Netty實現SSL雙向驗證完整實例

時間 2019-11-06

標籤 netty 實現 ssl 雙向驗證完整實例欄目 Netty 简体版

原文原文鏈接

Netty實現SSL雙向驗證完整實例

博客分類：

netty

netty ssl 自簽證書

1、證書準備java

要使用ssl雙向驗證，就必須先要生成服務端和客戶端的證書，並相互添加信任，具體流程以下(本人調試這個用例的時候，花了不少時間來驗證證書是否正確，以及握手失敗的緣由，這裏證書生成過程只要按流程走，本人能保證絕對沒有問題)算法

如今打開cmd，在哪一個目錄下打開，證書就會放在哪一個目錄下：spring

第一步: 生成Netty服務端私鑰和證書倉庫命令bootstrap

keytool -genkey -alias securechat -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sNetty -storepass sNetty -keystore sChat.jkssession

-keysize 2048 密鑰長度2048位（這個長度的密鑰目前可認爲沒法被暴力破解）
-validity 365 證書有效期365天
-keyalg RSA 使用RSA非對稱加密算法
-dname "CN=localhost" 設置Common Name爲localhost
-keypass sNetty密鑰的訪問密碼爲sNetty
-storepass sNetty密鑰庫的訪問密碼爲sNetty（其實這兩個密碼也能夠設置同樣，一般都設置同樣，方便記）
-keystore sChat.jks 指定生成的密鑰庫文件爲sChata.jks

第二步：生成Netty服務端自簽名證書socket

keytool -export -alias securechat -keystore sChat.jks -storepass sNetty -file sChat.ceride

第三步：生成客戶端的密鑰對和證書倉庫，用於將服務端的證書保存到客戶端的授信證書倉庫中oop

    keytool -genkey -alias smcc -keysize 2048 -validity 365  -keyalg RSA -dname "CN=localhost" -keypass sNetty  -storepass sNetty -keystore cChat.jks

第四步：將Netty服務端證書導入到客戶端的證書倉庫中測試

keytool -import -trustcacerts -alias securechat -file sChat.cer -storepass sNetty -keystore cChat.jksui

若是你只作單向認證，則到此就能夠結束了，若是是雙響認證，則還需繼續往下走

第五步:生成客戶端自簽名證書

keytool -export -alias smcc -keystore cChat.jks -storepass sNetty -file cChat.cer

最後一步:將客戶端的自簽名證書導入到服務端的信任證書倉庫中：

keytool -import -trustcacerts -alias smcc -file cChat.cer -storepass sNetty -keystore sChat.jks

到這裏，證書就生成完畢了，咱們就能夠獲得兩個jks文件，一個是服務端的sChat.jks ，一個是客戶端的cChat.jks ,這兩個文件後面初始化sslCOntext的時候會用到

