add SSL certificate configuration support for HTTP/3

dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/http3/Netty4SslContext.java

@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http3;
+
+import javax.crypto.NoSuchPaddingException;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSessionContext;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.List;
+import java.util.concurrent.Executor;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.ApplicationProtocolNegotiator;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
+
+public class Netty4SslContext extends SslContext {
+
+    public PrivateKey toPrivateKey0(InputStream in, String password)
+            throws InvalidAlgorithmParameterException, NoSuchPaddingException, NoSuchAlgorithmException,
+                    InvalidKeySpecException, IOException, KeyException {
+        return toPrivateKey(in, password);
+    }
+
+    public X509Certificate[] toX509Certificates0(InputStream in) throws CertificateException {
+        return toX509Certificates(in);
+    }
+
+    protected Netty4SslContext() {
+        super();
+    }
+
+    @Override
+    public long sessionCacheSize() {
+        return super.sessionCacheSize();
+    }
+
+    @Override
+    public long sessionTimeout() {
+        return super.sessionTimeout();
+    }
+
+    @Override
+    protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls) {
+        return super.newHandler(alloc, startTls);
+    }
+
+    @Override
+    public SslHandler newHandler(ByteBufAllocator alloc, Executor delegatedTaskExecutor) {
+        return super.newHandler(alloc, delegatedTaskExecutor);
+    }
+
+    @Override
+    protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor) {
+        return super.newHandler(alloc, startTls, executor);
+    }
+
+    @Override
+    protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls) {
+        return super.newHandler(alloc, peerHost, peerPort, startTls);
+    }
+
+    @Override
+    public SslHandler newHandler(
+            ByteBufAllocator alloc, String peerHost, int peerPort, Executor delegatedTaskExecutor) {
+        return super.newHandler(alloc, peerHost, peerPort, delegatedTaskExecutor);
+    }
+
+    @Override
+    protected SslHandler newHandler(
+            ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls, Executor delegatedTaskExecutor) {
+        return super.newHandler(alloc, peerHost, peerPort, startTls, delegatedTaskExecutor);
+    }
+
+    @Override
+    public boolean isClient() {
+        return false;
+    }
+
+    @Override
+    public List<String> cipherSuites() {
+        return null;
+    }
+
+    @Override
+    public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
+        return null;
+    }
+
+    @Override
+    public SSLEngine newEngine(ByteBufAllocator byteBufAllocator) {
+        return null;
+    }
+
+    @Override
+    public SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String s, int i) {
+        return null;
+    }
+
+    @Override
+    public SSLSessionContext sessionContext() {
+        return null;
+    }
+}

dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/http3/QuicSslContexts.java

