netty+证书认证

最新推荐文章于 2024-05-13 14:48:55 发布
置顶 最新推荐文章于 2024-05-13 14:48:55 发布
阅读量3.8k 收藏 15
点赞数 3
分类专栏: 计算机安全 文章标签: netty 证书 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_37893887/article/details/87281323
版权

netty客户端:

package com.lyf.csdn.netty;

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Random;
import java.util.concurrent.TimeUnit;

/**
 * 客户端:启动时发送1,服务器返回该整数的平方,添加一个心跳,每隔一段时间发送一个随机数
 *
 * @author xuanchi.lyf
 */
public class NettyClient {

    private static final Logger logger = LoggerFactory.getLogger(NettyClient.class);

    public static void main(String[] args) {
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(5);
        try {
            Bootstrap b = new Bootstrap();
            b.group(workerGroup);
            b.channel(NioSocketChannel.class);
            b.option(ChannelOption.SO_KEEPALIVE, Boolean.TRUE);
            b.handler(new ChannelInitializer<SocketChannel>() {
                @Override
                public void initChannel(SocketChannel ch) {
                    IdleStateHandler idleStateHandler = new IdleStateHandler(20, 20, 20,
                        TimeUnit.SECONDS);
                    ch.pipeline().addLast(idleStateHandler);
                    ch.pipeline().addLast(new HeartBeatHandler());
                    ch.pipeline().addLast("decoder", new NettyDecoder());
                    ch.pipeline().addLast("encoder", new NettyEncoder());
                    ch.pipeline().addLast(bizGroup, new ClientHandler());
                }
            });
            ChannelFuture f = b.connect("127.0.0.1", 9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        }
        logger.info("netty tcp connection build success.");
    }

}

/**
 * 心跳发送[0000]
 */
class HeartBeatHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof IdleStateEvent) {
            IdleState state = ((IdleStateEvent) evt).state();
            if (state == IdleState.WRITER_IDLE) {
                ctx.channel().writeAndFlush(new Random().nextInt(100));
            }
        } else {
            super.userEventTriggered(ctx, evt);
        }
    }

}

class ClientHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(ClientHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active");
        ctx.channel().writeAndFlush(1);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        logger.info("message = {}.", msg);
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }
}

netty服务器端:

package com.lyf.csdn.netty;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.Serializable;

/**
 * 服务器端
 *
 * @author xuanchi.lyf
 */
public class NettyServer {

    private static final Logger logger = LoggerFactory.getLogger(NettyServer.class);

    public static void main(String[] args) {
        EventLoopGroup bossGroup = new NioEventLoopGroup();
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(50);
        try {
            ServerBootstrap b = new ServerBootstrap().group(bossGroup, workerGroup)
                .channel(NioServerSocketChannel.class).option(ChannelOption.SO_BACKLOG, 128)
                .option(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                .childOption(ChannelOption.SO_KEEPALIVE, Boolean.TRUE)
                .childOption(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                .childOption(ChannelOption.TCP_NODELAY, Boolean.TRUE)
                .childOption(ChannelOption.ALLOW_HALF_CLOSURE, Boolean.FALSE)
                .childHandler(new ChannelInitializer<SocketChannel>() {
                    @Override
                    public void initChannel(SocketChannel channel) {
                        channel.pipeline().addLast("decoder", new NettyDecoder());
                        channel.pipeline().addLast("encoder", new NettyEncoder());
                        channel.pipeline().addLast(bizGroup, new BizHandler());
                    }
                });
            ChannelFuture f = b.bind(9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        } finally {
            workerGroup.shutdownGracefully();
            bossGroup.shutdownGracefully();
        }
    }

}

class NettyDecoder extends LengthFieldBasedFrameDecoder {

    NettyDecoder() {
        super(1024, 0, 4);
    }

    @Override
    protected Object decode(ChannelHandlerContext ctx, ByteBuf in) throws Exception {
        ByteBuf frame = (ByteBuf) super.decode(ctx, in);
        if (frame == null) {
            return null;
        }
        int dataLength = frame.readInt();
        if (dataLength == 0) {
            return null;
        }
        return frame.readInt();
    }
}

class NettyEncoder extends MessageToByteEncoder<Serializable> {

    @Override
    protected void encode(ChannelHandlerContext ctx, Serializable msg, ByteBuf out) {
        out.writeInt(4);
        out.writeInt((Integer) msg);
    }

