/**
 * Builds a TLS-only OkHttp channel to the in-process test server.
 *
 * <p>The client trusts only the CA behind the self-signed test certificate ({@code ssc}), not
 * the system trust store, and the authority is pinned to {@code example.com:<port>} so the
 * hostname check runs against the name the test certificate is expected to carry.
 *
 * @return a channel that negotiates TLS against {@code server}
 * @throws RuntimeException wrapping any failure while building the socket factory or channel
 */
@Override
protected ManagedChannel createChannel() {
  try {
    final int serverPort = server.getPort();
    OkHttpChannelBuilder channelBuilder =
        OkHttpChannelBuilder.forAddress("localhost", serverPort);
    channelBuilder.negotiationType(NegotiationType.TLS);
    channelBuilder.maxInboundMessageSize(16 * 1024 * 1024);
    channelBuilder.connectionSpec(ConnectionSpec.MODERN_TLS);
    // Hostname verification compares the authority, not "localhost", with the certificate.
    channelBuilder.overrideAuthority("example.com:" + serverPort);
    // Restrict trust to the test CA; the default trust store would not accept ssc.
    channelBuilder.sslSocketFactory(TestUtils.newSslSocketFactoryForCa(
        Platform.get().getProvider(), ssc.certificate()));
    return channelBuilder.build();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }
}
/**
 * Overrides {@link Platform}'s configureTlsExtensions for Android older than 5.0, since OkHttp
 * (2.3+) only supports that method on Android 5.0+.
 *
 * <p>SNI and session tickets are enabled when a hostname is known, ALPN is offered only on
 * platforms reporting {@code ALPN_AND_NPN}, and NPN is offered whenever the platform reports any
 * TLS extension type. A platform with no extension support cannot negotiate the application
 * protocol, so the method fails instead of leaving the socket silently unconfigured.
 *
 * @param sslSocket the socket to configure before the handshake
 * @param hostname the server name for SNI, or {@code null} to skip SNI and session tickets
 * @param protocols the application protocols to advertise, in preference order
 * @throws RuntimeException if the platform offers neither ALPN nor NPN
 */
@Override
protected void configureTlsExtensions(
    SSLSocket sslSocket, String hostname, List<Protocol> protocols) {
  if (hostname != null) {
    // Both calls are optional reflective setters; enabling SNI and session tickets.
    SET_USE_SESSION_TICKETS.invokeOptionalWithoutCheckedException(sslSocket, true);
    SET_HOSTNAME.invokeOptionalWithoutCheckedException(sslSocket, hostname);
  }
  Object[] lengthPrefixedProtocols = {Platform.concatLengthPrefixed(protocols)};
  TlsExtensionType extensionType = platform.getTlsExtensionType();
  if (extensionType == TlsExtensionType.ALPN_AND_NPN) {
    SET_ALPN_PROTOCOLS.invokeWithoutCheckedException(sslSocket, lengthPrefixedProtocols);
  }
  if (extensionType == TlsExtensionType.NONE) {
    throw new RuntimeException("We can not do TLS handshake on this Android version, please"
        + " install the Google Play Services Dynamic Security Provider to use TLS");
  }
  // NPN is advertised for every supported extension type, including ALPN_AND_NPN.
  SET_NPN_PROTOCOLS.invokeWithoutCheckedException(sslSocket, lengthPrefixedProtocols);
}
/**
 * Creates an OkHttp client channel builder pointed at the local test server.
 *
 * <p>The connection spec narrows the default spec to the test cipher suites and the TLS versions
 * of {@link ConnectionSpec#MODERN_TLS}; the authority is overridden so the hostname check
 * matches the test server certificate; and only {@code ca.pem} is trusted.
 *
 * @return a builder with TLS and stats configured; callers still call {@code build()}
 * @throws RuntimeException wrapping any failure while loading the CA or building the socket
 *     factory
 */
private OkHttpChannelBuilder createChannelBuilder() {
  int serverPort = getPort();
  ConnectionSpec testSpec =
      new ConnectionSpec.Builder(OkHttpChannelBuilder.DEFAULT_CONNECTION_SPEC)
          .cipherSuites(TestUtils.preferredTestCiphers().toArray(new String[0]))
          .tlsVersions(ConnectionSpec.MODERN_TLS.tlsVersions().toArray(new TlsVersion[0]))
          .build();
  String testAuthority =
      GrpcUtil.authorityFromHostAndPort(TestUtils.TEST_SERVER_HOST, serverPort);
  OkHttpChannelBuilder channelBuilder = OkHttpChannelBuilder.forAddress("localhost", serverPort)
      .maxInboundMessageSize(AbstractInteropTest.MAX_MESSAGE_SIZE)
      .connectionSpec(testSpec)
      .overrideAuthority(testAuthority);
  io.grpc.internal.TestingAccessor.setStatsImplementation(
      channelBuilder, createClientCensusStatsModule());
  try {
    // Trust only the test CA rather than the platform trust store.
    channelBuilder.sslSocketFactory(TestUtils.newSslSocketFactoryForCa(
        Platform.get().getProvider(), TestUtils.loadCert("ca.pem")));
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
  return channelBuilder;
}
/**
 * Returns the socket factory for the configured negotiation type, creating it on first use.
