mTLS: Netty单向/双向TLS Demo完整代码

最新推荐文章于 2024-06-12 11:19:55 发布
最新推荐文章于 2024-06-12 11:19:55 发布
阅读量1k 收藏 24
点赞数 16
文章标签: netty mtls tls
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Mr_rain/article/details/136413160
版权

NettyHelper.java: 主要用是创建EventLoopGroup和判断是否支持Epoll。

package org.example.netty;

import io.netty.channel.EventLoopGroup;
import io.netty.channel.epoll.Epoll;
import io.netty.channel.epoll.EpollEventLoopGroup;
import io.netty.channel.epoll.EpollSocketChannel;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.*;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.concurrent.DefaultThreadFactory;

import javax.net.ssl.SSLException;
import java.security.cert.CertificateException;
import java.util.concurrent.ThreadFactory;


public class NettyHelper {
    static final String NETTY_EPOLL_ENABLE_KEY = "netty.epoll.enable";

    static final String OS_NAME_KEY = "os.name";

    static final String OS_LINUX_PREFIX = "linux";

    public static EventLoopGroup eventLoopGroup(int threads, String threadFactoryName) {
        ThreadFactory threadFactory = new DefaultThreadFactory(threadFactoryName, true);
        return shouldEpoll() ? new EpollEventLoopGroup(threads, threadFactory) :
                new NioEventLoopGroup(threads, threadFactory);
    }


    public static boolean shouldEpoll() {
        if (Boolean.parseBoolean(System.getProperty(NETTY_EPOLL_ENABLE_KEY, "false"))) {
            String osName = System.getProperty(OS_NAME_KEY);
            return osName.toLowerCase().contains(OS_LINUX_PREFIX) && Epoll.isAvailable();
        }

        return false;
    }


    public static Class<? extends SocketChannel> socketChannelClass() {
        return shouldEpoll() ? EpollSocketChannel.class : NioSocketChannel.class;
    }
}

SslContexts: 创建SslContext对象的工具类

package org.example.netty.tls;

import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.*;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import lombok.extern.slf4j.Slf4j;

import javax.net.ssl.SSLException;
import java.io.*;
import java.net.MalformedURLException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;

@Slf4j
public class SslContexts {


    public static SslContext createTlsClientSslContext() throws SSLException {
        SslProvider provider = findSslProvider();
        return SslContextBuilder.forClient()
                .sslProvider(provider)
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .protocols("TLSv1.3", "TLSv1.2")
                .build();
    }


    /**
     * 创建server SslContext
     * 会自动创建一个临时自签名的证书 -- Generates a temporary self-signed certificate
     *
     * @return
     * @throws CertificateException
     * @throws SSLException
     */
    public static SslContext createTlsServerSslContext() throws CertificateException, SSLException {
        SslProvider provider = findSslProvider();
        SelfSignedCertificate cert = new SelfSignedCertificate();
        return SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
                .sslProvider(provider)
                .protocols("TLSv1.3", "TLSv1.2")
                .build();
    }


    public static SslContext createServerSslContext(File keyCertChainFile, File keyFile) {
        return createServerSslContext(keyCertChainFile, keyFile, null, null);
    }

    public static SslContext createServerSslContext(File keyCertChainFile, File keyFile, File trustCertCollection) {
        return createServerSslContext(keyCertChainFile, keyFile, null, trustCertCollection);
    }

    public static SslContext createServerSslContext(File keyCertChainFile, File keyFile, String keyPassword) {
        return createServerSslContext(keyCertChainFile, keyFile, keyPassword, null);
    }

    public static SslContext createServerSslContext(File keyCertChainFile, File keyFile, String keyPassword, File trustCertCollection) {
        return createServerSslContext(keyCertChainFile, keyFile, keyPassword, trustCertCollection, true);
    }

    public static SslContext createServerSslContext(File keyCertChainFile, File keyFile, String keyPassword, File trustCertCollection, boolean requireClientAuth) {
        try (InputStream keyCertChainInputStream = openInputStream(keyCertChainFile);
             InputStream keyInputStream = openInputStream(keyFile);
             InputStream trustCertCollectionInputStream = openInputStream(trustCertCollection);) {
            return createServerSslContext(keyCertChainInputStream, keyInputStream, keyPassword, trustCertCollectionInputStream, requireClientAuth);
        } catch (IOException e) {
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
        }
    }




    public static SslContext createServerSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream) {
        return createServerSslContext(keyCertChainInputStream, keyInputStream, null, null);
    }

    public static SslContext createServerSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, InputStream trustCertCollection) {
        return createServerSslContext(keyCertChainInputStream, keyInputStream, null, trustCertCollection);
    }

    public static SslContext createServerSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) {
        return createServerSslContext(keyCertChainInputStream, keyInputStream, keyPassword, null);
    }

    public static SslContext createServerSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword, InputStream trustCertCollection) {
        return createServerSslContext(keyCertChainInputStream, keyInputStream, keyPassword, trustCertCollection, true);
    }

    public static SslContext createServerSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword, InputStream trustCertCollection, boolean requireClientAuth) {
        SslContextBuilder builder;
        if (keyPassword != null) {
            builder = SslContextBuilder.forServer(keyCertChainInputStream, keyInputStream, keyPassword);
        } else {
            builder = SslContextBuilder.forServer(keyCertChainInputStream, keyInputStream);
        }
        if (trustCertCollection != null) {
            builder.trustManager(trustCertCollection)
            ;
        }
        if (requireClientAuth) {
            builder.clientAuth(ClientAuth.REQUIRE);
        }

