io.grpc.internal.testing.TestUtils#loadX509Cert ( )源码实例Demo


源代码1 项目: grpc-nebula-java   文件: ConcurrencyTest.java
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 */
private Server newServer() throws CertificateException, IOException {
  // Server identity: certificate chain and private key taken from the test resources.
  File certChain = TestUtils.loadCert("server1.pem");
  File privateKey = TestUtils.loadCert("server1.key");
  // Single trust anchor used to validate the certificates that clients present.
  X509Certificate testCa = TestUtils.loadX509Cert("ca.pem");
  X509Certificate[] clientTrustAnchors = new X509Certificate[] {testCa};

  // ClientAuth.REQUIRE makes this a mutual-TLS server: the handshake is meant to fail for a
  // client that presents no certificate, or one that does not chain to the anchor above.
  SslContext mutualTlsContext =
      GrpcSslContexts.forServer(certChain, privateKey)
          .trustManager(clientTrustAnchors)
          .clientAuth(ClientAuth.REQUIRE)
          .build();

  // Port 0 asks for an ephemeral port, so the test never collides with a fixed one.
  Server unstarted =
      NettyServerBuilder.forPort(0)
          .sslContext(mutualTlsContext)
          .addService(new TestServiceImpl(serverExecutor))
          .build();
  return unstarted.start();
}
 
源代码2 项目: grpc-nebula-java   文件: ConcurrencyTest.java
/**
 * Builds a TLS channel to the local test server. The client presents the test client
 * certificate and accepts only server certificates that chain to the test CA.
 */
private ManagedChannel newClientChannel() throws CertificateException, IOException {
  // Client identity for mutual TLS.
  File certChain = TestUtils.loadCert("client.pem");
  File privateKey = TestUtils.loadCert("client.key");
  // Only trust anchor for validating the server: the test CA.
  X509Certificate testCa = TestUtils.loadX509Cert("ca.pem");
  X509Certificate[] serverTrustAnchors = new X509Certificate[] {testCa};

  SslContext clientTlsContext =
      GrpcSslContexts.forClient()
          .keyManager(certChain, privateKey)
          .trustManager(serverTrustAnchors)
          .build();

  // The socket goes to localhost, but the authority is replaced with TEST_SERVER_HOST --
  // presumably the name the test server certificate was issued for (confirm against the
  // test certs). Hostname verification then follows the overridden name, not the address
  // actually dialled, so treat this as a test-fixture arrangement.
  NettyChannelBuilder toLocalServer =
      NettyChannelBuilder.forAddress("localhost", server.getPort());
  return toLocalServer
      .overrideAuthority(TestUtils.TEST_SERVER_HOST)
      .negotiationType(NegotiationType.TLS)
      .sslContext(clientTlsContext)
      .build();
}
 
源代码3 项目: gcp-token-broker   文件: GrpcUtilsTest.java
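@Test
public void testManagedChannelTLSSuccess() {
    // Re-encode the test CA certificate as a PEM string, the form handed to
    // GrpcUtils.newManagedChannel below.
    String certificate;
    try {
        X509Certificate[] trustedCaCerts = {
            TestUtils.loadX509Cert("ca.pem")
        };
        // NOTE(review): the Base64 body is emitted as one unwrapped line. Lenient PEM parsers
        // accept that, but strict ones expect 64-character lines; confirm the consumer.
        certificate =
            "-----BEGIN CERTIFICATE-----\n" +
            Base64.getEncoder().encodeToString(trustedCaCerts[0].getEncoded()) + "\n" +
            "-----END CERTIFICATE-----";
    } catch (CertificateException | IOException e) {
        // Keep the cause so a broken test resource is diagnosable from the failure.
        throw new RuntimeException(e);
    }
    ManagedChannel channel = GrpcUtils.newManagedChannel("testhost", 8888, true, certificate);
    try {
        // TODO: Verify that the certificate is correctly assigned to the channel
        // Until that check exists, this test only shows that building a TLS channel from the
        // PEM string does not throw; it does not show that the CA is actually used as the
        // trust anchor.
    } finally {
        // Release the channel's resources; the original left the channel open.
        channel.shutdownNow();
    }
}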
 
源代码4 项目: grpc-java   文件: ConcurrencyTest.java
/**
 * Creates and starts a new {@link TestServiceImpl} server.
 */
private Server newServer() throws CertificateException, IOException {
  // Key material the server presents during the TLS handshake.
  File identityChain = TestUtils.loadCert("server1.pem");
  File identityKey = TestUtils.loadCert("server1.key");
  // CA certificates accepted as issuers of client certificates (only the test CA).
  X509Certificate[] acceptedClientIssuers =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  // With ClientAuth.REQUIRE the server demands a client certificate, i.e. mutual TLS;
  // a client with no certificate, or one from another issuer, should not get past the
  // handshake.
  SslContext serverTls =
      GrpcSslContexts.forServer(identityChain, identityKey)
          .trustManager(acceptedClientIssuers)
          .clientAuth(ClientAuth.REQUIRE)
          .build();

  // Bind to port 0 so that an unused port is chosen at start time.
  NettyServerBuilder secured = NettyServerBuilder.forPort(0).sslContext(serverTls);
  return secured.addService(new TestServiceImpl(serverExecutor)).build().start();
}
 
源代码5 项目: grpc-java   文件: ConcurrencyTest.java
/**
 * Opens a mutual-TLS channel to the test server listening on localhost, using the test
 * client certificate and the test CA as the only trust anchor.
 */
private ManagedChannel newClientChannel() throws CertificateException, IOException {
  File identityChain = TestUtils.loadCert("client.pem");
  File identityKey = TestUtils.loadCert("client.key");
  // The client accepts a server certificate only if it chains to this CA.
  X509Certificate[] acceptedServerIssuers =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};

  SslContext clientTls =
      GrpcSslContexts.forClient()
          .keyManager(identityChain, identityKey)
          .trustManager(acceptedServerIssuers)
          .build();

  int serverPort = server.getPort();
  // overrideAuthority swaps the authority used for the connection; it looks like the test
  // server certificate names TEST_SERVER_HOST rather than "localhost" (confirm against the
  // test certs). Outside a test fixture, overriding the authority changes which name the
  // server certificate is verified against, so it needs the same care as the trust anchors.
  return NettyChannelBuilder.forAddress("localhost", serverPort)
      .overrideAuthority(TestUtils.TEST_SERVER_HOST)
      .negotiationType(NegotiationType.TLS)
      .sslContext(clientTls)
      .build();
}
 
源代码6 项目: grpc-nebula-java   文件: TlsTest.java
/**
 * Tests that a client and a server configured using GrpcSslContexts can successfully
 * communicate with each other.
 */
@Test
public void basicClientServerIntegrationTest() throws Exception {
  // Server side: identity from server1.pem/server1.key, client certificates validated
  // against the test CA only.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server = serverBuilder(0, serverChain, serverKey, serverTrustAnchors)
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Client side: presents client.pem/client.key and trusts the same test CA.
  File clientChain = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  X509Certificate[] clientTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel = clientChannel(
      serverPort,
      clientContextBuilder
          .keyManager(clientChain, clientKey)
          .trustManager(clientTrustAnchors)
          .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // Positive case: the RPC travels over the real gRPC and network stack. There is no
  // assertion on the response; the test passes when the call returns without throwing.
  stub.unaryRpc(SimpleRequest.getDefaultInstance());
}
 
源代码7 项目: grpc-nebula-java   文件: TlsTest.java
/**
 * Tests that a server configured to require client authentication actually does require client
 * authentication.
 */
@Test
public void noClientAuthFailure() throws Exception {
  // Server side: same key material and trust anchor as the positive test.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server = serverBuilder(0, serverChain, serverKey, serverTrustAnchors)
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Client side: trust anchors only. No keyManager call is made here, so this method
  // configures no client certificate.
  X509Certificate[] clientTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel = clientChannel(
      serverPort,
      clientContextBuilder.trustManager(clientTrustAnchors).build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed.
  StatusRuntimeException rpcFailure = null;
  try {
    stub.unaryRpc(SimpleRequest.getDefaultInstance());
  } catch (StatusRuntimeException e) {
    rpcFailure = e;
  }
  if (rpcFailure == null) {
    fail("TLS handshake should have failed, but didn't; received RPC response");
  }
  // gRPC wraps either a javax.net.ssl.SSLHandshakeException or a
  // java.nio.channels.ClosedChannelException here, so the cause cannot be matched reliably.
  // Only the status code is checked; UNAVAILABLE is a broad code, so this does not by itself
  // prove the failure came from the missing client certificate. The stack trace is passed as
  // the assertion message to help diagnose an unexpected code.
  assertEquals(
      Throwables.getStackTraceAsString(rpcFailure),
      Status.Code.UNAVAILABLE, rpcFailure.getStatus().getCode());
}
 
源代码8 项目: grpc-nebula-java   文件: TlsTest.java
/**
 * Tests that a client configured using GrpcSslContexts refuses to talk to a server that has an
 * untrusted certificate.
 */
@Test
public void clientRejectsUntrustedServerCert() throws Exception {
  // Server side: presents badserver.pem -- presumably not issued by the test CA that the
  // client trusts (confirm against the test certs).
  File untrustedChain = TestUtils.loadCert("badserver.pem");
  File untrustedKey = TestUtils.loadCert("badserver.key");
  X509Certificate[] serverTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server = serverBuilder(0, untrustedChain, untrustedKey, serverTrustAnchors)
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Client side: valid client credentials, and ca.pem as the only trust anchor.
  File clientChain = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  X509Certificate[] clientTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel = clientChannel(
      serverPort,
      clientContextBuilder
          .keyManager(clientChain, clientKey)
          .trustManager(clientTrustAnchors)
          .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed: the client is expected to reject the server certificate.
  try {
    stub.unaryRpc(SimpleRequest.getDefaultInstance());
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException rpcFailure) {
    // The wrapped cause is either a javax.net.ssl.SSLHandshakeException or a
    // java.nio.channels.ClosedChannelException, so only the status code is asserted.
    // UNAVAILABLE is broad; the stack trace is supplied as the assertion message.
    // TODO(carl-mastrangelo): eventually replace this with a hamcrest matcher.
    assertEquals(
        Throwables.getStackTraceAsString(rpcFailure),
        Status.Code.UNAVAILABLE, rpcFailure.getStatus().getCode());
  }
}
 
源代码9 项目: grpc-java   文件: SdsTrustManagerFactoryTest.java
/** constructs CertificateValidationContext from pemFilePath and sets contents as inline-bytes. */
private static final CertificateValidationContext getCertContextFromPathAsInlineBytes(
    String pemFilePath) throws IOException, CertificateException {
  // The certificate is parsed first and then re-encoded: getEncoded() yields its DER form,
  // so the inline bytes are DER, not the PEM text of the file.
  // NOTE(review): confirm the consumer of the trusted CA accepts DER input.
  byte[] encodedCert = TestUtils.loadX509Cert(pemFilePath).getEncoded();
  DataSource.Builder trustedCa =
      DataSource.newBuilder().setInlineBytes(ByteString.copyFrom(encodedCert));
  return CertificateValidationContext.newBuilder().setTrustedCa(trustedCa).build();
}
 
源代码10 项目: grpc-java   文件: TlsTest.java
/**
 * Tests that a client and a server configured using GrpcSslContexts can successfully
 * communicate with each other.
 */
@Test
public void basicClientServerIntegrationTest() throws Exception {
  // Start a server that presents server1.pem and validates clients against the test CA.
  File srvCert = TestUtils.loadCert("server1.pem");
  File srvKey = TestUtils.loadCert("server1.key");
  X509Certificate srvCa = TestUtils.loadX509Cert("ca.pem");
  server = serverBuilder(0, srvCert, srvKey, new X509Certificate[] {srvCa})
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Build a client that presents client.pem and validates the server against the test CA.
  File cliCert = TestUtils.loadCert("client.pem");
  File cliKey = TestUtils.loadCert("client.key");
  X509Certificate cliCa = TestUtils.loadX509Cert("ca.pem");
  channel = clientChannel(server.getPort(), clientContextBuilder
      .keyManager(cliCert, cliKey)
      .trustManager(new X509Certificate[] {cliCa})
      .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub rpc = SimpleServiceGrpc.newBlockingStub(channel);

  // Both sides hold credentials the other side trusts, so the handshake and the RPC are
  // expected to succeed. Success is "no exception"; the response itself is not inspected.
  rpc.unaryRpc(SimpleRequest.getDefaultInstance());
}
 
源代码11 项目: grpc-java   文件: TlsTest.java
/**
 * Tests that a server configured to require client authentication actually does require client
 * authentication.
 */
@Test
public void noClientAuthFailure() throws Exception {
  // Start a server that presents server1.pem and validates clients against the test CA.
  File srvCert = TestUtils.loadCert("server1.pem");
  File srvKey = TestUtils.loadCert("server1.key");
  X509Certificate srvCa = TestUtils.loadX509Cert("ca.pem");
  server = serverBuilder(0, srvCert, srvKey, new X509Certificate[] {srvCa})
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Build a client with trust anchors but no key manager call, i.e. no client certificate
  // is configured by this method.
  X509Certificate cliCa = TestUtils.loadX509Cert("ca.pem");
  channel = clientChannel(server.getPort(), clientContextBuilder
      .trustManager(new X509Certificate[] {cliCa})
      .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub rpc = SimpleServiceGrpc.newBlockingStub(channel);

  // A completed RPC would mean the server accepted an unauthenticated client.
  StatusRuntimeException observed = null;
  try {
    rpc.unaryRpc(SimpleRequest.getDefaultInstance());
  } catch (StatusRuntimeException e) {
    observed = e;
  }
  if (observed == null) {
    fail("TLS handshake should have failed, but didn't; received RPC response");
  }
  // The exception wraps either a javax.net.ssl.SSLHandshakeException or a
  // java.nio.channels.ClosedChannelException, so the cause is not matched; only the
  // UNAVAILABLE status code is. That code is broad, so the stack trace is passed as the
  // assertion message for diagnosis.
  assertEquals(
      Throwables.getStackTraceAsString(observed),
      Status.Code.UNAVAILABLE, observed.getStatus().getCode());
}
 
源代码12 项目: grpc-java   文件: TlsTest.java
/**
 * Tests that a client configured using GrpcSslContexts refuses to talk to a server that has an
 * untrusted certificate.
 */
@Test
public void clientRejectsUntrustedServerCert() throws Exception {
  // Start a server whose identity is badserver.pem; presumably that certificate does not
  // chain to ca.pem (confirm against the test certs).
  File srvCert = TestUtils.loadCert("badserver.pem");
  File srvKey = TestUtils.loadCert("badserver.key");
  X509Certificate srvCa = TestUtils.loadX509Cert("ca.pem");
  server = serverBuilder(0, srvCert, srvKey, new X509Certificate[] {srvCa})
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Build a client with valid credentials that trusts ca.pem and nothing else.
  File cliCert = TestUtils.loadCert("client.pem");
  File cliKey = TestUtils.loadCert("client.key");
  X509Certificate cliCa = TestUtils.loadX509Cert("ca.pem");
  channel = clientChannel(server.getPort(), clientContextBuilder
      .keyManager(cliCert, cliKey)
      .trustManager(new X509Certificate[] {cliCa})
      .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub rpc = SimpleServiceGrpc.newBlockingStub(channel);

  // A completed RPC would mean the client accepted a server certificate it should not trust.
  StatusRuntimeException observed = null;
  try {
    rpc.unaryRpc(SimpleRequest.getDefaultInstance());
  } catch (StatusRuntimeException e) {
    observed = e;
  }
  if (observed == null) {
    fail("TLS handshake should have failed, but didn't; received RPC response");
  }
  // The exception wraps either a javax.net.ssl.SSLHandshakeException or a
  // java.nio.channels.ClosedChannelException, so only the status code is asserted.
  // TODO(carl-mastrangelo): eventually replace this with a hamcrest matcher.
  assertEquals(
      Throwables.getStackTraceAsString(observed),
      Status.Code.UNAVAILABLE, observed.getStatus().getCode());
}
 
源代码13 项目: grpc-nebula-java   文件: TlsTest.java
/**
 * Tests that a server configured to require client authentication refuses to accept connections
 * from a client that has an untrusted certificate.
 */
@Test
public void serverRejectsUntrustedClientCert() throws Exception {
  // Server side: trusts only the test CA for client certificates. Whether client
  // authentication is required is decided inside serverBuilder, which is not shown here.
  File serverChain = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  X509Certificate[] serverTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  server = serverBuilder(0, serverChain, serverKey, serverTrustAnchors)
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Client side: presents badclient.pem, presumably issued by a CA the server does not
  // trust (confirm against the test certs). The trust array below holds ca.pem only, the
  // anchor the other tests use to accept server1.pem, so a handshake failure should come
  // from the server rejecting the client's cert, not the client rejecting the server's.
  File untrustedChain = TestUtils.loadCert("badclient.pem");
  File untrustedKey = TestUtils.loadCert("badclient.key");
  X509Certificate[] clientTrustAnchors =
      new X509Certificate[] {TestUtils.loadX509Cert("ca.pem")};
  int serverPort = server.getPort();
  channel = clientChannel(
      serverPort,
      clientContextBuilder
          .keyManager(untrustedChain, untrustedKey)
          .trustManager(clientTrustAnchors)
          .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub stub = SimpleServiceGrpc.newBlockingStub(channel);

  // The RPC must not succeed.
  try {
    stub.unaryRpc(SimpleRequest.getDefaultInstance());
    fail("TLS handshake should have failed, but didn't; received RPC response");
  } catch (StatusRuntimeException rpcFailure) {
    // The wrapped cause is either a javax.net.ssl.SSLHandshakeException or a
    // java.nio.channels.ClosedChannelException, so only the status code is asserted.
    // UNAVAILABLE is broad; the stack trace is supplied as the assertion message.
    assertEquals(
        Throwables.getStackTraceAsString(rpcFailure),
        Status.Code.UNAVAILABLE, rpcFailure.getStatus().getCode());
  }
}
 
源代码14 项目: grpc-java   文件: TlsTest.java
/**
 * Tests that a server configured to require client authentication refuses to accept connections
 * from a client that has an untrusted certificate.
 */
@Test
public void serverRejectsUntrustedClientCert() throws Exception {
  // Start a server that presents server1.pem and accepts only the test CA as an issuer of
  // client certificates. The client-auth requirement itself is set in serverBuilder, which
  // is outside this method.
  File srvCert = TestUtils.loadCert("server1.pem");
  File srvKey = TestUtils.loadCert("server1.key");
  X509Certificate srvCa = TestUtils.loadX509Cert("ca.pem");
  server = serverBuilder(0, srvCert, srvKey, new X509Certificate[] {srvCa})
      .addService(new SimpleServiceImpl())
      .build()
      .start();

  // Build a client whose identity is badclient.pem; presumably that certificate does not
  // chain to ca.pem (confirm against the test certs). Only ca.pem is loaded as the client's
  // trust anchor here, the same anchor the other tests use to accept server1.pem, so a
  // failure is expected to be the server's rejection of the client certificate.
  File cliCert = TestUtils.loadCert("badclient.pem");
  File cliKey = TestUtils.loadCert("badclient.key");
  X509Certificate cliCa = TestUtils.loadX509Cert("ca.pem");
  channel = clientChannel(server.getPort(), clientContextBuilder
      .keyManager(cliCert, cliKey)
      .trustManager(new X509Certificate[] {cliCa})
      .build());
  SimpleServiceGrpc.SimpleServiceBlockingStub rpc = SimpleServiceGrpc.newBlockingStub(channel);

  // A completed RPC would mean the server accepted a client certificate it should not trust.
  StatusRuntimeException observed = null;
  try {
    rpc.unaryRpc(SimpleRequest.getDefaultInstance());
  } catch (StatusRuntimeException e) {
    observed = e;
  }
  if (observed == null) {
    fail("TLS handshake should have failed, but didn't; received RPC response");
  }
  // The exception wraps either a javax.net.ssl.SSLHandshakeException or a
  // java.nio.channels.ClosedChannelException, so the cause is not matched; only the
  // UNAVAILABLE status code is, with the stack trace as the assertion message.
  assertEquals(
      Throwables.getStackTraceAsString(observed),
      Status.Code.UNAVAILABLE, observed.getStatus().getCode());
}