/* * Copyright 2020 The gRPC Authors * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package io.grpc; import com.google.common.io.ByteStreams; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.EnumSet; import java.util.List; import java.util.Set; import javax.net.ssl.KeyManager; import javax.net.ssl.TrustManager; /** * TLS credentials, providing server authentication and encryption. Consumers of this credential * must verify they understand the configuration via the {@link #incomprehensible * incomprehensible()} method. Unless overridden by a {@code Feature}, server verification should * use customary default root certificates. */ public final class TlsChannelCredentials extends ChannelCredentials { /** Use TLS with its defaults. */ public static ChannelCredentials create() { return newBuilder().build(); } private final boolean fakeFeature; private final byte[] certificateChain; private final byte[] privateKey; private final String privateKeyPassword; private final List keyManagers; private final byte[] rootCertificates; private final List trustManagers; TlsChannelCredentials(Builder builder) { fakeFeature = builder.fakeFeature; certificateChain = builder.certificateChain; privateKey = builder.privateKey; privateKeyPassword = builder.privateKeyPassword; keyManagers = builder.keyManagers; rootCertificates = builder.rootCertificates; trustManagers = builder.trustManagers; } /** * The certificate chain for the client's identity, as a new byte array. Generally should be * PEM-encoded. If {@code null}, some feature is providing key manager information via a different * method or no client identity is available. */ public byte[] getCertificateChain() { if (certificateChain == null) { return null; } return Arrays.copyOf(certificateChain, certificateChain.length); } /** * The private key for the client's identity, as a new byte array. Generally should be in PKCS#8 * format. If encrypted, {@link #getPrivateKeyPassword} is the decryption key. If unencrypted, the * password will be {@code null}. If {@code null}, some feature is providing key manager * information via a different method or no client identity is available. */ public byte[] getPrivateKey() { if (privateKey == null) { return null; } return Arrays.copyOf(privateKey, privateKey.length); } /** Returns the password to decrypt the private key, or {@code null} if unencrypted. */ public String getPrivateKeyPassword() { return privateKeyPassword; } /** * Returns the key manager list which provides the client's identity. Entries are scanned checking * for specific types, like {@link javax.net.ssl.X509KeyManager}. Only a single entry for a type * is used. Entries earlier in the list are higher priority. If {@code null}, key manager * information is provided via a different method or no client identity is available. */ public List getKeyManagers() { return keyManagers; } /** * Root trust certificates for verifying the server's identity that override the system's * defaults. Generally PEM-encoded with multiple certificates concatenated. */ public byte[] getRootCertificates() { if (rootCertificates == null) { return null; } return Arrays.copyOf(rootCertificates, rootCertificates.length); } /** * Returns the trust manager list which verifies the server's identity. Entries are scanned * checking for specific types, like {@link javax.net.ssl.X509TrustManager}. Only a single entry * for a type is used. Entries earlier in the list are higher priority. If {@code null}, trust * manager information is provided via the system's default or a different method. */ public List getTrustManagers() { return trustManagers; } /** * Returns an empty set if this credential can be adequately understood via * the features listed, otherwise returns a hint of features that are lacking * to understand the configuration to be used for manual debugging. * *

An "understood" feature does not imply the caller is able to fully * handle the feature. It simply means the caller understands the feature * enough to use the appropriate APIs to read the configuration. The caller * may support just a subset of a feature, in which case the caller would * need to look at the configuration to determine if only the supported * subset is used. * *

This method may not be as simple as a set difference. There may be * multiple features that can independently satisfy a piece of configuration. * If the configuration is incomprehensible, all such features would be * returned, even though only one may be necessary. * *

An empty set does not imply that the credentials are fully understood. * There may be optional configuration that can be ignored if not understood. * *

Since {@code Feature} is an {@code enum}, {@code understoodFeatures} * should generally be an {@link java.util.EnumSet}. {@code * understoodFeatures} will not be modified. * * @param understoodFeatures the features understood by the caller * @return empty set if the caller can adequately understand the configuration */ public Set incomprehensible(Set understoodFeatures) { Set incomprehensible = EnumSet.noneOf(Feature.class); if (fakeFeature) { requiredFeature(understoodFeatures, incomprehensible, Feature.FAKE); } if (rootCertificates != null || privateKey != null || keyManagers != null) { requiredFeature(understoodFeatures, incomprehensible, Feature.MTLS); } if (keyManagers != null || trustManagers != null) { requiredFeature(understoodFeatures, incomprehensible, Feature.CUSTOM_MANAGERS); } return Collections.unmodifiableSet(incomprehensible); } private static void requiredFeature( Set understoodFeatures, Set incomprehensible, Feature feature) { if (!understoodFeatures.contains(feature)) { incomprehensible.add(feature); } } @Override public ChannelCredentials withoutBearerTokens() { return this; } /** * Features to understand TLS configuration. Additional enum values may be added in the future. */ public enum Feature { /** * A feature that no consumer should understand. It should be used for unit testing to confirm * a call to {@link #incomprehensible incomprehensible()} is implemented properly. */ FAKE, /** * Client identity may be provided and server verification can be tuned. This feature requires * observing {@link #getCertificateChain}, {@link #getPrivateKey}, and {@link * #getPrivateKeyPassword} as well as {@link #getRootCertificates()}. The certificate chain and * private key are used to configure a key manager to provide the client's identity. If no * certificate chain and private key are provided the client will have no identity. The root * certificates are used to configure a trust manager for verifying the server's identity. If no * root certificates are provided the trust manager will default to the system's root * certificates. */ MTLS, /** * Key managers and trust managers may be specified as {@link KeyManager} and {@link * TrustManager} objects. This feature requires observing {@link #getKeyManagers()} and {@link * #getTrustManagers()}. Generally {@link #MTLS} should also be supported, as that is the more * common method of configuration. When a manager is non-{@code null}, then it is wholly * responsible for key or trust material and usage; there is no need to check other manager * sources like {@link #getCertificateChain()} or {@link #getPrivateKey()} (if {@code * KeyManager} is available), or {@link #getRootCertificates()} (if {@code TrustManager} is * available). * *