        try {
            SslProvider provider = findSslProvider();
            return builder
                    .sslProvider(provider)
                    .protocols("TLSv1.3", "TLSv1.2")
                    .build();
        } catch (SSLException e) {
            throw new IllegalStateException("Build SslSession failed.", e);
        }
    }


    public static SslContext createClientSslContext() {
        try {
            SslProvider provider = findSslProvider();
            return SslContextBuilder.forClient()
                    .sslProvider(provider)
                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
                    .protocols("TLSv1.3", "TLSv1.2")
                    .build();
        } catch (SSLException e) {
            throw new IllegalStateException("Build SslSession failed.", e);
        }
    }

    public static SslContext createClientSslContext(File trustCertCollection) {
        return createClientSslContext(null, null, null, trustCertCollection);
    }

    public static SslContext createClientSslContext(File keyCertChainInputStream, File keyInputStream, File trustCertCollection) {
        return createClientSslContext(keyCertChainInputStream, keyInputStream, null, trustCertCollection);
    }

    public static SslContext createClientSslContext(File keyCertChainFile, File keyFile, String keyPassword, File trustCertCollectionFile) {
        try (InputStream keyCertChainInputStream = openInputStream(keyCertChainFile);
             InputStream keyInputStream = openInputStream(keyFile);
             InputStream trustCertCollectionInputStream = openInputStream(trustCertCollectionFile);) {
            return createClientSslContext(keyCertChainInputStream, keyInputStream, keyPassword, trustCertCollectionInputStream);
        } catch (IOException e) {
            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
        }
    }

    public static SslContext createClientSslContext(InputStream trustCertCollection) {
        return createClientSslContext(null, null, null, trustCertCollection);
    }

    public static SslContext createClientSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, InputStream trustCertCollection) {
        return createClientSslContext(keyCertChainInputStream, keyInputStream, null, trustCertCollection);
    }

    public static SslContext createClientSslContext(InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword, InputStream trustCertCollection) {
        SslContextBuilder builder = SslContextBuilder.forClient();
        if (trustCertCollection != null) {
            builder.trustManager(trustCertCollection)
                    .clientAuth(ClientAuth.REQUIRE);
        }
        if (keyCertChainInputStream != null || keyInputStream != null) {
            if (keyPassword != null) {
                builder.keyManager(keyCertChainInputStream, keyInputStream, keyPassword);
            } else {
                builder.keyManager(keyCertChainInputStream, keyInputStream);
            }
        }

        try {
            SslProvider provider = findSslProvider();
            return builder
                    .sslProvider(provider)
                    .protocols("TLSv1.3", "TLSv1.2")
                    .build();
        } catch (SSLException e) {
            throw new IllegalStateException("Build SslSession failed.", e);
        }
    }


    /**
     * 创建 https server SslContext
     * 会自动创建一个临时自签名的证书 -- Generates a temporary self-signed certificate
     *
     * @return
     * @throws CertificateException
     * @throws SSLException
     */
    public static SslContext createHttpsServerSslContext() throws CertificateException, SSLException {
        SslProvider provider = findSslProvider();
        SelfSignedCertificate cert = new SelfSignedCertificate();
        return SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
                .sslProvider(provider)
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .protocols("TLSv1.3", "TLSv1.2")
                .applicationProtocolConfig(
                        new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                                ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT
                                , ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1
                        ))
                .build();
    }

    public static InputStream openInputStream(File file) throws IOException {
        return file == null ? null : file.toURI().toURL().openStream();
//        return file == null ? null : new FileInputStream(file);
    }

//
//    public static SslContext buildServerSslContext() {
//        SslContextBuilder sslClientContextBuilder;
//        InputStream serverKeyCertChainPathStream = null;
//        InputStream serverPrivateKeyPathStream = null;
//        InputStream serverTrustCertStream = null;
//        try {
//            serverKeyCertChainPathStream = sslConfig.getServerKeyCertChainPathStream();
//            serverPrivateKeyPathStream = sslConfig.getServerPrivateKeyPathStream();
//            serverTrustCertStream = sslConfig.getServerTrustCertCollectionPathStream();
//            String password = sslConfig.getServerKeyPassword();
//            if (password != null) {
//                sslClientContextBuilder = SslContextBuilder.forServer(serverKeyCertChainPathStream,
//                        serverPrivateKeyPathStream, password);
//            } else {
//                sslClientContextBuilder = SslContextBuilder.forServer(serverKeyCertChainPathStream,
//                        serverPrivateKeyPathStream);
//            }
//
//            if (serverTrustCertStream != null) {
//                sslClientContextBuilder.trustManager(serverTrustCertStream);
//                sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
//            }
//        } catch (Exception e) {
//            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
//        } finally {
//            safeCloseStream(serverTrustCertStream);
//            safeCloseStream(serverKeyCertChainPathStream);
//            safeCloseStream(serverPrivateKeyPathStream);
//        }
//        try {
//            return sslClientContextBuilder.sslProvider(findSslProvider()).build();
//        } catch (SSLException e) {
//            throw new IllegalStateException("Build SslSession failed.", e);
//        }
//    }
//
//    public static SslContext buildClientSslContext(URL url) {
//
//        SslContextBuilder builder = SslContextBuilder.forClient();
//        InputStream clientTrustCertCollectionPath = null;
//        InputStream clientCertChainFilePath = null;
//        InputStream clientPrivateKeyFilePath = null;
//        try {
//            clientTrustCertCollectionPath = sslConfig.getClientTrustCertCollectionPathStream();
//            if (clientTrustCertCollectionPath != null) {
//                builder.trustManager(clientTrustCertCollectionPath);
//            }
//
//            clientCertChainFilePath = sslConfig.getClientKeyCertChainPathStream();
//            clientPrivateKeyFilePath = sslConfig.getClientPrivateKeyPathStream();
//            if (clientCertChainFilePath != null && clientPrivateKeyFilePath != null) {
//                String password = sslConfig.getClientKeyPassword();
//                if (password != null) {
//                    builder.keyManager(clientCertChainFilePath, clientPrivateKeyFilePath, password);
//                } else {
//                    builder.keyManager(clientCertChainFilePath, clientPrivateKeyFilePath);
//                }
//            }
//        } catch (Exception e) {
//            throw new IllegalArgumentException("Could not find certificate file or find invalid certificate.", e);
//        } finally {
//            safeCloseStream(clientTrustCertCollectionPath);
//            safeCloseStream(clientCertChainFilePath);
//            safeCloseStream(clientPrivateKeyFilePath);
//        }
//        try {
//            return builder.sslProvider(findSslProvider()).build();
//        } catch (SSLException e) {
//            throw new IllegalStateException("Build SslSession failed.", e);
//        }
//    }