若是還想了解更多能夠查看

http://dwj147258.iteye.com/blog/2339934

2、netty服務端

下面就直接貼代碼了，首先是實例化SSLContext的類：

Java代碼

package main.java.com.nionetty;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.core.io.ClassPathResource;
/**
* 初始化sslcontext類
*
*/
public class ContextSSLFactory {
private static final SSLContext SSL_CONTEXT_S ;
private static final SSLContext SSL_CONTEXT_C ;
static{
SSLContext sslContext = null ;
SSLContext sslContext2 = null ;
try {
sslContext = SSLContext.getInstance("SSLv3") ;
sslContext2 = SSLContext.getInstance("SSLv3") ;
} catch (NoSuchAlgorithmException e1) {
e1.printStackTrace();
}
try{
if(getKeyManagersServer() != null && getTrustManagersServer() != null ){
sslContext.init(getKeyManagersServer(), getTrustManagersServer(), null);
}
if(getKeyManagersClient() != null && getTrustManagersClient() != null){
sslContext2.init(getKeyManagersClient(), getTrustManagersClient(), null);
}
}catch(Exception e){
e.printStackTrace() ;
}
sslContext.createSSLEngine().getSupportedCipherSuites() ;
sslContext2.createSSLEngine().getSupportedCipherSuites() ;
SSL_CONTEXT_S = sslContext ;
SSL_CONTEXT_C = sslContext2 ;
}
public ContextSSLFactory(){
}
public static SSLContext getSslContext(){
return SSL_CONTEXT_S ;
}
public static SSLContext getSslContext2(){
return SSL_CONTEXT_C ;
}
private static TrustManager[] getTrustManagersServer(){
FileInputStream is = null ;
KeyStore ks = null ;
TrustManagerFactory keyFac = null ;
TrustManager[] kms = null ;
try {
// 得到KeyManagerFactory對象. 初始化位默認算法
keyFac = TrustManagerFactory.getInstance("SunX509") ;
is =new FileInputStream( (new ClassPathResource("main/java/conf/sChat.jks")).getFile() );
ks = KeyStore.getInstance("JKS") ;
String keyStorePass = "sNetty" ;
ks.load(is , keyStorePass.toCharArray()) ;
keyFac.init(ks) ;
kms = keyFac.getTrustManagers() ;
} catch (Exception e) {
e.printStackTrace();
}
finally{
if(is != null ){
try {
is.close() ;
} catch (IOException e) {
e.printStackTrace();
}
}
}
return kms ;
}
private static TrustManager[] getTrustManagersClient(){
FileInputStream is = null ;
KeyStore ks = null ;
TrustManagerFactory keyFac = null ;
TrustManager[] kms = null ;
try {
// 得到KeyManagerFactory對象. 初始化位默認算法
keyFac = TrustManagerFactory.getInstance("SunX509") ;
is =new FileInputStream( (new ClassPathResource("main/java/conf/cChat.jks")).getFile() );
ks = KeyStore.getInstance("JKS") ;
String keyStorePass = "sNetty" ;
ks.load(is , keyStorePass.toCharArray()) ;
keyFac.init(ks) ;
kms = keyFac.getTrustManagers() ;
} catch (Exception e) {
e.printStackTrace();
}
finally{
if(is != null ){
try {
is.close() ;
} catch (IOException e) {
e.printStackTrace();
}
}
}
return kms ;
}
private static KeyManager[] getKeyManagersServer(){
FileInputStream is = null ;
KeyStore ks = null ;
KeyManagerFactory keyFac = null ;
KeyManager[] kms = null ;
try {
// 得到KeyManagerFactory對象. 初始化位默認算法
keyFac = KeyManagerFactory.getInstance("SunX509") ;
is =new FileInputStream( (new ClassPathResource("main/java/conf/sChat.jks")).getFile() );
ks = KeyStore.getInstance("JKS") ;
String keyStorePass = "sNetty" ;
ks.load(is , keyStorePass.toCharArray()) ;
keyFac.init(ks, keyStorePass.toCharArray()) ;
kms = keyFac.getKeyManagers() ;
} catch (Exception e) {
e.printStackTrace();
}
finally{
if(is != null ){
try {
is.close() ;
} catch (IOException e) {
e.printStackTrace();
}
}
}
return kms ;
}
private static KeyManager[] getKeyManagersClient(){
FileInputStream is = null ;
KeyStore ks = null ;
KeyManagerFactory keyFac = null ;
KeyManager[] kms = null ;
try {
// 得到KeyManagerFactory對象. 初始化位默認算法
keyFac = KeyManagerFactory.getInstance("SunX509") ;
is =new FileInputStream( (new ClassPathResource("main/java/conf/cChat.jks")).getFile() );
ks = KeyStore.getInstance("JKS") ;
String keyStorePass = "sNetty" ;
ks.load(is , keyStorePass.toCharArray()) ;
keyFac.init(ks, keyStorePass.toCharArray()) ;
kms = keyFac.getKeyManagers() ;
} catch (Exception e) {
e.printStackTrace();
}
finally{
if(is != null ){
try {
is.close() ;
} catch (IOException e) {
e.printStackTrace();
}
}
}
return kms ;
}
}

服務端啓動類：

Java代碼

package main.java.com.nionetty;
import javax.net.ssl.SSLEngine;
import javax.print.attribute.standard.MediaSize.Engineering;
import main.java.com.nettyTest.SecureChatServerHandler;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.logging.LogLevel;
import io.netty.handler.logging.LoggingHandler;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
public class NettySocketServer {
private static SslHandler sslHandler = null ;
private EventLoopGroup bossGroup = null ;
private EventLoopGroup workerGroup = null ;
public void start(){
bossGroup = new NioEventLoopGroup() ;
workerGroup = new NioEventLoopGroup() ;
try{
ServerBootstrap serverStrap = new ServerBootstrap() ;
serverStrap.group(bossGroup , workerGroup)
.channel(NioServerSocketChannel.class)
.option(ChannelOption.SO_BACKLOG, 128)
.option(ChannelOption.SO_KEEPALIVE, true)
.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 1000 * 5 * 60)
.handler(new LoggingHandler(LogLevel.DEBUG))
.childHandler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel socketChannel) throws Exception {
ChannelPipeline pie = socketChannel.pipeline() ;
pie.addLast("decoder" , new MyDecoder()) ;
pie.addLast("encoder" , new MyEncoder()) ;
pie.addLast("handler" , new NettySocketSSLHandler()) ;
SSLEngine engine = ContextSSLFactory.getSslContext().createSSLEngine();
engine.setUseClientMode(false);
engine.setNeedClientAuth(true);
pie.addFirst("ssl", new SslHandler(engine));
}
});
serverStrap.bind(161616).sync() ;
System.out.println("服務已開啓");
}catch(Exception e){
e.printStackTrace() ;
bossGroup.shutdownGracefully() ;
workerGroup.shutdownGracefully() ;
}
}
private SslHandler getSslHandler(){
if(sslHandler == null ){
SSLEngine sslEngine = ContextSSLFactory.getSslContext().createSSLEngine() ;
sslEngine.setUseClientMode(false) ;
//false爲單向認證，true爲雙向認證
sslEngine.setNeedClientAuth(true) ;
sslHandler = new SslHandler(sslEngine);
}
return sslHandler ;
}
public static void main(String[] args) {
new NettySocketServer().start() ;
}
}

