xds: security code refactoring/renaming (#9555)

* xds: security code refactoring/renaming 1) move certprovider package under security 2) refactor inner Factory into CertProviderClientSslContextProviderFactory and CertProviderServerSslContextProviderFactory 3) Make CertProviderClientSslContextProvider and CertProviderServerSslContextProvider non-public 4) use only public (non package private) types like SslContextProvider (instead of CertProviderClientSslContextProvider etc)
2022-09-24 00:05:15 -07:00 · 2022-09-24 00:05:15 -07:00 · 6f8e44a7f5
parent 0cda133c52
commit 6f8e44a7f5
25 changed files with 261 additions and 170 deletions
--- a/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java
@ -20,23 +20,23 @@ import static com.google.common.base.Preconditions.checkNotNull;

 import io.grpc.xds.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
-import io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
+import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderFactory;

 /** Factory to create client-side SslContextProvider from UpstreamTlsContext. */
 final class ClientSslContextProviderFactory
    implements ValueFactory<UpstreamTlsContext, SslContextProvider> {

  private BootstrapInfo bootstrapInfo;
-  private final CertProviderClientSslContextProvider.Factory
+  private final CertProviderClientSslContextProviderFactory
      certProviderClientSslContextProviderFactory;

  ClientSslContextProviderFactory(BootstrapInfo bootstrapInfo) {
-    this(bootstrapInfo, CertProviderClientSslContextProvider.Factory.getInstance());
+    this(bootstrapInfo, CertProviderClientSslContextProviderFactory.getInstance());
  }

  ClientSslContextProviderFactory(
-      BootstrapInfo bootstrapInfo, CertProviderClientSslContextProvider.Factory factory) {
+      BootstrapInfo bootstrapInfo, CertProviderClientSslContextProviderFactory factory) {
    this.bootstrapInfo = bootstrapInfo;
    this.certProviderClientSslContextProviderFactory = factory;
  }
--- a/xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java
@ -21,6 +21,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import com.google.common.collect.ImmutableList;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
 import io.grpc.Status;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
@ -34,6 +35,7 @@ import java.util.List;
 import javax.annotation.Nullable;

 /** Base class for dynamic {@link SslContextProvider}s. */
+@Internal
 public abstract class DynamicSslContextProvider extends SslContextProvider {

  protected final List<Callback> pendingCallbacks = new ArrayList<>();
--- a/xds/src/main/java/io/grpc/xds/internal/security/ServerSslContextProviderFactory.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/ServerSslContextProviderFactory.java
@ -20,23 +20,23 @@ import static com.google.common.base.Preconditions.checkNotNull;

 import io.grpc.xds.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
-import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
+import io.grpc.xds.internal.security.certprovider.CertProviderServerSslContextProviderFactory;

 /** Factory to create server-side SslContextProvider from DownstreamTlsContext. */
 final class ServerSslContextProviderFactory
    implements ValueFactory<DownstreamTlsContext, SslContextProvider> {

  private BootstrapInfo bootstrapInfo;
-  private final CertProviderServerSslContextProvider.Factory
+  private final CertProviderServerSslContextProviderFactory
      certProviderServerSslContextProviderFactory;

  ServerSslContextProviderFactory(BootstrapInfo bootstrapInfo) {
-    this(bootstrapInfo, CertProviderServerSslContextProvider.Factory.getInstance());
+    this(bootstrapInfo, CertProviderServerSslContextProviderFactory.getInstance());
  }

  ServerSslContextProviderFactory(
-      BootstrapInfo bootstrapInfo, CertProviderServerSslContextProvider.Factory factory) {
+      BootstrapInfo bootstrapInfo, CertProviderServerSslContextProviderFactory factory) {
    this.bootstrapInfo = bootstrapInfo;
    this.certProviderServerSslContextProviderFactory = factory;
  }
--- a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java
@ -21,6 +21,7 @@ import static com.google.common.base.Preconditions.checkState;

 import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
@ -39,6 +40,7 @@ import java.util.concurrent.Executor;
 * stream that is receiving the requested secret(s) or it could represent file-system based
 * secret(s) that are dynamic.
 */
+@Internal
 public abstract class SslContextProvider implements Closeable {

  protected final BaseTlsContext tlsContext;
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@ -14,15 +14,13 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;