}

class BizHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(BizHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active.");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        int data = (Integer) msg;
        ctx.channel().writeAndFlush(data * data);
        logger.info("message = {}.", msg);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive.");
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }

}

以上我们可以服务器和客户端建立连接,正常的收发数据了。现在我们需要给netty加上SSL。其中证书可以是单向认证,也可以双向认证,两种方式各有特点。

单向认证是在服务器添加证书,客户端不添加证书,这样客户端需要校验服务器证书,但是服务器不用校验客户端证书,这种情况客户端是安全的,因为能够保证服务器是自己人,但是服务器本身不安全,因为服务器不知道客户端证书,没法校验。这种场景下主要是针对WEB场景。

双向认证是服务器端同时校验客户端身份信息,在点对点通信场景很重要。双向任务的问题是客户端证书过期了,如何更换客户端证书,这个问题很要命。

二、自签证书

1、生成服务器端和客户端keystore

keytool -genkey -alias server -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass mypassword  -storepass mypassword -keystore server.jks
keytool -genkey -alias client -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass mypassword  -storepass mypassword -keystore client.jks

其中:

    -alias:表示秘钥对的名称

  -keysize:秘钥长度,1024已经不安全了,至少2048起步

  -keypass、-storepass:密码,保持一样就好

  -keystore:生成keystore文件名

2、导出证书

keytool -export -alias server -keystore server.jks -storepass mypassword -file server.cer
keytool -export -alias client -keystore client.jks -storepass mypassword -file client.cer

3、将服务器端证书导入客户端的keystore(供客户端验证服务器证书)

keytool -import -trustcacerts -alias server -file server.cer -storepass mypassword -keystore client.jks

4、将客户端证书导入服务器端的keystore(供服务器端验证客户端证书)

keytool -import -trustcacerts -alias client -file client.cer -storepass mypassword -keystore server.jks

三、单向认证

服务器端代码:

package com.lyf.csdn.netty;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.security.KeyStore;

/**
 * 服务器端
 *
 * @author xuanchi.lyf
 */
public class NettyServer {

    private static final Logger logger = LoggerFactory.getLogger(NettyServer.class);

    private static SSLEngine    sslEngine;

    static {
        String sChatPath = "/Users/xuanchi.lyf/Desktop/testNetty/server.jks";
        sslEngine = ServerSslContextFactory.getServerContext(sChatPath).createSSLEngine();
        sslEngine.setUseClientMode(false);
    }

    public static void main(String[] args) {
        EventLoopGroup bossGroup = new NioEventLoopGroup();
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(50);
        try {
            ServerBootstrap b = new ServerBootstrap().group(bossGroup, workerGroup)
                    .channel(NioServerSocketChannel.class).option(ChannelOption.SO_BACKLOG, 128)
                    .option(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                    .childOption(ChannelOption.SO_KEEPALIVE, Boolean.TRUE)
                    .childOption(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                    .childOption(ChannelOption.TCP_NODELAY, Boolean.TRUE)
                    .childOption(ChannelOption.ALLOW_HALF_CLOSURE, Boolean.FALSE)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @Override
                        public void initChannel(SocketChannel channel) {
                            channel.pipeline().addLast("ssl", new SslHandler(sslEngine));
                            channel.pipeline().addLast("decoder", new NettyDecoder());
                            channel.pipeline().addLast("encoder", new NettyEncoder());
                            channel.pipeline().addLast(bizGroup, new BizHandler());
                        }
                    });
            ChannelFuture f = b.bind(9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        } finally {
            workerGroup.shutdownGracefully();
            bossGroup.shutdownGracefully();
        }
    }

