“不积跬步,无以至千里。”
说明
其实Netty使用SslHandler实现加密通信单向认证和双向认证在代码上区别不大,下面是双向认证的代码示例
引入依赖
<dependency><groupId>io.netty</groupId><artifactId>netty-all</artifactId><version>4.1.100.Final</version>
</dependency>
生成keystore.jks文件
keytool -genkeypair -alias your_alias -keyalg RSA -keystore keystore.jks -keysize 2048
Server端
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.CharsetUtil;import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;public class NettySslServer {private static final int PORT = 8888;public static void main(String[] args) throws Exception {// 加载SSL证书String serverKeyStorePath = "/home/admin/server/keystore.jks";String clientKeyStorePath = "/home/admin/client/keystore.jks";String serverKeyStorePassword = "happya";String clientKeyStorePassword = "happya";// 创建SSL上下文SSLContext sslContext = SSLContext.getInstance("TLS");sslContext.getServerSessionContext().setSessionCacheSize(1);sslContext.getServerSessionContext().setSessionTimeout(60);// 配置密钥库KeyStore keyStore = KeyStore.getInstance("JKS");keyStore.load(new FileInputStream(serverKeyStorePath), serverKeyStorePassword.toCharArray());KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());keyManagerFactory.init(keyStore, serverKeyStorePassword.toCharArray());// 配置信任库KeyStore trustStore = KeyStore.getInstance("JKS");trustStore.load(new FileInputStream(clientKeyStorePath), clientKeyStorePassword.toCharArray());TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());trustManagerFactory.init(trustStore);// 初始化SSLContextsslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);// 创建EventLoopGroupEventLoopGroup bossGroup = new NioEventLoopGroup();EventLoopGroup workerGroup = new NioEventLoopGroup();try {// 创建服务器BootstrapServerBootstrap serverBootstrap = new ServerBootstrap();serverBootstrap.group(bossGroup, workerGroup).channel(NioServerSocketChannel.class).childHandler(new ChannelInitializer<SocketChannel>() {@Overrideprotected void initChannel(SocketChannel ch) throws Exception {ChannelPipeline pipeline = ch.pipeline();// 在ChannelPipeline中添加SSL处理器SSLEngine sslEngine = sslContext.createSSLEngine();sslEngine.setUseClientMode(false);pipeline.addLast(new SslHandler(sslEngine));// 添加加密通信处理器pipeline.addLast(new SecureChatServerHandler());}}).childOption(ChannelOption.SO_BACKLOG, 128).childOption(ChannelOption.SO_KEEPALIVE, true);// 启动服务器System.out.println("======Begin to start ssl server======");ChannelFuture future = serverBootstrap.bind(PORT).sync();System.out.println("======Ssl server started======");future.channel().closeFuture().sync();} finally {workerGroup.shutdownGracefully();bossGroup.shutdownGracefully();}}public static class SecureChatServerHandler extends ChannelInboundHandlerAdapter {@Overridepublic void channelActive(ChannelHandlerContext ctx) throws Exception {// 当连接建立时,发送欢迎消息System.out.println("Server channel active : " + ctx.channel().toString());ctx.channel().writeAndFlush(Unpooled.wrappedBuffer("Welcome to the secure chat server!\n".getBytes(StandardCharsets.UTF_8)));ctx.channel().writeAndFlush(Unpooled.wrappedBuffer("Your connection is protected by SSL.\n".getBytes(StandardCharsets.UTF_8)));}@Overridepublic void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {ByteBuf byteBuf= (ByteBuf) msg;System.out.println("Server received message: " + byteBuf.toString(CharsetUtil.UTF_8));super.channelRead(ctx, msg);}@Overridepublic void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {// 处理异常cause.printStackTrace();ctx.close();}}
}
Client端
import io.netty.bootstrap.Bootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.CharsetUtil;import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;public class NettySslClient {private static final String HOST = "localhost";private static final int PORT = 8888;public static void main(String[] args) throws Exception {// 加载SSL证书String serverKeyStorePath = "/home/admin/server/keystore.jks";String clientKeyStorePath = "/home/admin/client/keystore.jks";String serverKeyStorePassword = "happya";String clientKeyStorePassword = "happya";// 创建SSL上下文SSLContext sslContext = SSLContext.getInstance("TLS");sslContext.getServerSessionContext().setSessionCacheSize(1);// session cache timeout (sessionTimeout) 's default value is 86400s (24hr), and reduced to 60s to reduce IO block issue.sslContext.getServerSessionContext().setSessionTimeout(60);// 配置密钥库KeyStore keyStore = KeyStore.getInstance("JKS");keyStore.load(new FileInputStream(clientKeyStorePath), clientKeyStorePassword.toCharArray());KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());keyManagerFactory.init(keyStore, clientKeyStorePassword.toCharArray());// 配置信任库KeyStore trustStore = KeyStore.getInstance("JKS");trustStore.load(new FileInputStream(serverKeyStorePath), serverKeyStorePassword.toCharArray());TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());trustManagerFactory.init(trustStore);sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);// 创建EventLoopGroupEventLoopGroup group = new NioEventLoopGroup();try {// 创建客户端BootstrapBootstrap bootstrap = new Bootstrap();bootstrap.group(group).channel(NioSocketChannel.class).handler(new ChannelInitializer<SocketChannel>() {@Overrideprotected void initChannel(SocketChannel ch) throws Exception {ChannelPipeline pipeline = ch.pipeline();// 在ChannelPipeline中添加SSL处理器SSLEngine sslEngine = sslContext.createSSLEngine();sslEngine.setUseClientMode(true);pipeline.addLast(new SslHandler(sslEngine));// 添加加密通信处理器pipeline.addLast(new SecureChatClientHandler());}});// 连接服务器System.out.println("======Begin to start ssl client======");ChannelFuture future = bootstrap.connect(HOST, PORT).sync();System.out.println("======Ssl client started======");future.channel().closeFuture().sync();} finally {group.shutdownGracefully();}}public static class SecureChatClientHandler extends ChannelInboundHandlerAdapter {@Overridepublic void channelActive(ChannelHandlerContext ctx) throws Exception {// 连接建立时,发送一条消息给服务器System.out.println("Client channel active : " + ctx.channel().toString());ctx.channel().writeAndFlush(Unpooled.wrappedBuffer("Hello from client!\n".getBytes(StandardCharsets.UTF_8)));}@Overridepublic void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {ByteBuf byteBuf = (ByteBuf) msg;System.out.println("Client received message: \n" + byteBuf.toString(CharsetUtil.UTF_8));super.channelRead(ctx, msg);}@Overridepublic void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {// 处理异常cause.printStackTrace();ctx.close();}}
}