 *
 * <p>For {@code TLS} the factory is cached in {@code sslSocketFactory}; when the user supplied
 * none, a context is built from the current {@link Platform} provider. On restricted AppEngine
 * the "Default" context is avoided because Conscrypt loads the default KeyStore when no trust
 * manager is supplied, which reads {@code javax.net.ssl.keyStore} and is denied there; the
 * context is instead initialised with the platform's default trust managers and a SHA1PRNG
 * instance that does not need /dev/urandom.
 *
 * @return the factory to use, or {@code null} for plaintext connections
 * @throws RuntimeException if the provider cannot build the context, or the negotiation type is
 *     not recognised
 */
@VisibleForTesting
@Nullable
SSLSocketFactory createSocketFactory() {
  switch (negotiationType) {
    case PLAINTEXT:
      return null;
    case TLS:
      if (sslSocketFactory == null) {
        try {
          sslSocketFactory = newPlatformSslContext().getSocketFactory();
        } catch (GeneralSecurityException gse) {
          throw new RuntimeException("TLS Provider failure", gse);
        }
      }
      return sslSocketFactory;
    default:
      throw new RuntimeException("Unknown negotiation type: " + negotiationType);
  }
}

/**
 * Builds an initialised {@link SSLContext} from the platform provider.
 *
 * @throws GeneralSecurityException if the provider lacks a requested algorithm or the trust
 *     managers cannot be initialised
 */
private static SSLContext newPlatformSslContext() throws GeneralSecurityException {
  if (!GrpcUtil.IS_RESTRICTED_APPENGINE) {
    return SSLContext.getInstance("Default", Platform.get().getProvider());
  }
  // Circumvents: access denied ("java.util.PropertyPermission" "javax.net.ssl.keyStore" "read").
  // Conscrypt attempts to load the default KeyStore if a trust manager is not provided, which is
  // forbidden on AppEngine, so the trust managers are passed explicitly.
  SSLContext context = SSLContext.getInstance("TLS", Platform.get().getProvider());
  TrustManagerFactory trustManagerFactory =
      TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  // A null KeyStore selects the factory's default trust store.
  trustManagerFactory.init((KeyStore) null);
  context.init(
      null,
      trustManagerFactory.getTrustManagers(),
      // SHA1PRNG is used only because it does not need /dev/urandom on this platform.
      SecureRandom.getInstance("SHA1PRNG", Platform.get().getProvider()));
  return context;
}
/**
 * With an unstubbed {@link Platform} mock no protocol is selected during negotiation, and the
 * negotiator is expected to fail with {@code "protocol negotiation failed"} rather than proceed
 * without an agreed application protocol.
 */
@Test
public void negotiate_noSelectedProtocol() throws Exception {
  thrown.expect(RuntimeException.class);
  thrown.expectMessage("protocol negotiation failed");
  Platform unstubbedPlatform = mock(Platform.class);
  OkHttpProtocolNegotiator negotiatorUnderTest = new OkHttpProtocolNegotiator(unstubbedPlatform);
  negotiatorUnderTest.negotiate(sock, "hostname", ImmutableList.of(Protocol.HTTP_2));
}
/**
 * Creates an OkHttp channel builder for the benchmark client.
 *
 * <p>With {@code tls} the channel negotiates TLS. {@code testca} then selects a socket factory
 * that trusts only {@code ca.pem} and pins the authority to {@code authorityOverride}; otherwise
 * the platform default {@link SSLSocketFactory} is used, which trusts the system trust store,
 * and {@code authorityOverride} is not applied. Without {@code tls} the channel is plaintext.
 *
 * @param address the target; must be an {@link InetSocketAddress}
 * @param tls whether to negotiate TLS
 * @param testca whether to trust only the test CA; consulted only when {@code tls} is set
 * @param authorityOverride host for the overridden authority when {@code testca} is set; it is
 *     combined with the target port
 * @return a configured builder
 * @throws RuntimeException wrapping any failure while loading the test CA
 */
private static OkHttpChannelBuilder newOkhttpClientChannel(
    SocketAddress address, boolean tls, boolean testca, @Nullable String authorityOverride) {
  InetSocketAddress inetAddress = (InetSocketAddress) address;
  OkHttpChannelBuilder channelBuilder =
      OkHttpChannelBuilder.forAddress(inetAddress.getHostName(), inetAddress.getPort());
  if (!tls) {
    channelBuilder.negotiationType(io.grpc.okhttp.NegotiationType.PLAINTEXT);
    return channelBuilder;
  }
  channelBuilder.negotiationType(io.grpc.okhttp.NegotiationType.TLS);
  if (!testca) {
    // Platform default factory: system trust store, no authority override.
