Java Code Examples for io.grpc.internal.testing.TestUtils#loadX509Cert()

The following examples show how to use io.grpc.internal.testing.TestUtils#loadX509Cert().
Example 1
Source File: ConcurrencyTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 */
private Server newServer() throws CertificateException, IOException {
  // Server identity: certificate chain and matching private key, loaded through TestUtils.
  File certChain = TestUtils.loadCert("server1.pem");
  File privateKey = TestUtils.loadCert("server1.key");
  // Trust anchor used to validate the certificate a connecting client presents.
  X509Certificate[] trustedCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  // ClientAuth.REQUIRE makes this mutual TLS: the handshake fails for a client that does not
  // present a certificate chaining to one of the trusted CAs above.
  SslContext tlsContext =
      GrpcSslContexts.forServer(certChain, privateKey)
          .trustManager(trustedCas)
          .clientAuth(ClientAuth.REQUIRE)
          .build();

  // Port 0 requests an ephemeral port; the bound port is read back from the returned server.
  Server tlsServer =
      NettyServerBuilder.forPort(0)
          .sslContext(tlsContext)
          .addService(new TestServiceImpl(serverExecutor))
          .build();
  return tlsServer.start();
}
 
Example 2
Source File: ConcurrencyTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Builds a TLS channel to the locally started test server, presenting a client certificate.
 */
private ManagedChannel newClientChannel() throws CertificateException, IOException {
  // Client identity (certificate chain + private key) offered during the handshake.
  File certChain = TestUtils.loadCert("client.pem");
  File privateKey = TestUtils.loadCert("client.key");
  // Only this CA is accepted as issuer of the server's certificate.
  X509Certificate[] trustedCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  SslContext tlsContext =
      GrpcSslContexts.forClient()
          .keyManager(certChain, privateKey)
          .trustManager(trustedCas)
          .build();

  NettyChannelBuilder channelBuilder =
      NettyChannelBuilder.forAddress("localhost", server.getPort());
  // The socket goes to localhost, but overrideAuthority replaces the authority used for TLS
  // with the test host name, so the server certificate is matched against that name instead
  // of "localhost". This is a test-fixture convenience; outside tests it would decouple
  // hostname verification from the address actually dialled.
  return channelBuilder
      .overrideAuthority(TestUtils.TEST_SERVER_HOST)
      .negotiationType(NegotiationType.TLS)
      .sslContext(tlsContext)
      .build();
}
 
Example 3
Source File: GrpcUtilsTest.java    From gcp-token-broker with Apache License 2.0
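/**
 * Opens a channel through {@code GrpcUtils.newManagedChannel} using the test CA certificate
 * rendered as PEM text, and releases the channel afterwards.
 */
@Test
public void testManagedChannelTLSSuccess() {
    String certificate;
    try {
        X509Certificate[] trustedCaCerts = {
            TestUtils.loadX509Cert("ca.pem")
        };
        // getEncoded() returns the DER bytes; Base64 of those between the armor lines is the
        // PEM form. The Base64 body is emitted as one unwrapped line.
        certificate =
            "-----BEGIN CERTIFICATE-----\n" +
            Base64.getEncoder().encodeToString(trustedCaCerts[0].getEncoded()) + "\n" +
            "-----END CERTIFICATE-----";
    } catch (CertificateException | IOException e) {
        throw new RuntimeException(e);
    }
    // The boolean argument presumably enables TLS — confirm against GrpcUtils.
    ManagedChannel channel = GrpcUtils.newManagedChannel("testhost", 8888, true, certificate);
    // NOTE(review): nothing is asserted yet, so this test passes whenever channel construction
    // does not throw; it does not show that the certificate is actually used as a trust root.
    // TODO: Verify that the certificate is correctly assigned to the channel

    // Release the channel's resources; the original left the channel open after the test.
    if (channel != null) {
        channel.shutdownNow();
    }
}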
 
Example 4
Source File: ConcurrencyTest.java    From grpc-java with Apache License 2.0
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 */
private Server newServer() throws CertificateException, IOException {
  // Key material for the server's own identity.
  File chainFile = TestUtils.loadCert("server1.pem");
  File keyFile = TestUtils.loadCert("server1.key");
  // CA certificate that client certificates must chain to.
  X509Certificate[] clientIssuers = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  // With ClientAuth.REQUIRE the server demands a client certificate (mutual TLS); a client
  // without one, or with one from another issuer, does not get past the handshake.
  SslContext serverTls =
      GrpcSslContexts.forServer(chainFile, keyFile)
          .trustManager(clientIssuers)
          .clientAuth(ClientAuth.REQUIRE)
          .build();

  // Port 0: bind to an ephemeral port and let callers query it from the started server.
  Server started =
      NettyServerBuilder.forPort(0)
          .sslContext(serverTls)
          .addService(new TestServiceImpl(serverExecutor))
          .build()
          .start();
  return started;
}
 
Example 5
Source File: ConcurrencyTest.java    From grpc-java with Apache License 2.0
/**
 * Creates a TLS client channel to the test server on localhost, with a client certificate.
 */
private ManagedChannel newClientChannel() throws CertificateException, IOException {
  // Certificate chain and private key the client presents to the server.
  File chainFile = TestUtils.loadCert("client.pem");
  File keyFile = TestUtils.loadCert("client.key");
  // The sole CA this client accepts for the server certificate.
  X509Certificate[] serverIssuers = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  SslContext clientTls =
      GrpcSslContexts.forClient()
          .keyManager(chainFile, keyFile)
          .trustManager(serverIssuers)
          .build();

  int port = server.getPort();
  // overrideAuthority substitutes the test host name as the TLS authority, so the server
  // certificate is checked against that name rather than the dialled address "localhost".
  // Acceptable for fixtures; in non-test code this separates hostname verification from the
  // real endpoint.
  ManagedChannel tlsChannel =
      NettyChannelBuilder.forAddress("localhost", port)
          .overrideAuthority(TestUtils.TEST_SERVER_HOST)
          .negotiationType(NegotiationType.TLS)
          .sslContext(clientTls)
          .build();
  return tlsChannel;
}
 
Example 6
Source File: TlsTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Tests that a client and a server configured using GrpcSslContexts can successfully
 * communicate with each other.
 */
@Test
public void basicClientServerIntegrationTest() throws Exception {
  // Server: identity from server1.pem/server1.key; ca.pem is handed to serverBuilder as the
  // set of CAs trusted for client certificates.
  File serverCert = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverCert, serverKey, serverTrustRoots)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client: presents client.pem/client.key and trusts the same CA.
  File clientCert = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  X509Certificate[] clientTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel =
      clientChannel(
          serverPort,
          clientContextBuilder
              .keyManager(clientCert, clientKey)
              .trustManager(clientTrustRoots)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC itself is the check: it crosses the full gRPC and network stack, and a handshake
  // or transport failure would surface as an exception that fails the test.
  stub.unaryRpc(SimpleRequest.getDefaultInstance());
}
 
Example 7
Source File: TlsTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Tests that a server configured to require client authentication actually does require client
 * authentication.
 */
@Test
public void noClientAuthFailure() throws Exception {
  // Server: identity from server1.pem/server1.key; ca.pem is passed as the trusted CA set.
  File serverCert = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverCert, serverKey, serverTrustRoots)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client: trusts the test CA but configures no key manager, so it has no certificate to
  // present when the server asks for one.
  X509Certificate[] clientTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel =
      clientChannel(serverPort, clientContextBuilder.trustManager(clientTrustRoots).build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed.
  SimpleRequest request = SimpleRequest.getDefaultInstance();
  try {
    stub.unaryRpc(request);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException rejected) {
    // The exception wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException, so the cause cannot be matched reliably and
    // only the status code is checked. UNAVAILABLE is typically reported for other connection
    // failures too, so this assertion by itself does not prove the rejection came from the
    // missing client certificate.
    String trace = Throwables.getStackTraceAsString(rejected);
    Status.Code observed = rejected.getStatus().getCode();
    assertEquals(trace, Status.Code.UNAVAILABLE, observed);
  }
}
 
Example 8
Source File: TlsTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Tests that a client configured using GrpcSslContexts refuses to talk to a server that has an
 * untrusted certificate.
 */
@Test
public void clientRejectsUntrustedServerCert() throws Exception {
  // Server: uses the badserver.pem/badserver.key identity, which the client below is expected
  // not to trust.
  File serverCert = TestUtils.loadCert("badserver.pem");
  File serverKey = TestUtils.loadCert("badserver.key");
  X509Certificate[] serverTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverCert, serverKey, serverTrustRoots)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client: valid client credentials, and ca.pem as its only trust root.
  File clientCert = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  X509Certificate[] clientTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel =
      clientChannel(
          serverPort,
          clientContextBuilder
              .keyManager(clientCert, clientKey)
              .trustManager(clientTrustRoots)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed.
  SimpleRequest request = SimpleRequest.getDefaultInstance();
  try {
    stub.unaryRpc(request);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException rejected) {
    // The exception wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException, so the cause cannot be matched reliably and
    // only the status code is checked. UNAVAILABLE is typically reported for other connection
    // failures too, so this assertion by itself does not prove the client's certificate check
    // was what failed.
    // TODO(carl-mastrangelo): eventually replace this with a hamcrest matcher.
    String trace = Throwables.getStackTraceAsString(rejected);
    Status.Code observed = rejected.getStatus().getCode();
    assertEquals(trace, Status.Code.UNAVAILABLE, observed);
  }
}
 
Example 9
Source File: SdsTrustManagerFactoryTest.java    From grpc-java with Apache License 2.0
/** Constructs a CertificateValidationContext from pemFilePath and sets the certificate contents as inline bytes. */
private static final CertificateValidationContext getCertContextFromPathAsInlineBytes(
    String pemFilePath) throws IOException, CertificateException {
  X509Certificate caCert = TestUtils.loadX509Cert(pemFilePath);
  // getEncoded() returns the certificate's DER encoding, so the inline bytes carry the binary
  // certificate rather than the PEM text of the file it was loaded from.
  ByteString encodedCert = ByteString.copyFrom(caCert.getEncoded());
  DataSource.Builder trustedCa = DataSource.newBuilder().setInlineBytes(encodedCert);
  return CertificateValidationContext.newBuilder().setTrustedCa(trustedCa).build();
}
 
Example 10
Source File: TlsTest.java    From grpc-java with Apache License 2.0
/**
 * Tests that a client and a server configured using GrpcSslContexts can successfully
 * communicate with each other.
 */
@Test
public void basicClientServerIntegrationTest() throws Exception {
  // Server side: own identity plus the CA set given to serverBuilder for client certificates.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverSecret = TestUtils.loadCert("server1.key");
  X509Certificate[] serverCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverChain, serverSecret, serverCas)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client side: presents client.pem/client.key and trusts the same CA.
  File clientChain = TestUtils.loadCert("client.pem");
  File clientSecret = TestUtils.loadCert("client.key");
  X509Certificate[] clientCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int boundPort = server.getPort();
  channel =
      clientChannel(
          boundPort,
          clientContextBuilder
              .keyManager(clientChain, clientSecret)
              .trustManager(clientCas)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
      SimpleServiceGrpc.newBlockingStub(channel);

  // A real request over the full gRPC and network stack; completing without an exception is
  // the success condition of this test.
  blockingStub.unaryRpc(SimpleRequest.getDefaultInstance());
}
 
Example 11
Source File: TlsTest.java    From grpc-java with Apache License 2.0
/**
 * Tests that a server configured to require client authentication actually does require client
 * authentication.
 */
@Test
public void noClientAuthFailure() throws Exception {
  // Server side: own identity plus the CA set given to serverBuilder for client certificates.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverSecret = TestUtils.loadCert("server1.key");
  X509Certificate[] serverCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverChain, serverSecret, serverCas)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client side: only a trust root is configured; without a key manager the client has no
  // certificate to offer.
  X509Certificate[] clientCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int boundPort = server.getPort();
  channel = clientChannel(boundPort, clientContextBuilder.trustManager(clientCas).build());
  SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
      SimpleServiceGrpc.newBlockingStub(channel);

  // Expect the call to be refused.
  SimpleRequest emptyRequest = SimpleRequest.getDefaultInstance();
  try {
    blockingStub.unaryRpc(emptyRequest);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException refusal) {
    // gRPC wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException here, so the cause is not inspected and only
    // the status code is compared. Because UNAVAILABLE typically covers other connection
    // failures as well, the assertion does not isolate the missing client certificate as the
    // reason.
    String stackTrace = Throwables.getStackTraceAsString(refusal);
    Status.Code actualCode = refusal.getStatus().getCode();
    assertEquals(stackTrace, Status.Code.UNAVAILABLE, actualCode);
  }
}
 
Example 12
Source File: TlsTest.java    From grpc-java with Apache License 2.0
/**
 * Tests that a client configured using GrpcSslContexts refuses to talk to a server that has an
 * untrusted certificate.
 */
@Test
public void clientRejectsUntrustedServerCert() throws Exception {
  // Server side: deliberately started with the badserver.pem/badserver.key identity.
  File serverChain = TestUtils.loadCert("badserver.pem");
  File serverSecret = TestUtils.loadCert("badserver.key");
  X509Certificate[] serverCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverChain, serverSecret, serverCas)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client side: regular client credentials; ca.pem is the only trust root.
  File clientChain = TestUtils.loadCert("client.pem");
  File clientSecret = TestUtils.loadCert("client.key");
  X509Certificate[] clientCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int boundPort = server.getPort();
  channel =
      clientChannel(
          boundPort,
          clientContextBuilder
              .keyManager(clientChain, clientSecret)
              .trustManager(clientCas)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
      SimpleServiceGrpc.newBlockingStub(channel);

  // Expect the call to be refused.
  SimpleRequest emptyRequest = SimpleRequest.getDefaultInstance();
  try {
    blockingStub.unaryRpc(emptyRequest);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException refusal) {
    // gRPC wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException here, so the cause is not inspected and only
    // the status code is compared. Because UNAVAILABLE typically covers other connection
    // failures as well, the assertion does not isolate the client's certificate check as the
    // reason.
    // TODO(carl-mastrangelo): eventually replace this with a hamcrest matcher.
    String stackTrace = Throwables.getStackTraceAsString(refusal);
    Status.Code actualCode = refusal.getStatus().getCode();
    assertEquals(stackTrace, Status.Code.UNAVAILABLE, actualCode);
  }
}
 
Example 13
Source File: TlsTest.java    From grpc-nebula-java with Apache License 2.0
/**
 * Tests that a server configured to require client authentication refuses to accept connections
 * from a client that has an untrusted certificate.
 */
@Test
public void serverRejectsUntrustedClientCert() throws Exception {
  // Server: requires client authentication and is given only the test CA (ca.pem) as trusted.
  File serverCert = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverCert, serverKey, serverTrustRoots)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client: its credentials (badclient.pem/badclient.key) come from a CA the server does not
  // trust. Only ca.pem is loaded as the client's trust root here; presumably that CA issued
  // server1.pem, so the client accepts the server and a failed handshake is attributable to
  // the server rejecting the client's certificate — confirm against the fixture set.
  File clientCert = TestUtils.loadCert("badclient.pem");
  File clientKey = TestUtils.loadCert("badclient.key");
  X509Certificate[] clientTrustRoots = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel =
      clientChannel(
          serverPort,
          clientContextBuilder
              .keyManager(clientCert, clientKey)
              .trustManager(clientTrustRoots)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed.
  SimpleRequest request = SimpleRequest.getDefaultInstance();
  try {
    stub.unaryRpc(request);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException rejected) {
    // The exception wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException, so the cause cannot be matched reliably and
    // only the status code is checked. UNAVAILABLE is typically reported for other connection
    // failures too, so this assertion by itself does not prove which side refused.
    String trace = Throwables.getStackTraceAsString(rejected);
    Status.Code observed = rejected.getStatus().getCode();
    assertEquals(trace, Status.Code.UNAVAILABLE, observed);
  }
}
 
Example 14
Source File: TlsTest.java    From grpc-java with Apache License 2.0
/**
 * Tests that a server configured to require client authentication refuses to accept connections
 * from a client that has an untrusted certificate.
 */
@Test
public void serverRejectsUntrustedClientCert() throws Exception {
  // Server side: client authentication is required and ca.pem is the only CA passed as
  // trusted.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverSecret = TestUtils.loadCert("server1.key");
  X509Certificate[] serverCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server =
      serverBuilder(0, serverChain, serverSecret, serverCas)
          .addService(new SimpleServiceImpl())
          .build()
          .start();

  // Client side: badclient.pem/badclient.key are issued by a CA the server does not trust.
  // The client's trust roots consist of ca.pem alone; presumably server1.pem chains to it, so
  // the client side of the handshake succeeds and a failure points at the server's rejection
  // of the client certificate — verify against the test certificates.
  File clientChain = TestUtils.loadCert("badclient.pem");
  File clientSecret = TestUtils.loadCert("badclient.key");
  X509Certificate[] clientCas = new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int boundPort = server.getPort();
  channel =
      clientChannel(
          boundPort,
          clientContextBuilder
              .keyManager(clientChain, clientSecret)
              .trustManager(clientCas)
              .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
      SimpleServiceGrpc.newBlockingStub(channel);

  // Expect the call to be refused.
  SimpleRequest emptyRequest = SimpleRequest.getDefaultInstance();
  try {
    blockingStub.unaryRpc(emptyRequest);
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException refusal) {
    // gRPC wraps either javax.net.ssl.SSLHandshakeException or
    // java.nio.channels.ClosedChannelException here, so the cause is not inspected and only
    // the status code is compared. Because UNAVAILABLE typically covers other connection
    // failures as well, the assertion does not establish which peer refused the handshake.
    String stackTrace = Throwables.getStackTraceAsString(refusal);
    Status.Code actualCode = refusal.getStatus().getCode();
    assertEquals(stackTrace, Status.Code.UNAVAILABLE, actualCode);
  }
}