Fix tests and warnings on Java 17

SelfSignedCertificate is not available on Java 17 because OpenJdkSelfSignedCertGenerator is not available. This only impacted tests. AccessController is being removed, and these locations are doing simple reflection which is unlikely to require it even when a security policy is in effect. There's other places we do reflection without the AccessController, so either no security policies care or the users can update their policies to allow it.
2022-01-07 12:25:39 -08:00 · 2022-01-07 12:25:39 -08:00 · ac62c8b055
parent feab4e5449
commit ac62c8b055
8 changed files with 97 additions and 126 deletions
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        jre: [8, 11]
+        jre: [8, 11, 17]
      fail-fast: false # Should swap to true if we grow a large matrix
    steps:
--- a/core/src/main/java/io/grpc/internal/ProxyDetectorImpl.java
+++ b/core/src/main/java/io/grpc/internal/ProxyDetectorImpl.java
@ -135,7 +135,6 @@ class ProxyDetectorImpl implements ProxyDetector {
            Level.WARNING,
            "failed to create URL for Authenticator: {0} {1}", new Object[] {protocol, host});
      }
      // TODO(spencerfang): consider using java.security.AccessController here
      return Authenticator.requestPasswordAuthentication(
          host, addr, port, protocol, prompt, scheme, url, Authenticator.RequestorType.PROXY);
    }
@ -144,7 +143,6 @@ class ProxyDetectorImpl implements ProxyDetector {
      new Supplier<ProxySelector>() {
        @Override
        public ProxySelector get() {
          // TODO(spencerfang): consider using java.security.AccessController here
          return ProxySelector.getDefault();
        }
      };
--- a/netty/src/main/java/io/grpc/netty/JettyTlsUtil.java
+++ b/netty/src/main/java/io/grpc/netty/JettyTlsUtil.java
@ -17,8 +17,6 @@
 package io.grpc.netty;
 import java.lang.reflect.Method;
 import java.security.AccessController;
 import java.security.PrivilegedExceptionAction;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@ -42,13 +40,7 @@ final class JettyTlsUtil {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        SSLEngine engine = context.createSSLEngine();
-        Method getApplicationProtocol =
+        Method getApplicationProtocol = SSLEngine.class.getMethod("getApplicationProtocol");
            AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
              @Override
              public Method run() throws Exception {
                return SSLEngine.class.getMethod("getApplicationProtocol");
              }
            });
        getApplicationProtocol.invoke(engine);
        return null;
      } catch (Throwable t) {
--- a/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
+++ b/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
@ -68,6 +68,7 @@ import io.grpc.netty.ProtocolNegotiators.HostPort;
 import io.grpc.netty.ProtocolNegotiators.ServerTlsHandler;
 import io.grpc.netty.ProtocolNegotiators.WaitUntilActiveHandler;
 import io.grpc.testing.TlsTesting;
 import io.grpc.util.CertificateUtils;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.buffer.ByteBuf;
@ -107,16 +108,13 @@ import io.netty.handler.codec.http2.Http2Settings;
 import io.netty.handler.proxy.ProxyConnectException;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
 import io.netty.handler.ssl.util.SelfSignedCertificate;
 import java.io.File;
 import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayDeque;
 import java.util.Arrays;
@ -478,19 +476,26 @@ public class ProtocolNegotiatorsTest {
  @Test
  public void from_tls_managers() throws Exception {
    SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null);
-    keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
+    try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
         InputStream server1Key = TlsTesting.loadCert("server1.key")) {
      X509Certificate[] chain = CertificateUtils.getX509Certificates(server1Chain);
      keyStore.setKeyEntry("key", CertificateUtils.getPrivateKey(server1Key), new char[0], chain);
    }
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, new char[0]);
    KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
    certStore.load(null);
    certStore.setCertificateEntry("mycert", cert.cert());
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
      for (X509Certificate cert : CertificateUtils.getX509Certificates(ca)) {