}

class ServerSslContextFactory {

    private static final String PROTOCOL = "TLS";

    private static SSLContext   SERVER_CONTEXT;

    static SSLContext getServerContext(String pkPath) {
        if (SERVER_CONTEXT != null) {
            return SERVER_CONTEXT;
        }
        InputStream inputStream = null;
        try {
            KeyManagerFactory keyManagerFactory;
            if (pkPath != null) {
                //密钥库KeyStore
                KeyStore keyStore = KeyStore.getInstance("JKS");
                //加载服务端证书
                inputStream = new FileInputStream(pkPath);
                //加载服务端的KeyStore  ;sNetty是生成仓库时设置的密码,用于检查密钥库完整性的密码
                keyStore.load(inputStream, "mypassword".toCharArray());
                keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                //初始化密钥管理器
                keyManagerFactory.init(keyStore, "mypassword".toCharArray());
                //获取安全套接字协议(TLS协议)的对象
                SERVER_CONTEXT = SSLContext.getInstance(PROTOCOL);
                // 初始化此上下文
                // 参数一:认证的密钥
                // 参数二:对等信任认证
                // 参数三:伪随机数生成器
                // 由于单向认证,服务端不用验证客户端,所以第二个参数为null
                SERVER_CONTEXT.init(keyManagerFactory.getKeyManagers(), null, null);
            }
        } catch (Exception e) {
            throw new Error("Failed to initialize the server-side SSLContext", e);
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return SERVER_CONTEXT;
    }

}

class NettyDecoder extends LengthFieldBasedFrameDecoder {

    NettyDecoder() {
        super(1024, 0, 4);
    }

    @Override
    protected Object decode(ChannelHandlerContext ctx, ByteBuf in) throws Exception {
        ByteBuf frame = (ByteBuf) super.decode(ctx, in);
        if (frame == null) {
            return null;
        }
        int dataLength = frame.readInt();
        if (dataLength == 0) {
            return null;
        }
        return frame.readInt();
    }
}

class NettyEncoder extends MessageToByteEncoder<Serializable> {

    @Override
    protected void encode(ChannelHandlerContext ctx, Serializable msg, ByteBuf out) {
        out.writeInt(4);
        out.writeInt((Integer) msg);
    }

}

class BizHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(BizHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active.");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        int data = (Integer) msg;
        ctx.channel().writeAndFlush(data * data);
        logger.info("message = {}.", msg);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive.");
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }

}

客户端代码:

package com.lyf.csdn.netty;

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Random;
import java.util.concurrent.TimeUnit;

/**
 * 客户端
 *
 * @author xuanchi.lyf
 */
public class NettyClient {

    private static final Logger logger = LoggerFactory.getLogger(NettyClient.class);

    private static SSLEngine    sslEngine;

    static {
        String clientKeystorePath = "/Users/xuanchi.lyf/Desktop/testNetty/client.jks";
        sslEngine = ClientSslContextFactory.getClientContext(clientKeystorePath).createSSLEngine();
        sslEngine.setUseClientMode(true);
    }

    public static void main(String[] args) {
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(5);
        try {
            Bootstrap b = new Bootstrap();
            b.group(workerGroup);
            b.channel(NioSocketChannel.class);
            b.option(ChannelOption.SO_KEEPALIVE, Boolean.TRUE);
            b.handler(new ChannelInitializer<SocketChannel>() {
                @Override
                public void initChannel(SocketChannel ch) {
                    IdleStateHandler idleStateHandler = new IdleStateHandler(1, 1, 1,
                        TimeUnit.SECONDS);
                    ch.pipeline().addLast("ssl", new SslHandler(sslEngine));
                    ch.pipeline().addLast("idleCheck", idleStateHandler);
                    ch.pipeline().addLast("heartbeat", new HeartBeatHandler());
                    ch.pipeline().addLast("decoder", new NettyDecoder());
                    ch.pipeline().addLast("encoder", new NettyEncoder());
                    ch.pipeline().addLast(bizGroup, new ClientHandler());
                }
            });
            ChannelFuture f = b.connect("127.0.0.1", 9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        }
        logger.info("netty tcp connection build success.");
    }

