一文詳解如何通過 Java 實現 SSL 交互功能
創(chuàng)建證書
因為要產生 key 信任庫,而 keytool 要求密碼至少 6 位,所以密碼設為 123456
- 首先 生成 根密鑰和根證書
- 然後生成客戶端密鑰和客戶端證書,使用根證書對客戶端證書簽名,將根證書和已簽名的客戶端證書添加到密鑰庫中
- 最後同上生成服務端簽名證書,並將根證書和服務端證書添加到密鑰庫中。
對應(yīng)的腳本如下所示:
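#!/bin/bash
# Generates the lab PKI used by the SSLServer/SSLClient sample: a self-signed
# root CA, a client and a server certificate signed by it, a PKCS#12 bundle of
# each key pair, and two JKS trust stores (root + leaf) that SSLUtils loads.
#
# Lab settings only: the store password is hard-coded, the private keys are
# written unencrypted and the certificates are valid for ten years.
set -euo pipefail

# prefix for every generated file
PFX='file'
# Store password; keytool requires at least 6 characters.
# Single quotes on purpose: the value must not be subject to shell expansion.
PASS='123456'
# certificate validity in days (root and both leaves)
DAYS=3650

echo "---- 產生根相關文件 ----"
echo "創建自簽名的根密鑰"
openssl genrsa -out "${PFX}.rootkey.pem" 2048
echo "生成根證書"
# -days added: without it `openssl req -x509` issues a certificate valid for only 30 days
openssl req -x509 -new -key "${PFX}.rootkey.pem" -days "$DAYS" -out "${PFX}.root.crt" \
    -subj "/C=CN/ST=GD/L=GZ/O=RootCA/OU=RootCA/CN=RootCA"

echo "----- 產生客戶端相關文件 -----"
echo "生成客戶端密鑰"
openssl genrsa -out "${PFX}.clientkey.pem" 2048
echo "生成客戶端證書請求文件,使用根證書進行簽發"
openssl req -new -key "${PFX}.clientkey.pem" -out "${PFX}.client.csr" \
    -subj "/C=CN/ST=GD/L=GZ/O=BMW/OU=Vehicle/CN=Vehicle1"
echo "用根證書來簽發客戶端請求文件,生成客戶端證書client.crt"
openssl x509 -req -in "${PFX}.client.csr" -CA "${PFX}.root.crt" -CAkey "${PFX}.rootkey.pem" \
    -CAcreateserial -days "$DAYS" -out "${PFX}.client.crt"
echo "打包客戶端資料為pkcs12格式(client.pkcs12)"
# fixed: the original passed `-inkey clientkey.pem`, a file that is never created
# (the key was written with the ${PFX} prefix), so the client bundle failed to build
openssl pkcs12 -export -in "${PFX}.client.crt" -inkey "${PFX}.clientkey.pem" \
    -out "${PFX}.client.pkcs12" -passin "pass:$PASS" -passout "pass:$PASS"
echo "生成信任客戶端的keystore,把根證書以及需要信任的客戶端的證書添加到這個keystore"
# -noprompt replaces the here-document that typed a localized "yes" into keytool's
# "Trust this certificate?" prompt, which only worked under a Chinese locale.
# -storetype JKS is explicit because keytool creates PKCS12 stores by default since
# Java 9, while SSLUtils derives the store type from the ".jks" file extension.
keytool -importcert -noprompt -storetype JKS -alias ca -file "${PFX}.root.crt" \
    -keystore "${PFX}.clienttrust.jks" -storepass "$PASS"
keytool -importcert -noprompt -storetype JKS -alias clientcert -file "${PFX}.client.crt" \
    -keystore "${PFX}.clienttrust.jks" -storepass "$PASS"

echo "-------- 產生服務端相關文件 ----"
echo "生成服務器端的密匙"
openssl genrsa -out "${PFX}.serverkey.pem" 2048
echo "生成服務器端證書的請求文件。請求根證書來簽發"
openssl req -new -key "${PFX}.serverkey.pem" -out "${PFX}.server.csr" \
    -subj "/C=CN/ST=GD/L=GZ/O=BMW/OU=IT/CN=Broker"
echo "用根證書來簽發服務器端請求文件,生成服務器端證書server.crt"
openssl x509 -req -in "${PFX}.server.csr" -CA "${PFX}.root.crt" -CAkey "${PFX}.rootkey.pem" \
    -CAcreateserial -days "$DAYS" -out "${PFX}.server.crt"
echo "打包服務器端資料為pkcs12格式(server.pkcs12 )"
openssl pkcs12 -export -in "${PFX}.server.crt" -inkey "${PFX}.serverkey.pem" \
    -out "${PFX}.server.pkcs12" -passin "pass:$PASS" -passout "pass:$PASS"
echo "生成信任服務器端的keystore,把根證書以及需要信任的服務端的證書添加到這個keystore"
keytool -importcert -noprompt -storetype JKS -alias ca -file "${PFX}.root.crt" \
    -keystore "${PFX}.servertrust.jks" -storepass "$PASS"
keytool -importcert -noprompt -storetype JKS -alias servercert -file "${PFX}.server.crt" \
    -keystore "${PFX}.servertrust.jks" -storepass "$PASS"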
生成的文件目錄,如下圖所示:
#編碼
編寫 SSL Server
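import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.io.IOException;
import java.net.Socket;
import java.net.URL;

/**
 * Minimal TLS server used to exercise the generated certificates: accepts one
 * connection at a time, prints what the client sent and answers with a fixed
 * greeting.
 *
 * <p>Changes from the original: every accepted socket is closed after the
 * exchange (they were leaked before), a single failed connection no longer
 * stops the accept loop, and a missing {@code ssl-cert} resource directory
 * produces a clear error instead of a {@code NullPointerException}.
 */
public class SSLServer {

    /** Port the test server listens on. */
    private static final int PORT = 9999;
    /** Class-path directory holding the generated key and trust stores. */
    private static final String CERT_DIR = "ssl-cert";
    /** Store password chosen in the certificate script (lab value). */
    private static final String STORE_PASSWORD = "123456";

    private SSLServerSocket sslServerSocket;

    /**
     * Starts the server and serves connections until the process is killed.
     *
     * @param args ignored
     * @throws Exception if the stores cannot be loaded or the port cannot be bound
     */
    public static void main(String[] args) throws Exception {
        SSLServer server = new SSLServer();
        server.initTestServer();
        server.process();
    }

    /**
     * Loads the server key store and the client trust store from the class path
     * and opens the listening socket.
     *
     * @return the listening socket (also kept in {@link #sslServerSocket})
     * @throws Exception if the stores cannot be read or the socket cannot be created
     */
    private SSLServerSocket initTestServer() throws Exception {
        // the ssl-cert directory lives under the test resources
        String certDic = locateCertDir();
        sslServerSocket = initSocket(certDic + "/file.server.pkcs12",
                certDic + "/file.clienttrust.jks", STORE_PASSWORD);
        // false = one-way TLS: only the server presents a certificate and the
        // client trust store loaded above is never consulted. Set to true for
        // mutual TLS, in which case the client must present a cert chained to file.root.crt.
        sslServerSocket.setNeedClientAuth(false);
        System.out.println("Server test initialted!");
        return sslServerSocket;
    }

    /**
     * Resolves the {@value #CERT_DIR} resource directory to a file-system path.
     *
     * @return the directory path as reported by {@link URL#getPath()}
     * @throws IllegalStateException if the directory is not on the class path
     */
    private static String locateCertDir() {
        URL dir = SSLServer.class.getClassLoader().getResource(CERT_DIR);
        if (dir == null) {
            throw new IllegalStateException("resource directory '" + CERT_DIR + "' not found on the class path");
        }
        // NOTE(review): getPath() keeps URL escaping (e.g. "%20"); fine for this lab layout,
        // but a path with spaces would need URL decoding before use.
        return dir.getPath();
    }

    /**
     * Builds a TLSv1.2 context from the given stores and binds the listening socket.
     *
     * @param keyPath   PKCS#12 file holding the server key pair
     * @param trustPath JKS file holding the trusted client certificates
     * @param password  password shared by both stores
     * @return the bound listening socket
     * @throws Exception if the stores cannot be loaded or the port is in use
     */
    private SSLServerSocket initSocket(String keyPath, String trustPath, String password) throws Exception {
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        char[] keystorePass = password.toCharArray();
        context.init(SSLUtils.creatKey(keyPath, keystorePass).getKeyManagers(),
                SSLUtils.creatTrustJks(trustPath, keystorePass).getTrustManagers(),
                null);
        return (SSLServerSocket) context.getServerSocketFactory().createServerSocket(PORT);
    }

    /**
     * Accept loop: reads one message from each client and replies with a greeting.
     * Never returns normally.
     *
     * @throws Exception if {@code accept()} itself fails (the listening socket is gone)
     */
    private void process() throws Exception {
        String bye = "Hello, I am Server!";
        while (true) {
            // a failure here is fatal (the listening socket is unusable), so let it propagate
            Socket socket = sslServerSocket.accept();
            // try-with-resources closes each connection; the original leaked every accepted socket
            try (Socket conn = socket) {
                System.out.println("Received: " + SSLUtils.read(conn));
                SSLUtils.write(bye, conn);
            } catch (IOException e) {
                // one bad connection (e.g. a failed handshake) must not take the server down
                System.err.println("connection failed: " + e);
            }
        }
    }
}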
編寫 SSL Client
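import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.net.URL;

/**
 * Minimal TLS client for the sample: connects to {@link SSLServer} on the
 * loopback address, sends one greeting and prints the reply.
 *
 * <p>Changes from the original: the socket is closed once the exchange is done
 * (it was left open), and a missing {@code ssl-cert} resource directory produces
 * a clear error instead of a {@code NullPointerException}.
 */
public class SSLClient {

    /** Address of the sample server. */
    private static final String HOST = "127.0.0.1";
    /** Port the sample server listens on. */
    private static final int PORT = 9999;
    /** Class-path directory holding the generated key and trust stores. */
    private static final String CERT_DIR = "ssl-cert";
    /** Store password chosen in the certificate script (lab value). */
    private static final String STORE_PASSWORD = "123456";

    private SSLSocket sslSocket;

    /**
     * Connects to the server, performs one request/response and exits.
     *
     * @param args ignored
     * @throws Exception if the stores cannot be loaded or the connection fails
     */
    public static void main(String[] args) throws Exception {
        SSLClient client = new SSLClient();
        client.init();
        client.process();
    }

    /**
     * Loads the key and trust stores from the class path and opens the connection.
     *
     * @throws Exception if the stores cannot be read or the server is unreachable
     */
    private void init() throws Exception {
        // the ssl-cert directory lives under the test resources
        String certDic = locateCertDir();
        // NOTE(review): the key store handed to the client is the *server's* PKCS#12
        // file rather than file.client.pkcs12 produced by the script. The server runs
        // with setNeedClientAuth(false), so no client certificate is ever sent and the
        // mismatch goes unnoticed; switch to file.client.pkcs12 before enabling mutual TLS.
        initSocket(certDic + "/file.server.pkcs12", certDic + "/file.servertrust.jks", STORE_PASSWORD);
        System.out.println("Client initiated.");
    }

    /**
     * Resolves the {@value #CERT_DIR} resource directory to a file-system path.
     *
     * @return the directory path as reported by {@link URL#getPath()}
     * @throws IllegalStateException if the directory is not on the class path
     */
    private static String locateCertDir() {
        URL dir = SSLClient.class.getClassLoader().getResource(CERT_DIR);
        if (dir == null) {
            throw new IllegalStateException("resource directory '" + CERT_DIR + "' not found on the class path");
        }
        return dir.getPath();
    }

    /**
     * Builds a TLSv1.2 context from the given stores and connects to the server.
     * Either store may be absent ({@code null}/empty path), in which case the
     * corresponding manager array is {@code null} and the JDK default is used.
     *
     * @param keystorePath   PKCS#12 file holding the client key pair, or empty
     * @param trustStorePath JKS file holding the trusted server certificates, or empty
     * @param password       password shared by both stores
     * @throws Exception if the stores cannot be loaded or the connection fails
     */
    private void initSocket(String keystorePath, String trustStorePath, String password) throws Exception {
        char[] keystorePass = password.toCharArray();

        KeyManager[] keyManagers = null;
        KeyManagerFactory keyManagerFactory = SSLUtils.creatKey(keystorePath, keystorePass);
        if (keyManagerFactory != null) {
            keyManagers = keyManagerFactory.getKeyManagers();
        }

        TrustManager[] trustManagers = null;
        TrustManagerFactory trustManagerFactory = SSLUtils.creatTrustJks(trustStorePath, keystorePass);
        if (trustManagerFactory != null) {
            trustManagers = trustManagerFactory.getTrustManagers();
        }

        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(keyManagers, trustManagers, null);
        sslSocket = (SSLSocket) context.getSocketFactory().createSocket(HOST, PORT);
        // NOTE(review): a bare SSLSocket performs no host-name verification, so any
        // certificate chained to file.root.crt is accepted for any host. Enabling it via
        // SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") would reject this lab
        // certificate (CN=Broker, no SAN for 127.0.0.1); issue the server certificate with
        // a matching SAN and turn the check on before using this outside the lab.
    }

    /**
     * Sends one greeting, prints the server's reply and closes the connection.
     *
     * @throws Exception on any I/O failure
     */
    public void process() throws Exception {
        String hello = "Client Hello";
        // try-with-resources closes the socket; the original left it open until exit
        try (SSLSocket socket = sslSocket) {
            SSLUtils.write(hello, socket);
            System.out.println(SSLUtils.read(socket));
        }
    }
}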
通用編碼
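import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

/**
 * Helpers shared by {@code SSLServer} and {@code SSLClient}: a single
 * unframed read/write of a UTF-8 string over a socket, and construction of
 * key/trust manager factories from a key store file.
 *
 * <p>Changes from the original: the key store stream is closed after loading
 * (it was leaked), {@link #read(InputStream)} honours the number of bytes
 * actually read and decodes them as UTF-8 instead of returning a
 * platform-charset string padded with NUL bytes, and the commons-lang3
 * dependency is replaced by plain JDK string handling. Stream overloads are
 * added so the framing logic can be tested without a socket.
 */
public class SSLUtils {

    /** Upper bound on the bytes consumed by one {@link #read(InputStream)} call. */
    private static final int READ_BUFFER_SIZE = 1024;

    private SSLUtils() {
        // utility class
    }

    /**
     * Writes {@code message} as UTF-8 to the socket and flushes it.
     *
     * @param message   text to send
     * @param sslSocket connected socket to write to
     * @throws Exception on any I/O failure
     */
    public static void write(String message, Socket sslSocket) throws Exception {
        write(message, sslSocket.getOutputStream());
    }

    /**
     * Writes {@code message} as UTF-8 to {@code out} and flushes it. No length
     * prefix or delimiter is written; the peer relies on a single read.
     *
     * @param message text to send
     * @param out     destination stream
     * @throws IOException on any I/O failure
     */
    public static void write(String message, OutputStream out) throws IOException {
        byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8);
        out.write(messageBytes, 0, messageBytes.length);
        out.flush();
    }

    /**
     * Performs a single read from the socket and decodes the bytes as UTF-8.
     *
     * @param sslSocket connected socket to read from
     * @return the decoded bytes, or {@code ""} if the peer has closed the connection
     * @throws Exception on any I/O failure
     */
    public static String read(Socket sslSocket) throws Exception {
        return read(sslSocket.getInputStream());
    }

    /**
     * Performs a single read of at most {@value #READ_BUFFER_SIZE} bytes and
     * decodes them as UTF-8.
     *
     * <p>This is deliberately one {@code read} call, as in the original: there is
     * no message framing, so a message split across TCP segments is truncated.
     *
     * @param in stream to read from
     * @return the decoded bytes, or {@code ""} at end of stream
     * @throws IOException on any I/O failure
     */
    public static String read(InputStream in) throws IOException {
        byte[] buffer = new byte[READ_BUFFER_SIZE];
        int count = in.read(buffer);
        if (count <= 0) {
            // -1 means the peer closed the stream; treat it as an empty message
            return "";
        }
        return new String(buffer, 0, count, StandardCharsets.UTF_8);
    }

    /**
     * Creates a key manager factory from a key store file.
     *
     * @param keystorePath path to the store; the file extension selects the
     *                     store type (e.g. {@code .pkcs12}, {@code .jks})
     * @param keystorePass store and key password
     * @return the initialised factory, or {@code null} if {@code keystorePath}
     *         is {@code null} or empty
     * @throws Exception if the store cannot be read or the password is wrong
     */
    public static KeyManagerFactory creatKey(String keystorePath, char[] keystorePass) throws Exception {
        if (isEmpty(keystorePath)) {
            return null;
        }
        // "sunx509" is a SunJSSE-specific name; KeyManagerFactory.getDefaultAlgorithm()
        // is the portable choice, kept here to preserve the original behaviour
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509");
        kmf.init(loadKeyStore(keystorePath, keystorePass), keystorePass);
        return kmf;
    }

    /**
     * Creates a trust manager factory from a trust store file.
     *
     * @param trustClientKeystorePath path to the store; the file extension selects
     *                                the store type
     * @param keystorePass            store password
     * @return the initialised factory, or {@code null} if the path is
     *         {@code null} or empty
     * @throws Exception if the store cannot be read or the password is wrong
     */
    public static TrustManagerFactory creatTrustJks(String trustClientKeystorePath, char[] keystorePass) throws Exception {
        if (isEmpty(trustClientKeystorePath)) {
            return null;
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509");
        tmf.init(loadKeyStore(trustClientKeystorePath, keystorePass));
        return tmf;
    }

    /**
     * Loads a key store whose type is taken from the file extension.
     *
     * @param keystorePath path to the store file
     * @param keystorePass store password
     * @return the loaded store
     * @throws IllegalArgumentException if the path has no extension
     * @throws Exception                if the store cannot be read or the password is wrong
     */
    private static KeyStore loadKeyStore(String keystorePath, char[] keystorePass) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(storeTypeFromExtension(keystorePath));
        // try-with-resources: the original never closed the FileInputStream
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            keyStore.load(in, keystorePass);
        }
        return keyStore;
    }

    /** Returns the text after the last '.' in {@code path}; type names are case-insensitive for KeyStore. */
    private static String storeTypeFromExtension(String path) {
        int dot = path.lastIndexOf('.');
        if (dot < 0 || dot == path.length() - 1) {
            throw new IllegalArgumentException("cannot infer key store type from path without extension: " + path);
        }
        return path.substring(dot + 1);
    }

    /** {@code null} or zero-length, matching the original commons-lang3 check. */
    private static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }
}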
測試
啟動 SSLServer 和 SSLClient 可以得到的結果如下所示:
使用 wireshark 抓包如下所示:
這就是對應(yīng)的 SSL 連接
到此這篇關(guān)于一文詳解如何通過Java實現(xiàn)SSL交互功能的文章就介紹到這了,更多相關(guān)Java實現(xiàn)SSL交互內(nèi)容請搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
相關(guān)文章
利用JavaFX工具構(gòu)建Reactive系統(tǒng)
這篇文章主要介紹了使用JavaFX構(gòu)建Reactive系統(tǒng),利用JavaFX工具集中的新的超棒特性來構(gòu)建響應(yīng)式的快速應(yīng)用程序,感興趣的小伙伴們可以參考一下2016-02-02SpringBoot使用spring.config.import多種方式導(dǎo)入配置文件
本文主要介紹了SpringBoot使用spring.config.import多種方式導(dǎo)入配置文件,文中通過示例代碼介紹的非常詳細,對大家的學(xué)習或者工作具有一定的參考學(xué)習價值,需要的朋友們下面隨著小編來一起學(xué)習學(xué)習吧2022-05-05Java統(tǒng)計英文句子中出現(xiàn)次數(shù)最多的單詞并計算出現(xiàn)次數(shù)的方法
這篇文章主要介紹了Java統(tǒng)計英文句子中出現(xiàn)次數(shù)最多的單詞并計算出現(xiàn)次數(shù)的方法,涉及java針對英文句子的字符串遍歷、轉(zhuǎn)換、正則替換、計算等相關(guān)操作技巧,需要的朋友可以參考下2018-01-01springboot+redis過期事件監(jiān)聽實現(xiàn)過程解析
這篇文章主要介紹了springboot+redis過期事件監(jiān)聽實現(xiàn)過程解析,文中通過示例代碼介紹的非常詳細,對大家的學(xué)習或者工作具有一定的參考學(xué)習價值,需要的朋友可以參考下2020-03-03