-import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
-import io.grpc.Internal;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
@ -34,10 +32,9 @@ import java.util.Map;
 import javax.annotation.Nullable;

 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
-@Internal
-public final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
+final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {

-  private CertProviderClientSslContextProvider(
+  CertProviderClientSslContextProvider(
      Node node,
      @Nullable Map<String, CertificateProviderInfo> certProviders,
      CommonTlsContext.CertificateProviderInstance certInstance,
@ -71,42 +68,4 @@ public final class CertProviderClientSslContextProvider extends CertProviderSslC
    return sslContextBuilder;
  }

-  /** Creates CertProviderClientSslContextProvider. */
-  @Internal
-  public static final class Factory {
-    private static final Factory DEFAULT_INSTANCE =
-        new Factory(CertificateProviderStore.getInstance());
-    private final CertificateProviderStore certificateProviderStore;
-
-    @VisibleForTesting public Factory(CertificateProviderStore certificateProviderStore) {
-      this.certificateProviderStore = certificateProviderStore;
-    }
-
-    public static Factory getInstance() {
-      return DEFAULT_INSTANCE;
-    }
-
-    /** Creates a {@link CertProviderClientSslContextProvider}. */
-    public CertProviderClientSslContextProvider getProvider(
-        UpstreamTlsContext upstreamTlsContext,
-        Node node,
-        @Nullable Map<String, CertificateProviderInfo> certProviders) {
-      checkNotNull(upstreamTlsContext, "upstreamTlsContext");
-      CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
-      CertificateValidationContext staticCertValidationContext = getStaticValidationContext(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance rootCertInstance = getRootCertProviderInstance(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance certInstance = getCertProviderInstance(
-          commonTlsContext);
-      return new CertProviderClientSslContextProvider(
-          node,
-          certProviders,
-          certInstance,
-          rootCertInstance,
-          staticCertValidationContext,
-          upstreamTlsContext,
-          certificateProviderStore);
-    }
-  }
 }
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java
@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.security.certprovider;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.envoyproxy.envoy.config.core.v3.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
+import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
+import io.grpc.xds.internal.security.SslContextProvider;
+import java.util.Map;
+import javax.annotation.Nullable;
+
+/**
+ * Creates CertProviderClientSslContextProvider.
+ */
+@Internal
+public final class CertProviderClientSslContextProviderFactory {
+
+  private static final CertProviderClientSslContextProviderFactory DEFAULT_INSTANCE =
+      new CertProviderClientSslContextProviderFactory(CertificateProviderStore.getInstance());
+  private final CertificateProviderStore certificateProviderStore;
+
+  @VisibleForTesting
+  public CertProviderClientSslContextProviderFactory(
+      CertificateProviderStore certificateProviderStore) {
+    this.certificateProviderStore = certificateProviderStore;
+  }
+
+  public static CertProviderClientSslContextProviderFactory getInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  /**
+   * Creates a {@link CertProviderClientSslContextProvider}.
+   */
+  public SslContextProvider getProvider(
+      UpstreamTlsContext upstreamTlsContext,
+      Node node,
+      @Nullable Map<String, CertificateProviderInfo> certProviders) {
+    checkNotNull(upstreamTlsContext, "upstreamTlsContext");
+    CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
+    CertificateValidationContext staticCertValidationContext
+        = CertProviderSslContextProvider.getStaticValidationContext(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance rootCertInstance
+        = CertProviderSslContextProvider.getRootCertProviderInstance(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance certInstance
+        = CertProviderSslContextProvider.getCertProviderInstance(commonTlsContext);
+    return new CertProviderClientSslContextProvider(
+        node,
+        certProviders,
+        certInstance,
+        rootCertInstance,
+        staticCertValidationContext,
+        upstreamTlsContext,
+        certificateProviderStore);
+  }
+}
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java
@ -14,21 +14,18 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;