}

class ClientSslContextFactory {

    private static final String PROTOCOL = "TLS";

    private static SSLContext   CLIENT_CONTEXT;

    static SSLContext getClientContext(String caPath) {
        if (CLIENT_CONTEXT != null) {
            return CLIENT_CONTEXT;
        }
        InputStream inputStream = null;
        try {
            //信任库
            TrustManagerFactory trustManagerFactory = null;
            if (caPath != null) {
                //密钥库KeyStore
                KeyStore tks = KeyStore.getInstance("JKS");
                //加载客户端证书
                inputStream = new FileInputStream(caPath);
                tks.load(inputStream, "mypassword".toCharArray());
                trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
                // 初始化信任库
                trustManagerFactory.init(tks);
            }
            CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL);
            //设置信任证书
            TrustManager[] trustManagers = trustManagerFactory == null ? null
                : trustManagerFactory.getTrustManagers();
            CLIENT_CONTEXT.init(null, trustManagers, null);
        } catch (Exception e) {
            throw new Error("Failed to initialize the client-side SSLContext");
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return CLIENT_CONTEXT;
    }

}

/**
 * 心跳发送[0000]
 */
class HeartBeatHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof IdleStateEvent) {
            IdleState state = ((IdleStateEvent) evt).state();
            if (state == IdleState.WRITER_IDLE) {
                ctx.channel().writeAndFlush(new Random().nextInt(100));
            }
        } else {
            super.userEventTriggered(ctx, evt);
        }
    }

}

class ClientHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(ClientHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active");
        ctx.channel().writeAndFlush(1);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        logger.info("message = {}.", msg);
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }

}

单向认证,客户端需要认证服务器身份,此时我们可以构造一个新服务器证书,换上试一下。

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:141)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:292)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1159)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
    ... 16 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1408)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
    ... 20 more
Caused by: sun.security.validator.ValidatorException: Certificate signature validation failed
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:215)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
    ... 28 more
Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:213)
    ... 33 more

说明客户端验证了服务器的证书。

四、双向认证

服务器端:

package com.lyf.csdn.netty;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.MessageToByteEncoder;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.security.KeyStore;
import java.security.SecureRandom;

/**
 * 服务器端
 *
 * @author xuanchi.lyf
 */
public class NettyServer {

    private static final Logger logger = LoggerFactory.getLogger(NettyServer.class);

    private static SSLEngine    sslEngine;

    static {
        String sChatPath = "/Users/xuanchi.lyf/Desktop/testNetty/server.jks";
        sslEngine = ServerSslContextFactory.getServerContext(sChatPath, sChatPath)
            .createSSLEngine();
        sslEngine.setUseClientMode(false);
        sslEngine.setNeedClientAuth(true);
    }

    public static void main(String[] args) {
        EventLoopGroup bossGroup = new NioEventLoopGroup();
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(50);
        try {
            ServerBootstrap b = new ServerBootstrap().group(bossGroup, workerGroup)
                .channel(NioServerSocketChannel.class).option(ChannelOption.SO_BACKLOG, 128)
                .option(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                .childOption(ChannelOption.SO_KEEPALIVE, Boolean.TRUE)
                .childOption(ChannelOption.SO_REUSEADDR, Boolean.TRUE)
                .childOption(ChannelOption.TCP_NODELAY, Boolean.TRUE)
                .childOption(ChannelOption.ALLOW_HALF_CLOSURE, Boolean.FALSE)
                .childHandler(new ChannelInitializer<SocketChannel>() {
                    @Override
                    public void initChannel(SocketChannel channel) {
                        channel.pipeline().addLast("ssl", new SslHandler(sslEngine));
                        channel.pipeline().addLast("decoder", new NettyDecoder());
                        channel.pipeline().addLast("encoder", new NettyEncoder());
                        channel.pipeline().addLast(bizGroup, new BizHandler());
                    }
                });
            ChannelFuture f = b.bind(9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        } finally {
            workerGroup.shutdownGracefully();
            bossGroup.shutdownGracefully();
        }
    }

