Netty: establishing TLS (SSL) with X.509 certificates and checking the CRL (certificate revocation list)

  1. Build the SslContext for the TLS connection

        // Server certificate chain and private key (PEM files); rootFile is the CA that issued the
        // client certificates and is the only trust anchor. The CRL path is used by the listener below.
        File certChainFile = new File("D:\\test\\test\\sdk_test03\\test_03.crt");
        File keyFile = new File("D:\\test\\test\\sdk_test03\\test_03.key");
        File rootFile = new File("D:/test/MyPKISubCAG1.crt");
        String crlPath = "D:/test/test/ca.crl";

        SslContext sslContext = SslContextBuilder
                .forServer(certChainFile, keyFile)
                .trustManager(rootFile)             // accept only client certificates chaining to this CA
                .clientAuth(ClientAuth.REQUIRE)     // mutual TLS: a client without a certificate is rejected
                .build();

  This context validates the client's certificate chain and signature, but it does not consult any revocation list: a certificate the CA has since revoked is still accepted by the handshake.
  2. Check the CRL from a handshake listener to see whether the certificate has been revoked

        ChannelPipeline pipeline = channel.pipeline();
        SslHandler sslHandler = sslContext.newHandler(channel.alloc());
        // The listener runs once the handshake has finished, so a revoked certificate is only
        // detected after TLS has already accepted the client; the listener must close the channel itself.
        sslHandler.handshakeFuture().addListener(new MyGenericFutureListener(sslHandler, crlPath));
        // Add TLS to the pipeline
        pipeline.addLast(sslHandler);


  3. The listener implementation

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSession;

import io.netty.channel.Channel;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;

@Slf4j
public class MyGenericFutureListener implements GenericFutureListener<Future<Channel>> {
    private final SslHandler sslHandler;
    private final String crlPath;

    public MyGenericFutureListener(SslHandler sslHandler, String crlPath) {
        this.sslHandler = sslHandler;
        this.crlPath = crlPath;
    }

    @Override
    public void operationComplete(Future<Channel> handshakeFuture) throws Exception {
        if (!handshakeFuture.isSuccess()) {
            return; // handshake failed, there is no peer certificate to check
        }
        SSLSession sslSession = sslHandler.engine().getSession();
        // Index 0 is the peer's own (leaf) certificate; that is the one looked up in the CRL.
        X509Certificate cert = (X509Certificate) sslSession.getPeerCertificates()[0];
        if (isCertificateRevoked(cert)) {
            log.error("Certificate revoked: subject={} serial={}",
                    cert.getSubjectX500Principal(), cert.getSerialNumber());
            // Logging alone would leave a revoked client connected: drop the connection.
            handshakeFuture.getNow().close();
        }
    }

    @SneakyThrows
    private boolean isCertificateRevoked(X509Certificate cert) {
        // The CRL is re-read from disk on every handshake; close the stream afterwards.
        try (InputStream in = new FileInputStream(crlPath)) {
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            // isRevoked() only looks the certificate up in the list. It verifies neither the CRL's
            // signature nor its freshness (nextUpdate), so a tampered or stale CRL file passes unnoticed.
            return crl.isRevoked(cert);
        }
    }
}

  Two limitations of this approach are worth keeping in mind. First, the check runs after the handshake has completed, so from TLS's point of view the revoked client has already authenticated and closing the channel is the only enforcement. Second, the CRL file is trusted as-is: its signature is never verified against the CA and its nextUpdate is never checked, so the listener should at least call crl.verify(caCert.getPublicKey()) and compare crl.getNextUpdate() with the current time before relying on crl.isRevoked().
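The listener above only detects a revoked certificate after the handshake has succeeded. The following is an added example, not code from the original post, showing how to make the JDK's PKIX trust manager consult the CRL during the handshake instead, so that a revoked client certificate makes the handshake itself fail and the channel never becomes usable. It assumes the same inputs as the post (server chain, private key, issuing CA certificate and its CRL as files) and Netty's JDK TLS provider; the class and method names are the example's own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

/** Builds a server SslContext whose trust manager rejects revoked client certificates during the handshake. */
public final class CrlCheckingSslContext {

    private CrlCheckingSslContext() {
    }

    public static SslContext build(File certChainFile, File keyFile, File caFile, File crlFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        X509Certificate ca;
        try (InputStream in = new FileInputStream(caFile)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlFile)) {
            crl = (X509CRL) cf.generateCRL(in);
        }

        // A CRL that was not signed by the CA we trust, or that is past its nextUpdate, must not be used:
        // both checks fail closed rather than silently accepting every certificate.
        crl.verify(ca.getPublicKey());
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(new Date())) {
            throw new CertificateException("CRL is stale, nextUpdate=" + nextUpdate);
        }
        if (!crl.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            throw new CertificateException("CRL issuer does not match the trusted CA");
        }

        // Trust anchors: an in-memory key store holding only the issuing CA.
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        anchors.setCertificateEntry("client-ca", ca);

        // PKIX parameters with revocation checking on; the CRL is supplied through a Collection CertStore,
        // so validation stays offline (no CRL distribution point or OCSP fetches are attempted by default).
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        // The JDK's PKIX trust manager runs path validation, including the revocation check, inside
        // checkClientTrusted(), i.e. while the handshake is still in progress.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        return SslContextBuilder.forServer(certChainFile, keyFile)
                .trustManager(tmf)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }
}
```

With revocation enabled and no OCSP configured, the JDK validator refuses a client certificate for which no applicable CRL is available ("Could not determine revocation status"), which is the fail-closed behaviour wanted here. The CRL is parsed once when the context is built, so the SslContext has to be rebuilt, and the new handler installed for new connections, whenever the CA publishes a fresh CRL and before the loaded one reaches its nextUpdate.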
