netty4 使用SSL 安全连接，简单明了

最新推荐文章于 2024-05-13 14:48:55 发布

Gogym

最新推荐文章于 2024-05-13 14:48:55 发布

阅读量6.7k

点赞数

分类专栏： JAVA netty

本文链接：https://blog.csdn.net/KokJuis/article/details/99448840

版权

JAVA 同时被 2 个专栏收录

62 篇文章 2 订阅

订阅专栏

netty

7 篇文章 1 订阅

订阅专栏

netty是一个非常优秀的nio框架，就不多介绍啦，这里主要介绍如何在netty中开启ssl。

这里使用的版本是 netty4 ，netty4内部已经实现了标准的 jdk ssl 以及openssl。很方便的就能使用。

ssl的一些介绍，为何要用ssl就不累述了，百度一大堆。咱们讲究实战，直接上代码吧：

一、首先肯定要导入相关的jar：

<dependency>
			<groupId>io.netty</groupId>
			<artifactId>netty-all</artifactId>
			<version>4.1.36.Final</version>
		</dependency>
<!-- 如果使用openssl,需要添加下面两个jar，如果只用jdk 提供的ssl，可以不导入-->
		<dependency>
			<groupId>io.netty</groupId>
			<artifactId>netty-tcnative</artifactId>
			<version>2.0.25.Final</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>io.netty</groupId>
			<artifactId>netty-tcnative-boringssl-static</artifactId>
			<version>2.0.25.Final</version>
			<scope>runtime</scope>
		</dependency>

二、提供本人使用的一个示例的几个类吧。直接看代码：

配置类：

/*
 * 文件名：SSLConfig.java
 * 版权：Copyright by www.poly.com
 * 描述：
 * 修改人：gogym
 * 修改时间：2019年7月13日
 * 跟踪单号：
 * 修改单号：
 * 修改内容：
 */

package org.gogym.gim.socket.tcp.ssl;

public class SSLConfig {

	// 是否开启ssl
	private boolean isSSL = false;
	// 是否开启双向验证
	private boolean needClientAuth = false;
	// 密匙库地址
	private String pkPath;
	// 签名证书地址
	private String caPath;
	// 证书密码
	private String passwd;

	public SSLConfig isSSL(boolean isSSL) {
		this.isSSL = isSSL;
		return this;
	}

	public SSLConfig needClientAuth(boolean needClientAuth) {
		this.needClientAuth = needClientAuth;
		return this;
	}

	public SSLConfig pkPath(String pkPath) {
		this.pkPath = pkPath;
		return this;
	}

	public SSLConfig caPath(String caPath) {
		this.caPath = caPath;
		return this;
	}

	public SSLConfig passwd(String passwd) {
		this.passwd = passwd;
		return this;
	}

	public boolean isSSL() {

		return isSSL;
	}

	public boolean isNeedClientAuth() {

		return needClientAuth;
	}

	public String getPkPath() {

		return pkPath;
	}

	public String getCaPath() {

		return caPath;
	}

	public String getPasswd() {

		return passwd;
	}

}

关键的一个类，sslcontext工厂类，用来创建ssl上下文对象，非常重要，已经添加客户端和服务器端，jdk和openssl的配置，直接按需调用即可

/*
 * 文件名：SSLContextFactory.java
 * 版权：Copyright by www.poly.com
 * 描述：
 * 修改人：gogym
 * 修改时间：2019年7月13日
 * 跟踪单号：
 * 修改单号：
 * 修改内容：
 */

package org.gogym.gim.socket.tcp.ssl;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

import org.gogym.getty.buffer.ByteBufAllocator;
import org.gogym.getty.handler.ssl.SslContext;
import org.gogym.getty.handler.ssl.SslContextBuilder;
import org.gogym.getty.handler.ssl.SslHandler;
import org.gogym.getty.handler.ssl.SslProvider;

