All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.grpc.TlsChannelCredentials Maven / Gradle / Ivy

/*
 * Copyright 2020 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc;

import com.google.common.io.ByteStreams;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;

/**
 * TLS credentials, providing server authentication and encryption. Consumers of this credential
 * must verify they understand the configuration via the {@link #incomprehensible
 * incomprehensible()} method. Unless overridden by a {@code Feature}, server verification should
 * use customary default root certificates.
 */
public final class TlsChannelCredentials extends ChannelCredentials {
  /** Use TLS with its defaults. */
  public static ChannelCredentials create() {
    return newBuilder().build();
  }

  private final boolean fakeFeature;
  private final byte[] certificateChain;
  private final byte[] privateKey;
  private final String privateKeyPassword;
  private final List keyManagers;
  private final byte[] rootCertificates;
  private final List trustManagers;

  TlsChannelCredentials(Builder builder) {
    fakeFeature = builder.fakeFeature;
    certificateChain = builder.certificateChain;
    privateKey = builder.privateKey;
    privateKeyPassword = builder.privateKeyPassword;
    keyManagers = builder.keyManagers;
    rootCertificates = builder.rootCertificates;
    trustManagers = builder.trustManagers;
  }

  /**
   * The certificate chain for the client's identity, as a new byte array. Generally should be
   * PEM-encoded. If {@code null}, some feature is providing key manager information via a different
   * method or no client identity is available.
   */
  public byte[] getCertificateChain() {
    if (certificateChain == null) {
      return null;
    }
    return Arrays.copyOf(certificateChain, certificateChain.length);
  }

  /**
   * The private key for the client's identity, as a new byte array. Generally should be in PKCS#8
   * format. If encrypted, {@link #getPrivateKeyPassword} is the decryption key. If unencrypted, the
   * password will be {@code null}. If {@code null}, some feature is providing key manager
   * information via a different method or no client identity is available.
   */
  public byte[] getPrivateKey() {
    if (privateKey == null) {
      return null;
    }
    return Arrays.copyOf(privateKey, privateKey.length);
  }

  /** Returns the password to decrypt the private key, or {@code null} if unencrypted. */
  public String getPrivateKeyPassword() {
    return privateKeyPassword;
  }

  /**
   * Returns the key manager list which provides the client's identity. Entries are scanned checking
   * for specific types, like {@link javax.net.ssl.X509KeyManager}. Only a single entry for a type
   * is used. Entries earlier in the list are higher priority. If {@code null}, key manager
   * information is provided via a different method or no client identity is available.
   */
  public List getKeyManagers() {
    return keyManagers;
  }

  /**
   * Root trust certificates for verifying the server's identity that override the system's
   * defaults. Generally PEM-encoded with multiple certificates concatenated.
   */
  public byte[] getRootCertificates() {
    if (rootCertificates == null) {
      return null;
    }
    return Arrays.copyOf(rootCertificates, rootCertificates.length);
  }

  /**
   * Returns the trust manager list which verifies the server's identity. Entries are scanned
   * checking for specific types, like {@link javax.net.ssl.X509TrustManager}. Only a single entry
   * for a type is used. Entries earlier in the list are higher priority. If {@code null}, trust
   * manager information is provided via the system's default or a different method.
   */
  public List getTrustManagers() {
    return trustManagers;
  }

  /**
   * Returns an empty set if this credential can be adequately understood via
   * the features listed, otherwise returns a hint of features that are lacking
   * to understand the configuration to be used for manual debugging.
   *
   * 

An "understood" feature does not imply the caller is able to fully * handle the feature. It simply means the caller understands the feature * enough to use the appropriate APIs to read the configuration. The caller * may support just a subset of a feature, in which case the caller would * need to look at the configuration to determine if only the supported * subset is used. * *

This method may not be as simple as a set difference. There may be * multiple features that can independently satisfy a piece of configuration. * If the configuration is incomprehensible, all such features would be * returned, even though only one may be necessary. * *

An empty set does not imply that the credentials are fully understood. * There may be optional configuration that can be ignored if not understood. * *

Since {@code Feature} is an {@code enum}, {@code understoodFeatures} * should generally be an {@link java.util.EnumSet}. {@code * understoodFeatures} will not be modified. * * @param understoodFeatures the features understood by the caller * @return empty set if the caller can adequately understand the configuration */ public Set incomprehensible(Set understoodFeatures) { Set incomprehensible = EnumSet.noneOf(Feature.class); if (fakeFeature) { requiredFeature(understoodFeatures, incomprehensible, Feature.FAKE); } if (rootCertificates != null || privateKey != null || keyManagers != null) { requiredFeature(understoodFeatures, incomprehensible, Feature.MTLS); } if (keyManagers != null || trustManagers != null) { requiredFeature(understoodFeatures, incomprehensible, Feature.CUSTOM_MANAGERS); } return Collections.unmodifiableSet(incomprehensible); } private static void requiredFeature( Set understoodFeatures, Set incomprehensible, Feature feature) { if (!understoodFeatures.contains(feature)) { incomprehensible.add(feature); } } @Override public ChannelCredentials withoutBearerTokens() { return this; } /** * Features to understand TLS configuration. Additional enum values may be added in the future. */ public enum Feature { /** * A feature that no consumer should understand. It should be used for unit testing to confirm * a call to {@link #incomprehensible incomprehensible()} is implemented properly. */ FAKE, /** * Client identity may be provided and server verification can be tuned. This feature requires * observing {@link #getCertificateChain}, {@link #getPrivateKey}, and {@link * #getPrivateKeyPassword} as well as {@link #getRootCertificates()}. The certificate chain and * private key are used to configure a key manager to provide the client's identity. If no * certificate chain and private key are provided the client will have no identity. The root * certificates are used to configure a trust manager for verifying the server's identity. If no * root certificates are provided the trust manager will default to the system's root * certificates. */ MTLS, /** * Key managers and trust managers may be specified as {@link KeyManager} and {@link * TrustManager} objects. This feature requires observing {@link #getKeyManagers()} and {@link * #getTrustManagers()}. Generally {@link #MTLS} should also be supported, as that is the more * common method of configuration. When a manager is non-{@code null}, then it is wholly * responsible for key or trust material and usage; there is no need to check other manager * sources like {@link #getCertificateChain()} or {@link #getPrivateKey()} (if {@code * KeyManager} is available), or {@link #getRootCertificates()} (if {@code TrustManager} is * available). * *

