1 Introduction
Data security is a very important aspect of network communication. In order to support Ssl/tls,java the JAVAX.NET.SSL package is provided with Class Sslcontext and Sslengine. In the Netty framework, I/O data is processed in Channelpipeline by the Channelhandler in the pipeline and forwarded to the next Channelhandler. Naturally, Netty also provides Channelhandler implementation Sslhandler to support SSL, and there is an internal sslengine to do the actual work.
2 Steps
First look at the Sslhandler constructor:
Public Sslhandler (Sslengine engine) {
This (engine, false);
}
Public Sslhandler (Sslengine engine, Boolean startTls) {
This (engine, startTls, immediateexecutor.instance);
}
It's not hard to see that we need a Sslengine object to build Sslhandler. According to the data, you need to invoke Sslcontext.createsslengine () based on the initialized Sslcontext to create the sslengine.
So the process of using SSL/TLS encryption in a TCP connection based on the Netty framework is as follows:
1. Import the certificate in code and use the certificate to construct the Sslcontext
2. Invoke the Createsslengine () of the Sslcontext object to create Sslengine
3. Initialize Netty Sslhandler with Sslengine object
4. In the Channelinitializer.initchannel () of the Netty, install Sslhandler in the pipeline (pipeline).
3 Usage
3.1 Import Certificate
Public Sslcontext Getclientsslcontext () {
KeyStore trustkeystore= keystore.getinstance ("JKS")//access to the Java KeyStore, JKS is the Java KeyStore created by Keytool
InputStream keystream = Myapplication.getappcontext (). Getassets (). Open ("Key.jks");//Open certificate file (. jks format)
Char keystorepass[]= "12345678". ToCharArray (); Certificate Password
KeyStore. Load (Trustkeystore,keystorepass);
Trustmanagerfactory trustmanagerfactory = trustmanagerfactory.getinstance (trustmanagerfactory.getdefaultalgorithm ());
Trustmanagerfactory.init (KeyStore);//Save the service-side authorization certificate
Sslcontext ClientContext = sslcontext.getinstance ("TLS");
Clientcontext.init (NULL, trustmanagerfactory.gettrustmanagers (), NULL);
return clientcontext;
}
In the above code, only the client adopts the KEY.JKS certificate in Trustkeystore (including the server's public key) to decrypt the data, and if the decryption succeeds, the proof message comes from the server and carries on the logic processing.
Just server->client one-way SSL authentication.
If you want to implement two-way authentication between server and client, you need to emulate Trustmanagerfactory initialization to build a keymanagerfactory to hold the client's private key and pass in
Clientcontext.init (Kmf.getkeymanagers (), trustmanagerfactory.gettrustmanagers (), NULL);
Specific reference SSL bi-directional authentication Java implementation
3.2 Add Sslhandler
Channelhandler is installed in Channelpipeline at the time when the should be initialized (Channelinitializer.initchannel () is invoked).
Bootstrap introduction reference to Android development using Netty for Socket Programming (ii)
Boostrap initialization reference the Android development using Netty for Socket Programming (iii)
Bootstrap.handler (new channelinitializer<socketchannel> () {
@Override
protected void Initchannel (Socketchannel ch) throws Exception {
& nbsp; Channelpipeline pipeline = Ch.pipeline ();
Sslengine engine = Getclientsslcontext (). Createsslengine ();
Engine.setuseclientmode (TRUE);
Pipeline.addfirst ("SSL", new Sslhandler (engine));
/.... Add additional Channelhandler
Pipeline.addlast (Nettychannelhandler);
}
});
In most cases, Sslhandler becomes the first channelhandler in Channelpipeline, so the Pipeline.addfirst () is invoked. This will ensure that all other channelhandler apply their logic to the data after they are encrypted before they occur, ensuring that their changes are secure.