    /**
     * Returns OpenSSL if available, otherwise returns the JDK provider.
     */
    private static SslProvider findSslProvider() {
        return SslProvider.isAlpnSupported(SslProvider.OPENSSL) ? SslProvider.OPENSSL : SslProvider.JDK;
//        return SslProvider.OPENSSL;
//        if (OpenSsl.isAvailable()) {
//            log.debug("Using OPENSSL provider.");
//            return SslProvider.OPENSSL;
//        }
//        if (checkJdkProvider()) {
//            log.debug("Using JDK provider.");
//            return SslProvider.JDK;
//        }
//        throw new IllegalStateException(
//                "Could not find any valid TLS provider, please check your dependency or deployment environment, " +
//                        "usually netty-tcnative, Conscrypt, or Jetty NPN/ALPN is needed.");
    }

    private static boolean checkJdkProvider() {
        Provider[] jdkProviders = Security.getProviders("SSLContext.TLS");
        return (jdkProviders != null && jdkProviders.length > 0);
    }

    private static void safeCloseStream(InputStream stream) {
        if (stream == null) {
            return;
        }
        try {
            stream.close();
        } catch (IOException e) {
            log.warn("Failed to close a stream.", e);
        }
    }
}

NettySslCxt: 对SslContext进行了包装,同时加了一个标识是否是mtls的boolean 成员变量

package org.example.netty.tls;

import io.netty.handler.ssl.SslContext;
import lombok.Data;

@Data
public class NettySslCxt {
    private final boolean mtls;
    private final SslContext sslContext;
}

NettyTLSServer: Netty Server的代码

package org.example.netty.tls;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.*;
import io.netty.channel.epoll.EpollServerSocketChannel;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.codec.LineBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import io.netty.handler.ssl.SslContext;
import lombok.extern.slf4j.Slf4j;
import org.example.netty.NettyHelper;

import javax.net.ssl.SSLException;
import java.net.InetSocketAddress;
import java.security.cert.CertificateException;

@Slf4j
public class NettyTLSServer {


    private InetSocketAddress bindAddress;
    private ServerBootstrap bootstrap;
    private EventLoopGroup bossGroup;
    private EventLoopGroup workerGroup;
    private ByteToMessageDecoder messageDecoder = new LineBasedFrameDecoder(Integer.MAX_VALUE);
    private MessageToByteEncoder encodeHandler;
    private ByteToMessageDecoder decodeHandler;
    private ChannelHandler handler;
    private NettySslCxt sslCxt;

    public NettyTLSServer(NettySslCxt sslCxt, MessageToByteEncoder encodeHandler, ByteToMessageDecoder decodeHandler, ChannelHandler handler) {
        this(8080, sslCxt, encodeHandler, decodeHandler, handler);
    }

    public NettyTLSServer(int bindPort, NettySslCxt sslCxt, MessageToByteEncoder encodeHandler, ByteToMessageDecoder decodeHandler, ChannelHandler handler) {
        this("localhost", bindPort, sslCxt, encodeHandler, decodeHandler, handler);
    }

    public NettyTLSServer(String bindIp, int bindPort, NettySslCxt sslCxt, MessageToByteEncoder encodeHandler, ByteToMessageDecoder decodeHandler, ChannelHandler handler) {
        bindAddress = new InetSocketAddress(bindIp, bindPort);
        this.handler = handler;
        this.encodeHandler = encodeHandler;
        this.decodeHandler = decodeHandler;
        this.sslCxt = sslCxt;
    }


    public void init() throws CertificateException, SSLException {
        initServerBootstrap();

