flasn4nt
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix tests and warnings on Java 17 

SelfSignedCertificate is not available on Java 17 because
OpenJdkSelfSignedCertGenerator is not available. This only impacted
tests.

AccessController is being removed, and these locations are doing simple
reflection which is unlikely to require it even when a security policy
is in effect. There's other places we do reflection without the
AccessController, so either no security policies care or the users can
update their policies to allow it.
This commit is contained in:
Eric Anderson 2022-01-07 12:25:39 -08:00
parent feab4e5449
commit ac62c8b055
8 changed files with 97 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/testing.yml vendored
View File

@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
jre: [8, 11]
jre: [8, 11, 17]
fail-fast: false # Should swap to true if we grow a large matrix
steps:

2
core/src/main/java/io/grpc/internal/ProxyDetectorImpl.java
View File

@ -135,7 +135,6 @@ class ProxyDetectorImpl implements ProxyDetector {
Level.WARNING,
"failed to create URL for Authenticator: {0} {1}", new Object[] {protocol, host});
}
// TODO(spencerfang): consider using java.security.AccessController here
return Authenticator.requestPasswordAuthentication(
host, addr, port, protocol, prompt, scheme, url, Authenticator.RequestorType.PROXY);
}
@ -144,7 +143,6 @@ class ProxyDetectorImpl implements ProxyDetector {
new Supplier<ProxySelector>() {
@Override
public ProxySelector get() {
// TODO(spencerfang): consider using java.security.AccessController here
return ProxySelector.getDefault();
}
};

10
netty/src/main/java/io/grpc/netty/JettyTlsUtil.java
View File

@ -17,8 +17,6 @@
package io.grpc.netty;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@ -42,13 +40,7 @@ final class JettyTlsUtil {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
SSLEngine engine = context.createSSLEngine();
Method getApplicationProtocol =
AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return SSLEngine.class.getMethod("getApplicationProtocol");
}
});
Method getApplicationProtocol = SSLEngine.class.getMethod("getApplicationProtocol");
getApplicationProtocol.invoke(engine);
return null;
} catch (Throwable t) {

36
netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
View File

@ -68,6 +68,7 @@ import io.grpc.netty.ProtocolNegotiators.HostPort;
import io.grpc.netty.ProtocolNegotiators.ServerTlsHandler;
import io.grpc.netty.ProtocolNegotiators.WaitUntilActiveHandler;
import io.grpc.testing.TlsTesting;
import io.grpc.util.CertificateUtils;
import io.netty.bootstrap.Bootstrap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
@ -107,16 +108,13 @@ import io.netty.handler.codec.http2.Http2Settings;
import io.netty.handler.proxy.ProxyConnectException;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.File;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayDeque;
import java.util.Arrays;
@ -478,19 +476,26 @@ public class ProtocolNegotiatorsTest {
@Test
public void from_tls_managers() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
InputStream server1Key = TlsTesting.loadCert("server1.key")) {
X509Certificate[] chain = CertificateUtils.getX509Certificates(server1Chain);
keyStore.setKeyEntry("key", CertificateUtils.getPrivateKey(server1Key), new char[0], chain);
}
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, new char[0]);
KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
certStore.load(null);
certStore.setCertificateEntry("mycert", cert.cert());
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
for (X509Certificate cert : CertificateUtils.getX509Certificates(ca)) {
certStore.setCertificateEntry(cert.getSubjectX500Principal().getName("RFC2253"), cert);
}
}
trustManagerFactory.init(certStore);
ServerCredentials serverCreds = TlsServerCredentials.newBuilder()
@ -504,8 +509,7 @@ public class ProtocolNegotiatorsTest {
.build();
InternalChannelz.Tls tls = expectSuccessfulHandshake(channelCreds, serverCreds);
assertThat(((X509Certificate) tls.remoteCert).getSubjectX500Principal().getName())
.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
cert.delete();
.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
}
@Test
@ -1214,11 +1218,15 @@ public class ProtocolNegotiatorsTest {
@Test
public void clientTlsHandler_firesNegotiation() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate("authority");
SslContext clientSslContext =
GrpcSslContexts.configure(SslContextBuilder.forClient().trustManager(cert.cert())).build();
SslContext serverSslContext =
GrpcSslContexts.configure(SslContextBuilder.forServer(cert.key(), cert.cert())).build();
SslContext clientSslContext;
try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
clientSslContext = GrpcSslContexts.forClient().trustManager(ca).build();
}
SslContext serverSslContext;
try (InputStream server1Key = TlsTesting.loadCert("server1.key");
InputStream server1Chain = TlsTesting.loadCert("server1.pem")) {
serverSslContext = GrpcSslContexts.forServer(server1Chain, server1Key).build();
}
FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext, null);
WriteBufferingAndExceptionHandler clientWbaeh =
@ -1404,7 +1412,7 @@ public class ProtocolNegotiatorsTest {
@Override
public String getAuthority() {
return "authority";
return "foo.test.google.fr";
}
}

