英文:
Construct Java netty SslContext and apache SSLContexts to trust certificates from dynamic .pem files without a preloaded truststore
问题
关于使用Java io.netty.handler.ssl.SslContext和org.apache.http.ssl.SSLContexts构建以多个动态生成的.pem文件为基础的证书,而无需预先加载的信任存储的问题。
在我的情况下,我有3个动态生成的证书,一个根CA,一个中间CA,另一个根CA,都以.pem格式存在。(所有证书都以-----BEGIN CERTIFICATE-----开头)
我想使用上述生成的证书同时创建io.netty.handler.ssl.SslContext和org.apache.http.ssl.SSLContexts。
如果可能的话,我希望在不创建预加载的truststore.p12的情况下实现这一点。
可能类似于keytool -import -trustcacerts -file root_ca.pem -alias root-ca -keystore truststore.p12,然后拥有一个包含所有内容的最终truststore.p12,并且应用程序读取最终的truststore.p12 可能会起作用,但我希望避免这样做。
是否有一种方法可以在不使用预加载的信任存储的情况下,直接从.pem文件构建io.netty.handler.ssl.SslContext和org.apache.http.ssl.SSLContexts呢?
谢谢。
英文:
Question on the possibility to construct Java io.netty.handler.ssl.SslContext and org.apache.http.ssl.SSLContexts to trust certificates from multiple dynamic generated .pem files without a preloaded truststore.
In my case, I have 3 dynamically generated certificates, a root CA, an intermediate CA, another root CA, all in .pem format. (All starting with -----BEGIN CERTIFICATE----- )
I would like to create both the io.netty.handler.ssl.SslContext and org.apache.http.ssl.SSLContexts with the above generated certificates.
If possible, I would like to achieve this without creating a preloaded truststore.p12.
Probably something like keytool -import -trustcacerts -file root_ca.pem -alias root-ca -keystore truststore.p12 And have a final truststore.p12 with everything, and have the app read the final truststore.p12 might work, but this is something I would like to avoid.
Is there a way to achieve the construction of both io.netty.handler.ssl.SslContext and org.apache.http.ssl.SSLContexts without a preloaded trust store, but directly from the .pem files?
Thank you
答案1
得分: 2
Apache(肯定会)使用JSSE提供的TrustManager,稍微进行了一些调整。实际上,这个TrustManager是从内存中的KeyStore对象初始化的,该对象包含了证书;这个KeyStore通常是从一个信任存储(truststore)_文件_中读取的(或者至少是类似于类加载器资源的伪文件),但并不是必需的。
// 在标准JCA中准备
KeyStore ks = KeyStore.getInstance("PKCS12"); // 类型无关紧要,只要是基于文件的即可
ks.load(null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
int counter = 0;
for (String f : new String[]{"pem1", "pem2", "pem3"}) { // 或其他数据源
try (InputStream is = new FileInputStream(f)) {
ks.setCertificateEntry("alias" + (++counter), cf.generateCertificate(is));
// 或者其他唯一的别名,甚至可能是文件名
}
}
// 现在在Apache中使用
SSLContext ctx = SSLContexts.custom().loadTrustMaterial(ks).build();
HttpClient client = HttpClientBuilder.create().setSSLContext(ctx)....build();
我认为Netty也基本是如此,但我对它不太熟悉。
JCA的CertificateFactory实际上可以读取PEM 或者 DER格式,如果你需要的话。
英文:
Apache (for sure) uses the JSSE-provided TrustManager with minor tweaks. This TrustManager is actually initalized from a KeyStore object in memory that contains the certs; this KeyStore is often read in from a truststore file (or at least pseudo-file like a classloader resource), but need not be.
// prepare in standard JCA
KeyStore ks = KeyStore.getInstance("PKCS12"); // type doesn't matter as long as it's filebased
ks.load(null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
int counter = 0;
for( String f : new String[]{"pem1","pem2","pem3"} ){ // or other source(s) of data
try( InputStream is = new FileInputStream(f) ){
ks.setCertificateEntry("alias"+(++counter), cf.generateCertificate(is) );
// or other aliases as long as they're unique, maybe even filenames
}
}
// now use in Apache
SSLContext ctx = SSLContexts.custom().loadTrustMaterial(ks).build();
HttpClient client = HttpClientBuilder.create().setSSLContext(ctx)....build();
I expect more or less the same is true with netty, but I'm not familiar with it.
JCA CertificateFactory actually reads either PEM or DER, if you needed that.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论