        bootstrap.childHandler(new ChannelInitializer<SocketChannel>() {

            @Override
            protected void initChannel(SocketChannel ch) throws Exception {
                log.info("accept client: {} {}", ch.remoteAddress().getHostName(), ch.remoteAddress().getPort());
                ChannelPipeline pipeline = ch.pipeline();
                pipeline.addLast(sslCxt.getSslContext().newHandler(ch.alloc()));
                pipeline.addLast(new TlsHandler(true, isEnableMTls()));
                pipeline.addLast(messageDecoder)
                        .addLast(decodeHandler)
                        .addLast(encodeHandler)
                        .addLast(handler);
            }
        });
    }

    public void bind(boolean sync) throws CertificateException, SSLException {
        init();
        try {
            ChannelFuture channelFuture = bootstrap.bind(bindAddress).sync();
            if (channelFuture.isDone()) {
                log.info("netty server start at house and port: {} ", bindAddress.getPort());
            }
            io.netty.channel.Channel channel = channelFuture.channel();
            ChannelFuture closeFuture = channel.closeFuture();
            if (sync) {
                closeFuture.sync();
            }
        } catch (Exception e) {
            log.error("netty server start exception,", e);
        } finally {
            if (sync) {
                shutdown();
            }
        }
    }


    public void shutdown() {
        log.info("netty server shutdown");
        log.info("netty server shutdown bossEventLoopGroup&workerEventLoopGroup gracefully");
        bossGroup.shutdownGracefully();
        workerGroup.shutdownGracefully();
    }


    private void initServerBootstrap() {
        bootstrap = new ServerBootstrap();

        bossGroup = NettyHelper.eventLoopGroup(1, "NettyServerBoss");
        workerGroup = NettyHelper.eventLoopGroup(Math.min(Runtime.getRuntime().availableProcessors() + 1, 32), "NettyServerWorker");

        bootstrap.group(bossGroup, workerGroup)
                .channel(NettyHelper.shouldEpoll() ? EpollServerSocketChannel.class : NioServerSocketChannel.class)
                .option(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                .childOption(ChannelOption.TCP_NODELAY, Boolean.TRUE)
                .childOption(ChannelOption.SO_KEEPALIVE, Boolean.TRUE)
                .childOption(ChannelOption.ALLOCATOR, PooledByteBufAllocator.DEFAULT)
                .childOption(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000);
    }


    public ByteToMessageDecoder getMessageDecoder() {
        return messageDecoder;
    }

    public void setMessageDecoder(ByteToMessageDecoder messageDecoder) {
        this.messageDecoder = messageDecoder;
    }


    boolean isEnableMTls() {
        return sslCxt.isMtls();
    }


}

NettyTLSClient:Netty Client的代码

package org.example.netty.tls;

import io.netty.bootstrap.Bootstrap;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.*;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.codec.LineBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import io.netty.handler.ssl.SslContext;
import lombok.extern.slf4j.Slf4j;
import org.example.netty.NettyHelper;

import javax.net.ssl.SSLException;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicReference;

@Slf4j
public class NettyTLSClient {


    private InetSocketAddress serverAddress;

    private Bootstrap bootstrap;
    private EventLoopGroup workerGroup;

    private Channel channel;

    private ByteToMessageDecoder messageDecoder = new LineBasedFrameDecoder(Integer.MAX_VALUE);
    private MessageToByteEncoder encodeHandler;
    private ByteToMessageDecoder decodeHandler;

    private ChannelHandler handler;

    private NettySslCxt sslCxt;

    public NettyTLSClient(String severHost, int serverPort, NettySslCxt sslCxt, MessageToByteEncoder encodeHandler, ByteToMessageDecoder decodeHandler, ChannelHandler handler) {
        serverAddress = new InetSocketAddress(severHost, serverPort);
        this.encodeHandler = encodeHandler;
        this.decodeHandler = decodeHandler;
        this.handler = handler;
        this.sslCxt = sslCxt;
    }

    public ChannelFuture connect() throws SSLException {
        init();
        final ChannelFuture promise = bootstrap.connect(serverAddress.getHostName(), serverAddress.getPort());
//        final ChannelFuture promise = bootstrap.connect();
        promise.addListener(future -> {
            log.info("client connect to server: {}", future.isSuccess());
        });
        channel = promise.channel();
        return promise;
    }


    public void init() throws SSLException {
        initBootstrap();
        bootstrap.handler(new ChannelInitializer<SocketChannel>() {

            @Override
            protected void initChannel(SocketChannel ch) {
                final ChannelPipeline pipeline = ch.pipeline();
                pipeline
//                        .addLast(sslCtx.newHandler(ch.alloc(), serverAddress.getHostName(), serverAddress.getPort()))
                        .addLast(sslCxt.getSslContext().newHandler(ch.alloc()))
                        .addLast(new TlsHandler(false, isEnableMTls()))
                        .addLast(messageDecoder)
                        .addLast(decodeHandler)
                        .addLast(encodeHandler)
                        .addLast(handler);