    channelBuilder.sslSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
    return channelBuilder;
  }
  channelBuilder.overrideAuthority(
      GrpcUtil.authorityFromHostAndPort(authorityOverride, inetAddress.getPort()));
  SSLSocketFactory testCaFactory;
  try {
    testCaFactory = TestUtils.newSslSocketFactoryForCa(
        Platform.get().getProvider(), TestUtils.loadCert("ca.pem"));
  } catch (Exception e) {
    throw new RuntimeException(e);
  }
  channelBuilder.sslSocketFactory(testCaFactory);
  return channelBuilder;
}
/**
 * Creates a negotiator backed by the given OkHttp platform abstraction.
 *
 * @param platform the platform used for TLS extension configuration; must not be null
 * @throws NullPointerException if {@code platform} is null
 */
@VisibleForTesting
OkHttpProtocolNegotiator(Platform platform) {
  checkNotNull(platform, "platform");
  this.platform = platform;
}
/**
 * Creates a negotiator for older Android versions; all state lives in the parent class.
 *
 * @param platform the OkHttp platform abstraction; null-checked by the parent constructor
 */
AndroidNegotiator(Platform platform) {
  super(platform);
}
/**
 * Builds the client channel for an interop test run, using Netty or OkHttp as the transport.
 *
 * <p>Both transports honour {@code useTls}, {@code useTestCa}, {@code serverHostOverride} and
 * {@code fullStreamDecompression}. With {@code useTestCa} the client trusts only {@code ca.pem};
 * otherwise the transport's defaults apply, which for OkHttp means the platform default socket
 * factory and the system trust store. The authority override forces the hostname check to match
 * the certificate the test server presents. Census stats are attached to whichever builder is
 * chosen.
 *
 * @return the built channel
 * @throws RuntimeException wrapping any failure while loading the CA or building TLS state
 */
@Override
protected ManagedChannel createChannel() {
  AbstractManagedChannelImplBuilder<?> channelBuilder;
  if (useOkHttp) {
    channelBuilder = newInteropOkHttpBuilder();
  } else {
    channelBuilder = newInteropNettyBuilder();
  }
  io.grpc.internal.TestingAccessor.setStatsImplementation(
      channelBuilder, createClientCensusStatsModule());
  return channelBuilder.build();
}

/**
 * Configures the Netty transport; the {@link SslContext} is null unless the test CA is used.
 *
 * @throws RuntimeException wrapping any failure while building the test-CA context
 */
private NettyChannelBuilder newInteropNettyBuilder() {
  SslContext testCaContext = null;
  if (useTestCa) {
    try {
      testCaContext = GrpcSslContexts.forClient()
          .trustManager(TestUtils.loadCert("ca.pem"))
          .build();
    } catch (Exception ex) {
      throw new RuntimeException(ex);
    }
  }
  NettyChannelBuilder nettyBuilder = NettyChannelBuilder.forAddress(serverHost, serverPort)
      .flowControlWindow(65 * 1024)
      .negotiationType(useTls ? NegotiationType.TLS : NegotiationType.PLAINTEXT)
      .sslContext(testCaContext);
  if (serverHostOverride != null) {
    nettyBuilder.overrideAuthority(serverHostOverride);
  }
  if (fullStreamDecompression) {
    nettyBuilder.enableFullStreamDecompression();
  }
  return nettyBuilder;
}

/**
 * Configures the OkHttp transport; TLS uses either the test-CA factory or the platform default.
 *
 * @throws RuntimeException wrapping any failure while creating the socket factory
 */
private OkHttpChannelBuilder newInteropOkHttpBuilder() {
  OkHttpChannelBuilder okBuilder = OkHttpChannelBuilder.forAddress(serverHost, serverPort);
  if (serverHostOverride != null) {
    // Force the hostname to match the cert the server uses.
    okBuilder.overrideAuthority(
        GrpcUtil.authorityFromHostAndPort(serverHostOverride, serverPort));
  }
  if (!useTls) {
    okBuilder.usePlaintext(true);
  } else {
    try {
      SSLSocketFactory socketFactory;
      if (useTestCa) {
        socketFactory = TestUtils.newSslSocketFactoryForCa(
            Platform.get().getProvider(), TestUtils.loadCert("ca.pem"));
      } else {
        // Platform default: trusts the system trust store.
        socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      }
      okBuilder.sslSocketFactory(socketFactory);
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }
  if (fullStreamDecompression) {
    okBuilder.enableFullStreamDecompression();
  }
  return okBuilder;
}