@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http3;
+
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
+import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.ssl.AuthPolicy;
+import org.apache.dubbo.common.ssl.Cert;
+import org.apache.dubbo.common.ssl.CertManager;
+import org.apache.dubbo.common.ssl.ProviderCert;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import io.netty.incubator.codec.http3.Http3;
+import io.netty.incubator.codec.quic.QuicSslContext;
+import io.netty.incubator.codec.quic.QuicSslContextBuilder;
+
+import static org.apache.dubbo.common.constants.LoggerCodeConstants.TRANSPORT_FAILED_CLOSE_STREAM;
+
+public class QuicSslContexts {
+
+    private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger(QuicSslContexts.class);
+
+    public static QuicSslContext buildServerSslContext(URL url) {
+
+        CertManager certManager =
+                url.getOrDefaultApplicationModel().getBeanFactory().getBean(CertManager.class);
+        ProviderCert providerConnectionConfig = certManager.getProviderConnectionConfig(url, url.toInetSocketAddress());
+
+        QuicSslContextBuilder builder;
+        InputStream serverKeyCertChainPathStream = null;
+        InputStream serverPrivateKeyPathStream = null;
+        InputStream serverTrustCertStream = null;
+        Netty4SslContext netty4SslContext = new Netty4SslContext();
+        try {
+            serverKeyCertChainPathStream = providerConnectionConfig.getKeyCertChainInputStream();
+            serverPrivateKeyPathStream = providerConnectionConfig.getPrivateKeyInputStream();
+            serverTrustCertStream = providerConnectionConfig.getTrustCertInputStream();
+            if (serverKeyCertChainPathStream == null || serverPrivateKeyPathStream == null) {
+                SelfSignedCertificate certificate = new SelfSignedCertificate();
+                return QuicSslContextBuilder.forServer(certificate.privateKey(), null, certificate.certificate())
+                        .applicationProtocols(Http3.supportedApplicationProtocols())
+                        .build();
+            }
+            String password = providerConnectionConfig.getPassword();
+            PrivateKey privateKey = netty4SslContext.toPrivateKey0(serverPrivateKeyPathStream, password);
+            X509Certificate[] x509Certificates0 = netty4SslContext.toX509Certificates0(serverKeyCertChainPathStream);
+            builder = QuicSslContextBuilder.forServer(privateKey, password, x509Certificates0);
+            if (serverTrustCertStream != null) {
+                builder.trustManager(netty4SslContext.toX509Certificates0(serverTrustCertStream));
+                if (providerConnectionConfig.getAuthPolicy() == AuthPolicy.CLIENT_AUTH) {
+                    builder.clientAuth(ClientAuth.REQUIRE);
+                } else {
+                    builder.clientAuth(ClientAuth.OPTIONAL);
+                }
+            }
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
+        } finally {
+            safeCloseStream(serverTrustCertStream);
+            safeCloseStream(serverKeyCertChainPathStream);
+            safeCloseStream(serverPrivateKeyPathStream);
+        }
+
+        try {
+            return builder.applicationProtocols(Http3.supportedApplicationProtocols())
+                    .build();
+        } catch (Exception e) {
+            throw new IllegalStateException("Build QuicSslContext failed. ", e);
+        }
+    }
+
+    public static QuicSslContext buildClientSslContext(URL url) throws Exception {
+        CertManager certManager =
+                url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class);
+        Cert consumerConnectionConfig = certManager.getConsumerConnectionConfig(url);
+        if (consumerConnectionConfig == null) {
+            return QuicSslContextBuilder.forClient()
+                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                    .applicationProtocols(Http3.supportedApplicationProtocols())
+                    .build();
+        }
+        Netty4SslContext netty4SslContext = new Netty4SslContext();
+        QuicSslContextBuilder builder = QuicSslContextBuilder.forClient();
+        InputStream clientTrustCertCollectionPath = null;
+        InputStream clientCertChainFilePath = null;
+        InputStream clientPrivateKeyFilePath = null;
+        String password = consumerConnectionConfig.getPassword();
+        try {
+            clientTrustCertCollectionPath = consumerConnectionConfig.getTrustCertInputStream();
+            if (clientTrustCertCollectionPath != null) {
+                builder.trustManager(netty4SslContext.toX509Certificates0(clientTrustCertCollectionPath));
+            }
+            clientCertChainFilePath = consumerConnectionConfig.getKeyCertChainInputStream();
+            clientPrivateKeyFilePath = consumerConnectionConfig.getPrivateKeyInputStream();
+            PrivateKey privateKey = netty4SslContext.toPrivateKey0(clientPrivateKeyFilePath, password);
+            X509Certificate[] x509Certificates = netty4SslContext.toX509Certificates0(clientCertChainFilePath);
+            builder.keyManager(privateKey, password, x509Certificates);
+
+            return builder.applicationProtocols(Http3.supportedApplicationProtocols())
+                    .build();
+
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
+        } finally {
+            safeCloseStream(clientTrustCertCollectionPath);
+            safeCloseStream(clientCertChainFilePath);
+            safeCloseStream(clientPrivateKeyFilePath);
+        }
+    }
+
+    private static void safeCloseStream(InputStream stream) {
+        if (stream == null) {
+            return;
+        }
+        try {
+            stream.close();
+        } catch (IOException e) {
+            logger.warn(TRANSPORT_FAILED_CLOSE_STREAM, "", "", "Failed to close a stream.", e);
+        }
+    }
+}

dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3ConnectionClient.java

@@ -20,6 +20,7 @@
 import org.apache.dubbo.remoting.ChannelHandler;
 import org.apache.dubbo.remoting.Constants;
 import org.apache.dubbo.remoting.RemotingException;
+import org.apache.dubbo.remoting.http3.QuicSslContexts;
 import org.apache.dubbo.remoting.utils.UrlUtils;
 
 import java.util.concurrent.atomic.AtomicReference;
@@ -31,14 +32,11 @@
 import io.netty.channel.ChannelOption;
 import io.netty.channel.ChannelPromise;
 import io.netty.channel.socket.nio.NioDatagramChannel;
-import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import io.netty.handler.timeout.IdleStateHandler;
 import io.netty.incubator.codec.http3.Http3;
 import io.netty.incubator.codec.http3.Http3ClientConnectionHandler;
 import io.netty.incubator.codec.quic.QuicChannel;
 import io.netty.incubator.codec.quic.QuicChannelBootstrap;
-import io.netty.incubator.codec.quic.QuicSslContext;
-import io.netty.incubator.codec.quic.QuicSslContextBuilder;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
 
@@ -62,14 +60,10 @@ protected void initConnectionClient() {
 
     @Override
     protected void initBootstrap() throws Exception {
-        QuicSslContext context = QuicSslContextBuilder.forClient()
-                .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                .applicationProtocols(Http3.supportedApplicationProtocols())
-                .build();
         int idleTimeout = UrlUtils.getIdleTimeout(getUrl());
         io.netty.channel.ChannelHandler codec = Helper.configCodec(Http3.newQuicClientCodecBuilder(), getUrl())
                 .maxIdleTimeout(idleTimeout, MILLISECONDS)
-                .sslContext(context)
+                .sslContext(QuicSslContexts.buildClientSslContext(getUrl()))
                 .build();
         io.netty.channel.Channel nettyDatagramChannel = new Bootstrap()
                 .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, getConnectTimeout())

dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3Server.java

@@ -26,6 +26,7 @@
 import org.apache.dubbo.remoting.ChannelHandler;
 import org.apache.dubbo.remoting.RemotingException;
 import org.apache.dubbo.remoting.http12.netty4.HttpWriteQueueHandler;
+import org.apache.dubbo.remoting.http3.QuicSslContexts;
 import org.apache.dubbo.remoting.http3.netty4.NettyHttp3FrameCodec;
 import org.apache.dubbo.remoting.http3.netty4.NettyHttp3ProtocolSelectorHandler;
 import org.apache.dubbo.remoting.transport.AbstractServer;
@@ -50,8 +51,6 @@
 import io.netty.incubator.codec.http3.Http3ServerConnectionHandler;
 import io.netty.incubator.codec.quic.InsecureQuicTokenHandler;
 import io.netty.incubator.codec.quic.QuicChannel;
-import io.netty.incubator.codec.quic.QuicSslContext;
-import io.netty.incubator.codec.quic.QuicSslContextBuilder;
 import io.netty.incubator.codec.quic.QuicStreamChannel;
 import io.netty.util.concurrent.Future;
 
@@ -89,14 +88,10 @@ protected void doOpen() throws Throwable {
                 new NettyHttp3ProtocolSelectorHandler(getUrl(), frameworkModel);
 
         SelfSignedCertificate certificate = new SelfSignedCertificate();
-        QuicSslContext context = QuicSslContextBuilder.forServer(
-                        certificate.privateKey(), null, certificate.certificate())
-                .applicationProtocols(Http3.supportedApplicationProtocols())
-                .build();
 
         int idleTimeout = UrlUtils.getIdleTimeout(getUrl());
         io.netty.channel.ChannelHandler codec = Helper.configCodec(Http3.newQuicServerCodecBuilder(), getUrl())
-                .sslContext(context)
+                .sslContext(QuicSslContexts.buildServerSslContext(getUrl()))
                 .maxIdleTimeout(idleTimeout, MILLISECONDS)
                 .tokenHandler(InsecureQuicTokenHandler.INSTANCE)
                 .handler(new ChannelInitializer<QuicChannel>() {