我有一个关于如何仅使用 .key(点键)文件和 .crt(点 crt)文件构建 Netty io.netty.handler.ssl.SslContext 的问题。
强调一下,我正在寻求帮助来构建 io.netty.handler.ssl.SslContext,而不是 org.apache.http.ssl.SSLContexts。
此外,我正在寻求构建 io.netty.handler.ssl.SslContext 的帮助,但没有现成的 keystore 和信任库。 (无法直接执行此操作)
public SslContext getSslContext() {
try {
final Path keystorePath = Paths.get(keyStorePath);
final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
}
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());
final Path truststorePath = Paths.get(trustStorePath);
final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
}
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
} catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
return null;
}
}
请问最简单的方法是什么?
谢谢
最佳答案
Netty能够加载pem格式的私钥和证书作为 key Material 。它内置于 SslContextBuilder 中,请参阅下面的示例:
SslContext sslContext = SslContextBuilder.forClient()
.keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
.build();
请参阅下面的方法的 javadoc
/**
* Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param keyCertChainFile an X.509 certificate chain file in PEM format
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
* password-protected
*/
public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
...
}
关于在不使用 keystore 的情况下生成 netty ssl 上下文的第二个问题,我建议使用 Bouncy caSTLe 库创建私钥对作为 key Material ,您可以将其提供给 netty sslcontext 构建器。 有关使用充气城堡创建私钥对的引用,请参阅此处:Generating keyPair using Bouncy Castle
请参阅下文,了解可用于提供由充气城堡生成的私钥和证书的方法
/**
* Identifying certificate for this host. {@code keyCertChain} and {@code key} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param key a PKCS#8 private key
* @param keyCertChain an X.509 certificate chain
*/
public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
}
关于java - 仅使用 .key 和 .crt 构建 io.netty.handler.ssl.SslContext,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64052669/