xds: SNI SAN changes

api/src/main/java/io/grpc/EquivalentAddressGroup.java

@@ -55,6 +55,10 @@ public final class EquivalentAddressGroup {
    */
   public static final Attributes.Key<String> ATTR_LOCALITY_NAME =
       Attributes.Key.create("io.grpc.EquivalentAddressGroup.LOCALITY");
+  /** Name associated with individual address, if available (e.g., DNS name). */
+  @Attr
+  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
+      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
   private final List<SocketAddress> addrs;
   private final Attributes attrs;
 

core/src/main/java/io/grpc/internal/CertificateUtils.java

@@ -26,6 +26,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.security.auth.x500.X500Principal;
@@ -34,6 +35,16 @@
  * Contains certificate/key PEM file utility method(s) for internal usage.
  */
 public final class CertificateUtils {
+  private static Class<?> x509ExtendedTrustManagerClass;
+
+  static {
+    try {
+      x509ExtendedTrustManagerClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+    } catch (ClassNotFoundException e) {
+      // Will disallow per-rpc authority override via call option.
+    }
+  }
+
   /**
    * Creates X509TrustManagers using the provided CA certs.
    */
@@ -71,6 +82,17 @@ public static TrustManager[] createTrustManager(InputStream rootCerts)
     return trustManagerFactory.getTrustManagers();
   }
 
+  public static TrustManager getX509ExtendedTrustManager(List<TrustManager> trustManagers) {
+    if (x509ExtendedTrustManagerClass != null) {
+      for (TrustManager trustManager : trustManagers) {
+        if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
+          return trustManager;
+        }
+      }
+    }
+    return null;
+  }
+
   private static X509Certificate[] getX509Certificates(InputStream inputStream)
           throws CertificateException {
     CertificateFactory factory = CertificateFactory.getInstance("X.509");

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -26,6 +26,8 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
 import java.util.concurrent.Executor;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 
 /**
  * Internal accessor for {@link ProtocolNegotiators}.
@@ -38,13 +40,18 @@ private InternalProtocolNegotiators() {}
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
-   * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
+   *
+   * @param executorPool             a dedicated {@link Executor} pool for time-consuming TLS tasks
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
           ObjectPool<? extends Executor> executorPool,
-          Optional<Runnable> handshakeCompleteRunnable) {
+          Optional<Runnable> handshakeCompleteRunnable,
+          TrustManager extendedX509TrustManager,
+          String sni,
+          boolean isXdsTarget) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, null);
+        executorPool, handshakeCompleteRunnable, (X509TrustManager) extendedX509TrustManager, sni,
+        isXdsTarget);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -62,17 +69,19 @@ public void close() {
         negotiator.close();
       }
     }
-    
+
     return new TlsNegotiator();
   }
-  
+
   /**
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
    */
-  public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext) {
-    return tls(sslContext, null, Optional.absent());
+  public static InternalProtocolNegotiator.ProtocolNegotiator tls(
+      SslContext sslContext, String sni, boolean isXdsTarget,
+      TrustManager extendedX509TrustManager) {
+    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni, isXdsTarget);
   }
 
   /**

netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java

@@ -652,7 +652,8 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
       case PLAINTEXT_UPGRADE:
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
-        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null);
+        return ProtocolNegotiators.tls(
+            sslContext, executorPool, Optional.absent(), null, null, false);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -21,6 +21,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Optional;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
 import com.google.errorprone.annotations.ForOverride;
 import io.grpc.Attributes;
 import io.grpc.CallCredentials;
@@ -102,15 +103,6 @@ final class ProtocolNegotiators {
   private static final EnumSet<TlsServerCredentials.Feature> understoodServerTlsFeatures =
       EnumSet.of(
           TlsServerCredentials.Feature.MTLS, TlsServerCredentials.Feature.CUSTOM_MANAGERS);
-  private static Class<?> x509ExtendedTrustManagerClass;
-
-  static {
-    try {
-      x509ExtendedTrustManagerClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
-    } catch (ClassNotFoundException e) {
-      // Will disallow per-rpc authority override via call option.
-    }
-  }
 
