okhttp/src/main/java/io/grpc/okhttp/OkHttpTlsUpgrader.java - platform/external/grpc-grpc-java - Git at Google

 /*
  * Copyright 2014 The gRPC Authors
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package io.grpc.okhttp;

 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import io.grpc.okhttp.internal.ConnectionSpec;
 import io.grpc.okhttp.internal.OkHostnameVerifier;
 import io.grpc.okhttp.internal.Protocol;
 import java.io.IOException;
 import java.net.Socket;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;

 /**
  * A helper class that located in package com.squareup.okhttp, so that we can use OkHttp internals
  * to do TLS upgrading.
  */
 final class OkHttpTlsUpgrader {

   /*
    * List of ALPN/NPN protocols in order of preference. GRPC_EXP requires that
    * HTTP_2 be present and that GRPC_EXP should be preferenced over HTTP_2.
    */
   @VisibleForTesting
   static final List<Protocol> TLS_PROTOCOLS =
       Collections.unmodifiableList(Arrays.<Protocol>asList(Protocol.GRPC_EXP, Protocol.HTTP_2));

   /**
    * Upgrades given Socket to be a SSLSocket.
    *
    * @throws IOException if an IO error was encountered during the upgrade handshake.
    * @throws RuntimeException if the upgrade negotiation failed.
    */
   public static SSLSocket upgrade(SSLSocketFactory sslSocketFactory,
       HostnameVerifier hostnameVerifier, Socket socket, String host, int port,
       ConnectionSpec spec) throws IOException {
     Preconditions.checkNotNull(sslSocketFactory, "sslSocketFactory");
     Preconditions.checkNotNull(socket, "socket");
     Preconditions.checkNotNull(spec, "spec");
     SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(
         socket, host, port, true /* auto close */);
     spec.apply(sslSocket, false);
     String negotiatedProtocol = OkHttpProtocolNegotiator.get().negotiate(
         sslSocket, host, spec.supportsTlsExtensions() ? TLS_PROTOCOLS : null);
     Preconditions.checkState(
         TLS_PROTOCOLS.contains(Protocol.get(negotiatedProtocol)),
         "Only " + TLS_PROTOCOLS + " are supported, but negotiated protocol is %s",
         negotiatedProtocol);

     if (hostnameVerifier == null) {
       hostnameVerifier = OkHostnameVerifier.INSTANCE;
     }
     if (!hostnameVerifier.verify(canonicalizeHost(host), sslSocket.getSession())) {
       throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
     }
     return sslSocket;
   }

   /**
    * Converts a host from URI to X509 format.
    *
    * <p>IPv6 host addresses derived from URIs are enclosed in square brackets per RFC2732, but
    * omit these brackets in X509 certificate subjectAltName extensions per RFC5280.
    *
    * @see <a href="https://www.ietf.org/rfc/rfc2732.txt">RFC2732</a>
    * @see <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.6">RFC5280</a>
    *
    * @return {@param host} in a form consistent with X509 certificates
    */
   @VisibleForTesting
   static String canonicalizeHost(String host) {
     if (host.startsWith("[") && host.endsWith("]")) {
       return host.substring(1, host.length() - 1);
     }
     return host;
   }
 }
	/*
	* Copyright 2014 The gRPC Authors
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package io.grpc.okhttp;

	import com.google.common.annotations.VisibleForTesting;
	import com.google.common.base.Preconditions;
	import io.grpc.okhttp.internal.ConnectionSpec;
	import io.grpc.okhttp.internal.OkHostnameVerifier;
	import io.grpc.okhttp.internal.Protocol;
	import java.io.IOException;
	import java.net.Socket;
	import java.util.Arrays;
	import java.util.Collections;
	import java.util.List;
	import javax.net.ssl.HostnameVerifier;
	import javax.net.ssl.SSLPeerUnverifiedException;
	import javax.net.ssl.SSLSocket;
	import javax.net.ssl.SSLSocketFactory;

	/**
	* A helper class that located in package com.squareup.okhttp, so that we can use OkHttp internals
	* to do TLS upgrading.
	*/
	final class OkHttpTlsUpgrader {

	/*
	* List of ALPN/NPN protocols in order of preference. GRPC_EXP requires that
	* HTTP_2 be present and that GRPC_EXP should be preferenced over HTTP_2.
	*/
	@VisibleForTesting
	static final List<Protocol> TLS_PROTOCOLS =
	Collections.unmodifiableList(Arrays.<Protocol>asList(Protocol.GRPC_EXP, Protocol.HTTP_2));

	/**
	* Upgrades given Socket to be a SSLSocket.
	*
	* @throws IOException if an IO error was encountered during the upgrade handshake.
	* @throws RuntimeException if the upgrade negotiation failed.
	*/
	public static SSLSocket upgrade(SSLSocketFactory sslSocketFactory,
	HostnameVerifier hostnameVerifier, Socket socket, String host, int port,
	ConnectionSpec spec) throws IOException {
	Preconditions.checkNotNull(sslSocketFactory, "sslSocketFactory");
	Preconditions.checkNotNull(socket, "socket");
	Preconditions.checkNotNull(spec, "spec");
	SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(
	socket, host, port, true /* auto close */);
	spec.apply(sslSocket, false);
	String negotiatedProtocol = OkHttpProtocolNegotiator.get().negotiate(
	sslSocket, host, spec.supportsTlsExtensions() ? TLS_PROTOCOLS : null);
	Preconditions.checkState(
	TLS_PROTOCOLS.contains(Protocol.get(negotiatedProtocol)),
	"Only " + TLS_PROTOCOLS + " are supported, but negotiated protocol is %s",
	negotiatedProtocol);

	if (hostnameVerifier == null) {
	hostnameVerifier = OkHostnameVerifier.INSTANCE;
	}
	if (!hostnameVerifier.verify(canonicalizeHost(host), sslSocket.getSession())) {
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	}
	return sslSocket;
	}

	/**
	* Converts a host from URI to X509 format.
	*
	* <p>IPv6 host addresses derived from URIs are enclosed in square brackets per RFC2732, but
	* omit these brackets in X509 certificate subjectAltName extensions per RFC5280.
	*
	* @see <a href="https://www.ietf.org/rfc/rfc2732.txt">RFC2732</a>
	* @see <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.6">RFC5280</a>
	*
	* @return {@param host} in a form consistent with X509 certificates
	*/
	@VisibleForTesting
	static String canonicalizeHost(String host) {
	if (host.startsWith("[") && host.endsWith("]")) {
	return host.substring(1, host.length() - 1);
	}
	return host;
	}
	}