編碼器：

Java代碼

package main.java.com.nionetty;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.MessageToByteEncoder;
import java.nio.ByteBuffer;
public class MyEncoder extends MessageToByteEncoder<ByteBuffer>{
@Override
protected void encode(ChannelHandlerContext ctx, ByteBuffer message,
ByteBuf out) throws Exception {
if(message==null){
return;
}
if(message.hasArray()){
byte[] msg =message.array();
if(msg == null || msg.length <= 0){
return;
}
out.writeBytes(msg) ;
}
}
}

解碼器：

Java代碼

/*
* Copyright (C) TD Tech
* All Rights Reserved.
*
*/
package main.java.com.nionetty;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.ByteToMessageDecoder;
import java.nio.ByteBuffer;
import java.util.List;
/**
* Create Date: 2014-11-4 下午02:42:21
* Create Author: lWX232692
* Description :
*/
public class MyDecoder extends ByteToMessageDecoder {
@Override
protected void decode(ChannelHandlerContext ctx, ByteBuf buffer,
List<Object> out) throws Exception {
//UnpooledUnsafeDirectByteBuf(ridx: 0, widx: 1, cap: 1024)
if (buffer != null) {
ByteBuffer msg = null;
try {
if(buffer.readableBytes() > 0 ){
msg = ByteBuffer.allocate(buffer.readableBytes()) ;
byte[] bb = new byte[buffer.readableBytes()] ;
buffer.readBytes(bb) ;
msg.put(bb);
msg.flip();
}
} catch (Exception e) {
e.printStackTrace();
msg = null ;
}
if (msg != null) {
out.add(msg);
}
}
}
}

業務實現類：

Java代碼

package main.java.com.nionetty;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.Arrays;
public class NettySocketSSLHandler extends SimpleChannelInboundHandler<ByteBuffer>{
@Override
public void channelActive(final ChannelHandlerContext ctx) throws Exception {
// Once session is secured, send a greeting and register the channel to the global channel
// list so the channel received the messages from others.
ctx.pipeline().get(SslHandler.class).handshakeFuture().addListener(
new GenericFutureListener<Future<Channel>>() {
@Override
public void operationComplete(Future<Channel> future) throws Exception {
if(future.isSuccess()){
System.out.println("握手成功");
byte[] array = new byte[]{ (byte)7d, 04} ;
ByteBuffer bu = ByteBuffer.wrap(array) ;
ctx.channel().writeAndFlush(bu) ;
}else{
System.out.println("握手失敗");
}
ctx.writeAndFlush(
"Welcome to " + InetAddress.getLocalHost().getHostName() +
" secure chat service!\n");
ctx.writeAndFlush(
"Your session is protected by " +
ctx.pipeline().get(SslHandler.class).engine().getSession().getCipherSuite() +
" cipher suite.\n");
}
});
}
@Override
public void handlerAdded(ChannelHandlerContext ctx)
throws Exception {
System.out.println("服務端增長");
}
@Override
public void handlerRemoved(ChannelHandlerContext ctx){
System.out.println("移除:"+ctx.channel().remoteAddress());
}
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
System.out.println("Unexpected exception from downstream.");
ctx.close();
}
@Override
public void messageReceived(ChannelHandlerContext ctx, ByteBuffer msg) throws Exception {
System.out.println("服務端receive msg ");
byte[] array = new byte[]{00, 01, 00, 00, 00, 06, 05, 03, (byte)7d, 00, 00, 07} ;
ByteBuffer bu = ByteBuffer.wrap(array) ;
ctx.channel().writeAndFlush(bu) ;
}
}