alibaba · yanlinly · Aug 24, 2020 · Aug 18, 2020 · Aug 20, 2020 · Aug 20, 2020
diff --git a/client/src/main/java/com/alibaba/nacos/client/config/utils/ParamUtils.java b/client/src/main/java/com/alibaba/nacos/client/config/utils/ParamUtils.java
@@ -17,7 +17,7 @@
 package com.alibaba.nacos.client.config.utils;
 
 import com.alibaba.nacos.api.exception.NacosException;
-import com.alibaba.nacos.client.utils.IpUtil;
+import com.alibaba.nacos.common.utils.IpUtils;
 import com.alibaba.nacos.common.utils.StringUtils;
 
 import java.util.List;
@@ -190,7 +190,7 @@ public static void checkBetaIps(String betaIps) throws NacosException {
         }
         String[] ipsArr = betaIps.split(",");
         for (String ip : ipsArr) {
-            if (!IpUtil.isIpv4(ip)) {
+            if (!IpUtils.isIpv4(ip)) {
                 throw new NacosException(NacosException.CLIENT_INVALID_PARAM, "betaIps invalid");
             }
         }

diff --git a/common/src/main/java/com/alibaba/nacos/common/http/client/request/JdkHttpClientRequest.java b/common/src/main/java/com/alibaba/nacos/common/http/client/request/JdkHttpClientRequest.java
@@ -24,11 +24,21 @@
 import com.alibaba.nacos.common.http.param.Header;
 import com.alibaba.nacos.common.http.param.MediaType;
 import com.alibaba.nacos.common.model.RequestHttpEntity;
+import com.alibaba.nacos.common.tls.SelfHostnameVerifier;
+import com.alibaba.nacos.common.tls.TlsFileWatcher;
+import com.alibaba.nacos.common.tls.TlsHelper;
+import com.alibaba.nacos.common.tls.TlsSystemConfig;
 import com.alibaba.nacos.common.utils.JacksonUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URI;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -39,10 +49,44 @@
  */
 public class JdkHttpClientRequest implements HttpClientRequest {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(JdkHttpClientRequest.class);
+
     private HttpClientConfig httpClientConfig;
 
     public JdkHttpClientRequest(HttpClientConfig httpClientConfig) {
         this.httpClientConfig = httpClientConfig;
+        loadSSLContext();
+        replaceHostnameVerifier();
+        try {
+            TlsFileWatcher.getInstance().addFileChangeListener(new TlsFileWatcher.FileChangeListener() {
+                @Override
+                public void onChanged(String filePath) {
+                    loadSSLContext();
+                }
+            }, TlsSystemConfig.tlsClientTrustCertPath, TlsSystemConfig.tlsClientKeyPath);
+        } catch (IOException e) {
+            LOGGER.error("add tls file listener fail", e);
+        }
+    }
+
+    @SuppressWarnings("checkstyle:abbreviationaswordinname")
+    private synchronized void loadSSLContext() {
+        if (TlsSystemConfig.tlsEnable) {
+            try {
+                HttpsURLConnection.setDefaultSSLSocketFactory(TlsHelper.buildSslContext(true).getSocketFactory());
+            } catch (NoSuchAlgorithmException e) {
+                LOGGER.error("Failed to create SSLContext", e);
+            } catch (KeyManagementException e) {
+                LOGGER.error("Failed to create SSLContext", e);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
+        }
+    }
+
+    private void replaceHostnameVerifier() {
+        final HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
+        HttpsURLConnection.setDefaultHostnameVerifier(new SelfHostnameVerifier(hv));
     }
 
     @Override

diff --git a/common/src/main/java/com/alibaba/nacos/common/tls/PemReader.java b/common/src/main/java/com/alibaba/nacos/common/tls/PemReader.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.common.tls;
+
+import com.alibaba.nacos.common.utils.IoUtils;
+import sun.misc.BASE64Decoder;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Reads a PEM file and converts it into a list of DERs. Support PKCS #8 format
+ *
+ * @author wangwei
+ * @date 2020/8/20 9:32 AM
+ */
+final class PemReader {
+
+    /**
+     * Header + Base64 text + Footer.
+     */
+    private static final Pattern KEY_PATTERN = Pattern.compile(
+            "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + "([a-z0-9+/=\\r\\n]+)"
+                    + "-+END\\s+.*PRIVATE\\s+KEY[^-]*-+", Pattern.CASE_INSENSITIVE);
+
+    private static final String ENCODE_US_ASCII = "US-ASCII";
+
+    static byte[] readPrivateKey(String keyPath) throws KeyException, IOException {
+        try {
+            InputStream in = new FileInputStream(keyPath);
+            try {
+                String content;
+                try {
+                    content = IoUtils.toString(in, ENCODE_US_ASCII);
+                } catch (IOException e) {
+                    throw new KeyException("failed to read key input stream", e);
+                }
+
+                Matcher m = KEY_PATTERN.matcher(content);
+                if (!m.find()) {
+                    throw new KeyException("could not find a PKCS #8 private key in input stream");
+                }
+
+                final BASE64Decoder base64 = new BASE64Decoder();
+                return base64.decodeBuffer(m.group(1));
+            } finally {
+                IoUtils.closeQuietly(in);
+            }
+        } catch (FileNotFoundException e) {
+            throw new KeyException("could not fine key file: " + keyPath);
+        }
+    }
+}
diff --git a/common/src/main/java/com/alibaba/nacos/common/tls/SelfHostnameVerifier.java b/common/src/main/java/com/alibaba/nacos/common/tls/SelfHostnameVerifier.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.common.tls;
+
+import com.alibaba.nacos.common.utils.IpUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * A HostnameVerifier verify ipv4 and localhost.
+ *
+ * @author wangwei
+ */
+
+public final class SelfHostnameVerifier implements HostnameVerifier {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SelfHostnameVerifier.class);
+
+    private final HostnameVerifier hv;
+
+    private static ConcurrentHashMap<String, Boolean> hosts = new ConcurrentHashMap<String, Boolean>();
+
+    private static final String[] LOCALHOST_HOSTNAME = new String[] {"localhost", "127.0.0.1"};
+
+    public SelfHostnameVerifier(HostnameVerifier hv) {
+        this.hv = hv;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+        if (LOCALHOST_HOSTNAME[0].equalsIgnoreCase(hostname) || LOCALHOST_HOSTNAME[1].equals(hostname)) {
+            return true;
+        }
+        if (isIpv4(hostname)) {
+            return true;
+        }
+        return hv.verify(hostname, session);
+    }
+
+    private static boolean isIpv4(String host) {
+        if (host == null || host.isEmpty()) {
+            LOGGER.warn("host is empty, isIPv4 = false");
+            return false;
+        }
+        Boolean cacheHostVerify = hosts.get(host);
+        if (cacheHostVerify != null) {
+            return cacheHostVerify;
+        }
+        boolean isIp = IpUtils.isIpv4(host);
+        hosts.putIfAbsent(host, isIp);
+        return isIp;
+    }
+}
diff --git a/common/src/main/java/com/alibaba/nacos/common/tls/SelfKeyManager.java b/common/src/main/java/com/alibaba/nacos/common/tls/SelfKeyManager.java
@@ -0,0 +1,148 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.common.tls;
+
+import com.alibaba.nacos.api.utils.StringUtils;
+import com.alibaba.nacos.common.utils.IoUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.Cipher;
+import javax.crypto.EncryptedPrivateKeyInfo;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyException;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Collection;
+
+/**