-import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
-import io.grpc.Internal;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.internal.security.trust.XdsTrustManagerFactory;
 import io.netty.handler.ssl.SslContextBuilder;
-
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
@ -37,17 +34,16 @@ import java.util.Map;
 import javax.annotation.Nullable;

 /** A server SslContext provider using CertificateProviderInstance to fetch secrets. */
-@Internal
-public final class CertProviderServerSslContextProvider extends CertProviderSslContextProvider {
+final class CertProviderServerSslContextProvider extends CertProviderSslContextProvider {

-  private CertProviderServerSslContextProvider(
-          Node node,
-          @Nullable Map<String, CertificateProviderInfo> certProviders,
-          CommonTlsContext.CertificateProviderInstance certInstance,
-          CommonTlsContext.CertificateProviderInstance rootCertInstance,
-          CertificateValidationContext staticCertValidationContext,
-          DownstreamTlsContext downstreamTlsContext,
-          CertificateProviderStore certificateProviderStore) {
+  CertProviderServerSslContextProvider(
+      Node node,
+      @Nullable Map<String, CertificateProviderInfo> certProviders,
+      CommonTlsContext.CertificateProviderInstance certInstance,
+      CommonTlsContext.CertificateProviderInstance rootCertInstance,
+      CertificateValidationContext staticCertValidationContext,
+      DownstreamTlsContext downstreamTlsContext,
+      CertificateProviderStore certificateProviderStore) {
    super(
        node,
        certProviders,
@ -74,42 +70,4 @@ public final class CertProviderServerSslContextProvider extends CertProviderSslC
    return sslContextBuilder;
  }

-  /** Creates CertProviderServerSslContextProvider. */
-  @Internal
-  public static final class Factory {
-    private static final Factory DEFAULT_INSTANCE =
-        new Factory(CertificateProviderStore.getInstance());
-    private final CertificateProviderStore certificateProviderStore;
-
-    @VisibleForTesting public Factory(CertificateProviderStore certificateProviderStore) {
-      this.certificateProviderStore = certificateProviderStore;
-    }
-
-    public static Factory getInstance() {
-      return DEFAULT_INSTANCE;
-    }
-
-    /** Creates a {@link CertProviderServerSslContextProvider}. */
-    public CertProviderServerSslContextProvider getProvider(
-        DownstreamTlsContext downstreamTlsContext,
-        Node node,
-        @Nullable Map<String, CertificateProviderInfo> certProviders) {
-      checkNotNull(downstreamTlsContext, "downstreamTlsContext");
-      CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext();
-      CertificateValidationContext staticCertValidationContext = getStaticValidationContext(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance rootCertInstance = getRootCertProviderInstance(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance certInstance = getCertProviderInstance(
-          commonTlsContext);
-      return new CertProviderServerSslContextProvider(
-          node,
-          certProviders,
-          certInstance,
-          rootCertInstance,
-          staticCertValidationContext,
-          downstreamTlsContext,
-          certificateProviderStore);
-    }
-  }
 }
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProviderFactory.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProviderFactory.java
@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.security.certprovider;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.envoyproxy.envoy.config.core.v3.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
+import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
+import io.grpc.xds.internal.security.SslContextProvider;
+import java.util.Map;
+import javax.annotation.Nullable;
+
+/**
+ * Creates CertProviderServerSslContextProvider.
+ */
+@Internal
+public final class CertProviderServerSslContextProviderFactory {
+
+  private static final CertProviderServerSslContextProviderFactory DEFAULT_INSTANCE =
+      new CertProviderServerSslContextProviderFactory(CertificateProviderStore.getInstance());
+  private final CertificateProviderStore certificateProviderStore;
+
+  @VisibleForTesting
+  public CertProviderServerSslContextProviderFactory(
+      CertificateProviderStore certificateProviderStore) {
+    this.certificateProviderStore = certificateProviderStore;
+  }
+
+  public static CertProviderServerSslContextProviderFactory getInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  /**
+   * Creates a {@link CertProviderServerSslContextProvider}.
+   */
+  public SslContextProvider getProvider(
+      DownstreamTlsContext downstreamTlsContext,
+      Node node,
+      @Nullable Map<String, CertificateProviderInfo> certProviders) {
+    checkNotNull(downstreamTlsContext, "downstreamTlsContext");
+    CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext();
+    CertificateValidationContext staticCertValidationContext
+        = CertProviderSslContextProvider.getStaticValidationContext(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance rootCertInstance
+        = CertProviderSslContextProvider.getRootCertProviderInstance(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance certInstance
+        = CertProviderSslContextProvider.getCertProviderInstance(commonTlsContext);
+    return new CertProviderServerSslContextProvider(
+        node,
+        certProviders,
+        certInstance,
+        rootCertInstance,
+        staticCertValidationContext,
+        downstreamTlsContext,
+        certificateProviderStore);
+  }
+}
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProvider.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;

