Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

okhttp: support Conscrypt security provider #3971

Merged
merged 2 commits into from Jan 31, 2018
Merged

okhttp: support Conscrypt security provider #3971

merged 2 commits into from Jan 31, 2018

Conversation

ericgribkoff
Copy link
Contributor

This addresses #3966 and incorporates the text changes to SECURITY.md from #3301. Tested with org.conscrypt:conscrypt-android:1.0.0.RC14, as well as Google Play's security provider.

This changes our detection of the Google Play security provider from using the class name to the provider name, GmsCore_OpenSSL. This would seem to be equally as stable, and recent versions of OkHttp do the check similarly, although I realized in testing this that OkHttp uses GMSCore_OpenSSL, which did not work in my tests (checking elsewhere, it should indeed be GmsCore_OpenSSL, and the lookup is case-sensitive).

@ericgribkoff ericgribkoff added the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Jan 16, 2018
@kokoro-team kokoro-team removed kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary labels Jan 16, 2018
ejona86
ejona86 approved these changes Jan 17, 2018
View reviewed changes
okhttp/src/test/java/io/grpc/okhttp/OkHttpProtocolNegotiatorTest.java Outdated
assertEquals(TlsExtensionType.ALPN_AND_NPN, tlsExtensionType);

// Clean up
Security.removeProvider(fakeConscrypt.getName());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

try-finally or similar (could maybe remove it unconditionally in the @After).

@ejona86 ejona86 mentioned this pull request Jan 17, 2018
Closed
ejona86
ejona86 reviewed Jan 17, 2018
View reviewed changes
SECURITY.md Outdated
import java.security.Security;
...

Security.addProvider(Conscrypt.newProvider());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should prefer insertProviderAt so that Conscrypt can be prioritized.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

okhttp/third_party/okhttp/java/io/grpc/okhttp/internal/Platform.java Outdated
*/
private static Provider getAndroidSecurityProvider() {
for (String providerClassName : ANDROID_SECURITY_PROVIDERS) {
for (String providerName : ANDROID_SECURITY_PROVIDERS) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should loop through the providers in order and choose the first we can use. That way the user has some way of configuring our behavior, and our behavior will better match expectations.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@ericgribkoff
Copy link
Contributor Author

Moved the logic to decide what TLS extensions are available into Platform. This seems like where it belongs, since the Platform already decides on the security provider using similar logic. This means that tests of this logic are gone from OkHttpProtocolNegotiatorTest (but this maybe isn't so much worse than the status quo since we never had tests for picking the actual provider anyways). I've manually tested the changes on emulators, but this almost certainly deserves some test coverage. I didn't add tests yet, as to-date we don't have any (?) tests of the copied OkHttp classes (and simulating all the different platforms/API levels looks a little tricky), but I can add tests if the approach here looks good.

Worth noting: recent Android builds have AndroidNSSP (Android Network Security Policy) as the #1 security provider. I haven't looked into it, but it might be worthwhile adding this to the list of recognized security providers later.

@ericgribkoff
Copy link
Contributor Author

@ejona86 FYI this was heavily refactored/redone since the earlier approval, so I'm holding off on merging until you have a chance to (re)review

@ericgribkoff ericgribkoff merged commit 722d6f0 into grpc:master Jan 31, 2018
@ericgribkoff ericgribkoff deleted the conscrypt branch January 31, 2018 18:45
@ericgribkoff ericgribkoff mentioned this pull request Jan 31, 2018
Closed
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ejona86 ejona86 ejona86 approved these changes

Assignees

@ejona86 ejona86

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ericgribkoff @ejona86 @kokoro-team