If other manager sources are available (e.g., {@code getPrivateKey() != null}), then they * may be alternative representations of the same configuration and the consumer is free to use * those alternative representations if it prefers. But before doing so it must first * check that it understands that alternative representation by using {@link #incomprehensible} * without the {@code CUSTOM_MANAGERS} feature. */ CUSTOM_MANAGERS, ; } /** Creates a builder for changing default configuration. */ public static Builder newBuilder() { return new Builder(); } /** Builder for {@link TlsChannelCredentials}. */ public static final class Builder { private boolean fakeFeature; private byte[] certificateChain; private byte[] privateKey; private String privateKeyPassword; private List keyManagers; private byte[] rootCertificates; private List trustManagers; private Builder() {} /** * Requires {@link Feature#FAKE} to be understood. For use in testing consumers of this * credential. */ public Builder requireFakeFeature() { fakeFeature = true; return this; } /** * Use the provided certificate chain and private key as the client's identity. Generally they * should be PEM-encoded and the key is an unencrypted PKCS#8 key (file headers have "BEGIN * CERTIFICATE" and "BEGIN PRIVATE KEY"). */ public Builder keyManager(File certChain, File privateKey) throws IOException { return keyManager(certChain, privateKey, null); } /** * Use the provided certificate chain and possibly-encrypted private key as the client's * identity. Generally they should be PEM-encoded and the key is a PKCS#8 key. If the private * key is unencrypted, then password must be {@code null}. */ public Builder keyManager(File certChain, File privateKey, String privateKeyPassword) throws IOException { InputStream certChainIs = new FileInputStream(certChain); try { InputStream privateKeyIs = new FileInputStream(privateKey); try { return keyManager(certChainIs, privateKeyIs, privateKeyPassword); } finally { privateKeyIs.close(); } } finally { certChainIs.close(); } } /** * Use the provided certificate chain and private key as the client's identity. Generally they * should be PEM-encoded and the key is an unencrypted PKCS#8 key (file headers have "BEGIN * CERTIFICATE" and "BEGIN PRIVATE KEY"). */ public Builder keyManager(InputStream certChain, InputStream privateKey) throws IOException { return keyManager(certChain, privateKey, null); } /** * Use the provided certificate chain and possibly-encrypted private key as the client's * identity. Generally they should be PEM-encoded and the key is a PKCS#8 key. If the private * key is unencrypted, then password must be {@code null}. */ public Builder keyManager( InputStream certChain, InputStream privateKey, String privateKeyPassword) throws IOException { byte[] certChainBytes = ByteStreams.toByteArray(certChain); byte[] privateKeyBytes = ByteStreams.toByteArray(privateKey); clearKeyManagers(); this.certificateChain = certChainBytes; this.privateKey = privateKeyBytes; this.privateKeyPassword = privateKeyPassword; return this; } /** * Have the provided key manager select the client's identity. Although multiple are allowed, * only the first instance implementing a particular interface is used. So generally there will * just be a single entry and it implements {@link javax.net.ssl.X509KeyManager}. */ public Builder keyManager(KeyManager... keyManagers) { List keyManagerList = Collections.unmodifiableList(new ArrayList<>( Arrays.asList(keyManagers))); clearKeyManagers(); this.keyManagers = keyManagerList; return this; } private void clearKeyManagers() { this.certificateChain = null; this.privateKey = null; this.privateKeyPassword = null; this.keyManagers = null; } /** * Use the provided root certificates to verify the server's identity instead of the system's * default. Generally they should be PEM-encoded with all the certificates concatenated together * (file header has "BEGIN CERTIFICATE", and would occur once per certificate). */ public Builder trustManager(File rootCerts) throws IOException { InputStream rootCertsIs = new FileInputStream(rootCerts); try { return trustManager(rootCertsIs); } finally { rootCertsIs.close(); } } /** * Use the provided root certificates to verify the server's identity instead of the system's * default. Generally they should be PEM-encoded with all the certificates concatenated together * (file header has "BEGIN CERTIFICATE", and would occur once per certificate). */ public Builder trustManager(InputStream rootCerts) throws IOException { byte[] rootCertsBytes = ByteStreams.toByteArray(rootCerts); clearTrustManagers(); this.rootCertificates = rootCertsBytes; return this; } /** * Have the provided trust manager verify the server's identity instead of the system's default. * Although multiple are allowed, only the first instance implementing a particular interface is * used. So generally there will just be a single entry and it implements {@link * javax.net.ssl.X509TrustManager}. */ public Builder trustManager(TrustManager... trustManagers) { List trustManagerList = Collections.unmodifiableList(new ArrayList<>( Arrays.asList(trustManagers))); clearTrustManagers(); this.trustManagers = trustManagerList; return this; } private void clearTrustManagers() { this.rootCertificates = null; this.trustManagers = null; } /** Construct the credentials. */ public ChannelCredentials build() { return new TlsChannelCredentials(this); } } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy