core,netty: InputStream support in SslContextBuilder

Also update unit tests to stop writing certs to temp files.

Fixes grpc#1881

Author: zpencer

benchmarks/src/main/java/io/grpc/benchmarks/Utils.java

@@ -154,8 +154,8 @@ private static NettyChannelBuilder newNettyClientChannel(Transport transport,
       builder.negotiationType(NegotiationType.TLS);
       SslContext sslContext = null;
       if (testca) {
-        File cert = TestUtils.loadCert("ca.pem");
-        SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient().trustManager(cert);
+        SslContextBuilder sslContextBuilder =
+            GrpcSslContexts.forClient().trustManager(TestUtils.loadCert("ca.pem"));
         if (transport == Transport.NETTY_NIO) {
           sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.JDK);
         } else {

benchmarks/src/main/java/io/grpc/benchmarks/driver/LoadServer.java

@@ -39,7 +39,6 @@
 import io.grpc.internal.testing.TestUtils;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.PooledByteBufAllocator;
-import java.io.File;
 import java.lang.management.ManagementFactory;
 import java.util.List;
 import java.util.concurrent.ExecutorService;
@@ -115,9 +114,8 @@ final class LoadServer {
       }
     }
     if (config.hasSecurityParams()) {
-      File cert = TestUtils.loadCert("server1.pem");
-      File key = TestUtils.loadCert("server1.key");
-      serverBuilder.useTransportSecurity(cert, key);
+      serverBuilder.useTransportSecurity(
+          TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
     }
     benchmarkService = new AsyncServer.BenchmarkServiceImpl();
     if (config.getServerType() == Control.ServerType.ASYNC_GENERIC_SERVER) {

benchmarks/src/main/java/io/grpc/benchmarks/qps/AsyncServer.java

@@ -37,7 +37,6 @@
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
 import io.netty.util.concurrent.DefaultThreadFactory;
-import java.io.File;
 import java.io.IOException;
 import java.util.Iterator;
 import java.util.concurrent.ForkJoinPool;
@@ -99,9 +98,8 @@ static Server newServer(ServerConfiguration config) throws IOException {
       System.out.println("Using fake CA for TLS certificate.\n"
           + "Run the Java client with --tls --testca");
 
-      File cert = TestUtils.loadCert("server1.pem");
-      File key = TestUtils.loadCert("server1.key");
-      SslContextBuilder sslContextBuilder = GrpcSslContexts.forServer(cert, key);
+      SslContextBuilder sslContextBuilder = GrpcSslContexts.forServer(
+          TestUtils.loadCert("server1.pem"), TestUtils.loadCert("server1.key"));
       if (config.transport == ServerConfiguration.Transport.NETTY_NIO) {
         sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder, SslProvider.JDK);
       } else {

core/src/main/java/io/grpc/ServerBuilder.java

@@ -17,6 +17,7 @@
 package io.grpc;
 
 import java.io.File;
+import java.io.InputStream;
 import java.util.concurrent.Executor;
 import javax.annotation.Nullable;
 
@@ -150,6 +151,18 @@ public T addStreamTracerFactory(ServerStreamTracer.Factory factory) {
    */
   public abstract T useTransportSecurity(File certChain, File privateKey);
 
+  /**
+   * Makes the server use TLS.
+   *
+   * @param certChain InputStream containing the full certificate chain
+   * @param privateKey InputStream containing the private key
+   *
+   * @return this
+   * @throws UnsupportedOperationException if the server does not support TLS.
+   * @since 1.7.0
+   */
+  public abstract T useTransportSecurity(InputStream certChain, InputStream privateKey);
+
   /**
    * Set the decompression registry for use in the channel.  This is an advanced API call and
    * shouldn't be used unless you are using custom message encoding.   The default supported

core/src/main/java/io/grpc/inprocess/InProcessServerBuilder.java

@@ -22,6 +22,7 @@
 import io.grpc.internal.AbstractServerImplBuilder;
 import io.grpc.internal.GrpcUtil;
 import java.io.File;
+import java.io.InputStream;
 import java.util.List;
 