            }
        });
    }

    private SslContext createSslContext() throws SSLException {
        if (isEnableMTls()) {
            return null;
        } else {
            return SslContexts.createTlsClientSslContext();
        }
    }

    private void initBootstrap() {
        bootstrap = new Bootstrap();
        workerGroup = NettyHelper.eventLoopGroup(1, "NettyClientWorker");
        bootstrap.group(workerGroup)
                .option(ChannelOption.SO_KEEPALIVE, true)
                .option(ChannelOption.TCP_NODELAY, true)
                .option(ChannelOption.ALLOCATOR, PooledByteBufAllocator.DEFAULT)
                .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000)
                .remoteAddress(serverAddress)
                .channel(NettyHelper.socketChannelClass());
    }

    public void shutdown() {
        log.info("netty client shutdown");
        channel.closeFuture()
                .addListener(future -> {
                    log.info("netty client shutdown workerEventLoopGroup gracefully");
                    workerGroup.shutdownGracefully();
                });
    }

    public Channel getChannel() {
        return channel;
    }

    public ByteToMessageDecoder getMessageDecoder() {
        return messageDecoder;
    }

    public void setMessageDecoder(ByteToMessageDecoder messageDecoder) {
        this.messageDecoder = messageDecoder;
    }

    boolean isEnableMTls() {
        return sslCxt.isMtls();
    }
}

TlsHandler:检查ssl handshake,在mtls场景下打印对端的证书信息,否则在client打印服务端的证书信息。

package org.example.netty.tls;

import io.netty.channel.Channel;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import lombok.extern.slf4j.Slf4j;

import javax.net.ssl.SSLSession;
import javax.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;



@Slf4j
public class TlsHandler extends ChannelDuplexHandler {

    private boolean serverSide;
    private boolean mtls;

    public TlsHandler(boolean serverSide, boolean mtls) {
        this.serverSide = serverSide;
        this.mtls = mtls;
    }

    @Override
    public void channelActive(ChannelHandlerContext ctx) throws Exception {
        ctx.pipeline().get(SslHandler.class).handshakeFuture().addListener(
                new GenericFutureListener<Future<Channel>>() {
                    @Override
                    public void operationComplete(Future<Channel> future) throws Exception {
                        if (future.isSuccess()) {
                            log.info("[{}] {} 握手成功", getSideType(), ctx.channel().remoteAddress());
                            SSLSession ss = ctx.pipeline().get(SslHandler.class).engine().getSession();
                            log.info("[{}] {} cipherSuite: {}", getSideType(), ctx.channel().remoteAddress(), ss.getCipherSuite());
                            if (mtls || !serverSide) {
                                X509Certificate cert = ss.getPeerCertificateChain()[0];
                                String info = null;
                                // 获得证书版本
                                info = String.valueOf(cert.getVersion());
                                System.out.println("证书版本:" + info);
                                // 获得证书序列号
                                info = cert.getSerialNumber().toString(16);
                                System.out.println("证书序列号:" + info);
                                // 获得证书有效期
                                Date beforedate = cert.getNotBefore();
                                info = new SimpleDateFormat("yyyy/MM/dd").format(beforedate);
                                System.out.println("证书生效日期:" + info);
                                Date afterdate = (Date) cert.getNotAfter();
                                info = new SimpleDateFormat("yyyy/MM/dd").format(afterdate);
                                System.out.println("证书失效日期:" + info);
                                // 获得证书主体信息
                                info = cert.getSubjectDN().getName();
                                System.out.println("证书拥有者:" + info);
                                // 获得证书颁发者信息
                                info = cert.getIssuerDN().getName();
                                System.out.println("证书颁发者:" + info);
                                // 获得证书签名算法名称
                                info = cert.getSigAlgName();
                                System.out.println("证书签名算法:" + info);
                            }
                        } else {
                            log.warn("[{}] {} 握手失败,关闭连接", getSideType(), ctx.channel().remoteAddress());
                            ctx.channel().closeFuture().addListener(closeFuture -> {
                                log.info("[{}] {} 关闭连接:{}", getSideType(), ctx.channel().remoteAddress(), closeFuture.isSuccess());
                            });
                        }
                    }
                });

        SocketChannel channel = (SocketChannel) ctx.channel();
        System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date()) + " conn:");
        System.out.println("IP:" + channel.localAddress().getHostString());
        System.out.println("Port:" + channel.localAddress().getPort());
    }


    private String getSideType() {
        return serverSide ? "SERVER" : "CLIENT";
    }
}

NettyTLSMain.java: 测试Main Class

package org.example.netty.tls;

import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.LineBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import lombok.extern.slf4j.Slf4j;

import javax.net.ssl.SSLException;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.util.List;
import java.util.Scanner;

public class NettyTLSMain {

    private static String serverHost = "localhost";
    private static int serverPort = 10001;

    public static void main(String[] args) throws CertificateException, SSLException {

        // 自签名的tls
//        nettyTlsLauncher(new NettySslCxt(false, SslContexts.createTlsServerSslContext()), new NettySslCxt(false, SslContexts.createTlsClientSslContext()));

        String certDir = "~/Desktop/test/cert/uncrypted4";
        // 指定证书的tls
//        nettyTlsLauncher(
//                new NettySslCxt(false, SslContexts.createServerSslContext(
//                        new File(certDir + "/server.crt"),
//                        new File(certDir + "/pkcs8_server.key"),
//                        null, null, false)),
//                new NettySslCxt(false, SslContexts.createClientSslContext()));

        //指定证书的tls -Djdk.security.allowNonCaAnchor=true
//        nettyTlsLauncher(
//                new NettySslCxt(false, SslContexts.createServerSslContext(
//                        new File(certDir + "/server.crt"),
//                        new File(certDir + "/pkcs8_server.key"),
//                        null,
//                        new File(certDir + "/ca.crt"),
//                        false)),
//                new NettySslCxt(false, SslContexts.createClientSslContext(
//                        new File(certDir + "/ca.crt"))));


