仅使用 .key 和 .crt 构建 io.netty.handler.ssl.SslContext
build io.netty.handler.ssl.SslContext with just a .key and a .crt
我有一个关于如何仅使用 .key(点密钥)文件和 .crt(点 crt)文件构建 Netty io.netty.handler.ssl.SslContext 的问题。
强调一下,我正在寻求帮助来构建 io.netty.handler.ssl.SslContext,而不是 org.apache.http.ssl.SSLContexts。
此外,我正在寻求构建 io.netty.handler.ssl.SslContext 的帮助,但没有现成的密钥库和信任库。
(将无法直接这样做)
public SslContext getSslContext() {
try {
final Path keystorePath = Paths.get(keyStorePath);
final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
}
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());
final Path truststorePath = Paths.get(trustStorePath);
final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
}
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
} catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
return null;
}
}
请问最简单的方法是什么?
谢谢
Netty 能够加载 pem 格式的私钥和证书作为密钥 material。它内置于 SslContextBuilder 中,请参见下面的示例:
SslContext sslContext = SslContextBuilder.forClient()
.keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
.build();
方法的javadoc见下文
/**
* Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param keyCertChainFile an X.509 certificate chain file in PEM format
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
* password-protected
*/
public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
...
}
关于在不使用密钥库的情况下生成 netty ssl 上下文的第二个问题,我建议使用 Bouncy castle 库创建私钥对作为密钥material,您可以将其提供给 netty sslcontext 构建器。
有关使用充气城堡创建私钥对的参考,请参阅此处:Generating keyPair using Bouncy Castle
充气城堡生成私钥和证书的方法见下文
/**
* Identifying certificate for this host. {@code keyCertChain} and {@code key} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param key a PKCS#8 private key
* @param keyCertChain an X.509 certificate chain
*/
public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
}
我有一个关于如何仅使用 .key(点密钥)文件和 .crt(点 crt)文件构建 Netty io.netty.handler.ssl.SslContext 的问题。
强调一下,我正在寻求帮助来构建 io.netty.handler.ssl.SslContext,而不是 org.apache.http.ssl.SSLContexts。
此外,我正在寻求构建 io.netty.handler.ssl.SslContext 的帮助,但没有现成的密钥库和信任库。 (将无法直接这样做)
public SslContext getSslContext() {
try {
final Path keystorePath = Paths.get(keyStorePath);
final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
}
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());
final Path truststorePath = Paths.get(trustStorePath);
final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
}
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
} catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
return null;
}
}
请问最简单的方法是什么?
谢谢
Netty 能够加载 pem 格式的私钥和证书作为密钥 material。它内置于 SslContextBuilder 中,请参见下面的示例:
SslContext sslContext = SslContextBuilder.forClient()
.keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
.build();
方法的javadoc见下文
/**
* Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param keyCertChainFile an X.509 certificate chain file in PEM format
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
* password-protected
*/
public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
...
}
关于在不使用密钥库的情况下生成 netty ssl 上下文的第二个问题,我建议使用 Bouncy castle 库创建私钥对作为密钥material,您可以将其提供给 netty sslcontext 构建器。 有关使用充气城堡创建私钥对的参考,请参阅此处:Generating keyPair using Bouncy Castle
充气城堡生成私钥和证书的方法见下文
/**
* Identifying certificate for this host. {@code keyCertChain} and {@code key} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param key a PKCS#8 private key
* @param keyCertChain an X.509 certificate chain
*/
public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
}