        certStore.setCertificateEntry(cert.getSubjectX500Principal().getName("RFC2253"), cert);
      }
    }
    trustManagerFactory.init(certStore);
    ServerCredentials serverCreds = TlsServerCredentials.newBuilder()
@ -504,8 +509,7 @@ public class ProtocolNegotiatorsTest {
        .build();
    InternalChannelz.Tls tls = expectSuccessfulHandshake(channelCreds, serverCreds);
    assertThat(((X509Certificate) tls.remoteCert).getSubjectX500Principal().getName())
-        .isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
+        .isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
    cert.delete();
  }
  @Test
@ -1214,11 +1218,15 @@ public class ProtocolNegotiatorsTest {
  @Test
  public void clientTlsHandler_firesNegotiation() throws Exception {
-    SelfSignedCertificate cert = new SelfSignedCertificate("authority");
+    SslContext clientSslContext;
-    SslContext clientSslContext =
+    try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
-        GrpcSslContexts.configure(SslContextBuilder.forClient().trustManager(cert.cert())).build();
+      clientSslContext = GrpcSslContexts.forClient().trustManager(ca).build();
-    SslContext serverSslContext =
+    }
-        GrpcSslContexts.configure(SslContextBuilder.forServer(cert.key(), cert.cert())).build();
+    SslContext serverSslContext;
    try (InputStream server1Key = TlsTesting.loadCert("server1.key");
        InputStream server1Chain = TlsTesting.loadCert("server1.pem")) {
      serverSslContext = GrpcSslContexts.forServer(server1Chain, server1Key).build();
    }
    FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
    ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext, null);
    WriteBufferingAndExceptionHandler clientWbaeh =
@ -1404,7 +1412,7 @@ public class ProtocolNegotiatorsTest {
    @Override
    public String getAuthority() {
-      return "authority";
+      return "foo.test.google.fr";
    }
  }
--- a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
+++ b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
@ -54,6 +54,7 @@ import io.grpc.okhttp.internal.TlsVersion;
 import io.grpc.util.CertificateUtils;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.GeneralSecurityException;
@ -667,21 +668,24 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
  static KeyManager[] createKeyManager(byte[] certChain, byte[] privateKey)
      throws GeneralSecurityException {
-    X509Certificate[] chain;
+    InputStream certChainStream = new ByteArrayInputStream(certChain);
-    ByteArrayInputStream inCertChain = new ByteArrayInputStream(certChain);
+    InputStream privateKeyStream = new ByteArrayInputStream(privateKey);
    try {
-      chain = CertificateUtils.getX509Certificates(inCertChain);
+      return createKeyManager(certChainStream, privateKeyStream);
    } finally {
-      GrpcUtil.closeQuietly(inCertChain);
+      GrpcUtil.closeQuietly(certChainStream);
      GrpcUtil.closeQuietly(privateKeyStream);
    }
  }
  static KeyManager[] createKeyManager(InputStream certChain, InputStream privateKey)
      throws GeneralSecurityException {
    X509Certificate[] chain = CertificateUtils.getX509Certificates(certChain);
    PrivateKey key;
    ByteArrayInputStream inPrivateKey = new ByteArrayInputStream(privateKey);
    try {
-      key = CertificateUtils.getPrivateKey(inPrivateKey);
+      key = CertificateUtils.getPrivateKey(privateKey);
    } catch (IOException uee) {
      throw new GeneralSecurityException("Unable to decode private key", uee);
    } finally {
      GrpcUtil.closeQuietly(inPrivateKey);
    }
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try {
@ -699,6 +703,15 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
  }
  static TrustManager[] createTrustManager(byte[] rootCerts) throws GeneralSecurityException {
    InputStream rootCertsStream = new ByteArrayInputStream(rootCerts);
    try {
      return createTrustManager(rootCertsStream);
    } finally {
      GrpcUtil.closeQuietly(rootCertsStream);
    }
  }
  static TrustManager[] createTrustManager(InputStream rootCerts) throws GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try {
      ks.load(null, null);
@ -706,13 +719,7 @@ public final class OkHttpChannelBuilder extends ForwardingChannelBuilder2<OkHttp
      // Shouldn't really happen, as we're not loading any data.
