From 8fda4e9e49c48caf7c8ed7df94c2929dbd4b5a86 Mon Sep 17 00:00:00 2001
From: Ken Payson <kpayson@google.com>
Date: Mon, 6 Mar 2017 14:04:59 -0800
Subject: [PATCH] okhttp: Add restricted AppEngine SSL setup

---
 .../io/grpc/okhttp/OkHttpChannelBuilder.java  | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
index 7bf39d4bfff..d8c9e8bf48a 100644
--- a/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
+++ b/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
@@ -53,6 +53,8 @@
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.SecureRandom;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -60,6 +62,7 @@
 import javax.annotation.Nullable;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
 
 /** Convenience class for building channels with the OkHttp transport. */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/1785")
@@ -252,7 +255,25 @@ SSLSocketFactory createSocketFactory() {
       case TLS:
         try {
           if (sslSocketFactory == null) {
-            SSLContext sslContext = SSLContext.getInstance("Default", Platform.get().getProvider());
+            SSLContext sslContext;
+            if (GrpcUtil.IS_RESTRICTED_APPENGINE) {
+              // The following auth code circumvents the following AccessControlException:
+              // access denied ("java.util.PropertyPermission" "javax.net.ssl.keyStore" "read")
+              // Conscrypt will attempt to load the default KeyStore if a trust manager is not
+              // provided, which is forbidden on AppEngine
+              sslContext = SSLContext.getInstance("TLS", Platform.get().getProvider());
+              TrustManagerFactory trustManagerFactory =
+                  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+              trustManagerFactory.init((KeyStore) null);
+              sslContext.init(
+                  null,
+                  trustManagerFactory.getTrustManagers(),
+                  // Use an algorithm that doesn't need /dev/urandom
+                  SecureRandom.getInstance("SHA1PRNG", Platform.get().getProvider()));
+
+            } else {
+              sslContext = SSLContext.getInstance("Default", Platform.get().getProvider());
+            }
             sslSocketFactory = sslContext.getSocketFactory();
           }
           return sslSocketFactory;