-
Notifications
You must be signed in to change notification settings - Fork 26.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/dubbo3.2 add rest client tls #12251
Open
suncairong163
wants to merge
34
commits into
apache:3.3
Choose a base branch
from
LiujunjieALiling:feature/dubbo3.2_add_rest_client_tls
base: 3.3
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
34 commits
Select commit
Hold shift + click to select a range
b6d18cc
rest client add tls
suncairong163 0e14e48
rest client ssl
suncairong163 529499b
remove test log
suncairong163 757fb47
modify HTTPS_PROTOCOL
suncairong163 100977b
fix trust manage
suncairong163 9ce4def
PEM tls base64 decode
88ebde0
PEM tls base64 decode
7366c85
fix exception message
1489434
fix null point exception
suncairong163 e8b59db
fix SSL pem parse
suncairong163 6db95b6
add exception
suncairong163 f911d23
Merge branch '3.2' into feature/dubbo3.2_add_rest_client_tls
AlbumenJ 9d4ea7a
http client ssl
suncairong163 acd1bf0
Merge remote-tracking branch 'origin/feature/dubbo3.2_add_rest_client…
suncairong163 b60a495
http client build
suncairong163 90cd33c
add ssl cert file parse ut
suncairong163 06b8266
modify ssl context build
suncairong163 d1e4a47
license
suncairong163 a8307cf
remove unsued import
suncairong163 08fa31c
Merge branch '3.3' into feature/dubbo3.2_add_rest_client_tls
AlbumenJ 084572a
http client ssl
suncairong163 e854bed
Refactor file name & replace Base64Decode
suncairong163 a0fdfb9
Merge remote-tracking branch 'origin/feature/dubbo3.2_add_rest_client…
suncairong163 a7cf9b9
PEM charset US_ASCII
suncairong163 f8c0a35
remove empty X509TrustManager implement
suncairong163 f0a2301
add default host name verifier
suncairong163 0a27dfb
reconstruct rest client tls
suncairong163 280fe27
bug fix
suncairong163 069cb65
refactor file name
suncairong163 33551c8
refactor name
suncairong163 dca49f5
safeCloseStream out
suncairong163 78f6a9c
add ssl context cache
suncairong163 1e7a1c6
SslConfig exclude attribute
suncairong163 91d7f09
Merge branch '3.3' into feature/dubbo3.2_add_rest_client_tls
suncairong163 File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
358 changes: 358 additions & 0 deletions
358
dubbo-common/src/main/java/org/apache/dubbo/common/ssl/DefaultHostnameVerifier.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,358 @@ | ||
/* | ||
* Licensed to the Apache Software Foundation (ASF) under one or more | ||
* contributor license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright ownership. | ||
* The ASF licenses this file to You under the Apache License, Version 2.0 | ||
* (the "License"); you may not use this file except in compliance with | ||
* the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.apache.dubbo.common.ssl; | ||
|
||
|
||
import org.apache.dubbo.config.Constants; | ||
import java.net.InetAddress; | ||
import java.net.UnknownHostException; | ||
import java.security.cert.Certificate; | ||
import java.security.cert.CertificateParsingException; | ||
import java.security.cert.X509Certificate; | ||
import java.util.ArrayList; | ||
import java.util.Collection; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import java.util.Locale; | ||
import java.util.NoSuchElementException; | ||
import java.util.Objects; | ||
import java.util.regex.Pattern; | ||
import javax.naming.InvalidNameException; | ||
import javax.naming.NamingException; | ||
import javax.naming.directory.Attribute; | ||
import javax.naming.directory.Attributes; | ||
import javax.naming.ldap.LdapName; | ||
import javax.naming.ldap.Rdn; | ||
import javax.net.ssl.HostnameVerifier; | ||
import javax.net.ssl.SSLException; | ||
import javax.net.ssl.SSLPeerUnverifiedException; | ||
import javax.net.ssl.SSLSession; | ||
import javax.security.auth.x500.X500Principal; | ||
|
||
/** | ||
* default HostnameVerifier , refer to ZKHostnameVerifier | ||
* | ||
* verify only if Constants.REST_CLIENT_HOST_NAME_VERIFIER_SWITCH_PROPERTY set true | ||
*/ | ||
public class DefaultHostnameVerifier implements HostnameVerifier { | ||
|
||
private static final class SubjectName { | ||
|
||
static final int DNS = 2; | ||
static final int IP = 7; | ||
|
||
private final String value; | ||
private final int type; | ||
|
||
SubjectName(final String value, final int type) { | ||
if (type != DNS && type != IP) { | ||
throw new IllegalArgumentException("Invalid type: " + type); | ||
} | ||
this.value = Objects.requireNonNull(value); | ||
this.type = type; | ||
} | ||
|
||
public int getType() { | ||
return type; | ||
} | ||
|
||
public String getValue() { | ||
return value; | ||
