build io.netty.handler.ssl.SslContext with just a .key and a .crt
Question
I have a question regarding how to build a Netty io.netty.handler.ssl.SslContext with just a .key (dot key) file and a .crt (dot crt) file.
To emphasize, I am looking for help to build an io.netty.handler.ssl.SslContext, not an org.apache.http.ssl.SSLContexts.
Also, I am looking for help building the io.netty.handler.ssl.SslContext without a ready-made keystore and truststore (I will not be able to do that directly).
public SslContext getSslContext() {
    try {
        final Path keystorePath = Paths.get(keyStorePath);
        final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
            keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
        }
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());
        final Path truststorePath = Paths.get(trustStorePath);
        final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
            trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
        }
        final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
    } catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
        return null;
    }
}
What would be the easiest way please?
Thank you
Answer 1
Score: 1
Netty is able to load a PEM-formatted private key and certificate as key material. It is built into the SslContextBuilder; see below for an example:
SslContext sslContext = SslContextBuilder.forClient()
        .keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
        .build();
See below for the javadoc of the method:
/**
* Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param keyCertChainFile an X.509 certificate chain file in PEM format
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
* password-protected
*/
public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
    ...
}
Regarding your second question, for generating a Netty SSL context without the use of a keystore, I would advise using the Bouncy Castle library to create a private key pair as key material, which you can supply to Netty's SslContextBuilder.
See here for a reference on creating a private key pair with Bouncy Castle: https://stackoverflow.com/questions/22008337/generating-keypair-using-bouncy-castle
See below for the method which can be used to supply a private key and certificates generated by Bouncy Castle:
/**
* Identifying certificate for this host. {@code keyCertChain} and {@code key} may
* be {@code null} for client contexts, which disables mutual authentication.
*
* @param key a PKCS#8 private key
* @param keyCertChain an X.509 certificate chain
*/
public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
    return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
}
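As an added example (not code from the answer or from the Netty project), here is a client-side builder that uses both overloads quoted above: the File-based one for a .crt/.key pair on disk together with the CA bundle the server must chain to, and the PrivateKey/X509Certificate one for key material parsed in memory with plain JDK APIs instead of Bouncy Castle. The class and method names are my own, and the last method adds the hostname-verification setting that Netty 4.1 client engines leave off unless you set it.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.*;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.*;

public final class PemClientSslContext {
    // Variant 1: PEM files on disk, the overload the answer shows. caCerts is the CA bundle
    // the server must chain to; without trustManager() Netty falls back to the JVM cacerts.
    public static SslContext fromFiles(File certChain, File pkcs8Key, String keyPassword,
                                       File caCerts) throws SSLException {
        return SslContextBuilder.forClient()
                .keyManager(certChain, pkcs8Key, keyPassword) // keyPassword null = unencrypted key
                .trustManager(caCerts)
                .build();
    }
    // Variant 2: key material already in memory (secrets API, Bouncy Castle output), via the
    // PrivateKey/X509Certificate overload. The key must be PKCS#8 ("BEGIN PRIVATE KEY").
    public static SslContext fromPem(String certChainPem, String pkcs8KeyPem, String keyAlg,
                                     String caCertsPem) throws GeneralSecurityException, SSLException {
        String b64 = pkcs8KeyPem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        PrivateKey key = KeyFactory.getInstance(keyAlg) // "RSA" or "EC"
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
        return SslContextBuilder.forClient()
                .keyManager(key, parseCerts(certChainPem))
                .trustManager(parseCerts(caCertsPem))
                .build();
    }
    // CertificateFactory reads concatenated PEM certificates directly (leaf first, then issuers).
    static X509Certificate[] parseCerts(String pem) throws CertificateException {
        return CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))
                .toArray(new X509Certificate[0]);
    }
    // Netty 4.1 does not enable hostname verification on client engines by default; turn it on
    // when the handler is created, otherwise any cert signed by the trusted CA is accepted.
    public static SslHandler newHandler(SslContext ctx, Channel ch, String host, int port) {
        SslHandler handler = ctx.newHandler(ch.alloc(), host, port);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }
}
```

Both overloads expect the key in PKCS#8 PEM form; a traditional "BEGIN RSA PRIVATE KEY" file can be converted with openssl pkcs8 -topk8 -nocrypt before it is handed to either method.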