/**
 * 
 * 〈一句话功能简述〉 〈功能详细描述〉
 * 
 * @author gogym
 * @version 2019年7月13日
 * @see SSLContextFactory
 * @since
 */
public class SSLContextFactory {

	private static final String PROTOCOL = "TLS";

	private static SSLContext SERVER_CONTEXT;// 服务器安全套接字协议

	private static SslContext openSslContext;

	private static SSLContext CLIENT_CONTEXT;// 客户端安全套接字协议

	private static SslContext openSslClientContext;

	public static SSLContext getServerContext(String pkPath, String passwd) {
		if (SERVER_CONTEXT != null)
			return SERVER_CONTEXT;
		InputStream in = null;

		try {
			// 密钥管理器
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore ks = KeyStore.getInstance("JKS");
				// 加载服务端证书
				in = new FileInputStream(pkPath);
				// 加载服务端的KeyStore ；sNetty是生成仓库时设置的密码，用于检查密钥库完整性的密码
				ks.load(in, passwd.toCharArray());

				kmf = KeyManagerFactory.getInstance("SunX509");
				// 初始化密钥管理器
				kmf.init(ks, passwd.toCharArray());
			}
			// 获取安全套接字协议（TLS协议）的对象
			SERVER_CONTEXT = SSLContext.getInstance(PROTOCOL);
			// 初始化此上下文
			// 参数一：认证的密钥 参数二：对等信任认证 参数三：伪随机数生成器 。 由于单向认证，服务端不用验证客户端，所以第二个参数为null
			SERVER_CONTEXT.init(kmf.getKeyManagers(), null, null);

		} catch (Exception e) {
			throw new Error("Failed to initialize the server-side SSLContext",
					e);
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
			}

		}
		return SERVER_CONTEXT;
	}

	public static SslContext getOpenSslServerContext(String pkPath,
			String passwd) {
		if (openSslContext != null) {
			return openSslContext;
		}

		InputStream in = null;
		try {

			// 密钥管理器
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore ks = KeyStore.getInstance("JKS");
				// 加载服务端证书
				in = new FileInputStream(pkPath);
				// 加载服务端的KeyStore ；sNetty是生成仓库时设置的密码，用于检查密钥库完整性的密码
				ks.load(in, passwd.toCharArray());

				kmf = KeyManagerFactory.getInstance("SunX509");
				// 初始化密钥管理器
				kmf.init(ks, passwd.toCharArray());
			}
			openSslContext = SslContextBuilder.forServer(kmf)
					.sslProvider(SslProvider.OPENSSL).build();
			return openSslContext;
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				in = null;
			}

		}

		return null;

	}

	public static SSLContext getClientContext(String pkPath, String passwd) {
		if (CLIENT_CONTEXT != null)
			return CLIENT_CONTEXT;

		InputStream tIN = null;
		try {
			// 信任库
			TrustManagerFactory tf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore tks = KeyStore.getInstance("JKS");
				// 加载客户端证书
				tIN = new FileInputStream(pkPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				// 初始化信任库
				tf.init(tks);
			}

			CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL);
			// 设置信任证书
			CLIENT_CONTEXT.init(null,
					tf == null ? null : tf.getTrustManagers(), null);

		} catch (Exception e) {
			throw new Error("Failed to initialize the client-side SSLContext");
		} finally {
			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
			}
		}

		return CLIENT_CONTEXT;
	}

	public static SslContext getOpenSslClientContext(String pkPath,
			String passwd) {

		if (openSslClientContext != null) {
			return openSslClientContext;
		}

		InputStream tIN = null;
		try {

			// 信任库
			TrustManagerFactory tf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore tks = KeyStore.getInstance("JKS");
				// 加载客户端证书
				tIN = new FileInputStream(pkPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				// 初始化信任库
				tf.init(tks);
			}

			openSslClientContext = SslContextBuilder.forClient()
					.sslProvider(SslProvider.OPENSSL).trustManager(tf).build();

			return openSslClientContext;
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				tIN = null;
			}