        //
//        nettyTlsLauncher(
//                new NettySslCxt(true, SslContexts.createServerSslContext(
//                        new File(certDir + "/server.crt"),
//                        new File(certDir + "/server.key"),
//                        new File(certDir + "/ca.crt"))),
//                new NettySslCxt(true, SslContexts.createClientSslContext(
//                        new File(certDir + "/client.crt"),
//                        new File(certDir + "/client.key"),
//                        new File(certDir + "/ca.crt"))));

        nettyTlsLauncher(
                new NettySslCxt(true, SslContexts.createServerSslContext(
                        new File(certDir + "/server.crt"),
                        new File(certDir + "/server.key"),
                        new File(certDir + "/ca4.crt"))),
                new NettySslCxt(true, SslContexts.createClientSslContext(
                        new File(certDir + "/client.crt"),
                        new File(certDir + "/client.key"),
                        new File(certDir + "/ca.crt"))));


//        String serCertDir = "~/Desktop/test/cert/uncrypted_merge_2_3";
        String serCertDir = "~/Desktop/test/cert/uncrypted3";
//        String certDir2 = "~/Desktop/test/cert/uncrypted3";
//        String certDir3 = "~/Desktop/test/cert/uncrypted3";
//        nettyTlsLauncher(
//                new NettySslCxt(true, SslContexts.createServerSslContext(
//                        new File(serCertDir + "/server.crt"),
//                        new File(serCertDir + "/server.key"),
//                        new File(serCertDir + "/ca.crt"))),
//                new NettySslCxt(true, SslContexts.createClientSslContext(
//                        new File(certDir2 + "/client.crt"),
//                        new File(certDir2 + "/client.key"),
//                        new File(certDir2 + "/ca.crt")))
                , new NettySslCxt(false, SslContexts.createClientSslContext(
                        new File(certDir3 + "/client.crt"),
                        new File(certDir3 + "/client.key"),
                        new File(certDir3 + "/ca.crt")))
//        );

    }

    private static void nettyTlsLauncher(NettySslCxt serverSslCxt, NettySslCxt clientSslCxt) throws CertificateException, SSLException {
        nettyTlsLauncher(serverSslCxt, clientSslCxt, null);
    }

    private static void nettyTlsLauncher(NettySslCxt serverSslCxt, NettySslCxt clientSslCxt, NettySslCxt clientSslCxt2) throws CertificateException, SSLException {
        NettyTLSServer server = new NettyTLSServer(
                serverHost, serverPort, serverSslCxt, new Encoder(), new Decoder(), new StringServerChannelHandler());
        server.setMessageDecoder(new LineBasedFrameDecoder(Integer.MAX_VALUE));
        server.bind(false);


        NettyTLSClient client = new NettyTLSClient(
                serverHost, serverPort, clientSslCxt, new Encoder(), new Decoder(), new StringClientChannelHandler());
        client.setMessageDecoder(new LineBasedFrameDecoder(Integer.MAX_VALUE));
        client.connect().addListener(future -> {
            if (future.isSuccess()) {
                client.getChannel().writeAndFlush("--test--");
            }
        });

        NettyTLSClient client2;
        if (clientSslCxt2 != null) {
            client2 = new NettyTLSClient(
                    serverHost, serverPort, clientSslCxt2, new Encoder(), new Decoder(), new StringClientChannelHandler());
            client2.setMessageDecoder(new LineBasedFrameDecoder(Integer.MAX_VALUE));
            client2.connect().addListener(future -> {
                if (future.isSuccess()) {
                    client2.getChannel().writeAndFlush("--test2--");
                }
            });
        } else {
            client2 = null;
        }

        Scanner scanner = new Scanner(System.in);

        while (true) {
            System.out.println("waiting input");
            String line = scanner.nextLine();
            if ("exit".equals(line) || "eq".equals(line) || "quit".equals(line)) {
                client.shutdown();
                server.shutdown();
                return;
            }
            client.getChannel().writeAndFlush(line);
            if (client2 != null) {
                client2.getChannel().writeAndFlush("c2:" + line);
            }

        }
    }


    public static class Decoder extends ByteToMessageDecoder {

        @Override
        protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) throws Exception {
            byte[] b = new byte[in.readableBytes()];
            in.readBytes(b);
            out.add(new String(b, StandardCharsets.UTF_8));
        }
    }

    @ChannelHandler.Sharable
    public static class Encoder extends MessageToByteEncoder<String> {

        @Override
        protected void encode(ChannelHandlerContext ctx, String msg, ByteBuf out) throws Exception {
            out.writeBytes((msg + "\n").getBytes(StandardCharsets.UTF_8));
        }
    }


    @Slf4j
    public static class StringClientChannelHandler extends ChannelDuplexHandler {

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            log.info("received message from server: {}", msg);
            super.channelRead(ctx, msg);
        }
    }

    @Slf4j
    public static class StringServerChannelHandler extends ChannelDuplexHandler {

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            log.info("received message from client: {}", msg);
            ctx.writeAndFlush("server response: " + msg);
        }

        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
            log.info("occur exception, close channel:{}.", ctx.channel().remoteAddress(), cause);
            ctx.channel().closeFuture()
                    .addListener(future -> {
                        log.info("close client channel {}: {}",
                                ctx.channel().remoteAddress(),
                                future.isSuccess());
                    });
        }
    }
}

参考

netty实现TLS/SSL双向加密认证
Netty+OpenSSL TCP双向认证证书配置
基于Netty的MQTT Server实现并支持SSL
Netty tls验证
netty使用ssl双向认证
netty中实现双向认证的SSL连接
记一次TrustAnchor with subject异常解决
SpringBoot (WebFlux Netty) 支持动态更换https证书
手动实现CA数字认证(java)
java编程方式生成CA证书
netty https有什么方式根据域名设置证书?