+ * A KeyManager tool returns the specified KeyManager.
+ *
+ * @author wangwei
+ * @date 2020/8/19 4:53 PM
+ */
+@SuppressWarnings("checkstyle:LineLength")
+public final class SelfKeyManager {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SelfKeyManager.class);
+
+    public static final char[] EMPTY_CHARS = {};
+
+    /**
+     * Returns the Array of {@link KeyManager} for {@link SSLContext#init(KeyManager[], TrustManager[], SecureRandom)}.
+     *
+     * <p>Returns {@code null} if certificate file path or private key file path missing
+     *
+     * @param certPath    certificate file path
+     * @param keyPath     private key file path
+     * @param keyPassword password of private key file
+     * @return Array of {@link KeyManager }
+     * @throws SSLException If build keyManagerFactory failed
+     */
+    public static KeyManager[] keyManager(String certPath, String keyPath, String keyPassword) throws SSLException {
+        if (StringUtils.isEmpty(certPath) || StringUtils.isEmpty(keyPath)) {
+            return null;
+        }
+        KeyManagerFactory kmf;
+        InputStream in = null;
+        try {
+
+            String algorithm = KeyManagerFactory.getDefaultAlgorithm();
+            kmf = KeyManagerFactory.getInstance(algorithm);
+
+            KeyStore trustKeyStore = KeyStore.getInstance("JKS");
+            trustKeyStore.load(null, null);
+
+            in = new FileInputStream(certPath);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+            Collection<X509Certificate> certs = (Collection<X509Certificate>) cf.generateCertificates(in);
+
+            char[] keyPasswordChars = keyPassword == null ? EMPTY_CHARS : keyPassword.toCharArray();
+
+            PrivateKey privateKey = getPrivateKey(keyPath, keyPassword);
+
+            trustKeyStore.setKeyEntry("key", privateKey, keyPasswordChars, certs.toArray(new X509Certificate[0]));
+
+            kmf.init(trustKeyStore, keyPasswordChars);
+            return kmf.getKeyManagers();
+        } catch (Exception e) {
+            LOGGER.error("build client keyManagerFactory failed", e);
+            throw new SSLException(e);
+        } finally {
+            IoUtils.closeQuietly(in);
+        }
+    }
+
+    private static PrivateKey getPrivateKey(String keyPath, String keyPassword)
+            throws NoSuchAlgorithmException, InvalidKeySpecException, IOException, KeyException, InvalidAlgorithmParameterException, NoSuchPaddingException {
+        byte[] keyBytes = PemReader.readPrivateKey(keyPath);
+        PKCS8EncodedKeySpec encodedKeySpec = generateKeySpec(keyPassword == null ? null : keyPassword.toCharArray(),
+                keyBytes);
+        try {
+            return KeyFactory.getInstance("RSA").generatePrivate(encodedKeySpec);
+        } catch (InvalidKeySpecException ignore) {
+            try {
+                return KeyFactory.getInstance("DSA").generatePrivate(encodedKeySpec);
+            } catch (InvalidKeySpecException ignored) {
+                try {
+                    return KeyFactory.getInstance("EC").generatePrivate(encodedKeySpec);
+                } catch (InvalidKeySpecException e) {
+                    throw new InvalidKeySpecException("Neither RSA, DSA nor EC worked", e);
+                }
+            }
+        }
+    }
+
+    private static PKCS8EncodedKeySpec generateKeySpec(char[] password, byte[] key)
+            throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException, InvalidKeyException, InvalidAlgorithmParameterException {
+
+        if (password == null) {
+            return new PKCS8EncodedKeySpec(key);
+        }
+
+        EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(key);
+        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName());
+        PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
+        SecretKey pbeKey = keyFactory.generateSecret(pbeKeySpec);
+
+        Cipher cipher = Cipher.getInstance(encryptedPrivateKeyInfo.getAlgName());
+        cipher.init(Cipher.DECRYPT_MODE, pbeKey, encryptedPrivateKeyInfo.getAlgParameters());
+
+        return encryptedPrivateKeyInfo.getKeySpec(cipher);
+    }
+}