Implement using system root trust ca for TLS server authentication for XDS

xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java

@@ -16,6 +16,8 @@
 
 package io.grpc.xds;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+
 import com.google.auto.value.AutoValue;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
@@ -41,13 +43,13 @@ private EnvoyServerProtoData() {
   }
 
   public abstract static class BaseTlsContext {
-    @Nullable protected final CommonTlsContext commonTlsContext;
+    protected final CommonTlsContext commonTlsContext;
 
-    protected BaseTlsContext(@Nullable CommonTlsContext commonTlsContext) {
-      this.commonTlsContext = commonTlsContext;
+    protected BaseTlsContext(CommonTlsContext commonTlsContext) {
+      this.commonTlsContext = checkNotNull(commonTlsContext, "commonTlsContext cannot be null.");
     }
 
-    @Nullable public CommonTlsContext getCommonTlsContext() {
+    public CommonTlsContext getCommonTlsContext() {
       return commonTlsContext;
     }
 

xds/src/main/java/io/grpc/xds/XdsClusterResource.java

@@ -46,6 +46,7 @@
 import io.grpc.xds.XdsClusterResource.CdsUpdate;
 import io.grpc.xds.client.XdsClient.ResourceUpdate;
 import io.grpc.xds.client.XdsResourceType;
+import io.grpc.xds.internal.security.CommonTlsContextUtil;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
@@ -430,9 +431,10 @@ static void validateCommonTlsContext(
     }
     String rootCaInstanceName = getRootCertInstanceName(commonTlsContext);
     if (rootCaInstanceName == null) {
-      if (!server) {
+      if (!server && !CommonTlsContextUtil.isUsingSystemRootCerts(commonTlsContext)) {
         throw new ResourceInvalidException(
-            "ca_certificate_provider_instance is required in upstream-tls-context");
+            "ca_certificate_provider_instance or system_root_certs is required in "
+                + "upstream-tls-context");
       }
     } else {
       if (certProviderInstances == null || !certProviderInstances.contains(rootCaInstanceName)) {

xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java

@@ -16,8 +16,6 @@
 
 package io.grpc.xds.internal.security;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
@@ -44,17 +42,9 @@ final class ClientSslContextProviderFactory
   /** Creates an SslContextProvider from the given UpstreamTlsContext. */
   @Override
   public SslContextProvider create(UpstreamTlsContext upstreamTlsContext) {
-    checkNotNull(upstreamTlsContext, "upstreamTlsContext");
-    checkNotNull(
-        upstreamTlsContext.getCommonTlsContext(),
-        "upstreamTlsContext should have CommonTlsContext");
-    if (CommonTlsContextUtil.hasCertProviderInstance(
-        upstreamTlsContext.getCommonTlsContext())) {
-      return certProviderClientSslContextProviderFactory.getProvider(
-          upstreamTlsContext,
-          bootstrapInfo.node().toEnvoyProtoNode(),
-          bootstrapInfo.certProviders());
-    }
-    throw new UnsupportedOperationException("Unsupported configurations in UpstreamTlsContext!");
+    return certProviderClientSslContextProviderFactory.getProvider(
+        upstreamTlsContext,
+        bootstrapInfo.node().toEnvoyProtoNode(),
+        bootstrapInfo.certProviders());
   }
 }

xds/src/main/java/io/grpc/xds/internal/security/CommonTlsContextUtil.java

@@ -25,7 +25,7 @@ public final class CommonTlsContextUtil {
 
   private CommonTlsContextUtil() {}
 
-  static boolean hasCertProviderInstance(CommonTlsContext commonTlsContext) {
+  public static boolean hasCertProviderInstance(CommonTlsContext commonTlsContext) {
     if (commonTlsContext == null) {
       return false;
     }
@@ -65,4 +65,15 @@ public static CommonTlsContext.CertificateProviderInstance convert(
         .setInstanceName(pluginInstance.getInstanceName())
         .setCertificateName(pluginInstance.getCertificateName()).build();
   }
+
+  public static boolean isUsingSystemRootCerts(CommonTlsContext commonTlsContext) {
+    if (commonTlsContext.hasCombinedValidationContext()) {
+      return commonTlsContext.getCombinedValidationContext().getDefaultValidationContext()
+          .hasSystemRootCerts();
+    }
+    if (commonTlsContext.hasValidationContext()) {
+      return commonTlsContext.getValidationContext().hasSystemRootCerts();
+    }
+    return false;
+  }
 }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -16,8 +16,6 @@
 
 package io.grpc.xds.internal.security.certprovider;
 
-import static com.google.common.base.Preconditions.checkNotNull;
-
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
@@ -46,7 +44,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         node,
         certProviders,
         certInstance,
-        checkNotNull(rootCertInstance, "Client SSL requires rootCertInstance"),
+        rootCertInstance,
         staticCertValidationContext,
         upstreamTlsContext,
         certificateProviderStore);
@@ -56,12 +54,15 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
   protected final SslContextBuilder getSslContextBuilder(
           CertificateValidationContext certificateValidationContextdationContext)
       throws CertStoreException {
-    SslContextBuilder sslContextBuilder =
-        GrpcSslContexts.forClient()
-            .trustManager(
-                new XdsTrustManagerFactory(
-                    savedTrustedRoots.toArray(new X509Certificate[0]),
-                    certificateValidationContextdationContext));
+    SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
+    // Null rootCertInstance implies hasSystemRootCerts because of the check in
+    // {@link CertProviderClientSslContextProviderFactory}.
+    if (rootCertInstance != null) {
+      sslContextBuilder.trustManager(
+          new XdsTrustManagerFactory(
+              savedTrustedRoots.toArray(new X509Certificate[0]),
+              certificateValidationContextdationContext));
+    }
     if (isMtls()) {
       sslContextBuilder.keyManager(savedKey, savedCertChain);
     }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java

@@ -25,6 +25,7 @@
 import io.grpc.Internal;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.internal.security.CommonTlsContextUtil;
 import io.grpc.xds.internal.security.SslContextProvider;
 import java.util.Map;
 import javax.annotation.Nullable;
@@ -64,13 +65,17 @@ public SslContextProvider getProvider(
         = CertProviderSslContextProvider.getRootCertProviderInstance(commonTlsContext);
     CommonTlsContext.CertificateProviderInstance certInstance
         = CertProviderSslContextProvider.getCertProviderInstance(commonTlsContext);
-    return new CertProviderClientSslContextProvider(
-        node,
-        certProviders,
-        certInstance,
-        rootCertInstance,
-        staticCertValidationContext,
-        upstreamTlsContext,
-        certificateProviderStore);
+    if (CommonTlsContextUtil.hasCertProviderInstance(upstreamTlsContext.getCommonTlsContext())
+        || CommonTlsContextUtil.isUsingSystemRootCerts(upstreamTlsContext.getCommonTlsContext())) {
+      return new CertProviderClientSslContextProvider(
+          node,
+          certProviders,
+          certInstance,
+          rootCertInstance,
+          staticCertValidationContext,
+          upstreamTlsContext,
+          certificateProviderStore);
+    }
+    throw new UnsupportedOperationException("Unsupported configurations in UpstreamTlsContext!");
   }
 }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java

@@ -37,10 +37,11 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider
   @Nullable private final CertificateProviderStore.Handle certHandle;
   @Nullable private final CertificateProviderStore.Handle rootCertHandle;
   @Nullable private final CertificateProviderInstance certInstance;
-  @Nullable private final CertificateProviderInstance rootCertInstance;
+  @Nullable protected final CertificateProviderInstance rootCertInstance;
   @Nullable protected PrivateKey savedKey;
   @Nullable protected List<X509Certificate> savedCertChain;
   @Nullable protected List<X509Certificate> savedTrustedRoots;
+  private final boolean isUsingSystemRootCerts;
 
   protected CertProviderSslContextProvider(
       Node node,
@@ -83,6 +84,8 @@ protected CertProviderSslContextProvider(
     } else {
       rootCertHandle = null;
     }
+    this.isUsingSystemRootCerts = CommonTlsContextUtil.isUsingSystemRootCerts(
+        tlsContext.getCommonTlsContext());
   }
 
   private static CertificateProviderInfo getCertProviderConfig(
@@ -151,7 +154,7 @@ public final void updateTrustedRoots(List<X509Certificate> trustedRoots) {
 
   private void updateSslContextWhenReady() {
     if (isMtls()) {
-      if (savedKey != null && savedTrustedRoots != null) {
+      if (savedKey != null && (savedTrustedRoots != null || isUsingSystemRootCerts)) {
         updateSslContext();
         clearKeysAndCerts();
       }
@@ -175,7 +178,7 @@ private void clearKeysAndCerts() {
   }
 
   protected final boolean isMtls() {
-    return certInstance != null && rootCertInstance != null;
+    return certInstance != null && (rootCertInstance != null || isUsingSystemRootCerts);
   }
 
   protected final boolean isClientSideTls() {

xds/src/test/java/io/grpc/xds/GrpcXdsClientImplDataTest.java

@@ -2503,7 +2503,8 @@ public void validateCommonTlsContext_validationContext() throws ResourceInvalidE
             .setValidationContext(CertificateValidationContext.getDefaultInstance())
             .build();
     thrown.expect(ResourceInvalidException.class);
-    thrown.expectMessage("ca_certificate_provider_instance is required in upstream-tls-context");
+    thrown.expectMessage("ca_certificate_provider_instance or system_root_certs is required "
+        + "in upstream-tls-context");
     XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
   }
 
@@ -2613,6 +2614,38 @@ public void validateCommonTlsContext_validationContextProviderInstance()
         .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), false);
   }
 
+  @Test
+  public void validateCommonTlsContext_combinedValidationContextSystemRootCerts()
+      throws ResourceInvalidException {
+    CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
+        .setCombinedValidationContext(
+            CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
+                .setDefaultValidationContext(
+                    CertificateValidationContext.newBuilder()
+                        .setSystemRootCerts(
+                            CertificateValidationContext.SystemRootCerts.newBuilder().build())
+                        .build()
+                )
+                .build())
+        .build();
+    XdsClusterResource
+        .validateCommonTlsContext(commonTlsContext, ImmutableSet.of(), false);
+  }
+
+  @Test
+  public void validateCommonTlsContext_validationContextSystemRootCerts()
+      throws ResourceInvalidException {
+    CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
+        .setValidationContext(
+            CertificateValidationContext.newBuilder()
+                .setSystemRootCerts(
+                    CertificateValidationContext.SystemRootCerts.newBuilder().build())
+                .build())
+        .build();
+    XdsClusterResource
+        .validateCommonTlsContext(commonTlsContext, ImmutableSet.of(), false);
+  }
+
   @Test
   @SuppressWarnings("deprecation")
   public void validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile()
@@ -2674,7 +2707,8 @@ public void validateCommonTlsContext_combinedValidationContext_isRequiredForClie
     CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
         .build();
     thrown.expect(ResourceInvalidException.class);
-    thrown.expectMessage("ca_certificate_provider_instance is required in upstream-tls-context");
+    thrown.expectMessage("ca_certificate_provider_instance or system_root_certs is required "
+        + "in upstream-tls-context");
     XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
   }
 
@@ -2687,7 +2721,8 @@ public void validateCommonTlsContext_combinedValidationContextWithoutCertProvide
         .build();
     thrown.expect(ResourceInvalidException.class);
     thrown.expectMessage(
-        "ca_certificate_provider_instance is required in upstream-tls-context");
+        "ca_certificate_provider_instance or system_root_certs is required in "
+            + "upstream-tls-context");
     XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
   }
 

xds/src/test/java/io/grpc/xds/GrpcXdsClientImplTestBase.java

@@ -2218,7 +2218,8 @@ public void cdsResponseErrorHandling_badUpstreamTlsContext() {
     String errorMsg =  "CDS response Cluster 'cluster.googleapis.com' validation error: "
             + "Cluster cluster.googleapis.com: malformed UpstreamTlsContext: "
             + "io.grpc.xds.client.XdsResourceType$ResourceInvalidException: "
-            + "ca_certificate_provider_instance is required in upstream-tls-context";
+            + "ca_certificate_provider_instance or system_root_certs is required in "
+            + "upstream-tls-context";
     call.verifyRequestNack(CDS, CDS_RESOURCE, "", "0000", NODE, ImmutableList.of(errorMsg));
     verify(cdsResourceWatcher).onError(errorCaptor.capture());
     verifyStatusWithNodeId(errorCaptor.getValue(), Code.UNAVAILABLE, errorMsg);