Saleson
关注
  • 16
    点赞
  • 24
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Netty和SSL/TLS应用例子
12-22
本源代码例子实现了Socket服务端和客户端,以及Http服务端和客户端;采用了Netty框架,实现SSL/TLS支持。
netty实现TLS/SSL双向加密认证
zhangfls的博客
09-21 5301
1、双向加密认证首先要获取到证书,可以先自己生成证书用于测试(实际获取到的公网证书使用方式其实差不多) (1)可以通过openssl生成证书 (2)首先要生成一份CA根证书,再由该证书生成服务器和客户端的证书 (3)完成基本的SSL/TLS服务器和客户端的双向加密通讯,一共需要生成5份证书 ①CA证书 ②服务器证书 ③服务器密钥 ④客户端证书 ⑤客户端密钥 (4)、一般证书有多种格式,这里我们用pem格式做示例(linux系统常用) 2、假设...
netty实现tls双向证书认证
最新发布
ldy15729357137的博客
06-12 194
Netty结合TLS实现双向认证。
使用Java执行mTLS调用
i6588662的博客
03-04 1131
在本教程中,我们将学习如何通过使用不同的客户端使我们的Java应用程序能够使用mTLS。我们将使用将mTLS添加到Nginx实例的现有示例。 假设我们有一个Nginx实例,使用SSL还有。如果使用Java与使用mTLS保护的服务进行交互,则需要对代码库进行一些更改。在本教程中,我们将使Java应用程序能够使用不同客户端的mTLS。 要快速入门,我们可以使用现有的示例添加MTLS一个Nginx实例。我们的java mTLS配置将使用用于将mTLS添加到Nginx的证书和密钥。 为了为我们的Java客户端
mTSL: netty单向/双向TLS连接
Mr_rain的专栏
03-02 1162
不管是单向tls还是双向tls(mTLS),都需要创建证书。创建证书可以使用openssl或者keytool,openssl 参考。
Netty的SSL和TLS支持
lonely_baby的博客
03-08 858
异步的SSL和TLSNetty的SSL和TLS实现是异步的,这意味着在进行SSL和TLS握手时,不会阻塞线程,从而提高了应用程序的吞吐量和性能。SSL和TLS的实现:Netty提供了SSL和TLS的实现,使得开发者可以在应用程序中使用这些协议来保护数据的安全性。可扩展的SSL和TLSNetty的SSL和TLS实现是可扩展的,允许开发者对其进行自定义,以满足特定应用程序的需求。总的来说,Netty的SSL和TLS支持使得开发者可以方便地为Netty应用程序添加安全性,保护数据的机密性和完整性。
hello-mtls:演示各种技术中相互TLS配置的文档
02-05
你好mTLS 该软件包包含有关如何配置多种技术以执行相互TLS的文档。 它是项目的一部分,该项目旨在提高开发人员对公钥基础结构的认识,将其作为常见安全问题的潜在解决方案。 如果您发现任何过时,丢失或错误的文档,...
gae_requests_mtls_demo:在GAE上请求通过双向TLS(MTLS)认证的远程HTTPS资源的一个小示例
05-20
一个通过库在Google App Engine上通过双向TLS(MTLS)认证的远程HTTPS资源的小示例。 为什么? 相互TLS与其他两方身份验证方法(例如OAuth2)相比,具有几个主要优点。 速度:加密操作由C库执行。 安全性:身份...
vc winhttp用https双向认证代码
06-16
在IT行业中,HTTPS协议是用于保护网络通信的重要安全机制,它通过SSL/TLS协议提供数据加密、服务器身份验证以及消息完整性检查。而“双向认证”(Mutual TLS或mTLS)则是HTTPS的一种加强形式,不仅客户端验证服务器...
SSLClient:SSL将SSLTLS功能添加到任何Arduino库
02-01
创建SSLClient的目的是使用作为底层TLS引擎将TLS与Arduino基础结构无缝集成。 与不同,SSLClient是完全独立的,不需要任何其他硬件(网络连接除外)。 SSLClient正式支持SAMD21,SAM3X,ESP32,TIVA C,STM32F7和...
autocert::anchor:一个自动将TLSHTTPS证书注入到您的容器中的kubernetes插件
05-12
动机Autocert存在使它可以轻松使用mTLS (相互TLS )来提高群集内的安全性,并确保进出Kubernetes群集以及在kubernetes群集之间进行通信。 TLS(和HTTPS,即TLS上的HTTP)提供经过身份验证的加密:身份拨号音和工作...
客户端与服务器SSL双向认证(客户端:java-服务端:vc)
04-23
客户端与服务器SSL双向认证(客户端:java-服务端:vc):运行成功,
vc6_tls1.2Demo with openssl
09-06
vc6下编写的tls1.2Demo(也包含ssl的参考),支持vc6及以上版本.... 依赖库:openssl1.0.2e 可自行参考或跟进需求修改. 标签:tls tls1.2 tlsdemo vc6tls ssl
搭建http2 mTLS通道,实现本地/远程端口转发(gost)
wzp1986的专栏
11-07 1366
mTLS于端口转发示例
TLS1.2握手过程(双方都进行身份认证)
sweet_Mary的博客
07-31 1324
该证书为Server端向Client端提供的Server证书,mtlstls主要的区别即为“m(mutual)”,mtls需要双方都提供证书,而tls只需要server证书提供给client(Server证书中含有Server的公钥,tls:将Server证书交给Client,Client将自己想好的会话秘钥用Server的公钥进行加密,再传给Server,Server再用公钥进行解密,这样双方都得到了会话秘钥)Server端让Client端发来Client的证书。根据更改的协议发送示例进行测试。
(转)为 Ingress-nginx 配置双向认证(mtls
senlin1202的博客
05-15 871
这种格式可以保存证书和私钥,有时我们也把PEM 格式的私钥的后缀改为 .key 以区别证书与私钥。相信 tls 大家都比较熟悉,就是 server 端提供一个授信证书,当我们使用 https 协议访问server端时,client 会向 server 端索取证书并认证(浏览器会与自己的授信域匹配或弹出不安全的页面)。Java Key Storage,很容易知道这是 JAVA 的专属格式,利用 JAVA 的一个叫 keytool 的工具可以进行格式转换。这就说明服务端认为我们是不可信的,因为没有携带证书。
使用Netty实现SSL和TLS加密通信
lonely_baby的博客
03-09 2613
代码中,我们在创建EchoServer时指定了SslContext对象,用于启用SSL和TLS协议支持。以上代码中,我们在EchoServerHandler的channelActive方法中添加了一个SslHandler处理器,并将其添加到ChannelPipeline中。Netty支持使用SSL和TLS协议进行加密通信,可以在保证通信安全的同时,保证数据传输的完整性和可靠性。例如,我们可以使用下面的代码创建一个EchoServer,并指定SSL和TLS协议支持。然后,我们调用sync方法等待服务器关闭。