37
okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
View File

@ -54,6 +54,7 @@ import io.grpc.okhttp.internal.TlsVersion;
import io.grpc.util.CertificateUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.GeneralSecurityException;
@ -667,21 +668,24 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
static KeyManager[] createKeyManager(byte[] certChain, byte[] privateKey)
throws GeneralSecurityException {
X509Certificate[] chain;
ByteArrayInputStream inCertChain = new ByteArrayInputStream(certChain);
InputStream certChainStream = new ByteArrayInputStream(certChain);
InputStream privateKeyStream = new ByteArrayInputStream(privateKey);
try {
chain = CertificateUtils.getX509Certificates(inCertChain);
return createKeyManager(certChainStream, privateKeyStream);
} finally {
GrpcUtil.closeQuietly(inCertChain);
GrpcUtil.closeQuietly(certChainStream);
GrpcUtil.closeQuietly(privateKeyStream);
}
}
static KeyManager[] createKeyManager(InputStream certChain, InputStream privateKey)
throws GeneralSecurityException {
X509Certificate[] chain = CertificateUtils.getX509Certificates(certChain);
PrivateKey key;
ByteArrayInputStream inPrivateKey = new ByteArrayInputStream(privateKey);
try {
key = CertificateUtils.getPrivateKey(inPrivateKey);
key = CertificateUtils.getPrivateKey(privateKey);
} catch (IOException uee) {
throw new GeneralSecurityException("Unable to decode private key", uee);
} finally {
GrpcUtil.closeQuietly(inPrivateKey);
}
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
try {
@ -699,6 +703,15 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
}
static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
try {
return createTrustManager(rootCertsStream);
} finally {
GrpcUtil.closeQuietly(rootCertsStream);
}
}
static TrustManager[] createTrustManager(InputStream rootCerts) throws GeneralSecurityException {
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
try {
ks.load(null, null);
@ -706,13 +719,7 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
// Shouldn't really happen, as we're not loading any data.
throw new GeneralSecurityException(ex);
}
X509Certificate[] certs;
ByteArrayInputStream in = new ByteArrayInputStream(rootCerts);
try {
certs = CertificateUtils.getX509Certificates(in);
} finally {
GrpcUtil.closeQuietly(in);
}
X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
for (X509Certificate cert : certs) {
X500Principal principal = cert.getSubjectX500Principal();
ks.setCertificateEntry(principal.getName("RFC2253"), cert);