}

class ServerSslContextFactory {

    private static final String PROTOCOL = "TLS";

    private static SSLContext   SERVER_CONTEXT;

    static SSLContext getServerContext(String pkPath, String caPath) {
        if (SERVER_CONTEXT != null) {
            return SERVER_CONTEXT;
        }
        InputStream inputStream1 = null;
        InputStream inputStream2 = null;
        try {
            KeyManagerFactory keyManagerFactory;
            if (pkPath != null) {
                //密钥库KeyStore
                KeyStore keyStore = KeyStore.getInstance("JKS");
                //加载服务端证书
                inputStream1 = new FileInputStream(pkPath);
                //加载服务端的KeyStore  ;sNetty是生成仓库时设置的密码,用于检查密钥库完整性的密码
                keyStore.load(inputStream1, "mypassword".toCharArray());
                keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                //初始化密钥管理器
                keyManagerFactory.init(keyStore, "mypassword".toCharArray());
                KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

                //信任库
                TrustManagerFactory trustManagerFactory = null;
                if (caPath != null) {
                    KeyStore tks = KeyStore.getInstance("JKS");
                    inputStream2 = new FileInputStream(caPath);
                    tks.load(inputStream2, "mypassword".toCharArray());
                    trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
                    trustManagerFactory.init(tks);
                }
                TrustManager[] trustManagers = trustManagerFactory == null ? null
                    : trustManagerFactory.getTrustManagers();

                SERVER_CONTEXT = SSLContext.getInstance(PROTOCOL);
                SERVER_CONTEXT.init(keyManagers, trustManagers, new SecureRandom());
            }
        } catch (Exception e) {
            throw new Error("Failed to initialize the server-side SSLContext", e);
        } finally {
            if (inputStream1 != null) {
                try {
                    inputStream1.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (inputStream2 != null) {
                try {
                    inputStream2.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return SERVER_CONTEXT;
    }

}

class NettyDecoder extends LengthFieldBasedFrameDecoder {

    NettyDecoder() {
        super(1024, 0, 4);
    }

    @Override
    protected Object decode(ChannelHandlerContext ctx, ByteBuf in) throws Exception {
        ByteBuf frame = (ByteBuf) super.decode(ctx, in);
        if (frame == null) {
            return null;
        }
        int dataLength = frame.readInt();
        if (dataLength == 0) {
            return null;
        }
        return frame.readInt();
    }
}

class NettyEncoder extends MessageToByteEncoder<Serializable> {

    @Override
    protected void encode(ChannelHandlerContext ctx, Serializable msg, ByteBuf out) {
        out.writeInt(4);
        out.writeInt((Integer) msg);
    }

}

class BizHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(BizHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active.");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        int data = (Integer) msg;
        ctx.channel().writeAndFlush(data * data);
        logger.info("message = {}.", msg);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive.");
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }

}

客户端:

package com.lyf.csdn.netty;

import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.timeout.IdleState;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Random;
import java.util.concurrent.TimeUnit;

/**
 * 客户端
 *
 * @author xuanchi.lyf
 */
public class NettyClient {

    private static final Logger logger = LoggerFactory.getLogger(NettyClient.class);

    private static SSLEngine    sslEngine;

    static {
        String clientKeystorePath = "/Users/xuanchi.lyf/Desktop/testNetty/client.jks";
        sslEngine = ClientSslContextFactory.getClientContext(clientKeystorePath, clientKeystorePath)
            .createSSLEngine();
        sslEngine.setUseClientMode(true);
    }

    public static void main(String[] args) {
        EventLoopGroup workerGroup = new NioEventLoopGroup();
        DefaultEventExecutorGroup bizGroup = new DefaultEventExecutorGroup(5);
        try {
            Bootstrap b = new Bootstrap();
            b.group(workerGroup);
            b.channel(NioSocketChannel.class);
            b.option(ChannelOption.SO_KEEPALIVE, Boolean.TRUE);
            b.handler(new ChannelInitializer<SocketChannel>() {
                @Override
                public void initChannel(SocketChannel ch) {
                    IdleStateHandler idleStateHandler = new IdleStateHandler(1, 1, 1,
                        TimeUnit.SECONDS);
                    ch.pipeline().addLast("ssl", new SslHandler(sslEngine));
                    ch.pipeline().addLast("idleCheck", idleStateHandler);
                    ch.pipeline().addLast("heartbeat", new HeartBeatHandler());
                    ch.pipeline().addLast("decoder", new NettyDecoder());
                    ch.pipeline().addLast("encoder", new NettyEncoder());
                    ch.pipeline().addLast(bizGroup, new ClientHandler());
                }
            });
            ChannelFuture f = b.connect("127.0.0.1", 9876).sync();
            f.channel().closeFuture().sync();
        } catch (Exception e) {
            logger.info(e.getMessage(), e);
        }
        logger.info("netty tcp connection build success.");
    }