      throw new GeneralSecurityException(ex);
    }
-    X509Certificate[] certs;
+    X509Certificate[] certs = CertificateUtils.getX509Certificates(rootCerts);
    ByteArrayInputStream in = new ByteArrayInputStream(rootCerts);
    try {
      certs = CertificateUtils.getX509Certificates(in);
    } finally {
      GrpcUtil.closeQuietly(in);
    }
    for (X509Certificate cert : certs) {
      X500Principal principal = cert.getSubjectX500Principal();
      ks.setCertificateEntry(principal.getName("RFC2253"), cert);
--- a/okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java
+++ b/okhttp/src/test/java/io/grpc/okhttp/OkHttpChannelBuilderTest.java
@ -39,23 +39,20 @@ import io.grpc.internal.ClientTransportFactory.SwapChannelCredentialsResult;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.SharedResourceHolder;
 import io.grpc.internal.testing.TestUtils;
 import io.grpc.testing.GrpcCleanupRule;
 import io.grpc.testing.TlsTesting;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
+import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.util.concurrent.ScheduledExecutorService;
 import javax.net.SocketFactory;
-import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManager;
 import javax.security.auth.x500.X500Principal;
 import org.junit.Rule;
 import org.junit.Test;
@ -168,16 +165,12 @@ public class OkHttpChannelBuilderTest {
  @Test
  public void sslSocketFactoryFrom_tls_customRoots() throws Exception {
    SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null);
    keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, new char[0]);
    SSLContext serverContext = SSLContext.getInstance("TLS");
-    serverContext.init(keyManagerFactory.getKeyManagers(), null, null);
+    try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
         InputStream server1Key = TlsTesting.loadCert("server1.key")) {
      serverContext.init(
          OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key), null, null);
    }
    final SSLServerSocket serverListenSocket =
        (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
    final SettableFuture<SSLSocket> serverSocket = SettableFuture.create();
@ -194,9 +187,12 @@ public class OkHttpChannelBuilderTest {
      }
    }).start();
-    ChannelCredentials creds = TlsChannelCredentials.newBuilder()
+    ChannelCredentials creds;
-        .trustManager(cert.certificate())
+    try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
      creds = TlsChannelCredentials.newBuilder()
        .trustManager(ca)
        .build();
    }
    OkHttpChannelBuilder.SslSocketFactoryResult result =
        OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
    SSLSocket socket =
@ -208,24 +204,19 @@ public class OkHttpChannelBuilderTest {
  @Test
  public void sslSocketFactoryFrom_tls_mtls() throws Exception {
-    SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
+    KeyManager[] keyManagers;
-    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+    try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
-    keyStore.load(null);
+         InputStream server1Key = TlsTesting.loadCert("server1.key")) {
-    keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
+      keyManagers = OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key);
-    KeyManagerFactory keyManagerFactory =
+    }
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, new char[0]);
-    KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
+    TrustManager[] trustManagers;
-    certStore.load(null);
+    try (InputStream ca = TlsTesting.loadCert("ca.pem")) {
-    certStore.setCertificateEntry("mycert", cert.cert());
+      trustManagers = OkHttpChannelBuilder.createTrustManager(ca);
-    TrustManagerFactory trustManagerFactory =
+    }
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(certStore);
    SSLContext serverContext = SSLContext.getInstance("TLS");
-    serverContext.init(
+    serverContext.init(keyManagers, trustManagers, null);
        keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
    final SSLServerSocket serverListenSocket =
        (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
    serverListenSocket.setNeedClientAuth(true);
@ -244,8 +235,8 @@ public class OkHttpChannelBuilderTest {
    }).start();
    ChannelCredentials creds = TlsChannelCredentials.newBuilder()
-        .keyManager(keyManagerFactory.getKeyManagers())
+        .keyManager(keyManagers)
-        .trustManager(trustManagerFactory.getTrustManagers())
+        .trustManager(trustManagers)
        .build();
    OkHttpChannelBuilder.SslSocketFactoryResult result =
        OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
@ -253,31 +244,22 @@ public class OkHttpChannelBuilderTest {
        (SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
    socket.getSession(); // Force handshake
    assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
-        .isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
+        .isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
    socket.close();
    serverSocket.get().close();
  }
  @Test
  public void sslSocketFactoryFrom_tls_mtls_keyFile() throws Exception {
    SelfSignedCertificate cert = new SelfSignedCertificate(TestUtils.TEST_SERVER_HOST);
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null);
    keyStore.setKeyEntry("mykey", cert.key(), new char[0], new Certificate[] {cert.cert()});
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, new char[0]);
