You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@dubbo.apache.org by "github-code-scanning[bot] (via GitHub)" <gi...@apache.org> on 2023/05/20 11:16:47 UTC
[GitHub] [dubbo] github-code-scanning[bot] commented on a diff in pull request #12251: Feature/dubbo3.2 add rest client tls
github-code-scanning[bot] commented on code in PR #12251:
URL: https://github.com/apache/dubbo/pull/12251#discussion_r1199598722
##########
dubbo-remoting/dubbo-remoting-http/src/main/java/org/apache/dubbo/remoting/http/ssl/RestClientSSLContexts.java:
##########
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http.ssl;
+
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
+import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.ssl.Cert;
+import org.apache.dubbo.common.ssl.CertManager;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.io.InputStream;
+
+import static org.apache.dubbo.common.constants.LoggerCodeConstants.TRANSPORT_FAILED_CLOSE_STREAM;
+
+/**
+ * for rest client ssl context build
+ */
+public class RestClientSSLContexts {
+ private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger(RestClientSSLContexts.class);
+
+ public static <T> T buildClientSslContext(URL url, RestClientSSLSetter restClientSSLSetter, T t) {
+
+
+ InputStream clientTrustCertCollectionStream = null;
+ InputStream clientCertChainStream = null;
+ InputStream clientPrivateKeyStream = null;
+
+ try {
+
+ if (url == null) {
+ return t;
+ }
+
+
+ CertManager certManager = url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class);
+ Cert consumerConnectionConfig = certManager.getConsumerConnectionConfig(url);
+
+ if (consumerConnectionConfig == null) {
+ return t;
+ }
+
+ clientCertChainStream = consumerConnectionConfig.getKeyCertChainInputStream();
+ clientPrivateKeyStream = consumerConnectionConfig.getPrivateKeyInputStream();
+ clientTrustCertCollectionStream = consumerConnectionConfig.getTrustCertInputStream();
+
+
+ if (clientCertChainStream == null || clientPrivateKeyStream == null) {
+ return t;
+ }
+
+ // TODO add SSLContext cache for decreasing cost of SSLContext build
+ // TODO add others format certificate parsing
+ // TODO add openssl certificate support
+ SSLContext sslContext =
+ SSLContextBuilder.createSSLContext();
+
+ KeyManagerFactory keyManagerFactory = SSLContextBuilder.keyManager(clientCertChainStream, clientPrivateKeyStream, consumerConnectionConfig.getPassword());
+
+
+ TrustManagerFactory trustManagerFactory = SSLContextBuilder.trustManager(clientTrustCertCollectionStream);
+
+ TrustManager[] trustManagers = SSLContextBuilder.buildTrustManagers(trustManagerFactory);
+
+ sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
+
+ restClientSSLSetter.initSSLContext(sslContext, trustManagers);
+
+ restClientSSLSetter.setHostnameVerifier((hostname, session) -> true);
Review Comment:
## Server hostnames should be verified during SSL/TLS connections
<!--SONAR_ISSUE_KEY:AYf7u-aAEBW9xNyMfAyq-->Enable server hostname verification on this SSL/TLS connection. <p>See more on <a href="https://sonarcloud.io/project/issues?id=apache_dubbo&issues=AYf7u-aAEBW9xNyMfAyq&open=AYf7u-aAEBW9xNyMfAyq&pullRequest=12251">SonarCloud</a></p>
[Show more details](https://github.com/apache/dubbo/security/code-scanning/33)
##########
dubbo-remoting/dubbo-remoting-http/src/main/java/org/apache/dubbo/remoting/http/ssl/SSLContextBuilder.java:
##########
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http.ssl;
+
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+public class SSLContextBuilder {
+
+ public static SSLContext sslContextBuild(String keyCertChainInputStream, String keyInputStream, String trustCertCollectionInputStream,
+ String keyPassword) throws Exception {
+ return sslContextBuild(new FileInputStream(keyCertChainInputStream), new FileInputStream(keyInputStream), new FileInputStream(trustCertCollectionInputStream), keyPassword);
+
+ }
+
+ public static SSLContext sslContextBuild(InputStream clientCertChainStream, InputStream clientPrivateKeyStream, InputStream clientTrustCertCollectionStream,
+ String keyPassword) throws Exception {
+
+
+ SSLContext sslContext = createSSLContext();
+
+ KeyManagerFactory keyManagerFactory = SSLContextBuilder.keyManager(clientCertChainStream, clientPrivateKeyStream, keyPassword);
+
+
+ TrustManagerFactory trustManagerFactory = SSLContextBuilder.trustManager(clientTrustCertCollectionStream);
+
+ TrustManager[] trustManagers = buildTrustManagers(trustManagerFactory);
+
+ sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
+
+ return sslContext;
+
+ }
+
+ public static KeyManagerFactory keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
+
+ X509Certificate[] keyCertChain;
+
+ try {
+ keyCertChain = SslContext.toX509Certificates(keyCertChainInputStream);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("Input stream not contain valid certificates.", e);
+ }
+
+ PrivateKey key;
+ try {
+ key = SslContext.toPrivateKey(keyInputStream, keyPassword);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("Input stream does not contain valid private key.", e);
+ }