		}

		return null;

	}

	/**
	 * 
	 * Description: 生成sslContext
	 * 
	 * @param pkPath
	 * @param caPath
	 * @param passwd
	 * @return
	 * @see
	 */
	public static SSLContext getServerContext(String pkPath, String caPath,
			String passwd) {
		if (SERVER_CONTEXT != null)
			return SERVER_CONTEXT;
		InputStream in = null;
		InputStream tIN = null;

		try {
			// 密钥管理器
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				KeyStore ks = KeyStore.getInstance("JKS");
				in = new FileInputStream(pkPath);
				ks.load(in, passwd.toCharArray());

				kmf = KeyManagerFactory.getInstance("SunX509");
				kmf.init(ks, passwd.toCharArray());
			}
			// 信任库
			TrustManagerFactory tf = null;
			if (caPath != null) {
				KeyStore tks = KeyStore.getInstance("JKS");
				tIN = new FileInputStream(caPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				tf.init(tks);
			}

			SERVER_CONTEXT = SSLContext.getInstance(PROTOCOL);

			// 初始化此上下文
			// 参数一：认证的密钥 参数二：对等信任认证 参数三：伪随机数生成器 。 由于单向认证，服务端不用验证客户端，所以第二个参数为null
			// 单向认证？无需验证客户端证书
			if (tf == null) {
				SERVER_CONTEXT.init(kmf.getKeyManagers(), null, null);
			}
			// 双向认证，需要验证客户端证书
			else {
				SERVER_CONTEXT.init(kmf.getKeyManagers(),
						tf.getTrustManagers(), null);
			}

		} catch (Exception e) {
			throw new Error("Failed to initialize the server-side SSLContext",
					e);
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				in = null;
			}

			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				tIN = null;
			}
		}
		return SERVER_CONTEXT;
	}

	public static SslContext getOpenSslServerContext(String pkPath,
			String caPath, String passwd) {
		if (openSslContext != null)
			return openSslContext;

		InputStream in = null;
		InputStream tIN = null;
		try {

			// 密钥管理器
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore ks = KeyStore.getInstance("JKS");
				// 加载服务端证书
				in = new FileInputStream(pkPath);
				// 加载服务端的KeyStore ；sNetty是生成仓库时设置的密码，用于检查密钥库完整性的密码
				ks.load(in, passwd.toCharArray());

				kmf = KeyManagerFactory.getInstance("SunX509");
				// 初始化密钥管理器
				kmf.init(ks, passwd.toCharArray());
			}

			// 信任库
			TrustManagerFactory tf = null;
			if (caPath != null) {
				KeyStore tks = KeyStore.getInstance("JKS");
				tIN = new FileInputStream(caPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				tf.init(tks);
			}

			openSslContext = SslContextBuilder.forServer(kmf).trustManager(tf)
					.sslProvider(SslProvider.OPENSSL).build();
			return openSslContext;
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				in = null;
			}

			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				tIN = null;
			}
		}

		return null;

	}

	public static SSLContext getClientContext(String pkPath, String caPath,
			String passwd) {
		if (CLIENT_CONTEXT != null)
			return CLIENT_CONTEXT;

		InputStream in = null;
		InputStream tIN = null;
		try {
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				KeyStore ks = KeyStore.getInstance("JKS");
				in = new FileInputStream(pkPath);
				ks.load(in, passwd.toCharArray());
				kmf = KeyManagerFactory.getInstance("SunX509");
				kmf.init(ks, passwd.toCharArray());
			}

			TrustManagerFactory tf = null;
			if (caPath != null) {
				KeyStore tks = KeyStore.getInstance("JKS");
				tIN = new FileInputStream(caPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				tf.init(tks);
			}

			CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL);
			// 初始化此上下文
			// 参数一：认证的密钥 参数二：对等信任认证 参数三：伪随机数生成器 。 由于单向认证，服务端不用验证客户端，所以第二个参数为null
			CLIENT_CONTEXT.init(kmf.getKeyManagers(), tf.getTrustManagers(),
					null);