   private ProtocolNegotiators() {
   }
@@ -139,25 +131,18 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
           trustManagers = tlsCreds.getTrustManagers();
         } else if (tlsCreds.getRootCertificates() != null) {
           trustManagers = Arrays.asList(CertificateUtils.createTrustManager(
-                  new ByteArrayInputStream(tlsCreds.getRootCertificates())));
+                new ByteArrayInputStream(tlsCreds.getRootCertificates())));
         } else { // else use system default
           TrustManagerFactory tmf = TrustManagerFactory.getInstance(
               TrustManagerFactory.getDefaultAlgorithm());
           tmf.init((KeyStore) null);
           trustManagers = Arrays.asList(tmf.getTrustManagers());
         }
         builder.trustManager(new FixedTrustManagerFactory(trustManagers));
-        TrustManager x509ExtendedTrustManager = null;
-        if (x509ExtendedTrustManagerClass != null) {
-          for (TrustManager trustManager : trustManagers) {
-            if (x509ExtendedTrustManagerClass.isInstance(trustManager)) {
-              x509ExtendedTrustManager = trustManager;
-              break;
-            }
-          }
-        }
+        TrustManager x509ExtendedTrustManager =
+            CertificateUtils.getX509ExtendedTrustManager(trustManagers);
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
-                (X509TrustManager) x509ExtendedTrustManager));
+            (X509TrustManager) x509ExtendedTrustManager));
       } catch (SSLException | GeneralSecurityException ex) {
         log.log(Level.FINE, "Exception building SslContext", ex);
         return FromChannelCredentialsResult.error(
@@ -473,7 +458,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
         }
         SslHandler sslHandler = ctx.pipeline().get(SslHandler.class);
         if (!sslContext.applicationProtocolNegotiator().protocols().contains(
-                sslHandler.applicationProtocol())) {
+            sslHandler.applicationProtocol())) {
           logSslEngineDetails(Level.FINE, ctx, "TLS negotiation failed for new client.", null);
           ctx.fireExceptionCaught(unavailableException(
               "Failed protocol negotiation: Unable to find compatible protocol"));
@@ -579,20 +564,27 @@ static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
 
     public ClientTlsProtocolNegotiator(SslContext sslContext,
         ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-        X509TrustManager x509ExtendedTrustManager) {
+        X509TrustManager x509ExtendedTrustManager, String sni, boolean isXdsTarget) {
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
       this.executorPool = executorPool;
       if (this.executorPool != null) {
         this.executor = this.executorPool.getObject();
       }
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+      this.sni = sni;
+      this.isXdsTarget = isXdsTarget;
     }
 
     private final SslContext sslContext;
     private final ObjectPool<? extends Executor> executorPool;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
+    private final String sni;
+    // For xds targets there may be no SNI determined, and no SNI may be sent in that case.
+    // Non xds-targets will always use channel authority for SNI. This field is used to handle
+    // the two cases differently.
+    private final boolean isXdsTarget;
     private Executor executor;
 
     @Override
@@ -604,9 +596,10 @@ public AsciiString scheme() {
     public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
-      ChannelHandler cth = new ClientTlsHandler(gnh, sslContext, grpcHandler.getAuthority(),
-          this.executor, negotiationLogger, handshakeCompleteRunnable, this,
-              x509ExtendedTrustManager);
+      ChannelHandler cth = new ClientTlsHandler(gnh, sslContext,
+          isXdsTarget ? sni : grpcHandler.getAuthority(),
+          this.executor, negotiationLogger, handshakeCompleteRunnable, null,
+          x509ExtendedTrustManager);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
     }
 
@@ -633,16 +626,21 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private final X509TrustManager x509ExtendedTrustManager;
     private SSLEngine sslEngine;
 