}

class ClientSslContextFactory {

    private static final String PROTOCOL = "TLS";

    private static SSLContext   CLIENT_CONTEXT;

    static SSLContext getClientContext(String pkPath, String caPath) {
        if (CLIENT_CONTEXT != null) {
            return CLIENT_CONTEXT;
        }
        InputStream inputStream1 = null;
        InputStream inputStream2 = null;
        try {
            KeyManagerFactory keyManagerFactory;
            if (pkPath != null) {
                //密钥库KeyStore
                KeyStore keyStore = KeyStore.getInstance("JKS");
                //加载服务端证书
                inputStream1 = new FileInputStream(pkPath);
                //加载服务端的KeyStore  ;sNetty是生成仓库时设置的密码,用于检查密钥库完整性的密码
                keyStore.load(inputStream1, "mypassword".toCharArray());
                keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                //初始化密钥管理器
                keyManagerFactory.init(keyStore, "mypassword".toCharArray());
                KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

                //信任库
                TrustManagerFactory trustManagerFactory = null;
                if (caPath != null) {
                    KeyStore tks = KeyStore.getInstance("JKS");
                    inputStream2 = new FileInputStream(caPath);
                    tks.load(inputStream2, "mypassword".toCharArray());
                    trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
                    trustManagerFactory.init(tks);
                }
                TrustManager[] trustManagers = trustManagerFactory == null ? null
                    : trustManagerFactory.getTrustManagers();

                CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL);
                CLIENT_CONTEXT.init(keyManagers, trustManagers, new SecureRandom());
            }
        } catch (Exception e) {
            throw new Error("Failed to initialize the server-side SSLContext", e);
        } finally {
            if (inputStream1 != null) {
                try {
                    inputStream1.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (inputStream2 != null) {
                try {
                    inputStream2.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return CLIENT_CONTEXT;
    }

}

/**
 * 心跳发送[0000]
 */
class HeartBeatHandler extends ChannelInboundHandlerAdapter {

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof IdleStateEvent) {
            IdleState state = ((IdleStateEvent) evt).state();
            if (state == IdleState.WRITER_IDLE) {
                ctx.channel().writeAndFlush(new Random().nextInt(100));
            }
        } else {
            super.userEventTriggered(ctx, evt);
        }
    }

}

class ClientHandler extends ChannelInboundHandlerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(ClientHandler.class);

    @Override
    public void channelActive(ChannelHandlerContext ctx) {
        logger.info("channel active");
        ctx.channel().writeAndFlush(1);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        logger.info("channel inActive");
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        logger.info("message = {}.", msg);
    }

    @Override
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
        logger.info("throw exception", cause);
    }

}

重点理解:CLIENT_CONTEXT.init(keyManagers, trustManagers, new SecureRandom());

第一个参数是是允许对方校验自己的证书,作用是加密

第二个参数是信任证书列表,作用是鉴权

第三个参数是随机种子

 

1、最严密的策略是双方互相校验对方证书,并且只信任对方证书

2、其次可以双方互相校验对方证书,并且信任所有证书

当信任所有证书:

new TrustManager[] {new X509TrustManager() {
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}}

 

