
TestUtils.loadX509Cert("ca.pem")
};
channel = clientChannel(port, clientContextBuilder
.keyManager(clientCertChainFile, clientPrivateKeyFile)
.trustManager(clientTrustedCaCerts)
.build());
TestServiceGrpc.TestServiceBlockingStub client = TestServiceGrpc.newBlockingStub(channel);
// Check that the TLS handshake fails.
Empty request = Empty.getDefaultInstance();
try {
client.emptyCall(request);
fail("TLS handshake should have failed, but didn't; received RPC response");
} catch (StatusRuntimeException e) {
// GRPC reports this situation by throwing a StatusRuntimeException that wraps either a
// javax.net.ssl.SSLHandshakeException or a java.nio.channels.ClosedChannelException.
// Thus, reliably detecting the underlying cause is not feasible.
assertEquals(Status.Code.UNAVAILABLE, e.getStatus().getCode());
}
}
private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile, private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException { File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
SslContextBuilder sslContextBuilder SslContextBuilder sslContextBuilder
@ -256,7 +300,4 @@ public class TlsTest {
.sslContext(sslContext) .sslContext(sslContext)
.build(); .build();
} }
private ScheduledExecutorService executor;
} }