101
okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java
View File

@ -39,23 +39,20 @@ import io.grpc.internal.ClientTransportFactory.SwapChannelCredentialsResult;
import io.grpc.internal.FakeClock;
import io.grpc.internal.GrpcUtil;
import io.grpc.internal.SharedResourceHolder;
import io.grpc.internal.testing.TestUtils;
import io.grpc.testing.GrpcCleanupRule;
import io.grpc.testing.TlsTesting;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.concurrent.ScheduledExecutorService;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManager;
import javax.security.auth.x500.X500Principal;
import org.junit.Rule;
import org.junit.Test;
@ -168,16 +165,12 @@ public class OkHttpChannelBuilderTest {
@Test
public void sslSocketFactoryFrom_tls_customRoots() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, new char[0]);
SSLContext serverContext = SSLContext.getInstance("TLS");
serverContext.init(keyManagerFactory.getKeyManagers(), null, null);
try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
InputStream server1Key = TlsTesting.loadCert("server1.key")) {
serverContext.init(
OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key), null, null);
}
final SSLServerSocket serverListenSocket =
(SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
final SettableFuture<SSLSocket> serverSocket = SettableFuture.create();
@ -194,9 +187,12 @@ public class OkHttpChannelBuilderTest {
}
}).start();
ChannelCredentials creds = TlsChannelCredentials.newBuilder()
.trustManager(cert.certificate())
ChannelCredentials creds;
try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
creds = TlsChannelCredentials.newBuilder()
.trustManager(ca)
.build();
}
OkHttpChannelBuilder.SslSocketFactoryResult result =
OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
SSLSocket socket =
@ -208,24 +204,19 @@ public class OkHttpChannelBuilderTest {
@Test
public void sslSocketFactoryFrom_tls_mtls() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, new char[0]);
KeyManager[] keyManagers;
try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
InputStream server1Key = TlsTesting.loadCert("server1.key")) {
keyManagers = OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key);
}
KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
certStore.load(null);
certStore.setCertificateEntry("mycert", cert.cert());
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(certStore);
TrustManager[] trustManagers;
try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
trustManagers = OkHttpChannelBuilder.createTrustManager(ca);
}
SSLContext serverContext = SSLContext.getInstance("TLS");
serverContext.init(
keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
serverContext.init(keyManagers, trustManagers, null);
final SSLServerSocket serverListenSocket =
(SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
serverListenSocket.setNeedClientAuth(true);
@ -244,8 +235,8 @@ public class OkHttpChannelBuilderTest {
}).start();
ChannelCredentials creds = TlsChannelCredentials.newBuilder()
.keyManager(keyManagerFactory.getKeyManagers())
.trustManager(trustManagerFactory.getTrustManagers())
.keyManager(keyManagers)
.trustManager(trustManagers)
.build();
OkHttpChannelBuilder.SslSocketFactoryResult result =
OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
@ -253,31 +244,22 @@ public class OkHttpChannelBuilderTest {
(SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
socket.getSession(); // Force handshake
assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
socket.close();
serverSocket.get().close();
}
@Test
public void sslSocketFactoryFrom_tls_mtls_keyFile() throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, new char[0]);
KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
certStore.load(null);
certStore.setCertificateEntry("mycert", cert.cert());
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(certStore);
SSLContext serverContext = SSLContext.getInstance("TLS");
serverContext.init(
keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
InputStream server1Key = TlsTesting.loadCert("server1.key");
InputStream ca = TlsTesting.loadCert("ca.pem")) {
serverContext.init(
OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key),
OkHttpChannelBuilder.createTrustManager(ca),
null);
}
final SSLServerSocket serverListenSocket =
(SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
serverListenSocket.setNeedClientAuth(true);
@ -295,17 +277,22 @@ public class OkHttpChannelBuilderTest {
}
}).start();
ChannelCredentials creds = TlsChannelCredentials.newBuilder()
.keyManager(cert.certificate(), cert.privateKey())
.trustManager(cert.certificate())
.build();
ChannelCredentials creds;
try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
InputStream server1Key = TlsTesting.loadCert("server1.key");
InputStream ca = TlsTesting.loadCert("ca.pem")) {
creds = TlsChannelCredentials.newBuilder()
.keyManager(server1Chain, server1Key)
.trustManager(ca)
.build();
}
OkHttpChannelBuilder.SslSocketFactoryResult result =
OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
SSLSocket socket =
(SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
socket.getSession(); // Force handshake
assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
.isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
.isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
socket.close();
serverSocket.get().close();
}

33
okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/Platform.java vendored
View File

@ -28,11 +28,8 @@ import java.lang.reflect.Proxy;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketException;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
@ -218,41 +215,21 @@ public class Platform {
SSLContext context = SSLContext.getInstance("TLS", sslProvider);
context.init(null, null, null);
SSLEngine engine = context.createSSLEngine();
Method getEngineApplicationProtocol =
AccessController.doPrivileged(
new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return SSLEngine.class.getMethod("getApplicationProtocol");
}
});
Method getEngineApplicationProtocol = SSLEngine.class.getMethod("getApplicationProtocol");
getEngineApplicationProtocol.invoke(engine);
Method setApplicationProtocols =
AccessController.doPrivileged(
new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
}
});
Method getApplicationProtocol =
AccessController.doPrivileged(
new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return SSLSocket.class.getMethod("getApplicationProtocol");
}
});
SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
Method getApplicationProtocol = SSLSocket.class.getMethod("getApplicationProtocol");
return new JdkAlpnPlatform(sslProvider, setApplicationProtocols, getApplicationProtocol);
} catch (NoSuchAlgorithmException ignored) {
// On older Java
} catch (KeyManagementException ignored) {
// On older Java
} catch (PrivilegedActionException ignored) {
// On older Java
} catch (IllegalAccessException ignored) {
// On older Java
} catch (NoSuchMethodException ignored) {
// On older Java
} catch (InvocationTargetException ignored) {
// On older Java
}

2
xds/src/test/java/io/grpc/xds/SharedCallCounterMapTest.java
View File

@ -54,6 +54,7 @@ public class SharedCallCounterMapTest {
final CounterReference ref = counters.get(CLUSTER).get(EDS_SERVICE_NAME);
counter = null;
GcFinalization.awaitDone(new FinalizationPredicate() {
@SuppressWarnings("deprecation") // Use refersTo(null) once we require Java 17+
@Override
public boolean isDone() {
return ref.isEnqueued();
@ -71,6 +72,7 @@ public class SharedCallCounterMapTest {
assertThat(counter.get()).isEqualTo(0);
counter = null;
GcFinalization.awaitDone(new FinalizationPredicate() {
@SuppressWarnings("deprecation") // Use refersTo(null) once we require Java 17+
@Override
public boolean isDone() {
return ref.isEnqueued();