玄尺
关注
  • 3
    点赞
  • 15
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
SSL证书生成与使用(基于Netty)
lbl的博客
03-19 4942
为了接入SSL,故了解证书的种类/结构/生成方式和使用方式。 证书的结构 证书包含签发方信息,拥有者信息,公钥,签名等。 签名是使用签发方私钥对证书进行加密运算的来,通过使用签发方公钥解密可以验证证书真伪。 证书格式参考:https://blog.csdn.net/jjxojm/article/details/81266601 证书的种类 先了解两种证书,一种是自签证书,另一种是由机构签发的证书。...
netty 校验_Netty的基本身份验证器
weixin_39840153的博客
12-20 2138
实际上,对于我的服务器游戏,我不使用Netty。我已经为发送数据包对象创建了一个套接字多线程系统,该系统从(Int和Out)StreamBuffer序列化和反序列化。我发现了Netty,我认为将它用于我的网络系统会更好。我实际上创建了一个客户端和服务器处理程序(都扩展了ChannelInboundHandlerAdapter)来从ByteBuf序列化和反序列化我的数据包,它的工作很精细:)!现在我...
Netty进行SSL认证
drsbbbl的博客
06-04 4602
第一步: 生成Netty服务端私钥和证书仓库命令,用于将客户端证书保存到服务端的授信证书仓库中 keytool -genkey -alias securechat -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sNetty -storepass sNetty -keystore sChat.jks 第二步:生成Netty服务端自签名证书 用于颁给使用者 从 证书仓库中导出证书 keytool -e...
netty配置SSL、netty配置https(生产环境)
最新发布
凌康的博客
05-13 800
netty配置SSL、netty配置https(生产环境)那么netty如何使用可信任的证书呢?分以下步骤: 1、可靠机构颁发正规证书 2、正规证书转换为netty可加载的证书 3、netty加载证书处理channel初始化
Netty+OpenSSL TCP双向认证证书配置
Brethless_breath的博客
11-04 2592
百度加自研终于成功配置了netty+TLS双向认证,做个笔记。 TCP双向认证证书配置 1.linux下OpenSSL安装 1.1 openSSL下载 OpenSSL*下载地址:https://oomake.com/download/openssl 1.2 openSSL安装 # tar -xzf openssl-1.0.2f.tar.gz # cd openssl-1.0.2f # mkdir /usr/local/openssl # ./config --prefix=/usr/local/opens
Netty双向认证以及白名单证书验证
02-27
使用Netty搭建服务端配置Https双向认证可以参考此代码
基于springboot的Netty的SSL加密PKI认证通信
04-01
采用springboot的基于Netty的SSL加密PKI认证通信,里面模拟了Netty客户端服务端证书认证规则,同时分为单向认证和双向认证,信任证书链并对RA颁发的证书来进行验签,实现了双向和单向加密通信,保障了数据的...
netty实现SSL/TSL双向加密认证示例
09-21
一个netty建立的SSL双向加密的服务器和客户端的简单示例。工程是IDEA创建的,直接导入即可,注意需要依赖的pom文件中的包。需要的证书文件示例也在压缩包内。
netty的SSL双向认证
01-18
netty的client和server端建立SSL连接,并进行双向的证书验证
netty服务端支持ssl协议实现websocket的wss协议(java)
05-16
在网上查的资料,整理了一下 实现了wss协议的连接 和websocket的心跳,,在网上查的资料,整理了一下 实现了wss协议的连接 和websocket的心跳
Netty实现Unity登录验证(一)
dongbeng5682的博客
03-03 437
开发环境:JDK1.7,Uniyt5.4.2,数据格式ProtoStuff1.08,Netty5.0.0,数据库MySQL。 代码对应关系如下: 首先实现数据模型设计,用于ProtoStuff数据传输。 这里的类服务端客户端对应,以便消息的序列化与反序列化。 1 package com.netty.model; 2 3 import java.util.L...
spring boot netty 即时通讯系统之登录认证(六)
qq_36760953的博客
07-21 3313
通过MessagePack框架将用户信息进行JSON格式数据传输给服务端,进行账号密码验证登录,推荐从前面的章节开始看。 LoginAuthReqHandler.java import com.alibaba.fastjson.JSONObject; import com.fyrt.fyrtim.util.*; import io.netty.channel.ChannelHand...
netty4.1.70-学习笔记之HELLO WORLD
随笔
11-17 502
