
Grpc Java : Set up SSLContext on Server

I want to set up SSL on my GRPC server. For that I need a certificate chain and a pkcs8 private key.

I have done the following:

Generate CA key:

openssl genrsa -des3 -out ca.key 4096

Generate CA certificate:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate server key:

openssl genrsa -des3 -out server.key 4096

Generate server signing request:

openssl req -new -key server.key -out server.csr

Self-sign server certificate:

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Remove passphrase from the server key:

openssl rsa -in server.key -out server.key

Convert to pkcs8:

openssl pkcs8 -topk8 -nocrypt -in server.key -out pkcs8_key.pem

Now that I have my server.cert and pkcs8_key.pem files, I've created the server as such:

InputStream certChain = MyServer.class.getResourceAsStream("/server.crt");
InputStream privateKey = MyServer.class.getResourceAsStream("/pkcs8_key.pem");
SslContext sslContext = GrpcSslContexts.forServer(certChain, privateKey, "password").build();

Server server = NettyServerBuilder.forPort(8080)
    .sslContext(sslContext)
    .addService(new ChatService())
    .addService(new HelloWorldService())
    .useTransportSecurity(certChain, privateKey)
    .build();

The classpath is configured properly.

The error stack I'm getting:

Exception in thread "main" java.lang.IllegalArgumentException: Input stream does not contain valid private key.
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:296)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:104)
    at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.forServer(GrpcSslContexts.java:162)
    at server.MyServer.main(MyServer.java:20)
Caused by: java.io.IOException: overrun, bytes = 2353
    at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:92)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:978)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1034)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1024)
    at io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:294)
    ... 3 more

The exception is being caused by this line:

SslContext sslContext = GrpcSslContexts
    .forServer(certChain, privateKey, "password").build();

Since your pkcs8 key has no password, you should not be passing a password and instead use the two-argument method:

SslContext sslContext = GrpcSslContexts
    .forServer(certChain, privateKey).build();

Note that calling useTransportSecurity() will overwrite your call to sslContext(), so you shouldn't call both. Calling both would break in the current code because forServer() consumes and closes the provided InputStreams, so you'd be passing closed streams to useTransportSecurity().
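
An added example (not part of the original answer or of grpc-java): one way to pick the matching forServer() overload from the key's PEM header, and to buffer both files so the streams that forServer() consumes are never reused. The class TlsContextFactory, its method names and the resource paths passed to it are hypothetical; it assumes Java 9+ and the shaded grpc-netty artifact seen in the stack trace.

```java
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added example: TlsContextFactory and its methods are hypothetical names.
public final class TlsContextFactory {
    enum KeyKind { PKCS8_PLAIN, PKCS8_ENCRYPTED, NOT_PKCS8 }

    // The PEM header tells whether the key was written with or without -nocrypt.
    static KeyKind classify(byte[] pem) {
        String text = new String(pem, StandardCharsets.US_ASCII);
        if (text.contains("-----BEGIN ENCRYPTED PRIVATE KEY-----")) return KeyKind.PKCS8_ENCRYPTED;
        if (text.contains("-----BEGIN PRIVATE KEY-----")) return KeyKind.PKCS8_PLAIN;
        return KeyKind.NOT_PKCS8; // e.g. "BEGIN RSA PRIVATE KEY" straight from openssl genrsa
    }

    // Passing a password for a plain key makes Netty parse it as an
    // EncryptedPrivateKeyInfo, which is the failure in the stack trace above.
    static SslContext serverContext(String certResource, String keyResource, String keyPassword)
            throws IOException {
        byte[] cert = readResource(certResource);
        byte[] key = readResource(keyResource);
        switch (classify(key)) {
            case PKCS8_PLAIN:
                // Fresh streams per call: forServer() consumes and closes them.
                return GrpcSslContexts.forServer(new ByteArrayInputStream(cert),
                        new ByteArrayInputStream(key)).build();
            case PKCS8_ENCRYPTED:
                if (keyPassword == null) throw new IllegalArgumentException("encrypted key needs a password");
                return GrpcSslContexts.forServer(new ByteArrayInputStream(cert),
                        new ByteArrayInputStream(key), keyPassword).build();
            default:
                throw new IllegalArgumentException(
                        "private key is not PKCS#8 PEM; convert it with openssl pkcs8 -topk8");
        }
    }

    private static byte[] readResource(String name) throws IOException {
        try (InputStream in = TlsContextFactory.class.getResourceAsStream(name)) {
            if (in == null) throw new IOException("resource not found: " + name);
            return in.readAllBytes(); // Java 9+
        }
    }
}
```

The returned context is passed to NettyServerBuilder.sslContext() alone, without a second call to useTransportSecurity().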