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ keystore.load(null);
+
+ char[] password = keyPassword == null ? new char[0] : keyPassword.toCharArray();
+
+
+ keystore.setKeyEntry("keyEntry", key, password, keyCertChain);
+
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+
+ kmf.init(keystore, password);
+ return kmf;
+ }
+
+ public static TrustManagerFactory trustManager(InputStream trustCertCollectionInputStream) throws Exception {
+ if (trustCertCollectionInputStream == null) {
+ return null;
+ }
+
+ X509Certificate[] x509Certificates = SslContext.toX509Certificates(trustCertCollectionInputStream);
+
+ return SslContext.buildTrustManagerFactory(x509Certificates, TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()), null);
+
+
+ }
+
+ public static TrustManager[] buildTrustManagers(TrustManagerFactory trustManagerFactory) {
+
+ if (trustManagerFactory != null) {
+ TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+ if (trustManagers != null && trustManagers.length > 0) {
+
+ return trustManagers;
+ }
+ }
+
+
+ return new TrustManager[]{
+ new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
+ }
+
+ @Override
+ public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
Review Comment:
## Server certificates should be verified during SSL/TLS connections
<!--SONAR_ISSUE_KEY:AYf7u-Z2EBW9xNyMfAym-->Enable server certificate validation on this SSL/TLS connection. <p>See more on <a href="https://sonarcloud.io/project/issues?id=apache_dubbo&issues=AYf7u-Z2EBW9xNyMfAym&open=AYf7u-Z2EBW9xNyMfAym&pullRequest=12251">SonarCloud</a></p>
[Show more details](https://github.com/apache/dubbo/security/code-scanning/35)
##########
dubbo-remoting/dubbo-remoting-http/src/main/java/org/apache/dubbo/remoting/http/ssl/SSLContextBuilder.java:
##########
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http.ssl;
+
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+public class SSLContextBuilder {
+
+ public static SSLContext sslContextBuild(String keyCertChainInputStream, String keyInputStream, String trustCertCollectionInputStream,
+ String keyPassword) throws Exception {
+ return sslContextBuild(new FileInputStream(keyCertChainInputStream), new FileInputStream(keyInputStream), new FileInputStream(trustCertCollectionInputStream), keyPassword);
+
+ }
+
+ public static SSLContext sslContextBuild(InputStream clientCertChainStream, InputStream clientPrivateKeyStream, InputStream clientTrustCertCollectionStream,
+ String keyPassword) throws Exception {
+
+
+ SSLContext sslContext = createSSLContext();
+
+ KeyManagerFactory keyManagerFactory = SSLContextBuilder.keyManager(clientCertChainStream, clientPrivateKeyStream, keyPassword);
+
+
+ TrustManagerFactory trustManagerFactory = SSLContextBuilder.trustManager(clientTrustCertCollectionStream);
+
+ TrustManager[] trustManagers = buildTrustManagers(trustManagerFactory);
+
+ sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
+
+ return sslContext;
+
+ }
+
+ public static KeyManagerFactory keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
+
+ X509Certificate[] keyCertChain;
+
+ try {
+ keyCertChain = SslContext.toX509Certificates(keyCertChainInputStream);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("Input stream not contain valid certificates.", e);
+ }
+
+ PrivateKey key;
+ try {
+ key = SslContext.toPrivateKey(keyInputStream, keyPassword);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("Input stream does not contain valid private key.", e);
+ }
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ keystore.load(null);
+
+ char[] password = keyPassword == null ? new char[0] : keyPassword.toCharArray();
+
+
+ keystore.setKeyEntry("keyEntry", key, password, keyCertChain);
+
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+
+ kmf.init(keystore, password);
+ return kmf;
+ }
+
+ public static TrustManagerFactory trustManager(InputStream trustCertCollectionInputStream) throws Exception {
+ if (trustCertCollectionInputStream == null) {
+ return null;
+ }
+
+ X509Certificate[] x509Certificates = SslContext.toX509Certificates(trustCertCollectionInputStream);
+
+ return SslContext.buildTrustManagerFactory(x509Certificates, TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()), null);
+
+
+ }
+
+ public static TrustManager[] buildTrustManagers(TrustManagerFactory trustManagerFactory) {
+
+ if (trustManagerFactory != null) {
+ TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+ if (trustManagers != null && trustManagers.length > 0) {
+
+ return trustManagers;
+ }
+ }
+
+
+ return new TrustManager[]{
+ new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
Review Comment:
## Server certificates should be verified during SSL/TLS connections
<!--SONAR_ISSUE_KEY:AYf7u-Z2EBW9xNyMfAyl-->Enable server certificate validation on this SSL/TLS connection. <p>See more on <a href="https://sonarcloud.io/project/issues?id=apache_dubbo&issues=AYf7u-Z2EBW9xNyMfAyl&open=AYf7u-Z2EBW9xNyMfAyl&pullRequest=12251">SonarCloud</a></p>
[Show more details](https://github.com/apache/dubbo/security/code-scanning/34)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org