server package sample; import io.netty.buffer.ByteBuf; import io.netty.buffer.Unpooled; import io.netty.channel.*; import io.netty.channel.socket.SocketChannel; import io.netty.bootstrap.ServerBootstrap; import io.netty.channel.nio.NioEventLoopGroup;
Netty下SSL认证
xjc208的专栏
06-04 1343
基于Netty下SSL认证的实现. 1、SSL证书说明 2、SSL证书创建 3、加入SSL认证 生成证书内容 package ext.opensource.netty.common.utils; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java....
spring security netty websocket 用户认证
qq_21134059的博客
08-15 544
当WebSocket客户端连接到服务器时,服务器会通过拦截器进行用户认证,并将认证结果保存到SecurityContextHolder中。然后,在Web```在上面的配置中,定义了“/ws/**”路径需要进行认证,其他路径不需要认证。使用inMemoryAuthentication方法添加了一个用户"user"和密码"password",并赋予了"ROLE_USER"角色。在该拦截器中,可以获取到连接的HTTP请求,并使用Spring Security来进行用户认证
Netty调用第三方服务中的身份认证
qq_43318840的博客
02-07 1013
1.问题. 第三方服务接口如下: @GetMapping("/courses_teachers") List<Course> getStudentCoursesAndTeachers(@RequestHeader String username) 因为第三方服务使用的OAuth2身份认证,所以除了username参数外,还需要请求头携带Authorization. 如果在controller里,使用Feign调用时会自动把HttpServletRequest的请求头信息
Netty实现长连接,客户端随时发送消息给服务端,可在任意代码位置发送消息给服务端
祁_z
12-23 6196
目 pom依赖 netty服务端代码 netty客户端 PosttingObject封装netty客户端连接信息 测试客户端发送消息到服务器端 1. 可以实现长连接,心跳机制每隔N秒客户端给服务器发送一条消息,代表客户端还存活。 2. 可以实现在随意代码位置按照用户id标识,发送消息给服务端。 pom依赖 <dependency> <groupId>io.netty</groupId> <artifactId>ne
Netty分布式聊天室 - 登录功能实现
爱飞的男孩的博客
12-02 126
如此一来,后续handler接收到的请求都是合法请求,不需要验证权限,但指令数据是否合法还需判断,如果不嫌麻烦可以对Message添加一个自检方法,在WebSocketHandler这里运行一次自检也可以,我们后续默认指令数据合法。这里有一个登录时拉取消息的问题:对于离线消息,我们存储在Redis中,如果Redis执行淘汰策略,把数据清空了,我们该如何判断离线消息?这里我的思路是:在数据发送时存储数据,缓存离线消息,如果离线消息被删除,则用户通过漫游查询消息(类似微信太久没登陆会导致消息丢失)
netty整合websocket支持自签证书出现netty websocket ssl Received fatal alert: certificate_unknown
答案的博客
03-02 2457
不添加信任netty websocket ssl Received fatal alert: certificate_unknown。值得一提的是,自签的证书有且之能在本机使用,如将A机生成的证书拷贝B机使用也会出现同样的错误。生成自己jks文件,指向自己要生成jks的文件位置下,我直接生成到项目resources下。点击安装证书 - 选择本地计算机 - 将所有的证书都放入下列存储 - 受信任的根证书颁发机构。这并不是程序的问题,这是证书本身的问题,主机并不承认这个证书导致的。添加完成后就不会有不信任了。
netty+mqtt
08-11
Netty是一个基于Java的高性能网络通信框架,而MQTT是一种轻量级的消息传输协议。Netty实现了并封装了MQTT协议,并提供了编解码器,但需要注意的是MQTT协议的具体功能需要自己实现。123 #### 引用[.reference_title] - *1* *3* [springboot+netty+mqtt服务端实现](https://blog.csdn.net/zwjzone/article/details/130089677)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT3_1"}} ] [.reference_item] - *2* [MQTT协议基本讲解(结合netty)](https://blog.csdn.net/zwjzone/article/details/131112929)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT3_1"}} ] [.reference_item] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值