 /**
@@ -94,4 +95,10 @@ protected InProcessServer buildTransportServer(
   public InProcessServerBuilder useTransportSecurity(File certChain, File privateKey) {
     throw new UnsupportedOperationException("TLS not supported in InProcessServer");
   }
+
+  @Override
+  public InProcessServerBuilder useTransportSecurity(
+      InputStream certChain, InputStream privateKey) {
+    throw new UnsupportedOperationException("TLS not supported in InProcessServer");
+  }
 }

core/src/main/java/io/grpc/internal/GrpcUtil.java

@@ -624,7 +624,7 @@ static void closeQuietly(MessageProducer producer) {
   }
 
   /** Closes an InputStream, ignoring IOExceptions. */
-  static void closeQuietly(InputStream message) {
+  public static void closeQuietly(InputStream message) {
     try {
       message.close();
     } catch (IOException ioException) {

core/src/test/java/io/grpc/internal/AbstractServerImplBuilderTest.java

@@ -110,6 +110,11 @@ protected io.grpc.internal.InternalServer buildTransportServer(
     public Builder useTransportSecurity(File certChain, File privateKey) {
       throw new UnsupportedOperationException();
     }
+
+    @Override
+    public Builder useTransportSecurity(InputStream certChain, InputStream privateKey) {
+      throw new UnsupportedOperationException();
+    }
   }
 
 }

core/src/test/java/io/grpc/internal/ServerImplTest.java

@@ -1248,6 +1248,11 @@ private static class Builder extends AbstractServerImplBuilder<Builder> {
     @Override public Builder useTransportSecurity(File f1, File f2)  {
       throw new UnsupportedOperationException();
     }
+
+    @Override
+    public Builder useTransportSecurity(InputStream certChain, InputStream privateKey) {
+      throw new UnsupportedOperationException("TLS not supported in InProcessServer");
+    }
   }
 
   /** Allows more precise catch blocks than plain Error to avoid catching AssertionError. */

interop-testing/src/test/java/io/grpc/testing/integration/ConcurrencyTest.java

@@ -16,6 +16,8 @@
 
 package io.grpc.testing.integration;
 
+import static io.grpc.internal.testing.TestUtils.loadCert;
+
 import com.google.common.base.Preconditions;
 import com.google.common.util.concurrent.MoreExecutors;
 import io.grpc.ManagedChannel;
@@ -32,7 +34,6 @@
 import io.grpc.testing.integration.Messages.StreamingOutputCallResponse;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
-import java.io.File;
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -182,17 +183,15 @@ public void serverStreamingTest() throws Exception {
    * Creates and starts a new {@link TestServiceImpl} server.
    */
   private Server newServer() throws CertificateException, IOException {
-    File serverCertChainFile = TestUtils.loadCert("server1.pem");
-    File serverPrivateKeyFile = TestUtils.loadCert("server1.key");
     X509Certificate[] serverTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
 
     SslContext sslContext =
-        GrpcSslContexts.forServer(serverCertChainFile, serverPrivateKeyFile)
-                       .trustManager(serverTrustedCaCerts)
-                       .clientAuth(ClientAuth.REQUIRE)
-                       .build();
+        GrpcSslContexts.forServer(loadCert("server1.pem"), loadCert("server1.key"))
+            .trustManager(serverTrustedCaCerts)
+            .clientAuth(ClientAuth.REQUIRE)
+            .build();
 
     return NettyServerBuilder.forPort(0)
         .sslContext(sslContext)
@@ -202,17 +201,15 @@ private Server newServer() throws CertificateException, IOException {
   }
 
   private ManagedChannel newClientChannel() throws CertificateException, IOException {
-    File clientCertChainFile = TestUtils.loadCert("client.pem");
-    File clientPrivateKeyFile = TestUtils.loadCert("client.key");
     X509Certificate[] clientTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
 
     SslContext sslContext =
         GrpcSslContexts.forClient()
-                       .keyManager(clientCertChainFile, clientPrivateKeyFile)
-                       .trustManager(clientTrustedCaCerts)
-                       .build();
+            .keyManager(loadCert("client.pem"), loadCert("client.key"))
+            .trustManager(clientTrustedCaCerts)
+            .build();
 
     return NettyChannelBuilder.forAddress("localhost", server.getPort())
         .overrideAuthority(TestUtils.TEST_SERVER_HOST)

interop-testing/src/test/java/io/grpc/testing/integration/TlsTest.java

@@ -16,6 +16,7 @@
 
 package io.grpc.testing.integration;
 
