CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/maven-io-grpc--grpc-util

Advanced utilities for gRPC Java providing load balancing, TLS management, and server utilities

Pending
Overview
Eval results
Files

tls-management.mddocs/

TLS and Certificate Management

Advanced TLS certificate and key management utilities that provide automatic certificate reloading, custom verification, and flexible trust store configuration for gRPC connections.

Capabilities

Advanced Trust Manager

The AdvancedTlsX509TrustManager provides enhanced trust management with certificate reloading and custom verification capabilities.

/**
 * Advanced TLS trust manager with certificate reloading and custom verification.
 * Supports automatic certificate refresh from files and custom peer verification.
 */
public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager {
  
  /**
   * Creates a new builder for configuring the trust manager
   * @return Builder instance for configuration
   */
  public static Builder newBuilder();

  /**
   * Uses the default trust certificates stored on user's local system
   * @throws CertificateException if certificate processing fails
   * @throws KeyStoreException if keystore operations fail  
   * @throws NoSuchAlgorithmException if trust manager algorithm unavailable
   */
  public void useSystemDefaultTrustCerts() throws CertificateException, KeyStoreException, NoSuchAlgorithmException;

  /**
   * Updates the current cached trust certificates
   * @param trustCerts the trust certificates to use
   * @throws IOException if certificate processing fails
   * @throws GeneralSecurityException if security operations fail
   */
  public void updateTrustCredentials(X509Certificate[] trustCerts) throws IOException, GeneralSecurityException;

  /**
   * Updates trust certificates from a local file path
   * @param trustCertFile the file containing trust certificates
   * @throws IOException if file operations fail
   * @throws GeneralSecurityException if certificate processing fails
   */
  public void updateTrustCredentials(File trustCertFile) throws IOException, GeneralSecurityException;

  /**
   * Schedules periodic reading of trust certificates from file
   * @param trustCertFile the file containing trust certificates
   * @param period the period between successive read-and-update executions
   * @param unit the time unit of the period parameter
   * @param executor the executor service used to read and update the credentials
   * @return a Closeable that caller should close when file refreshes are not needed
   * @throws IOException if file operations fail
   * @throws GeneralSecurityException if certificate processing fails
   */
  public Closeable updateTrustCredentials(File trustCertFile, long period, TimeUnit unit, ScheduledExecutorService executor) throws IOException, GeneralSecurityException;
}

Builder Configuration:

public static final class Builder {
  /**
   * Sets verification mode for peer certificate authentication
   * @param verification the verification mode to use
   * @return Builder instance for method chaining
   */
  public Builder setVerification(Verification verification);

  /**
   * Sets custom peer verifier for additional certificate checks
   * @param verifier the custom peer verifier
   * @return Builder instance for method chaining  
   */
  public Builder setSslSocketAndEnginePeerVerifier(SslSocketAndEnginePeerVerifier verifier);

  /**
   * Builds the configured trust manager
   * @return configured AdvancedTlsX509TrustManager instance
   * @throws CertificateException if trust manager creation fails
   */
  public AdvancedTlsX509TrustManager build() throws CertificateException;
}

Verification Modes:

public enum Verification {
  /** Performs both certificate and hostname verification (RECOMMENDED) */
  CERTIFICATE_AND_HOST_NAME_VERIFICATION,
  /** Performs only certificate verification (requires custom peer verification) */
  CERTIFICATE_ONLY_VERIFICATION,
  /** Skips all verification (DANGEROUS - requires custom implementation) */
  INSECURELY_SKIP_ALL_VERIFICATION
}

Custom Peer Verification:

public interface SslSocketAndEnginePeerVerifier {
  /**
   * Verifies peer certificate chain for socket connections
   * @param peerCertChain the certificate chain from the peer
   * @param authType the key exchange algorithm used
   * @param socket the socket used for connection (may be null)
   * @throws CertificateException if verification fails
   */
  void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, Socket socket) throws CertificateException;

  /**
   * Verifies peer certificate chain for engine connections  
   * @param peerCertChain the certificate chain from the peer
   * @param authType the key exchange algorithm used
   * @param engine the SSL engine used for connection (may be null)
   * @throws CertificateException if verification fails
   */
  void verifyPeerCertificate(X509Certificate[] peerCertChain, String authType, SSLEngine engine) throws CertificateException;
}

Usage Examples:

import io.grpc.util.AdvancedTlsX509TrustManager;
import java.security.cert.X509Certificate;
import java.io.File;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Basic trust manager with system defaults
AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder()
    .setVerification(AdvancedTlsX509TrustManager.Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION)
    .build();
trustManager.useSystemDefaultTrustCerts();

// Trust manager with custom certificates
X509Certificate[] customCerts = loadCustomCertificates();
trustManager.updateTrustCredentials(customCerts);

// Trust manager with automatic certificate reloading
File certFile = new File("/path/to/trust-certs.pem");
AdvancedTlsX509TrustManager.Closeable reloader = trustManager.updateTrustCredentials(
    certFile, 
    30, 
    TimeUnit.MINUTES, 
    Executors.newScheduledThreadPool(1)
);

// Remember to close the reloader when done
reloader.close();

Advanced Key Manager

The AdvancedTlsX509KeyManager provides enhanced key management with identity credential reloading capabilities.

