[enhancement](mysql) enable two-way ssl authentication (#18530)

According to the mysql-ssl, enable two-way SSL authentication.
2023-04-21 14:39:14 +08:00
parent c41b486e7e
commit 3007cd49f2
22 changed files with 303 additions and 56 deletions
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java
@ -47,9 +47,10 @@ public class MysqlSslContext {
    private SSLContext sslContext;
    private String protocol;
    private ByteBuffer serverAppData;
-    private static final String keyStoreFile = Config.mysql_ssl_default_certificate;
-    private static final String trustStoreFile = Config.mysql_ssl_default_certificate;
-    private static final String certificatePassword = Config.mysql_ssl_default_certificate_password;
+    private static final String keyStoreFile = Config.mysql_ssl_default_server_certificate;
+    private static final String trustStoreFile = Config.mysql_ssl_default_ca_certificate;
+    private static final String caCertificatePassword = Config.mysql_ssl_default_ca_certificate_password;
+    private static final String serverCertificatePassword = Config.mysql_ssl_default_server_certificate_password;
    private ByteBuffer serverNetData;
    private ByteBuffer clientAppData;
    private ByteBuffer clientNetData;
@ -68,13 +69,14 @@ public class MysqlSslContext {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            KeyStore ts = KeyStore.getInstance("PKCS12");

-            char[] password = certificatePassword.toCharArray();
+            char[] serverPassword = serverCertificatePassword.toCharArray();
+            char[] caPassword = caCertificatePassword.toCharArray();

-            ks.load(Files.newInputStream(Paths.get(keyStoreFile)), password);
-            ts.load(Files.newInputStream(Paths.get(trustStoreFile)), password);
+            ks.load(Files.newInputStream(Paths.get(keyStoreFile)), serverPassword);
+            ts.load(Files.newInputStream(Paths.get(trustStoreFile)), caPassword);

            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(ks, password);
+            kmf.init(ks, serverPassword);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
@ -91,6 +93,10 @@ public class MysqlSslContext {
        // set to server mode
        sslEngine.setUseClientMode(false);
        sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        sslEngine.setWantClientAuth(true);
+        if (Config.ssl_force_client_auth) {
+            sslEngine.setNeedClientAuth(true);
+        }
    }

    public SSLEngine getSslEngine() {