--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderProvider.java
@ -14,10 +14,10 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import io.grpc.Internal;
-import io.grpc.xds.internal.certprovider.CertificateProvider.Watcher;
+import io.grpc.xds.internal.security.certprovider.CertificateProvider.Watcher;

 /**
 * Provider of {@link CertificateProvider}s. Implemented by the implementer of the plugin. We may
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderRegistry.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderRegistry.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;

--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderStore.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertificateProviderStore.java
@ -14,12 +14,11 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import com.google.common.annotations.VisibleForTesting;
-import io.grpc.xds.internal.certprovider.CertificateProvider.Watcher;
 import io.grpc.xds.internal.security.ReferenceCountingMap;
-
+import io.grpc.xds.internal.security.certprovider.CertificateProvider.Watcher;
 import java.io.Closeable;
 import java.util.Objects;
 import java.util.logging.Level;
--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProvider.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;

--- a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProvider.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
--- a/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java
@ -32,12 +32,12 @@ import io.grpc.xds.Bootstrapper;
 import io.grpc.xds.CommonBootstrapperTestUtils;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.XdsInitializationException;
-import io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider;
-import io.grpc.xds.internal.certprovider.CertificateProvider;
-import io.grpc.xds.internal.certprovider.CertificateProviderProvider;
-import io.grpc.xds.internal.certprovider.CertificateProviderRegistry;
-import io.grpc.xds.internal.certprovider.CertificateProviderStore;
-import io.grpc.xds.internal.certprovider.TestCertificateProvider;
+import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderFactory;
+import io.grpc.xds.internal.security.certprovider.CertificateProvider;
+import io.grpc.xds.internal.security.certprovider.CertificateProviderProvider;
+import io.grpc.xds.internal.security.certprovider.CertificateProviderRegistry;
+import io.grpc.xds.internal.security.certprovider.CertificateProviderStore;
+import io.grpc.xds.internal.security.certprovider.TestCertificateProvider;
 import java.io.IOException;
 import org.junit.Assert;
 import org.junit.Before;
@ -53,7 +53,7 @@ public class ClientSslContextProviderFactoryTest {

  CertificateProviderRegistry certificateProviderRegistry;
  CertificateProviderStore certificateProviderStore;
-  CertProviderClientSslContextProvider.Factory certProviderClientSslContextProviderFactory;
+  CertProviderClientSslContextProviderFactory certProviderClientSslContextProviderFactory;
  ClientSslContextProviderFactory clientSslContextProviderFactory;