/**
 * Advanced key manager with identity credential reloading capabilities.
 * Supports automatic credential refresh from files.
 * Uses default constructor for instantiation.
 */
public final class AdvancedTlsX509KeyManager extends X509ExtendedKeyManager {

  /**
   * Creates a new advanced key manager instance
   */
  public AdvancedTlsX509KeyManager();

  /**
   * Updates current cached private key and certificate chains
   * @param certs the certificate chain to use  
   * @param key the private key to use
   * @throws IOException if credential processing fails
   * @throws GeneralSecurityException if security operations fail
   */
  public void updateIdentityCredentials(X509Certificate[] certs, PrivateKey key) throws IOException, GeneralSecurityException;

  /**
   * Updates identity credentials from local files
   * @param certFile the file containing certificate chain
   * @param keyFile the file containing private key
   * @throws IOException if file operations fail
   * @throws GeneralSecurityException if credential processing fails
   */
  public void updateIdentityCredentials(File certFile, File keyFile) throws IOException, GeneralSecurityException;

  /**
   * Schedules periodic reading of identity credentials from files
   * @param certFile the file containing certificate chain
   * @param keyFile the file containing private key  
   * @param period the period between successive updates
   * @param unit the time unit of the period parameter
   * @param executor the executor service for scheduled updates
   * @return Closeable to stop the scheduled updates
   * @throws IOException if initial file read fails
   * @throws GeneralSecurityException if credential processing fails
   */
  public Closeable updateIdentityCredentials(File certFile, File keyFile, long period, TimeUnit unit, ScheduledExecutorService executor) throws IOException, GeneralSecurityException;
}

Usage Examples:

import io.grpc.util.AdvancedTlsX509KeyManager;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.io.File;

// Basic key manager with credentials
AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
X509Certificate[] certChain = loadCertificateChain();
PrivateKey privateKey = loadPrivateKey();
keyManager.updateIdentityCredentials(certChain, privateKey);

// Key manager with automatic credential reloading
File certFile = new File("/path/to/server-cert.pem");
File keyFile = new File("/path/to/server-key.pem");
AdvancedTlsX509KeyManager.Closeable reloader = keyManager.updateIdentityCredentials(
    certFile, 
    keyFile,
    60, 
    TimeUnit.MINUTES, 
    Executors.newScheduledThreadPool(1)
);

Closeable Interface

Specialized Closeable interface for resource management in TLS operations.

/**
 * Custom Closeable interface that extends java.io.Closeable
 * Used by credential reloading methods to manage scheduled tasks
 */
public interface Closeable extends java.io.Closeable {
  /**
   * Closes the resource without throwing checked exceptions
   */
  @Override
  void close();
}

Certificate Utilities

Utility methods for parsing certificates and private keys from PEM format.

/**
 * Utility methods for certificate and private key parsing.
 * All methods are static and thread-safe.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024")
public final class CertificateUtils {

  /**
   * Generates X509Certificate array from PEM formatted input stream
   * @param inputStream input stream containing PEM formatted certificates
   * @return array of X509Certificate instances
   * @throws IOException if stream reading fails
   * @throws GeneralSecurityException if certificate parsing fails
   */
  public static X509Certificate[] getX509Certificates(InputStream inputStream) throws IOException, GeneralSecurityException;

  /**
   * Generates PrivateKey from PKCS #8 formatted PEM input stream
   * @param inputStream input stream containing PKCS #8 formatted private key
   * @return PrivateKey instance
   * @throws IOException if stream reading fails  
   * @throws GeneralSecurityException if key parsing fails
   */
  public static PrivateKey getPrivateKey(InputStream inputStream) throws IOException, GeneralSecurityException;
}

Usage Examples:

import io.grpc.util.CertificateUtils;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

// Parse certificates from PEM file
try (InputStream certStream = new FileInputStream("certificates.pem")) {
    X509Certificate[] certificates = CertificateUtils.getX509Certificates(certStream);
}

// Parse private key from PEM file  
try (InputStream keyStream = new FileInputStream("private-key.pem")) {
    PrivateKey privateKey = CertificateUtils.getPrivateKey(keyStream);
}

Types

/**
 * Non-throwing closeable interface for cleanup operations
 */
public interface Closeable extends java.io.Closeable {
  @Override
  void close();
}

Security Considerations

  • Always use CERTIFICATE_AND_HOST_NAME_VERIFICATION for production environments
  • CERTIFICATE_ONLY_VERIFICATION requires additional peer verification to be secure
  • INSECURELY_SKIP_ALL_VERIFICATION should never be used in production
  • When using automatic reloading, ensure certificate files have appropriate file permissions
  • Minimum refresh period is automatically enforced at 1 minute for security reasons
  • Always close Closeable instances returned by scheduling methods to prevent resource leaks

Install with Tessl CLI

npx tessl i tessl/maven-io-grpc--grpc-util

docs

forwarding-utilities.md

index.md

load-balancing.md

server-utilities.md

tls-management.md

tile.json