Android Development uses SSL encryption in Netty TCP connections

Source: Internet
Author: User
Tags socket starttls

1 Introduction

Data security is a very important aspect of network communication. In order to support Ssl/tls,java the JAVAX.NET.SSL package is provided with Class Sslcontext and Sslengine. In the Netty framework, I/O data is processed in Channelpipeline by the Channelhandler in the pipeline and forwarded to the next Channelhandler. Naturally, Netty also provides Channelhandler implementation Sslhandler to support SSL, and there is an internal sslengine to do the actual work.

2 Steps

First look at the Sslhandler constructor:
Public Sslhandler (Sslengine engine) {
This (engine, false);
}

Public Sslhandler (Sslengine engine, Boolean startTls) {
This (engine, startTls, immediateexecutor.instance);
}
It's not hard to see that we need a Sslengine object to build Sslhandler. According to the data, you need to invoke Sslcontext.createsslengine () based on the initialized Sslcontext to create the sslengine.
So the process of using SSL/TLS encryption in a TCP connection based on the Netty framework is as follows:
1. Import the certificate in code and use the certificate to construct the Sslcontext
2. Invoke the Createsslengine () of the Sslcontext object to create Sslengine
3. Initialize Netty Sslhandler with Sslengine object
4. In the Channelinitializer.initchannel () of the Netty, install Sslhandler in the pipeline (pipeline).

3 Usage

3.1 Import Certificate
Public Sslcontext Getclientsslcontext () {
KeyStore trustkeystore= keystore.getinstance ("JKS")//access to the Java KeyStore, JKS is the Java KeyStore created by Keytool
InputStream keystream = Myapplication.getappcontext (). Getassets (). Open ("Key.jks");//Open certificate file (. jks format)
Char keystorepass[]= "12345678". ToCharArray (); Certificate Password
KeyStore. Load (Trustkeystore,keystorepass);


Trustmanagerfactory trustmanagerfactory = trustmanagerfactory.getinstance (trustmanagerfactory.getdefaultalgorithm ());
Trustmanagerfactory.init (KeyStore);//Save the service-side authorization certificate

Sslcontext ClientContext = sslcontext.getinstance ("TLS");
Clientcontext.init (NULL, trustmanagerfactory.gettrustmanagers (), NULL);

return clientcontext;
}
In the above code, only the client adopts the KEY.JKS certificate in Trustkeystore (including the server's public key) to decrypt the data, and if the decryption succeeds, the proof message comes from the server and carries on the logic processing.
Just server->client one-way SSL authentication.
If you want to implement two-way authentication between server and client, you need to emulate Trustmanagerfactory initialization to build a keymanagerfactory to hold the client's private key and pass in
Clientcontext.init (Kmf.getkeymanagers (), trustmanagerfactory.gettrustmanagers (), NULL);

Specific reference SSL bi-directional authentication Java implementation

3.2 Add Sslhandler

Channelhandler is installed in Channelpipeline at the time when the should be initialized (Channelinitializer.initchannel () is invoked).

Bootstrap introduction reference to Android development using Netty for Socket Programming (ii)
Boostrap initialization reference the Android development using Netty for Socket Programming (iii)
    Bootstrap.handler (new channelinitializer<socketchannel> () {
             @Override
            protected void Initchannel (Socketchannel ch) throws Exception {
        & nbsp;       Channelpipeline pipeline = Ch.pipeline ();
                Sslengine engine = Getclientsslcontext (). Createsslengine ();
                Engine.setuseclientmode (TRUE);
                Pipeline.addfirst ("SSL", new Sslhandler (engine));

               /.... Add additional Channelhandler
                 Pipeline.addlast (Nettychannelhandler);
           }
       });
In most cases, Sslhandler becomes the first channelhandler in Channelpipeline, so the Pipeline.addfirst () is invoked. This will ensure that all other channelhandler apply their logic to the data after they are encrypted before they occur, ensuring that their changes are secure.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.