+import static io.grpc.internal.testing.TestUtils.loadCert;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
@@ -37,8 +38,8 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
-import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -118,24 +119,21 @@ public void tearDown() {
   @Test
   public void basicClientServerIntegrationTest() throws Exception {
     // Create & start a server.
-    File serverCertFile = TestUtils.loadCert("server1.pem");
-    File serverPrivateKeyFile = TestUtils.loadCert("server1.key");
     X509Certificate[] serverTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
-    server = serverBuilder(0, serverCertFile, serverPrivateKeyFile, serverTrustedCaCerts)
+    server = serverBuilder(
+        0, loadCert("server1.pem"), loadCert("server1.key"), serverTrustedCaCerts)
         .addService(new TestServiceImpl(executor))
         .build()
         .start();
 
     // Create a client.
-    File clientCertChainFile = TestUtils.loadCert("client.pem");
-    File clientPrivateKeyFile = TestUtils.loadCert("client.key");
     X509Certificate[] clientTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
     channel = clientChannel(server.getPort(), clientContextBuilder
-        .keyManager(clientCertChainFile, clientPrivateKeyFile)
+        .keyManager(loadCert("client.pem"), loadCert("client.key"))
         .trustManager(clientTrustedCaCerts)
         .build());
     TestServiceGrpc.TestServiceBlockingStub client = TestServiceGrpc.newBlockingStub(channel);
@@ -154,26 +152,23 @@ public void basicClientServerIntegrationTest() throws Exception {
   @Test
   public void serverRejectsUntrustedClientCert() throws Exception {
     // Create & start a server. It requires client authentication and trusts only the test CA.
-    File serverCertFile = TestUtils.loadCert("server1.pem");
-    File serverPrivateKeyFile = TestUtils.loadCert("server1.key");
     X509Certificate[] serverTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
-    server = serverBuilder(0, serverCertFile, serverPrivateKeyFile, serverTrustedCaCerts)
+    server = serverBuilder(
+        0, loadCert("server1.pem"), loadCert("server1.key"), serverTrustedCaCerts)
         .addService(new TestServiceImpl(executor))
         .build()
         .start();
 
     // Create a client. Its credentials come from a CA that the server does not trust. The client
     // trusts both test CAs, so we can be sure that the handshake failure is due to the server
     // rejecting the client's cert, not the client rejecting the server's cert.
-    File clientCertChainFile = TestUtils.loadCert("badclient.pem");
-    File clientPrivateKeyFile = TestUtils.loadCert("badclient.key");
     X509Certificate[] clientTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
     channel = clientChannel(server.getPort(), clientContextBuilder
-        .keyManager(clientCertChainFile, clientPrivateKeyFile)
+        .keyManager(loadCert("badclient.pem"), loadCert("badclient.key"))
         .trustManager(clientTrustedCaCerts)
         .build());
     TestServiceGrpc.TestServiceBlockingStub client = TestServiceGrpc.newBlockingStub(channel);
@@ -201,12 +196,11 @@ public void serverRejectsUntrustedClientCert() throws Exception {
   @Test
   public void noClientAuthFailure() throws Exception {
     // Create & start a server.
-    File serverCertFile = TestUtils.loadCert("server1.pem");
-    File serverPrivateKeyFile = TestUtils.loadCert("server1.key");
     X509Certificate[] serverTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
-    server = serverBuilder(0, serverCertFile, serverPrivateKeyFile, serverTrustedCaCerts)
+    server = serverBuilder(
+        0, loadCert("server1.pem"), loadCert("server1.key"), serverTrustedCaCerts)
         .addService(new TestServiceImpl(executor))
         .build()
         .start();
@@ -243,26 +237,25 @@ public void noClientAuthFailure() throws Exception {
   @Test
   public void clientRejectsUntrustedServerCert() throws Exception {
     // Create & start a server.
-    File serverCertFile = TestUtils.loadCert("badserver.pem");
-    File serverPrivateKeyFile = TestUtils.loadCert("badserver.key");
     X509Certificate[] serverTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
-    server = serverBuilder(0, serverCertFile, serverPrivateKeyFile, serverTrustedCaCerts)
+    server = serverBuilder(
+        0, loadCert("badserver.pem"), loadCert("badserver.key"), serverTrustedCaCerts)
         .addService(new TestServiceImpl(executor))
         .build()
         .start();
 