如何实现Netty中的SSL / TLS支持以实现安全通信?
越努力越幸运。
02-22 1169
在实际使用中,你需要创建合适的证书和私钥,配置SSLContext,并确保正确地加载它们。同时,你可能需要处理SSL握手事件、异常等情况,以确保安全通信的顺利进行。
【JAVA/MTLS/SSL】自签证书调用问题
mfshi的博客
04-13 243
Java的密钥库jks文件放在/src/main/resources目录下,在Maven中编译的时候就会自动增长变大,导致java读取keystore文件异常,抛出证书文件格式不正确异常。原因为maven会自动替换文件中的占位符。参考:https://blog.csdn.net/xiaoyi52/article/details/73741347。
使用Java代码实现采用HTTPS和TLS 1.2版本建立连接,并完成双向TLS认证 (mTLS)的示例
03-29
以下是使用Java代码实现采用HTTPS和TLS 1.2版本建立连接,并完成双向TLS认证(mTLS)的示例: ```java import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; import java.net.URL; import java.security.KeyStore; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLException; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; public class SSLExample { public static void main(String[] args) throws Exception { // Load client certificate and private key for mTLS String keyStorePath = "client.jks"; String keyStorePassword = "password"; String keyPassword = "password"; KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(SSLExample.class.getClassLoader().getResourceAsStream(keyStorePath), keyStorePassword.toCharArray()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, keyPassword.toCharArray()); // Load server truststore for server certificate verification String trustStorePath = "server.jks"; String trustStorePassword = "password"; KeyStore trustStore = KeyStore.getInstance("JKS"); trustStore.load(SSLExample.class.getClassLoader().getResourceAsStream(trustStorePath), trustStorePassword.toCharArray()); TrustManagerFactory trustManagerFactory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); // Create SSL context with TLS 1.2 protocol and mTLS configuration SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); // Set default SSL context for HTTPS connection HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); // Create URL object for HTTPS endpoint URL url = new URL("https://example.com/api"); // Open HTTPS connection HttpsURLConnection connection = (HttpsURLConnection) url.openConnection(); // Set request method and headers connection.setRequestMethod("GET"); connection.setRequestProperty("User-Agent", "Mozilla/5.0"); // Get response from HTTPS endpoint try (InputStream inputStream = connection.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream))) { String line; while ((line = reader.readLine()) != null) { System.out.println(line); } } catch (SSLException e) { e.printStackTrace(); } finally { connection.disconnect(); } } // Trust manager to accept all server certificates private static final TrustManager[] TRUST_ALL_CERTIFICATES = new TrustManager[] { new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { // Do nothing } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { // Do nothing } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } } }; } ``` 在上面的示例中,我们使用了Java的`HttpsURLConnection`类来建立连接。我们首先加载客户端证书和私钥,并使用它们来创建`KeyManager`对象。然后,我们加载服务器信任库并使用它来创建`TrustManager`对象。接下来,我们使用这些`KeyManager`和`TrustManager`对象创建一个SSL上下文对象,该对象使用TLS 1.2协议并完成mTLS配置。最后,我们将默认的SSL上下文设置为HTTPS连接,并打开连接以向服务器发送请求。 在此示例中,我们还提供了一个`TrustManager`实现,它接受所有服务器证书。这不是一个好的做法,因为它会使您的应用程序容易受到中间人攻击。在实际生产环境中,您应该使用一个更安全的`TrustManager`实现,它会验证服务器证书并拒绝不受信任的证书。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值