} | ||
|
||
@Override | ||
public String toString() { | ||
return value; | ||
} | ||
|
||
} | ||
|
||
private static class InetAddressUtils { | ||
|
||
private InetAddressUtils() { | ||
} | ||
|
||
private static final Pattern IPV4_PATTERN = Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$"); | ||
|
||
private static final Pattern IPV6_STD_PATTERN = Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$"); | ||
|
||
private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$"); | ||
|
||
static boolean isIPv4Address(final String input) { | ||
return IPV4_PATTERN.matcher(input).matches(); | ||
} | ||
|
||
static boolean isIPv6StdAddress(final String input) { | ||
return IPV6_STD_PATTERN.matcher(input).matches(); | ||
} | ||
|
||
static boolean isIPv6HexCompressedAddress(final String input) { | ||
return IPV6_HEX_COMPRESSED_PATTERN.matcher(input).matches(); | ||
} | ||
|
||
static boolean isIPv6Address(final String input) { | ||
return isIPv6StdAddress(input) || isIPv6HexCompressedAddress(input); | ||
} | ||
|
||
} | ||
|
||
enum HostNameType { | ||
|
||
IPv4(7), | ||
IPv6(7), | ||
DNS(2); | ||
|
||
final int subjectType; | ||
|
||
HostNameType(final int subjectType) { | ||
this.subjectType = subjectType; | ||
} | ||
|
||
} | ||
|
||
|
||
@Override | ||
public boolean verify(final String host, final SSLSession session) { | ||
try { | ||
|
||
if (!hostNameVerifierIsOpen()) { | ||
return true; | ||
} | ||
|
||
final Certificate[] certs = session.getPeerCertificates(); | ||
final X509Certificate x509 = (X509Certificate) certs[0]; | ||
verify(host, x509); | ||
return true; | ||
} catch (SSLException ex) { | ||
return false; | ||
} | ||
} | ||
|
||
void verify(final String host, final X509Certificate cert) throws SSLException { | ||
final HostNameType hostType = determineHostFormat(host); | ||
final List<SubjectName> subjectAlts = getSubjectAltNames(cert); | ||
if (subjectAlts != null && !subjectAlts.isEmpty()) { | ||
switch (hostType) { | ||
case IPv4: | ||
matchIPAddress(host, subjectAlts); | ||
break; | ||
case IPv6: | ||
matchIPv6Address(host, subjectAlts); | ||
break; | ||
default: | ||
matchDNSName(host, subjectAlts); | ||
} | ||
} else { | ||
final X500Principal subjectPrincipal = cert.getSubjectX500Principal(); | ||
final String cn = extractCN(subjectPrincipal.getName(X500Principal.RFC2253)); | ||
if (cn == null) { | ||
throw new SSLException("Certificate subject for <" | ||
+ host | ||
+ "> doesn't contain " | ||
+ "a common name and does not have alternative names"); | ||
} | ||
matchCN(host, cn); | ||
} | ||
} | ||
|
||
private static void matchIPAddress(final String host, final List<SubjectName> subjectAlts) throws SSLException { | ||
for (int i = 0; i < subjectAlts.size(); i++) { | ||
final SubjectName subjectAlt = subjectAlts.get(i); | ||
if (subjectAlt.getType() == SubjectName.IP) { | ||
if (host.equals(subjectAlt.getValue())) { | ||
return; | ||
} | ||
} | ||
} | ||
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any " | ||
+ "of the subject alternative names: " + subjectAlts); | ||
} | ||
|
||
private static void matchIPv6Address(final String host, final List<SubjectName> subjectAlts) throws SSLException { | ||
if (host == null) { | ||
return; | ||
} | ||
final String normalisedHost = normaliseAddress(host); | ||
for (int i = 0; i < subjectAlts.size(); i++) { | ||
final SubjectName subjectAlt = subjectAlts.get(i); | ||
if (subjectAlt.getType() == SubjectName.IP) { | ||
final String normalizedSubjectAlt = normaliseAddress(subjectAlt.getValue()); | ||
if (normalisedHost.equals(normalizedSubjectAlt)) { | ||
return; | ||
} | ||
} | ||
} | ||
throw new SSLPeerUnverifiedException("Certificate for <" | ||
+ host | ||
+ "> doesn't match any " | ||
+ "of the subject alternative names: " | ||
+ subjectAlts); | ||
} | ||
|
||
private static void matchDNSName(final String host, final List<SubjectName> subjectAlts) throws SSLException { | ||
final String normalizedHost = host.toLowerCase(Locale.ROOT); | ||
for (int i = 0; i < subjectAlts.size(); i++) { | ||
final SubjectName subjectAlt = subjectAlts.get(i); | ||
if (subjectAlt.getType() == SubjectName.DNS) { | ||
final String normalizedSubjectAlt = subjectAlt.getValue().toLowerCase(Locale.ROOT); | ||
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt)) { | ||
return; | ||
} | ||
} | ||
} | ||
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any " | ||
+ "of the subject alternative names: " + subjectAlts); | ||
} | ||
|
||
private static void matchCN(final String host, final String cn) throws SSLException { | ||