-    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
+    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String sniHostPort,
         Executor executor, ChannelLogger negotiationLogger,
         Optional<Runnable> handshakeCompleteRunnable,
         ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
-         X509TrustManager x509ExtendedTrustManager) {
+        X509TrustManager x509ExtendedTrustManager) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
-      HostPort hostPort = parseAuthority(authority);
-      this.host = hostPort.host;
-      this.port = hostPort.port;
+      if (!Strings.isNullOrEmpty(sniHostPort)) {
+        HostPort hostPort = parseAuthority(sniHostPort);
+        this.host = hostPort.host;
+        this.port = hostPort.port;
+      } else {
+        this.host = null;
+        this.port = 0;
+      }
       this.executor = executor;
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
@@ -651,7 +649,11 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      if (host != null) {
+        sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      } else {
+        sslEngine = sslContext.newEngine(ctx.alloc());
+      }
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);
@@ -746,13 +748,14 @@ static HostPort parseAuthority(String authority) {
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
+   *
    * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-      X509TrustManager x509ExtendedTrustManager) {
+      X509TrustManager x509ExtendedTrustManager, String sni, boolean isXdsTarget) {
     return new ClientTlsProtocolNegotiator(sslContext, executorPool, handshakeCompleteRunnable,
-        x509ExtendedTrustManager);
+        x509ExtendedTrustManager, sni, isXdsTarget);
   }
 
   /**
@@ -762,7 +765,7 @@ public static ProtocolNegotiator tls(SslContext sslContext,
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       X509TrustManager x509ExtendedTrustManager) {
-    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager);
+    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager, null, false);
   }
 
   public static ProtocolNegotiator.ClientFactory tlsClientFactory(SslContext sslContext,
@@ -1060,8 +1063,8 @@ static final class PlaintextHandler extends ProtocolNegotiationHandler {
     protected void protocolNegotiationEventTriggered(ChannelHandlerContext ctx) {
       ProtocolNegotiationEvent existingPne = getProtocolNegotiationEvent();
       Attributes attrs = existingPne.getAttributes().toBuilder()
-              .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, (authority) -> Status.OK)
-              .build();
+            .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, (authority) -> Status.OK)
+            .build();
       replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs));
       fireProtocolNegotiationEvent(ctx);
     }
@@ -1221,4 +1224,4 @@ public String getPeerHost() {
       return peerHost;
     }
   }
-}
+}

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -877,7 +877,7 @@ public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
         .keyManager(clientCert, clientKey)
         .build();
     ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, clientExecutorPool,
-        Optional.absent(), null);
+        Optional.absent(), null, null, false);
     // after starting the client, the Executor in the client pool should be used
     assertEquals(true, clientExecutorPool.isInUse());
     final NettyClientTransport transport = newTransport(negotiator);

netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java

@@ -918,7 +918,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        null, null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -957,7 +957,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        null, null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -982,7 +982,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        null, null);
     pipeline.addLast(handler);
 
     final AtomicReference<Throwable> error = new AtomicReference<>();
@@ -1011,7 +1011,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   public void clientTlsHandler_closeDuringNegotiation() throws Exception {
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", null, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        null, null);
     pipeline.addLast(new WriteBufferingAndExceptionHandler(handler));
     ChannelFuture pendingWrite = channel.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
 
@@ -1023,12 +1023,6 @@ public void clientTlsHandler_closeDuringNegotiation() throws Exception {
         .isEqualTo(Status.Code.UNAVAILABLE);
   }
 
-  private ClientTlsProtocolNegotiator getClientTlsProtocolNegotiator() throws SSLException {
-    return new ClientTlsProtocolNegotiator(GrpcSslContexts.forClient().trustManager(
-        TlsTesting.loadCert("ca.pem")).build(),
-        null, Optional.absent(), null);
-  }
-
   @Test
   public void engineLog() {
     ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);
@@ -1277,7 +1271,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {
     }
     FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
     ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,
-        null, Optional.absent(), null);
+        null, Optional.absent(), null, null, false);
     WriteBufferingAndExceptionHandler clientWbaeh =
         new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
 

s2a/src/main/java/io/grpc/s2a/internal/handshaker/S2AProtocolNegotiatorFactory.java

@@ -38,7 +38,6 @@
 import io.grpc.netty.InternalProtocolNegotiator.ProtocolNegotiator;
 import io.grpc.netty.InternalProtocolNegotiators;
 import io.grpc.netty.InternalProtocolNegotiators.ProtocolNegotiationHandler;
-import io.grpc.s2a.internal.handshaker.S2AIdentity;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerAdapter;
 import io.netty.channel.ChannelHandlerContext;
@@ -259,7 +258,8 @@ public void onSuccess(SslContext sslContext) {
                             public void run() {
                               s2aStub.close();
                             }
-                          }))
+                          }),
+                          null, null, false)
                       .newHandler(grpcHandler);
 
               // Delegate the rest of the handshake to the TLS handler. and remove the