This is the 13th day of my participation in the August More Text Challenge.

Introduction

In the previous article, we looked at how to build a chat room with Netty. Such a simple chat room sends its messages in plaintext, so it is easy to eavesdrop on and not safe for private conversations. Those of you who have studied cryptography will already have thought of the solution: encrypt messages before they are sent and decrypt them when they are processed.

With Netty you do not need to do any of this by hand. Netty already provides SSL support that you can add to a channel.

PKI standards

Before we get into the specifics of Netty's support, we need to look at PKI, the standard for public and private key encryption. PKI stands for Public Key Infrastructure. It standardizes the rules for encryption and decryption with public and private keys so that different systems can interoperate.

In fact, the PKI standard has two generations of protocols.

The first generation of the PKI standard consists mainly of the Public-Key Cryptography Standards (PKCS) from RSA, ITU-T X.509 from the International Telecommunication Union, the IETF's X.509 standards, and WAP's WPKI. However, because the first generation is encoded with Abstract Syntax Notation One (ASN.1), it is complicated and difficult to implement, which led to the second generation of the PKI standard.

The second generation PKI standard is an XML-based key management specification, also known as XKMS, published by Microsoft, VeriSign, and webMethods in 2001.

In fact, the most common specifications used by CA centers today are the X.509 and PKCS families.

The X.509 series consists mainly of X.209, X.500 and X.509, of which X.509 is the digital certificate standard developed by the International Telecommunication Union (ITU-T). X.509 adds features on top of X.500 and was released in 1988. An X.509 certificate consists of a user public key and a user identifier. It also includes the version number, certificate serial number, CA identifier, signature algorithm identifier, issuer name, and certificate validity period.

PKCS is RSA's public key cryptography standard. It covers a series of related protocols for certificate requests, certificate renewal, publication of certificate revocation lists, certificate extensions, digital signatures, the digital envelope format, and so on. It defines a series of standards from PKCS#1 to PKCS#15.

The most commonly used are PKCS#7, PKCS#12, and PKCS#10. PKCS#7 is the message syntax used for digital signatures and encryption, and PKCS#12 is the personal information exchange and packaging syntax, used primarily to generate public and private keys. PKCS#10 is the certificate request syntax.

Suffixes and conversion of certificates

Anyone who has worked with certificates may have been confused by their file suffixes. The common ones are DER, CRT, CER, and PEM.

DER indicates that the contents of the certificate are encoded in binary.

A PEM file is a text file whose contents are base64-encoded characters beginning with "-----BEGIN".

CRT and CER are basically equivalent. Both are certificate file extensions and both are text files. The difference is that CRT is usually used on Unix and Unix-like systems, while CER is usually used on Windows systems. On Windows, CER files are recognized by the MS CryptoAPI, which can directly display the dialog for importing and/or viewing the certificate contents.

A KEY file is mainly used to store public and private keys in the PKCS#8 format.

To view the contents of a text certificate, run the following command:

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

To view the binary certificate contents, run the following command:

openssl x509 -in cert.der -inform der -text -noout

The following are common PEM and DER conversions:

PEM to DER:

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM:

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

Start the SSL server in Netty

Strictly speaking, this title is not accurate. The server started in Netty is still the same server; the only difference is that the messages it sends and receives are encrypted and decrypted. In other words, a dedicated SSL handler has been added to the pipeline.

The Netty class that represents the SSL handler is SslHandler. It is an inner class of the SslContext factory class, so we only need to create an SslContext and call its newHandler method to get an SslHandler.

To enable SSL on the server:

ChannelPipeline p = channel.pipeline();
SslContext sslCtx = SslContextBuilder.forServer(...).build();
p.addLast("ssl", sslCtx.newHandler(channel.alloc()));

To enable SSL on the client:

ChannelPipeline p = channel.pipeline();
   SslContext sslCtx = SslContextBuilder.forClient().build();
   p.addLast("ssl", sslCtx.newHandler(channel.alloc(), host, port));

There are two ways to implement SSL in Netty. OpenSSL is used by default, and if OpenSSL is not available, the JDK implementation will be used.

To create the SslContext, call the SslContextBuilder.forServer or SslContextBuilder.forClient method.

Take a look at the creation process using the server as an example. SslContextBuilder has a variety of forServer methods, the simplest of which is analyzed here:

    public static SslContextBuilder forServer(File keyCertChainFile, File keyFile) {
        return new SslContextBuilder(true).keyManager(keyCertChainFile, keyFile);
    }

This method takes two arguments: keyCertChainFile is an X.509 certificate file in PEM format, and keyFile is a PKCS#8 private key file.

If you are familiar with OpenSSL, you should know that you can use the OpenSSL command to generate a private key file and a self-signed certificate file.

The details of how OpenSSL works can be found in my other articles, so I won't go into them here.

In addition to manually creating the certificate file and private key file, if you are in a development environment, you may want a very simple way to create the certificate and private key file. Netty provides you with the SelfSignedCertificate class.

As its name indicates, this class produces a self-signed certificate. It automatically generates the certificate file and the private key file in the system's temp folder, so it is not recommended for production use. By default, this class uses OpenJDK's X.509 implementation to generate the private key for the certificate; if that is not possible, Bouncy Castle is used instead.
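The server-side steps above put together, as an added example (not code from the original article or from the Netty project): a development server that generates a throwaway certificate with SelfSignedCertificate and passes its two files to forServer. The class name DevTlsServer, port 8443 and the string codecs are assumptions made for the illustration.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.string.StringDecoder;
import io.netty.handler.codec.string.StringEncoder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.SelfSignedCertificate;

public final class DevTlsServer {
    static final int PORT = 8443; // assumed port for this example

    public static void main(String[] args) throws Exception {
        // Development only: writes a throwaway certificate and key to temp files.
        SelfSignedCertificate ssc = new SelfSignedCertificate();
        // certificate() is the PEM X.509 file, privateKey() the PKCS#8 key file.
        SslContext sslCtx = SslContextBuilder
                .forServer(ssc.certificate(), ssc.privateKey())
                .build();

        EventLoopGroup boss = new NioEventLoopGroup(1);
        EventLoopGroup workers = new NioEventLoopGroup();
        try {
            ServerBootstrap b = new ServerBootstrap();
            b.group(boss, workers)
             .channel(NioServerSocketChannel.class)
             .childHandler(new ChannelInitializer<SocketChannel>() {
                 @Override
                 protected void initChannel(SocketChannel ch) {
                     // The SSL handler goes first so every later handler sees plaintext.
                     ch.pipeline().addLast("ssl", sslCtx.newHandler(ch.alloc()));
                     ch.pipeline().addLast(new StringDecoder(), new StringEncoder());
                 }
             });
            b.bind(PORT).sync().channel().closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            workers.shutdownGracefully();
            ssc.delete(); // remove the temporary certificate and key files
        }
    }
}
```

If the OpenJDK generator is not available at runtime, Bouncy Castle has to be on the classpath for SelfSignedCertificate to succeed.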

Start the SSL client in Netty

Similarly, to support SSL in the client, you need to create a handler. The SslContext creation code for the client is as follows:

// Configure SSL.
final SslContext sslCtx = SslContextBuilder.forClient()
        .trustManager(InsecureTrustManagerFactory.INSTANCE).build();

The code above uses InsecureTrustManagerFactory.INSTANCE as the trustManager. What is a trustManager?

When a client and a server set up an SSL connection, the client needs to verify the validity of the certificate sent by the server. Usually, this verification is performed on the CA server. However, that requires a real CA certificate environment, so for testing we use InsecureTrustManagerFactory. By default this class accepts every certificate and ignores all certificate errors.

Of course, a CA server is not strictly required. The purpose of client verification is to check whether the public key in the certificate is the same as that of the sender. In an offline environment or with self-signed certificates, we only need to verify the certificate's fingerprint on the client.

Netty provides the FingerprintTrustManagerFactory class to check a certificate's fingerprint.

The class has a fingerprints array that stores the trusted, authorized fingerprints. The certificate's fingerprint is compared against them, and if one matches, the verification succeeds.

To extract fingerprints from a certificate using OpenSSL, perform the following steps:

openssl x509 -fingerprint -sha256 -in my_certificate.crt
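An added example (not from the original article) of replacing InsecureTrustManagerFactory with fingerprint pinning: it computes the same SHA-256 fingerprint that the OpenSSL command prints and builds a client SslContext that accepts only that certificate. The class and method names are hypothetical, and the builder call assumes a Netty 4.1 release that includes FingerprintTrustManagerFactory.builder.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class PinnedTlsClient {

    /** SHA-256 over the DER encoding, as printed by openssl x509 -fingerprint -sha256. */
    static String sha256Fingerprint(File certFile) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            // CertificateFactory accepts both PEM and DER encoded X.509 input.
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            if (hex.length() > 0) hex.append(':');
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    /** Client context that trusts only a server certificate with the pinned fingerprint. */
    static SslContext pinnedClientContext(String fingerprint) throws Exception {
        return SslContextBuilder.forClient()
                .trustManager(FingerprintTrustManagerFactory.builder("SHA-256")
                        .fingerprints(fingerprint)
                        .build())
                .build();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the server certificate, obtained out of band.
        String pin = sha256Fingerprint(new File(args[0]));
        System.out.println("Pinning " + pin);
        SslContext sslCtx = pinnedClientContext(pin);
        // Use sslCtx.newHandler(channel.alloc(), host, port) in the client pipeline.
    }
}
```

In a deployed client the pin would be a configured constant rather than a value read at startup, so that a swapped certificate file cannot change what the client trusts.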

Conclusion

By adding an SSL handler on both the client and the server, messages between them are transmitted in encrypted form.

An example for this article is learn-Netty4

This article is available at www.flydean.com/12-netty-se…