		} catch (Exception e) {
			throw new Error("Failed to initialize the client-side SSLContext");
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				in = null;
			}

			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				tIN = null;
			}
		}

		return CLIENT_CONTEXT;
	}

	public static SslContext getOpenSslClientContext(String pkPath,
			String caPath, String passwd) {

		if (openSslClientContext != null) {
			return openSslClientContext;
		}

		InputStream in = null;
		InputStream tIN = null;
		try {

			// 密钥管理器
			KeyManagerFactory kmf = null;
			if (pkPath != null) {
				// 密钥库KeyStore
				KeyStore ks = KeyStore.getInstance("JKS");
				// 加载服务端证书
				in = new FileInputStream(pkPath);
				// 加载服务端的KeyStore ；sNetty是生成仓库时设置的密码，用于检查密钥库完整性的密码
				ks.load(in, passwd.toCharArray());

				kmf = KeyManagerFactory.getInstance("SunX509");
				// 初始化密钥管理器
				kmf.init(ks, passwd.toCharArray());
			}

			// 信任库
			TrustManagerFactory tf = null;
			if (caPath != null) {
				KeyStore tks = KeyStore.getInstance("JKS");
				tIN = new FileInputStream(caPath);
				tks.load(tIN, passwd.toCharArray());
				tf = TrustManagerFactory.getInstance("SunX509");
				tf.init(tks);
			}

			openSslClientContext = SslContextBuilder.forClient()
					.sslProvider(SslProvider.OPENSSL).keyManager(kmf)
					.trustManager(tf).build();

			return openSslClientContext;
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (in != null) {
				try {
					in.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				in = null;
			}
			if (tIN != null) {
				try {
					tIN.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
				tIN = null;
			}

		}

		return null;

	}

	/**
	 * 
	 * Description:
	 * 
	 * @return
	 * @see
	 */
	public static SSLEngine getSslServerEngine(SSLConfig sslConfig) {

		SSLEngine sslEngine = null;
		if (sslConfig.isNeedClientAuth()) {
			sslEngine = getServerContext(sslConfig.getPkPath(),
					sslConfig.getCaPath(), sslConfig.getPasswd())
					.createSSLEngine();
		} else {
			sslEngine = getServerContext(sslConfig.getPkPath(),
					sslConfig.getPasswd()).createSSLEngine();
		}

		sslEngine.setUseClientMode(false);
		sslEngine.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1",
				"TLSv1.2" });
		// false为单向认证，true为双向认证
		sslEngine.setNeedClientAuth(sslConfig.isNeedClientAuth());
		return sslEngine;
	}

	public static SSLEngine getOpenSslServerEngine(SSLConfig sslConfig,
			ByteBufAllocator alloc) {

		SSLEngine sslEngine = null;
		if (sslConfig.isNeedClientAuth()) {
			sslEngine = getOpenSslServerContext(sslConfig.getPkPath(),
					sslConfig.getCaPath(), sslConfig.getPasswd()).newEngine(
					alloc);
		} else {
			sslEngine = getOpenSslServerContext(sslConfig.getPkPath(),
					sslConfig.getPasswd()).newEngine(alloc);
		}

		sslEngine.setUseClientMode(false);
		sslEngine.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1",
				"TLSv1.2" });
		// false为单向认证，true为双向认证
		sslEngine.setNeedClientAuth(sslConfig.isNeedClientAuth());
		return sslEngine;
	}

	public static SSLEngine getSslClientEngine(String pkPath, String caPath,
			String passwd, boolean isNeedClientAuth) {

		SSLEngine sslEngine = null;
		if (isNeedClientAuth) {
			sslEngine = getClientContext(pkPath, caPath, passwd)
					.createSSLEngine();
		} else {
			sslEngine = getClientContext(pkPath, passwd).createSSLEngine();

