Build io.netty.handler.ssl.SslContext with just a .key and a .crt

Question

I have a question regarding how to build a Netty io.netty.handler.ssl.SslContext with just a .key (dot key) file and a .crt (dot crt) file.

To emphasize, I am looking for help to build an io.netty.handler.ssl.SslContext, not org.apache.http.ssl.SSLContexts.

Also, I am looking for help building the io.netty.handler.ssl.SslContext, without a ready-made keystore and truststore.
(will not be able to do that directly)

    public SslContext getSslContext() {
        try {
            // Key material: load the client key and certificate from a keystore file
            final Path keystorePath = Paths.get(keyStorePath);
            final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
                keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
            }
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());

            // Trust material: load the trusted certificates from a truststore file
            final Path truststorePath = Paths.get(trustStorePath);
            final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
            try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
                trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
            }
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
        } catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
            // Any failure is swallowed here and the caller receives null
            return null;
        }
    }

What would be the easiest way please?

Thank you

Answer 1

Score: 1

Netty is able to load a PEM-formatted private key and certificate as key material. It is built into the SslContextBuilder; see below for an example:

SslContext sslContext = SslContextBuilder.forClient()
    .keyManager(new File("/path/to/certificate.crt"), new File("/path/to/private.key"), "secret")
    .build();

See below for the javadoc of the method:

    /**
     * Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
     * be {@code null} for client contexts, which disables mutual authentication.
     *
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
     *     password-protected
     */
    public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
    ...
    }

Regarding your second question, about generating a Netty SSL context without the usage of a keystore, I would advise using the Bouncy Castle library to create a private key pair as key material, which you can supply to the Netty SSL context builder.
See here for a reference for creating a private key pair with Bouncy Castle: https://stackoverflow.com/questions/22008337/generating-keypair-using-bouncy-castle

See below for the method which can be used to supply a private key and certificates which are generated by Bouncy Castle:

    /**
     * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
     * be {@code null} for client contexts, which disables mutual authentication.
     *
     * @param key a PKCS#8 private key
     * @param keyCertChain an X.509 certificate chain
     */
    public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
        return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
    }
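
The file-based approach from the answer, worked through as an added example (not code from the original post or from Netty itself): it checks that the `.key` file is the PKCS#8 PEM the javadoc above asks for, adds an optional CA file as trust material, and lets failures propagate. `PemSslContextFactory`, `clientContext`, `requirePkcs8` and the `trustedCas` file are hypothetical names and assumptions.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.SSLException;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

public final class PemSslContextFactory {   // hypothetical helper class

    /**
     * certChain: PEM X.509 chain (.crt); privateKey: PEM PKCS#8 key (.key);
     * keyPassword: null if the key is not encrypted;
     * trustedCas: PEM CA bundle (assumption), or null for the JDK default trust store.
     */
    public static SslContext clientContext(File certChain, File privateKey,
                                           String keyPassword, File trustedCas)
            throws IOException {
        requirePkcs8(privateKey);
        SslContextBuilder builder = SslContextBuilder.forClient()
                .keyManager(certChain, privateKey, keyPassword);
        if (trustedCas != null) {
            builder.trustManager(trustedCas);
        }
        // build() throws SSLException (an IOException); propagate it instead of returning null
        return builder.build();
    }

    /** Fails early, with a readable message, when the key is not a PKCS#8 PEM block. */
    static void requirePkcs8(File keyFile) throws IOException {
        for (String line : Files.readAllLines(keyFile.toPath(), StandardCharsets.ISO_8859_1)) {
            String header = line.trim();
            if (header.equals("-----BEGIN PRIVATE KEY-----")
                    || header.equals("-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
                return; // PKCS#8, plain or password-protected
            }
            if (header.startsWith("-----BEGIN ") && header.endsWith("PRIVATE KEY-----")) {
                // e.g. "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN EC PRIVATE KEY" (SEC1)
                throw new SSLException(keyFile + " is not PKCS#8 (found " + header
                        + "); convert with: openssl pkcs8 -topk8 -nocrypt -in <old.key> -out <pkcs8.key>");
            }
        }
        throw new SSLException("no PEM private key block found in " + keyFile);
    }
}
```

Keep the unencrypted PKCS#8 output of the conversion readable only by the service account, since `-nocrypt` writes the key without a passphrase.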

huangapple
  • Published on 2020-09-25 02:53:21