final String normalizedHost = host.toLowerCase(Locale.ROOT); | ||
final String normalizedCn = cn.toLowerCase(Locale.ROOT); | ||
if (!matchIdentityStrict(normalizedHost, normalizedCn)) { | ||
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " | ||
+ "common name of the certificate subject: " + cn); | ||
} | ||
} | ||
|
||
private static boolean matchIdentity(final String host, final String identity, final boolean strict) { | ||
// "...Names may contain the wildcard | ||
// character * which is considered to match any single domain name | ||
// component or component fragment..." | ||
// Based on this statement presuming only singular wildcard is legal | ||
final int asteriskIdx = identity.indexOf('*'); | ||
if (asteriskIdx != -1) { | ||
final String prefix = identity.substring(0, asteriskIdx); | ||
final String suffix = identity.substring(asteriskIdx + 1); | ||
if (!prefix.isEmpty() && !host.startsWith(prefix)) { | ||
return false; | ||
} | ||
if (!suffix.isEmpty() && !host.endsWith(suffix)) { | ||
return false; | ||
} | ||
// Additional sanity checks on content selected by wildcard can be done here | ||
if (strict) { | ||
final String remainder = host.substring(prefix.length(), host.length() - suffix.length()); | ||
return !remainder.contains("."); | ||
} | ||
return true; | ||
} | ||
return host.equalsIgnoreCase(identity); | ||
} | ||
|
||
private static boolean matchIdentityStrict(final String host, final String identity) { | ||
return matchIdentity(host, identity, true); | ||
} | ||
|
||
private static String extractCN(final String subjectPrincipal) throws SSLException { | ||
if (subjectPrincipal == null) { | ||
return null; | ||
} | ||
try { | ||
final LdapName subjectDN = new LdapName(subjectPrincipal); | ||
final List<Rdn> rdns = subjectDN.getRdns(); | ||
for (int i = rdns.size() - 1; i >= 0; i--) { | ||
final Rdn rds = rdns.get(i); | ||
final Attributes attributes = rds.toAttributes(); | ||
final Attribute cn = attributes.get("cn"); | ||
if (cn != null) { | ||
try { | ||
final Object value = cn.get(); | ||
if (value != null) { | ||
return value.toString(); | ||
} | ||
} catch (final NoSuchElementException ignore) { | ||
// ignore exception | ||
} catch (final NamingException ignore) { | ||
// ignore exception | ||
} | ||
} | ||
} | ||
return null; | ||
} catch (final InvalidNameException e) { | ||
throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); | ||
} | ||
} | ||
|
||
private static HostNameType determineHostFormat(final String host) { | ||
if (InetAddressUtils.isIPv4Address(host)) { | ||
return HostNameType.IPv4; | ||
} | ||
String s = host; | ||
if (s.startsWith("[") && s.endsWith("]")) { | ||
s = host.substring(1, host.length() - 1); | ||
} | ||
if (InetAddressUtils.isIPv6Address(s)) { | ||
return HostNameType.IPv6; | ||
} | ||
return HostNameType.DNS; | ||
} | ||
|
||
private static List<SubjectName> getSubjectAltNames(final X509Certificate cert) { | ||
try { | ||
final Collection<List<?>> entries = cert.getSubjectAlternativeNames(); | ||
if (entries == null) { | ||
return Collections.emptyList(); | ||
} | ||
final List<SubjectName> result = new ArrayList<SubjectName>(); | ||
for (List<?> entry : entries) { | ||
final Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null; | ||
if (type != null) { | ||
if (type == SubjectName.DNS || type == SubjectName.IP) { | ||
final Object o = entry.get(1); | ||
if (o instanceof String) { | ||
result.add(new SubjectName((String) o, type)); | ||
} else if (o instanceof byte[]) { | ||
// TODO ASN.1 DER encoded form | ||
} | ||
} | ||
} | ||
} | ||
return result; | ||
} catch (final CertificateParsingException ignore) { | ||
return Collections.emptyList(); | ||
} | ||
} | ||
|
||
/* | ||
* Normalize IPv6 or DNS name. | ||
*/ | ||
private static String normaliseAddress(final String hostname) { | ||
if (hostname == null) { | ||
return hostname; | ||
} | ||
try { | ||
final InetAddress inetAddress = InetAddress.getByName(hostname); | ||
return inetAddress.getHostAddress(); | ||
} catch (final UnknownHostException unexpected) { // Should not happen, because we check for IPv6 address above | ||
return hostname; | ||
} | ||
} | ||
|
||
public boolean hostNameVerifierIsOpen() { | ||
String property = System.getProperty(Constants.REST_CLIENT_HOST_NAME_VERIFIER_SWITCH_PROPERTY); | ||
if (property == null) { | ||
return false; | ||
} | ||
|
||
try { | ||
return Boolean.valueOf(property); | ||
} catch (Exception e) { | ||
return false; | ||
} | ||
} | ||
|
||
} | ||
|
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to match from context with regex?