在Scala中使用Akka实现双向身份验证

bqucvtff  于 2022-11-06  发布在  Scala
关注(0)|答案(1)|浏览(272)

我将在Scala中使用Akka创建一个TLS会话,在客户端和服务器之间进行相互认证。我创建了两个CA证书,它们必须信任来自另一方的相应证书。您能给予我一个如何实现的示例吗?谢谢。

h7appiyu

h7appiyu1#

我创建了一个github项目,它演示了与不同类型的客户端(包括Akka)的相互认证。请看这里:https://github.com/Hakky54/mutual-tls-ssl
它包含将ssl材料加载到客户机和服务器的完整示例。
总结一下你需要做的事情是:

  • 对于客户端
  • 创建密钥和证书并将其加载到密钥库中
  • 导出证书
  • 为受信任证书创建单独的密钥库并导入服务器证书
  • 将两个密钥库加载到http客户端
  • 对于服务器
  • 创建密钥和证书并将其加载到密钥库中
  • 导出证书
  • 为受信任证书创建单独的密钥库并导入客户端证书
  • 将两个密钥库加载到服务器中

我不太清楚您使用的是哪种服务器,但如果您使用的是spring-boot,则示例配置为:

server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:identity.jks
    key-password: secret
    key-store-password: secret
    trust-store: classpath:truststore.jks
    trust-store-password: secret
    client-auth: need

Akka需要一个预先配置的SSLContext示例来配置HTTPS。下面的代码片段是一个创建带有https选项的客户端的示例。

import akka.actor.ActorSystem;
import akka.http.javadsl.ConnectionContext;
import akka.http.javadsl.Http;
import akka.http.javadsl.HttpsConnectionContext;
import com.typesafe.config.ConfigFactory;

import javax.net.ssl.SSLContext;
import java.util.Optional;

class App {

    public static void main(String[] args) {
        ActorSystem actorSystem = ActorSystem.create(
                App.class.getSimpleName(),
                ConfigFactory.defaultApplication(App.class.getClassLoader())
        );

        SSLContext sslContext = ...; //Initialized SSLContext

        Http http = Http.get(actorSystem);
        HttpsConnectionContext httpsContext = ConnectionContext.https(
                sslContext,
                Optional.empty(),
                Optional.empty(),
                Optional.empty(),
                Optional.of(sslContext.getDefaultSSLParameters()));
        http.setDefaultClientHttpsContext(httpsContext);
    }
}

有几个库提供了易于使用的实用程序/工厂/构建器类来帮助您创建SSLContext。

可能有很多其他的库提供类似的功能,但我只知道这三个。顺便说一下,sslcontext-kickstart是一个由我维护的库。
下面概述了四种加载密钥库和创建SSLContext. VanillaJava的方法,并使用了三个库。

import io.netty.handler.ssl.SslContextBuilder;
import nl.altindag.sslcontext.SSLFactory;
import org.apache.http.ssl.SSLContextBuilder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import javax.net.ssl.*;
import java.io.File;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Objects;

class SslExample {

    public static void main(String[] args) throws Exception {

        //Traditional flow of creating sslContext
        String keyStorePath = "keystore.p12";
        String trustStorePath = "truststore.p12";

        char[] keyStorePassword = "secret".toCharArray();
        char[] trustStorePassword = "secret".toCharArray();

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        KeyStore trustStore = KeyStore.getInstance("PKCS12");

        try(InputStream keyStoreInputStream = SslExample.class.getClassLoader().getResourceAsStream(keyStorePath);
            InputStream trustStoreInputStream = SslExample.class.getClassLoader().getResourceAsStream(trustStorePath)) {

            Objects.requireNonNull(keyStoreInputStream);
            Objects.requireNonNull(trustStoreInputStream);

            keyStore.load(keyStoreInputStream, keyStorePassword);
            trustStore.load(trustStoreInputStream, trustStorePassword);
        }

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword);
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(keyManagers, trustManagers, new SecureRandom());

        //creating sslContext with Apache SSLContextBuilder
        SSLContext sslContext1 = SSLContextBuilder.create()
                .loadKeyMaterial(new File("keystore.p12"), "secret".toCharArray(), "secret".toCharArray())
                .loadTrustMaterial(new File("truststore.p12"), "secret".toCharArray())
                .build();

        //creating sslContext with Jetty SslContextFactory
        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
        sslContextFactory.setKeyStorePath("keystore.p12");
        sslContextFactory.setKeyStorePassword("secret");
        sslContextFactory.setTrustStorePath("truststore.p12");
        sslContextFactory.setTrustStorePassword("secret");
        sslContextFactory.start();

        SSLContext sslContext2 = sslContextFactory.getSslContext();

        //creating sslContext with sslcontext-kickstart
        SSLFactory sslFactory = SSLFactory.builder()
                .withIdentity("keystore.p12", "secret".toCharArray())
                .withTrustStore("truststore.p12", "secret".toCharArray())
                .build();

        SSLContext sslContext3 = sslFactory.getSslContext();
    }

}

它是用java编写的,但是IntelliJ Idea在粘贴代码片段时提供了一个方便的转换函数。

相关问题