		}
		sslEngine.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1",
				"TLSv1.2" });
		sslEngine.setUseClientMode(true);
		return sslEngine;
	}

	public static SSLEngine getOpenSslClientEngine(String pkPath,
			String caPath, String passwd, ByteBufAllocator alloc,
			boolean isNeedClientAuth) {

		SSLEngine sslEngine = null;
		if (isNeedClientAuth) {
			sslEngine = getOpenSslClientContext(pkPath, caPath, passwd)
					.newEngine(alloc);
		} else {
			sslEngine = getOpenSslClientContext(pkPath, passwd)
					.newEngine(alloc);
		}
		sslEngine.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1",
				"TLSv1.2" });
		sslEngine.setUseClientMode(true);
		return sslEngine;
	}

	/**
	 * 
	 * Description:
	 * 
	 * @return
	 * @see
	 */
	public static SslHandler getSslHandler(SSLConfig sslConfig) {

		if (sslConfig != null && sslConfig.isSSL()) {
			return new SslHandler(getSslServerEngine(sslConfig));
		} else {
			return null;
		}
	}

	public static SslHandler getOpenSslHandler(SSLConfig sslConfig,
			ByteBufAllocator alloc) {

		if (sslConfig != null && sslConfig.isSSL()) {
			return new SslHandler(getOpenSslServerEngine(sslConfig, alloc));
		} else {
			return null;
		}
	}

}

三、使用很简单，按netty的标准用法就好：

SslHandler sslHandler = SSLContextFactory.getOpenSslHandler(
				new SslConfig(), ch.alloc());
		if (sslHandler != null) {
			pipeline.addLast("ssl", sslHandler);
            //添加一个提示成功的类
			pipeline.addLast(new SslCheckServerHandler());
		}

/*
 * 文件名：SslCheckServerHandler.java
 * 描述：
 * 修改人：gogym
 * 修改时间：2019年7月16日
 * 跟踪单号：
 * 修改单号：
 * 修改内容：
 */

package org.gogym.gim.socket.tcp.ssl;

import java.nio.ByteBuffer;

import org.gogym.getty.channel.Channel;
import org.gogym.getty.channel.ChannelHandlerContext;
import org.gogym.getty.channel.SimpleChannelInboundHandler;
import org.gogym.getty.handler.ssl.SslHandler;
import org.gogym.getty.util.concurrent.Future;
import org.gogym.getty.util.concurrent.GenericFutureListener;

public class SslCheckServerHandler extends
		SimpleChannelInboundHandler<ByteBuffer> {

	@Override
	public void channelActive(final ChannelHandlerContext ctx) throws Exception {
		// Once session is secured, send a greeting and register the channel to
		// the global channel
		// list so the channel received the messages from others.
		ctx.pipeline().get(SslHandler.class).handshakeFuture()
				.addListener(new GenericFutureListener<Future<Channel>>() {
					@Override
					public void operationComplete(Future<Channel> future)
							throws Exception {
						if (future.isSuccess()) {
							System.out.println("握手成功");
						} else {
							System.out.println("握手失败");
						}
					}
				});
	}

	@Override
	public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
			throws Exception {
		cause.printStackTrace();
		ctx.close();
	}

	@Override
	protected void channelRead0(ChannelHandlerContext ctx, ByteBuffer msg)
			throws Exception {
	}

}

完

Gogym

关注

0
点赞
踩
14

收藏

觉得还不错? 一键收藏
2
评论
netty4 使用SSL 安全连接，简单明了

netty是一个非常优秀的nio框架，就不多介绍啦，这里主要介绍如何在netty中开启ssl。这里使用的版本是 netty4 ，netty4内部已经实现了标准的 jdk ssl 以及openssl。很方便的就能使用。ssl的一些介绍，为何要用ssl就不累述了，百度一大堆。咱们讲究实战，直接上代码吧：一、首先肯定要导入相关的jar：<dependency> &lt...
复制链接

扫一扫