1

我有一个关于如何仅使用 .key(点键)文件和 .crt(点 crt)文件构建 Netty io.netty.handler.ssl.SslContext 的问题。

需要强调的是,我正在寻求帮助来构建 io.netty.handler.ssl.SslContext,而不是 org.apache.http.ssl.SSLContexts。

另外,我正在寻求帮助构建 io.netty.handler.ssl.SslContext,没有现成的密钥库和信任库。(将无法直接执行此操作)

public SslContext getSslContext() {
        try {
            final Path     keystorePath = Paths.get(keyStorePath);
            final KeyStore keyStore     = KeyStore.getInstance(keyStoreType);
            try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
                keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
            }
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());

            final Path     truststorePath = Paths.get(trustStorePath);
            final KeyStore trustStore     = KeyStore.getInstance(trustStoreType);
            try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
                trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
            }
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
        } catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
            
            return null;
        }
    }

请问最简单的方法是什么?

谢谢

4

1 回答 1

1

Netty 能够加载 pem 格式的私钥和证书作为密钥材料。它内置在 SslContextBuilder 中,示例如下:

SslContext sslContext = SslContextBuilder.forClient()
    .keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
    .build();

有关该方法的 javadoc,请参见下文

   /**
     * Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
     * be {@code null} for client contexts, which disables mutual authentication.
     *
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
     *     password-protected
     */
    public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
    ...
    }

关于在不使用密钥库的情况下生成 netty ssl 上下文的第二个问题,我建议使用 Bouncy castle 库创建私钥对作为密钥材料,您可以将其提供给 netty sslcontext builder。有关使用充气城堡创建私钥对的参考,请参见此处:使用充气城堡生成密钥对

可用于提供由 bouncy castle 生成的私钥和证书的方法见下文

    /**
     * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
     * be {@code null} for client contexts, which disables mutual authentication.
     *
     * @param key a PKCS#8 private key
     * @param keyCertChain an X.509 certificate chain
     */
    public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
        return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
    }
于 2020-09-28T17:22:32.260 回答