  @Before
@ -61,7 +61,7 @@ public class ClientSslContextProviderFactoryTest {
    certificateProviderRegistry = new CertificateProviderRegistry();
    certificateProviderStore = new CertificateProviderStore(certificateProviderRegistry);
    certProviderClientSslContextProviderFactory =
-        new CertProviderClientSslContextProvider.Factory(certificateProviderStore);
+        new CertProviderClientSslContextProviderFactory(certificateProviderStore);
  }

  @Test
@ -84,12 +84,14 @@ public class ClientSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    // verify that bootstrapInfo is cached...
    sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
  }

  @Test
@ -117,7 +119,8 @@ public class ClientSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -142,7 +145,8 @@ public class ClientSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
            clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -175,7 +179,8 @@ public class ClientSslContextProviderFactoryTest {
                    certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
            clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -204,7 +209,8 @@ public class ClientSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    verifyWatcher(sslContextProvider, watcherCaptor[1]);
  }
@ -240,7 +246,8 @@ public class ClientSslContextProviderFactoryTest {
            bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    verifyWatcher(sslContextProvider, watcherCaptor[1]);
  }
@ -273,7 +280,8 @@ public class ClientSslContextProviderFactoryTest {
            bootstrapInfo, certProviderClientSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        clientSslContextProviderFactory.create(upstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderClientSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

--- a/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java
@ -51,9 +51,9 @@ import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.InternalXdsAttributes;
 import io.grpc.xds.TlsContextManager;
-import io.grpc.xds.internal.certprovider.CommonCertProviderTestUtils;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSdsHandler;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSdsProtocolNegotiator;
+import io.grpc.xds.internal.security.certprovider.CommonCertProviderTestUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelPipeline;
--- a/xds/src/test/java/io/grpc/xds/internal/security/ServerSslContextProviderFactoryTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/ServerSslContextProviderFactoryTest.java
@ -29,10 +29,10 @@ import io.grpc.xds.CommonBootstrapperTestUtils;
 import io.grpc.xds.EnvoyServerProtoData;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.XdsInitializationException;
-import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider;
-import io.grpc.xds.internal.certprovider.CertificateProvider;
-import io.grpc.xds.internal.certprovider.CertificateProviderRegistry;
-import io.grpc.xds.internal.certprovider.CertificateProviderStore;
+import io.grpc.xds.internal.security.certprovider.CertProviderServerSslContextProviderFactory;
+import io.grpc.xds.internal.security.certprovider.CertificateProvider;
+import io.grpc.xds.internal.security.certprovider.CertificateProviderRegistry;
+import io.grpc.xds.internal.security.certprovider.CertificateProviderStore;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@ -44,7 +44,7 @@ public class ServerSslContextProviderFactoryTest {

  CertificateProviderRegistry certificateProviderRegistry;
  CertificateProviderStore certificateProviderStore;
-  CertProviderServerSslContextProvider.Factory certProviderServerSslContextProviderFactory;
+  CertProviderServerSslContextProviderFactory certProviderServerSslContextProviderFactory;
  ServerSslContextProviderFactory serverSslContextProviderFactory;

  @Before
@ -52,7 +52,7 @@ public class ServerSslContextProviderFactoryTest {
    certificateProviderRegistry = new CertificateProviderRegistry();
    certificateProviderStore = new CertificateProviderStore(certificateProviderRegistry);
    certProviderServerSslContextProviderFactory =
-        new CertProviderServerSslContextProvider.Factory(certificateProviderStore);
+        new CertProviderServerSslContextProviderFactory(certificateProviderStore);
  }

  @Test
@ -76,12 +76,14 @@ public class ServerSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    // verify that bootstrapInfo is cached...
    sslContextProvider =
        serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
  }

  @Test
@ -113,7 +115,8 @@ public class ServerSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -139,7 +142,8 @@ public class ServerSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
            serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -173,7 +177,8 @@ public class ServerSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
            serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
  }