    KeyStore certStore = KeyStore.getInstance(KeyStore.getDefaultType());
    certStore.load(null);
    certStore.setCertificateEntry("mycert", cert.cert());
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(certStore);
    SSLContext serverContext = SSLContext.getInstance("TLS");
    try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
         InputStream server1Key = TlsTesting.loadCert("server1.key");
         InputStream ca = TlsTesting.loadCert("ca.pem")) {
      serverContext.init(
-        keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+          OkHttpChannelBuilder.createKeyManager(server1Chain, server1Key),
          OkHttpChannelBuilder.createTrustManager(ca),
          null);
    }
    final SSLServerSocket serverListenSocket =
        (SSLServerSocket) serverContext.getServerSocketFactory().createServerSocket(0);
    serverListenSocket.setNeedClientAuth(true);
@ -295,17 +277,22 @@ public class OkHttpChannelBuilderTest {
      }
    }).start();
-    ChannelCredentials creds = TlsChannelCredentials.newBuilder()
+    ChannelCredentials creds;
-        .keyManager(cert.certificate(), cert.privateKey())
+    try (InputStream server1Chain = TlsTesting.loadCert("server1.pem");
-        .trustManager(cert.certificate())
+         InputStream server1Key = TlsTesting.loadCert("server1.key");
         InputStream ca = TlsTesting.loadCert("ca.pem")) {
      creds = TlsChannelCredentials.newBuilder()
          .keyManager(server1Chain, server1Key)
          .trustManager(ca)
          .build();
    }
    OkHttpChannelBuilder.SslSocketFactoryResult result =
        OkHttpChannelBuilder.sslSocketFactoryFrom(creds);
    SSLSocket socket =
        (SSLSocket) result.factory.createSocket("localhost", serverListenSocket.getLocalPort());
    socket.getSession(); // Force handshake
    assertThat(((X500Principal) serverSocket.get().getSession().getPeerPrincipal()).getName())
-        .isEqualTo("CN=" + TestUtils.TEST_SERVER_HOST);
+        .isEqualTo("CN=*.test.google.com,O=Example\\, Co.,L=Chicago,ST=Illinois,C=US");
    socket.close();
    serverSocket.get().close();
  }
--- a/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/Platform.java
+++ b/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/Platform.java
@ -28,11 +28,8 @@ import java.lang.reflect.Proxy;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.net.SocketException;
 import java.security.AccessController;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.security.Provider;
 import java.security.Security;
 import java.util.ArrayList;
@ -218,41 +215,21 @@ public class Platform {
      SSLContext context = SSLContext.getInstance("TLS", sslProvider);
      context.init(null, null, null);
      SSLEngine engine = context.createSSLEngine();
-      Method getEngineApplicationProtocol =
+      Method getEngineApplicationProtocol = SSLEngine.class.getMethod("getApplicationProtocol");
          AccessController.doPrivileged(
              new PrivilegedExceptionAction<Method>() {
                @Override
                public Method run() throws Exception {
                  return SSLEngine.class.getMethod("getApplicationProtocol");
                }
              });
      getEngineApplicationProtocol.invoke(engine);
      Method setApplicationProtocols =
-          AccessController.doPrivileged(
+          SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
-              new PrivilegedExceptionAction<Method>() {
+      Method getApplicationProtocol = SSLSocket.class.getMethod("getApplicationProtocol");
                @Override
                public Method run() throws Exception {
                  return SSLParameters.class.getMethod("setApplicationProtocols", String[].class);
                }
              });
      Method getApplicationProtocol =
          AccessController.doPrivileged(
              new PrivilegedExceptionAction<Method>() {
                @Override
                public Method run() throws Exception {
                  return SSLSocket.class.getMethod("getApplicationProtocol");
                }
              });
      return new JdkAlpnPlatform(sslProvider, setApplicationProtocols, getApplicationProtocol);
    } catch (NoSuchAlgorithmException ignored) {
      // On older Java
    } catch (KeyManagementException ignored) {
      // On older Java
    } catch (PrivilegedActionException ignored) {
      // On older Java
    } catch (IllegalAccessException ignored) {
      // On older Java
    } catch (NoSuchMethodException ignored) {
      // On older Java
    } catch (InvocationTargetException ignored) {
      // On older Java
    }
--- a/xds/src/test/java/io/grpc/xds/SharedCallCounterMapTest.java
+++ b/xds/src/test/java/io/grpc/xds/SharedCallCounterMapTest.java
@ -54,6 +54,7 @@ public class SharedCallCounterMapTest {
    final CounterReference ref = counters.get(CLUSTER).get(EDS_SERVICE_NAME);
    counter = null;
    GcFinalization.awaitDone(new FinalizationPredicate() {
      @SuppressWarnings("deprecation") // Use refersTo(null) once we require Java 17+
      @Override
      public boolean isDone() {
        return ref.isEnqueued();
@ -71,6 +72,7 @@ public class SharedCallCounterMapTest {
    assertThat(counter.get()).isEqualTo(0);
    counter = null;
    GcFinalization.awaitDone(new FinalizationPredicate() {
      @SuppressWarnings("deprecation") // Use refersTo(null) once we require Java 17+
      @Override
      public boolean isDone() {
        return ref.isEnqueued();