     // Create a client.
-    File clientCertChainFile = TestUtils.loadCert("client.pem");
-    File clientPrivateKeyFile = TestUtils.loadCert("client.key");
     X509Certificate[] clientTrustedCaCerts = {
       TestUtils.loadX509Cert("ca.pem")
     };
-    channel = clientChannel(server.getPort(), clientContextBuilder
-        .keyManager(clientCertChainFile, clientPrivateKeyFile)
-        .trustManager(clientTrustedCaCerts)
-        .build());
+    channel =
+        clientChannel(
+            server.getPort(),
+            clientContextBuilder.keyManager(loadCert("client.pem"), loadCert("client.key"))
+                .trustManager(clientTrustedCaCerts)
+                .build());
     TestServiceGrpc.TestServiceBlockingStub client = TestServiceGrpc.newBlockingStub(channel);
 
     // Check that the TLS handshake fails.
@@ -282,10 +275,10 @@ public void clientRejectsUntrustedServerCert() throws Exception {
   }
 
 
-  private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
-      File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
+  private ServerBuilder<?> serverBuilder(int port, InputStream serverCertChain,
+      InputStream serverPrivateKey, X509Certificate[] serverTrustedCaCerts) throws IOException {
     SslContextBuilder sslContextBuilder
-        = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
+        = SslContextBuilder.forServer(serverCertChain, serverPrivateKey);
     GrpcSslContexts.configure(sslContextBuilder, sslProvider);
     sslContextBuilder.trustManager(serverTrustedCaCerts)
         .clientAuth(ClientAuth.REQUIRE);

netty/src/main/java/io/grpc/netty/GrpcSslContexts.java

@@ -20,6 +20,7 @@
 
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import io.grpc.ExperimentalApi;
+import io.grpc.internal.GrpcUtil;
 import io.netty.handler.codec.http2.Http2SecurityUtil;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
@@ -30,6 +31,7 @@
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import java.io.File;
+import java.io.InputStream;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -104,6 +106,21 @@ public static SslContextBuilder forServer(File keyCertChainFile, File keyFile) {
     return configure(SslContextBuilder.forServer(keyCertChainFile, keyFile));
   }
 
+  /**
+   * Creates a SslContextBuilder with ciphers and APN appropriate for gRPC.
+   *
+   * @see SslContextBuilder#forServer(InputStream, InputStream)
+   * @see #configure(SslContextBuilder)
+   */
+  public static SslContextBuilder forServer(InputStream keyCertChain, InputStream key) {
+    try {
+      return configure(SslContextBuilder.forServer(keyCertChain, key));
+    } finally {
+      GrpcUtil.closeQuietly(keyCertChain);
+      GrpcUtil.closeQuietly(key);
+    }
+  }
+
   /**
    * Creates a SslContextBuilder with ciphers and APN appropriate for gRPC.
    *
@@ -115,6 +132,22 @@ public static SslContextBuilder forServer(
     return configure(SslContextBuilder.forServer(keyCertChainFile, keyFile, keyPassword));
   }
 
+  /**
+   * Creates a SslContextBuilder with ciphers and APN appropriate for gRPC.
+   *
+   * @see SslContextBuilder#forServer(InputStream, InputStream, String)
+   * @see #configure(SslContextBuilder)
+   */
+  public static SslContextBuilder forServer(
+      InputStream keyCertChain, InputStream key, String keyPassword) {
+    try {
+      return configure(SslContextBuilder.forServer(keyCertChain, key, keyPassword));
+    } finally {
+      GrpcUtil.closeQuietly(keyCertChain);
+      GrpcUtil.closeQuietly(key);
+    }
+  }
+
   /**
    * Set ciphers and APN appropriate for gRPC. Precisely what is set is permitted to change, so if
    * an application requires particular settings it should override the options set here.