@ -203,7 +208,8 @@ public class ServerSslContextProviderFactoryTest {
                    bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    verifyWatcher(sslContextProvider, watcherCaptor[1]);
  }
@ -241,7 +247,8 @@ public class ServerSslContextProviderFactoryTest {
            bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider =
        serverSslContextProviderFactory.create(downstreamTlsContext);
-    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
+    assertThat(sslContextProvider.getClass().getSimpleName()).isEqualTo(
+        "CertProviderServerSslContextProvider");
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
    verifyWatcher(sslContextProvider, watcherCaptor[1]);
  }
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@ -14,11 +14,10 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.truth.Truth.assertThat;
-import static io.grpc.xds.internal.certprovider.CommonCertProviderTestUtils.getCertFromResourceName;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_KEY_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
@ -26,6 +25,7 @@ import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_0_P
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.doChecksOnSslContext;
+import static io.grpc.xds.internal.security.certprovider.CommonCertProviderTestUtils.getCertFromResourceName;
 import static org.junit.Assert.fail;

 import com.google.common.annotations.VisibleForTesting;
@ -56,14 +56,14 @@ public class CertProviderClientSslContextProviderTest {

  CertificateProviderRegistry certificateProviderRegistry;
  CertificateProviderStore certificateProviderStore;
-  private CertProviderClientSslContextProvider.Factory certProviderClientSslContextProviderFactory;
+  private CertProviderClientSslContextProviderFactory certProviderClientSslContextProviderFactory;

  @Before
  public void setUp() throws Exception {
    certificateProviderRegistry = new CertificateProviderRegistry();
    certificateProviderStore = new CertificateProviderStore(certificateProviderRegistry);
    certProviderClientSslContextProviderFactory =
-        new CertProviderClientSslContextProvider.Factory(certificateProviderStore);
+        new CertProviderClientSslContextProviderFactory(certificateProviderStore);
  }

  /** Helper method to build CertProviderClientSslContextProvider. */
@ -81,10 +81,11 @@ public class CertProviderClientSslContextProviderTest {
            "root-default",
            alpnProtocols,
            staticCertValidationContext);
-    return certProviderClientSslContextProviderFactory.getProvider(
-        upstreamTlsContext,
-        bootstrapInfo.node().toEnvoyProtoNode(),
-        bootstrapInfo.certProviders());
+    return (CertProviderClientSslContextProvider)
+        certProviderClientSslContextProviderFactory.getProvider(
+            upstreamTlsContext,
+            bootstrapInfo.node().toEnvoyProtoNode(),
+            bootstrapInfo.certProviders());
  }

  /** Helper method to build CertProviderClientSslContextProvider. */
@ -102,7 +103,8 @@ public class CertProviderClientSslContextProviderTest {
                    "root-default",
                    alpnProtocols,
                    staticCertValidationContext);
-    return certProviderClientSslContextProviderFactory.getProvider(
+    return (CertProviderClientSslContextProvider)
+        certProviderClientSslContextProviderFactory.getProvider(
            upstreamTlsContext,
            bootstrapInfo.node().toEnvoyProtoNode(),
            bootstrapInfo.certProviders());
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProviderTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProviderTest.java
@ -14,10 +14,9 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.truth.Truth.assertThat;
-import static io.grpc.xds.internal.certprovider.CommonCertProviderTestUtils.getCertFromResourceName;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_0_KEY_FILE;
@ -25,6 +24,7 @@ import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_0_P
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.doChecksOnSslContext;
+import static io.grpc.xds.internal.security.certprovider.CommonCertProviderTestUtils.getCertFromResourceName;
 import static org.junit.Assert.fail;

 import com.google.common.collect.ImmutableList;
@ -35,9 +35,9 @@ import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
 import io.grpc.xds.Bootstrapper;
 import io.grpc.xds.CommonBootstrapperTestUtils;
 import io.grpc.xds.EnvoyServerProtoData;
-import io.grpc.xds.internal.certprovider.CertProviderClientSslContextProviderTest.QueuedExecutor;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil.TestCallback;
+import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderTest.QueuedExecutor;
 import java.util.Arrays;
 import org.junit.Before;
 import org.junit.Test;
@ -50,14 +50,14 @@ public class CertProviderServerSslContextProviderTest {

