Package io.grpc.util

Class AdvancedTlsX509TrustManager

  • All Implemented Interfaces:
    javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

    public final class AdvancedTlsX509TrustManager
    extends javax.net.ssl.X509ExtendedTrustManager
    AdvancedTlsX509TrustManager is an X509ExtendedTrustManager that allows users to configure advanced TLS features, such as root certificate reloading and custom peer certificate verification. The basic instantiation pattern is new Builder().build().useSystemDefaultTrustCerts();

    For Android users: this class is only supported in API level 24 and above.

    • Method Detail

      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine engine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine engine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • getAcceptedIssuers

        public java.security.cert.X509Certificate[] getAcceptedIssuers()
      • useSystemDefaultTrustCerts

        public void useSystemDefaultTrustCerts()
                                        throws java.security.cert.CertificateException,
                                               java.security.KeyStoreException,
                                               java.security.NoSuchAlgorithmException
        Uses the default trust certificates stored on the user's local system. After this is called, methods that supply new credential data (e.g. updateTrustCredentials) should not be called.
        Throws:
        java.security.cert.CertificateException
        java.security.KeyStoreException
        java.security.NoSuchAlgorithmException
      • createDelegateTrustManager

        private static javax.net.ssl.X509ExtendedTrustManager createDelegateTrustManager(java.security.KeyStore keyStore)
                                                                                  throws java.security.cert.CertificateException,
                                                                                         java.security.KeyStoreException,
                                                                                         java.security.NoSuchAlgorithmException
        Throws:
        java.security.cert.CertificateException
        java.security.KeyStoreException
        java.security.NoSuchAlgorithmException
      • checkTrusted

        private void checkTrusted(java.security.cert.X509Certificate[] chain,
                                  java.lang.String authType,
                                  javax.net.ssl.SSLEngine sslEngine,
                                  java.net.Socket socket,
                                  boolean checkingServer)
                           throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • updateTrustCredentials

        public void updateTrustCredentials(java.security.cert.X509Certificate[] trustCerts)
                                    throws java.io.IOException,
                                           java.security.GeneralSecurityException
        Updates the current cached trust certificates as well as the key store.
        Parameters:
        trustCerts - the trust certificates that are going to be used
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • updateTrustCredentials

        public void updateTrustCredentials(java.io.File trustCertFile)
                                    throws java.io.IOException,
                                           java.security.GeneralSecurityException
        Updates the trust certificates from a local file path.
        Parameters:
        trustCertFile - the file on disk holding the trust certificates
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • updateTrustCredentials

        public AdvancedTlsX509TrustManager.Closeable updateTrustCredentials(java.io.File trustCertFile,
                                                                            long period,
                                                                            java.util.concurrent.TimeUnit unit,
                                                                            java.util.concurrent.ScheduledExecutorService executor)
                                                                     throws java.io.IOException,
                                                                            java.security.GeneralSecurityException
        Schedules a ScheduledExecutorService to read trust certificates from a local file path periodically, and updates the cached trust certificates if there is an update. You must close the returned Closeable before calling this method again or any other update method (useSystemDefaultTrustCerts(), updateTrustCredentials(X509Certificate[]), updateTrustCredentialsFromFile(File)). Before scheduling the task, the method synchronously reads and updates the trust certificates once. If the provided period is less than 1 minute, it is automatically raised to 1 minute.
        Parameters:
        trustCertFile - the file on disk holding the trust certificates
        period - the period between successive read-and-update executions
        unit - the time unit of the initialDelay and period parameters
        executor - the executor service we use to read and update the credentials
        Returns:
        an object that the caller should close when file refreshes are no longer needed
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
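        A worked client setup, added here as an example and not taken from grpc-java's own documentation: it performs the class description's new Builder().build() step via the public AdvancedTlsX509TrustManager.newBuilder() factory, starts the periodic file reload described above, checks getAcceptedIssuers() after the initial synchronous load, and closes the returned Closeable before shutting down, as this method requires. The CA bundle path, the target address, and the wiring through TlsChannelCredentials.newBuilder().trustManager(...) and Grpc.newChannelBuilder(...) are assumptions not documented on this page.

```java
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import io.grpc.util.AdvancedTlsX509TrustManager;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public final class ReloadingTrustManagerExample {

  public static void main(String[] args) throws IOException, GeneralSecurityException {
    // Assumed path: the PEM bundle of CA certificates this client trusts for server certs.
    File caBundle = new File("/etc/myapp/tls/ca-bundle.pem");

    // The page's "new Builder().build()" step, via the public newBuilder() factory.
    AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();

    ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
    // Reads and applies the bundle once synchronously, then re-reads it every 5 minutes,
    // replacing the cached trust certs only when the file's modification time has changed.
    // (A period under 1 minute would be raised to 1 minute by the library.)
    AdvancedTlsX509TrustManager.Closeable reloader =
        trustManager.updateTrustCredentials(caBundle, 5, TimeUnit.MINUTES, executor);
    ManagedChannel channel = null;
    try {
      // Sanity check after the initial load: with no accepted issuers every server
      // handshake will be rejected, so fail loudly at startup instead of at first RPC.
      int trustedIssuers = trustManager.getAcceptedIssuers().length;
      if (trustedIssuers == 0) {
        throw new IllegalStateException("no CA certificates loaded from " + caBundle);
      }
      System.out.println("Trusted CA certificates loaded: " + trustedIssuers);

      // Hand the reloading trust manager to the channel's TLS credentials (assumed address).
      TlsChannelCredentials creds =
          TlsChannelCredentials.newBuilder().trustManager(trustManager).build();
      channel = Grpc.newChannelBuilder("greeter.example.internal:8443", creds).build();
      // ... issue RPCs on the channel; new handshakes use whatever CAs were last loaded ...
    } finally {
      if (channel != null) {
        channel.shutdownNow();
      }
      // Required ordering: stop the scheduled reload before any other update method
      // (e.g. useSystemDefaultTrustCerts()) is called and before the executor is shut down.
      reloader.close();
      executor.shutdown();
    }
  }
}
```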
      • updateTrustCredentialsFromFile

        @Deprecated
        @InlineMe(replacement="this.updateTrustCredentials(trustCertFile, period, unit, executor)")
        @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024")
        public AdvancedTlsX509TrustManager.Closeable updateTrustCredentialsFromFile(java.io.File trustCertFile,
                                                                                    long period,
                                                                                    java.util.concurrent.TimeUnit unit,
                                                                                    java.util.concurrent.ScheduledExecutorService executor)
                                                                             throws java.io.IOException,
                                                                                    java.security.GeneralSecurityException
        Schedules a ScheduledExecutorService to read trust certificates from a local file path periodically, and updates the cached trust certificates if there is an update. You must close the returned Closeable before calling this method again or any other update method (useSystemDefaultTrustCerts(), updateTrustCredentials(X509Certificate[]), updateTrustCredentialsFromFile(File)). Before scheduling the task, the method synchronously reads and updates the trust certificates once. If the provided period is less than 1 minute, it is automatically raised to 1 minute.
        Parameters:
        trustCertFile - the file on disk holding the trust certificates
        period - the period between successive read-and-update executions
        unit - the time unit of the initialDelay and period parameters
        executor - the executor service we use to read and update the credentials
        Returns:
        an object that the caller should close when file refreshes are no longer needed
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • updateTrustCredentialsFromFile

        @Deprecated
        @InlineMe(replacement="this.updateTrustCredentials(trustCertFile)")
        @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024")
        public void updateTrustCredentialsFromFile(java.io.File trustCertFile)
                                            throws java.io.IOException,
                                                   java.security.GeneralSecurityException
        Updates the trust certificates from a local file path.
        Parameters:
        trustCertFile - the file on disk holding the trust certificates
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
      • readAndUpdate

        private long readAndUpdate(java.io.File trustCertFile,
                                   long oldTime)
                            throws java.io.IOException,
                                   java.security.GeneralSecurityException
        Reads the trust certificates from the given file path, and updates the key store if the file's modification time has changed since the last read.
        Parameters:
        trustCertFile - the file on disk holding the trust certificates
        oldTime - the modification time of the trust file observed during the last execution
        Returns:
        oldTime if the read failed or the modification time has not changed; otherwise the new modification time
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException