dmsolr commented on a change in pull request #15:
URL: https://github.com/apache/skywalking-java/pull/15#discussion_r698685415



##########
File path: apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
##########
@@ -23,31 +23,61 @@
 import io.grpc.netty.NettyChannelBuilder;
 import io.netty.handler.ssl.SslContextBuilder;
 import java.io.File;
-import javax.net.ssl.SSLException;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
 import org.apache.skywalking.apm.agent.core.conf.Config;
-import org.apache.skywalking.apm.agent.core.conf.Constants;
+import org.apache.skywalking.apm.agent.core.logging.api.ILog;
+import org.apache.skywalking.apm.agent.core.logging.api.LogManager;
+import org.apache.skywalking.apm.agent.core.util.PrivateKeyUtil;
+import org.apache.skywalking.apm.util.StringUtil;
 
 /**
- * Detect the `/ca` folder in agent package, if `ca.crt` exists, start TLS (no 
mutual auth).
+ * If only ca.crt exists, start TLS. If cert, key and ca files exist, enable 
mTLS.
  */
 public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
-    private static String CA_FILE_NAME = "ca" + Constants.PATH_SEPARATOR + 
"ca.crt";
+    private static final ILog LOGGER = 
LogManager.getLogger(TLSChannelBuilder.class);
 
     @Override
     public NettyChannelBuilder build(
-        NettyChannelBuilder managedChannelBuilder) throws 
AgentPackageNotFoundException, SSLException {
-        File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
-        boolean isCAFileExist = caFile.exists() && caFile.isFile();
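
Review bot: the new class Javadoc ("If only ca.crt exists, start TLS. If cert, key and ca files exist, enable mTLS.") leaves the partial cases undefined: a cert without its key, or cert and key without a ca file. Please state what build() does in those cases and report them through the new LOGGER, so a half-configured agent does not silently end up on one-way TLS when mTLS was intended. The old Javadoc also named the `/ca` folder in the agent package; with CA_FILE_NAME removed, the comment should say where the file paths now come from.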

Review comment:
   Remove means removing this part, `caFile.exists()`, right? `File#isFile()` being true means the file exists.
   JDK docs say:
   > return: true if and only if the file denoted by this abstract pathname exists and is a normal file; false otherwise

   Testing `caFile#isFile()` twice is the previous logic. There is a case where SSL/TLS is enabled without a CA certificate by the force switch. And when the CA file is detected, SSL/TLS is enabled by default.
   The second time, the CA certificate has to be loaded into the SSL context when it exists.
   




-- 
This is an automated message from the Apache Git Service.
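
The file-presence decision discussed in the comment above, as an added example that is not part of the original message or of SkyWalking's code. The class, enum and parameter names are hypothetical, and two behaviours are assumptions of this sketch: forced TLS without a CA file falls back to the default trust store, and incomplete client credentials are rejected.

```java
import java.io.File;

// Added illustration; all names here are hypothetical, not SkyWalking's API.
public class TlsModeResolver {
    enum Mode { PLAINTEXT, TLS_DEFAULT_TRUST, TLS_CUSTOM_CA, MTLS }

    // File#isFile() is true only if the path exists and is a normal file,
    // so a separate exists() check adds nothing.
    static boolean present(String path) {
        return path != null && !path.isEmpty() && new File(path).isFile();
    }

    static Mode resolve(boolean forceTls, String caPath, String certPath, String keyPath) {
        boolean ca = present(caPath);
        boolean cert = present(certPath);
        boolean key = present(keyPath);

        // A client certificate without its key (or the reverse) is a misconfiguration.
        // Assumption: fail closed instead of silently downgrading to one-way TLS.
        if (cert != key) {
            throw new IllegalStateException("client cert and key must both be present or both absent");
        }
        if (cert && ca) return Mode.MTLS;
        if (cert) throw new IllegalStateException("client cert/key given without a CA file");
        if (ca) return Mode.TLS_CUSTOM_CA;
        // No CA file: TLS only when the force switch is on (assumed default trust store).
        return forceTls ? Mode.TLS_DEFAULT_TRUST : Mode.PLAINTEXT;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: temp files stand in for the CA, client cert and key.
        File ca = File.createTempFile("ca", ".crt");
        File cert = File.createTempFile("client", ".crt");
        File key = File.createTempFile("client", ".pem");
        ca.deleteOnExit(); cert.deleteOnExit(); key.deleteOnExit();
        File dir = ca.getParentFile(); // a directory: exists() is true, isFile() is false

        System.out.println(resolve(false, null, null, null));
        System.out.println(resolve(true, null, null, null));
        System.out.println(resolve(false, ca.getPath(), null, null));
        System.out.println(resolve(false, ca.getPath(), cert.getPath(), key.getPath()));
        System.out.println(resolve(false, dir.getPath(), null, null)); // directory is not a CA file
        try { resolve(false, ca.getPath(), cert.getPath(), null); }
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```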