If other manager sources are available (e.g., {@code getPrivateKey() != null}), then they * may be alternative representations of the same configuration and the consumer is free to use * those alternative representations if it prefers. But before doing so it must first * check that it understands that alternative representation by using {@link #incomprehensible} * without the {@code CUSTOM_MANAGERS} feature. */ CUSTOM_MANAGERS, ; } /** Creates a builder for changing default configuration. */ public static Builder newBuilder() { return new Builder(); } /** Builder for {@link TlsChannelCredentials}. */ public static final class Builder { private boolean fakeFeature; private byte[] certificateChain; private byte[] privateKey; private String privateKeyPassword; private List keyManagers; private byte[] rootCertificates; private List trustManagers; private Builder() {} /** * Requires {@link Feature#FAKE} to be understood. For use in testing consumers of this * credential. */ public Builder requireFakeFeature() { fakeFeature = true; return this; } /** * Use the provided certificate chain and private key as the client's identity. Generally they * should be PEM-encoded and the key is an unencrypted PKCS#8 key (file headers have "BEGIN * CERTIFICATE" and "BEGIN PRIVATE KEY"). */ public Builder keyManager(File certChain, File privateKey) throws IOException { return keyManager(certChain, privateKey, null); } /** * Use the provided certificate chain and possibly-encrypted private key as the client's * identity. Generally they should be PEM-encoded and the key is a PKCS#8 key. If the private * key is unencrypted, then password must be {@code null}. */ public Builder keyManager(File certChain, File privateKey, String privateKeyPassword) throws IOException { InputStream certChainIs = new FileInputStream(certChain); try { InputStream privateKeyIs = new FileInputStream(privateKey); try { return keyManager(certChainIs, privateKeyIs, privateKeyPassword); } finally { privateKeyIs.close(); } } finally { certChainIs.close(); } } /** * Use the provided certificate chain and private key as the client's identity. Generally they * should be PEM-encoded and the key is an unencrypted PKCS#8 key (file headers have "BEGIN * CERTIFICATE" and "BEGIN PRIVATE KEY"). */ public Builder keyManager(InputStream certChain, InputStream privateKey) throws IOException { return keyManager(certChain, privateKey, null); } /** * Use the provided certificate chain and possibly-encrypted private key as the client's * identity. Generally they should be PEM-encoded and the key is a PKCS#8 key. If the private * key is unencrypted, then password must be {@code null}. */ public Builder keyManager( InputStream certChain, InputStream privateKey, String privateKeyPassword) throws IOException { byte[] certChainBytes = ByteStreams.toByteArray(certChain); byte[] privateKeyBytes = ByteStreams.toByteArray(privateKey); clearKeyManagers(); this.certificateChain = certChainBytes; this.privateKey = privateKeyBytes; this.privateKeyPassword = privateKeyPassword; return this; } /** * Have the provided key manager select the client's identity. Although multiple are allowed, * only the first instance implementing a particular interface is used. So generally there will * just be a single entry and it implements {@link javax.net.ssl.X509KeyManager}. */ public Builder keyManager(KeyManager... keyManagers) { List keyManagerList = Collections.unmodifiableList(new ArrayList<>( Arrays.asList(keyManagers))); clearKeyManagers(); this.keyManagers = keyManagerList; return this; } private void clearKeyManagers() { this.certificateChain = null; this.privateKey = null; this.privateKeyPassword = null; this.keyManagers = null; } /** * Use the provided root certificates to verify the server's identity instead of the system's * default. Generally they should be PEM-encoded with all the certificates concatenated together * (file header has "BEGIN CERTIFICATE", and would occur once per certificate). */ public Builder trustManager(File rootCerts) throws IOException { InputStream rootCertsIs = new FileInputStream(rootCerts); try { return trustManager(rootCertsIs); } finally { rootCertsIs.close(); } } /** * Use the provided root certificates to verify the server's identity instead of the system's * default. Generally they should be PEM-encoded with all the certificates concatenated together * (file header has "BEGIN CERTIFICATE", and would occur once per certificate). */ public Builder trustManager(InputStream rootCerts) throws IOException { byte[] rootCertsBytes = ByteStreams.toByteArray(rootCerts); clearTrustManagers(); this.rootCertificates = rootCertsBytes; return this; } /** * Have the provided trust manager verify the server's identity instead of the system's default. * Although multiple are allowed, only the first instance implementing a particular interface is * used. So generally there will just be a single entry and it implements {@link * javax.net.ssl.X509TrustManager}. */ public Builder trustManager(TrustManager... trustManagers) { List trustManagerList = Collections.unmodifiableList(new ArrayList<>( Arrays.asList(trustManagers))); clearTrustManagers(); this.trustManagers = trustManagerList; return this; } private void clearTrustManagers() { this.rootCertificates = null; this.trustManagers = null; } /** Construct the credentials. */ public ChannelCredentials build() { return new TlsChannelCredentials(this); } } }