gRPC使用SSL实现加密通讯

客官°小女子只卖身不卖艺 2022-03-06 13:54 777阅读 0赞

grpc默认实现了基于证书的SSL加密通讯，使用中需要注意以下事项。

*  在Windows上开发，首先安装 OpenSSL，将OpenSSL.exe的路径添加到环境变量中。
 *  通过以下样例脚本生成通讯中所需要的服务端和客户端证书，其中需要特别注意的是，Generate server signing reques中的CN=KEKYK字段，如果是本机测试，使用本机名称。如果是真实环境，使用域名。因为客户端必须通过机器名或域名访问该服务。

### 生成服务端和客户端证书 ###

通过以下脚本生成服务端和客户端证书。脚本中命令的含义，详见博客中的另一篇文章《[OpenSSL 生成服务器及客户端证书][OpenSSL]》。

@echo off
    
    cd /d %~dp0
    
    set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg  
    
    echo Generate CA key:
    openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
    
    echo Generate CA certificate:
    openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj  "/C=CN/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=MyRootCA"
    
    echo Generate server key:
    openssl genrsa -passout pass:1111 -des3 -out server.key 4096
    
    echo Generate server signing request:
    openssl req -passin pass:1111 -new -key server.key -out server.csr -subj  "/C=CN/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=localhost"
    
    echo Self-sign server certificate:
    openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
    
    echo Remove passphrase from server key:
    openssl rsa -passin pass:1111 -in server.key -out server.key
    
    echo Generate client key
    openssl genrsa -passout pass:1111 -des3 -out client.key 4096
    
    echo Generate client signing request:
    openssl req -passin pass:1111 -new -key client.key -out client.csr -subj  "/C=CN/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=FengJun"
    
    echo Self-sign client certificate:
    openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
    
    echo Remove passphrase from client key:
    openssl rsa -passin pass:1111 -in client.key -out client.key
    
    pause

脚本的执行结果：

![20190319101422273.png][]

使用SSL改进博客中《[.NET使用gRPC入门教程][.NET_gRPC]》中的演示样例。

### 基于SSL的服务端 ###

using Grpc.Core;
    using GrpcLibrary;
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Threading.Tasks;
    
    namespace GrpcServer
    {
        class GrpcImpl : GrpcService.GrpcServiceBase
        {
            // 实现SayHello方法
            public override Task<HelloReply> SayHello(HelloRequest request, ServerCallContext context)
            {
                return Task.FromResult(new HelloReply { Message = "Hello " + request.Name });
            }
        }
        class Program
        {
            const int Port = 9007;
            public static void Main(string[] args)
            {
                var cacert = File.ReadAllText(path + "ca.crt");
                var servercert = File.ReadAllText(path + "server.crt");
                var serverkey = File.ReadAllText(path + "server.key");
                var keypair = new KeyCertificatePair(servercert, serverkey);
                var sslCredentials = new SslServerCredentials(new List<KeyCertificatePair>() { keypair }, cacert, false);
    
                Server server = new Server
                {
                    Services = { GrpcService.BindService(new GrpcImpl()) },
                    Ports = { new ServerPort("localhost", Port, sslCredentials) }
                };
                server.Start();
    
                Console.WriteLine("GrpcService server listening on port " + Port);
                Console.WriteLine("任意键退出...");
                Console.ReadKey();
    
                server.ShutdownAsync().Wait();
            }
        }
    }

### 基于SSL的客户端 ###

using Grpc.Core;
    using GrpcLibrary;
    using System;
    using System.IO;
    
    namespace GrpcClient
    {
        class Program
        {
            static void Main(string[] args)
            {
                var cacert = File.ReadAllText(path + "ca.crt");
                var clientcert = File.ReadAllText(path + "client.crt");
                var clientkey = File.ReadAllText(path + "client.key");
                var ssl = new SslCredentials(cacert, new KeyCertificatePair(clientcert, clientkey));
    
                Channel channel = new Channel("localhost:9007", ssl);
    
                var client = new GrpcService.GrpcServiceClient(channel);
                var reply = client.SayHello(new HelloRequest { Name = "April" });
                Console.WriteLine("来自" + reply.Message);
    
                channel.ShutdownAsync().Wait();
                Console.WriteLine("任意键退出...");
                Console.ReadKey();
            }
        }
    }

### 执行结果 ###

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2xpeWF6aGVuMjAxMQ_size_16_color_FFFFFF_t_70][]

![201903191021410.png][]

[OpenSSL]: https://blog.csdn.net/liyazhen2011/article/details/88644875
[20190319101422273.png]: /images/20220303/bcd416774095444baadf276cbbe3eaec.png
[.NET_gRPC]: https://blog.csdn.net/liyazhen2011/article/details/84937455
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2xpeWF6aGVuMjAxMQ_size_16_color_FFFFFF_t_70]: /images/20220303/685a2dc9ddaa486684ba27180413779b.png
[201903191021410.png]: /images/20220303/e112796370294e81a630bc1c326f0023.png

gRPC使用SSL实现加密通讯

发表评论取消回复

还没有评论，来说两句吧...

相关阅读