  CertificateProviderRegistry certificateProviderRegistry;
  CertificateProviderStore certificateProviderStore;
-  private CertProviderServerSslContextProvider.Factory certProviderServerSslContextProviderFactory;
+  private CertProviderServerSslContextProviderFactory certProviderServerSslContextProviderFactory;

  @Before
  public void setUp() throws Exception {
    certificateProviderRegistry = new CertificateProviderRegistry();
    certificateProviderStore = new CertificateProviderStore(certificateProviderRegistry);
    certProviderServerSslContextProviderFactory =
-        new CertProviderServerSslContextProvider.Factory(certificateProviderStore);
+        new CertProviderServerSslContextProviderFactory(certificateProviderStore);
  }

  /** Helper method to build CertProviderServerSslContextProvider. */
@ -77,10 +77,11 @@ public class CertProviderServerSslContextProviderTest {
            alpnProtocols,
            staticCertValidationContext,
            requireClientCert);
-    return certProviderServerSslContextProviderFactory.getProvider(
-        downstreamTlsContext,
-        bootstrapInfo.node().toEnvoyProtoNode(),
-        bootstrapInfo.certProviders());
+    return (CertProviderServerSslContextProvider)
+        certProviderServerSslContextProviderFactory.getProvider(
+            downstreamTlsContext,
+            bootstrapInfo.node().toEnvoyProtoNode(),
+            bootstrapInfo.certProviders());
  }

  /** Helper method to build CertProviderServerSslContextProvider. */
@ -100,7 +101,8 @@ public class CertProviderServerSslContextProviderTest {
                    alpnProtocols,
                    staticCertValidationContext,
                    requireClientCert);
-    return certProviderServerSslContextProviderFactory.getProvider(
+    return (CertProviderServerSslContextProvider)
+        certProviderServerSslContextProviderFactory.getProvider(
            downstreamTlsContext,
            bootstrapInfo.node().toEnvoyProtoNode(),
            bootstrapInfo.certProviders());
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertificateProviderStoreTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertificateProviderStoreTest.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.fail;
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CommonCertProviderTestUtils.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CommonCertProviderTestUtils.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static java.nio.charset.StandardCharsets.UTF_8;

@ -22,7 +22,7 @@ import com.google.common.io.CharStreams;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.TimeProvider;
 import io.grpc.internal.testing.TestUtils;
-import io.grpc.xds.internal.certprovider.FileWatcherCertificateProviderProvider.ScheduledExecutorServiceFactory;
+import io.grpc.xds.internal.security.certprovider.FileWatcherCertificateProviderProvider.ScheduledExecutorServiceFactory;
 import io.grpc.xds.internal.security.trust.CertificateUtils;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProviderTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProviderTest.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.fail;
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderTest.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 import static com.google.common.truth.Truth.assertThat;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
@ -34,8 +34,8 @@ import static org.mockito.Mockito.verify;

 import io.grpc.Status;
 import io.grpc.internal.TimeProvider;
-import io.grpc.xds.internal.certprovider.CertificateProvider.DistributorWatcher;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
+import io.grpc.xds.internal.security.certprovider.CertificateProvider.DistributorWatcher;
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
--- a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/TestCertificateProvider.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/TestCertificateProvider.java
@ -14,7 +14,7 @@
 * limitations under the License.
 */

-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;

 public class TestCertificateProvider extends CertificateProvider {
  Object config;