Example usage for io.netty.handler.ssl ReferenceCountedOpenSslContext release

List of usage examples for io.netty.handler.ssl ReferenceCountedOpenSslContext release

  1. HOME
  2. Java
  3. io.netty
  4. io.netty.handler.ssl.*
  5. ReferenceCountedOpenSslContext
  6. release

Introduction

In this page you can find the example usage for io.netty.handler.ssl ReferenceCountedOpenSslContext release.

Prototype

@Override
    public final boolean release()

Source Link

Usage

From source file:io.netty.example.ocsp.OcspClientExample.java

License:Apache License

public static void main(String[] args) throws Exception {
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }// w w  w .  j  av a 2s  .c om

    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }

    // Using Wikipedia as an example. I'd rather use Netty's own website
    // but the server (Cloudflare) doesn't support OCSP stapling. A few
    // other examples could be Microsoft or Squarespace. Use OpenSSL's
    // CLI client to assess if a server supports OCSP stapling. E.g.:
    //
    // openssl s_client -tlsextdebug -status -connect www.squarespace.com:443
    //
    String host = "www.wikipedia.org";

    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder.forClient()
            .sslProvider(SslProvider.OPENSSL).enableOcsp(true).build();

    try {
        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Promise<FullHttpResponse> promise = group.next().newPromise();

            Bootstrap bootstrap = new Bootstrap().channel(NioSocketChannel.class).group(group)
                    .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 5 * 1000)
                    .handler(newClientHandler(context, host, promise));

            Channel channel = bootstrap.connect(host, 443).syncUninterruptibly().channel();

            try {
                FullHttpResponse response = promise.get();
                ReferenceCountUtil.release(response);
            } finally {
                channel.close();
            }
        } finally {
            group.shutdownGracefully();
        }
    } finally {
        context.release();
    }
}

From source file:io.netty.example.ocsp.OcspServerExample.java

License:Apache License

public static void main(String[] args) throws Exception {
    // We assume there's a private key.
    PrivateKey privateKey = null;

    // Step 1: Load the certificate chain for netty.io. We'll need the certificate
    // and the issuer's certificate and we don't need any of the intermediate certs.
    // The array is assumed to be a certain order to keep things simple.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");

    X509Certificate certificate = keyCertChain[0];
    X509Certificate issuer = keyCertChain[keyCertChain.length - 1];

    // Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded
    // into the certificate! Notice that it's an HTTP URL.
    URI uri = OcspUtils.ocspUri(certificate);
    System.out.println("OCSP Responder URI: " + uri);

    if (uri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }/*from   w  w  w  . j  av a 2s .co  m*/

    // Step 3: Construct the OCSP request
    OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build();

    // Step 4: Do the request to the CA's OCSP responder
    OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + response.getStatus());
    }

    // Step 5: Is my certificate any good or has the CA revoked it?
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
    SingleResp first = basicResponse.getResponses()[0];

    CertificateStatus status = first.getCertStatus();
    System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
    System.out.println("This Update: " + first.getThisUpdate());
    System.out.println("Next Update: " + first.getNextUpdate());

    if (status != null) {
        throw new IllegalStateException("certificate-status=" + status);
    }

    BigInteger certSerial = certificate.getSerialNumber();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    if (!certSerial.equals(ocspSerial)) {
        throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
    }

    // Step 6: Cache the OCSP response and use it as long as it's not
    // expired. The exact semantics are beyond the scope of this example.

    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }

    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }

    if (privateKey == null) {
        throw new IllegalStateException(
                "Because we don't have a PrivateKey we can't continue past this point.");
    }

    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder
            .forServer(privateKey, keyCertChain).sslProvider(SslProvider.OPENSSL).enableOcsp(true).build();

    try {
        ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response));

        // so on and so forth...
    } finally {
        context.release();
    }
}