openssl cert

https://www.cnblogs.com/dust90/p/11207219.html

 

https://studygolang.com/articles/9329

 

Version       int
PrivateKey *big.Int  //asn1.RawContent
NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`  
PublicKey asn1.BitString

 

 

 

# RSA CA plus two EC leaf certificates (server, client) signed by that CA.
subj_base='/C=US/ST=province/L=city/O=someorg/OU=somedept'
leaf_days=3650

# CA: 2048-bit RSA key, self-signed for one year (subject prompted interactively).
# The leaf certs below are issued for 3650 days, so they outlive the CA and
# stop verifying once ca.pem expires.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.pem

# Server: P-256 key, CSR, then a CA-signed cert carrying a SAN for 127.0.0.1.
# A client that dials 127.0.0.1 matches that IP SAN, not the CN.
openssl ecparam -genkey -name secp256r1 -out server.key
openssl req -new -key server.key -out server.csr -subj "${subj_base}/CN=example.com"

printf 'subjectAltName = IP:127.0.0.1\n' > extfile.cnf
openssl x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days "$leaf_days" \
    -in server.csr -out server.pem -extfile extfile.cnf

# Client: P-384 key; the subject is prompted interactively (no -subj), and the
# cert is issued without -extfile, i.e. without a SAN.
openssl ecparam -genkey -name secp384r1 -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days "$leaf_days" \
    -in client.csr -out client.pem

 

 

# Same layout with SM2 (sm2p256v1) keys via gmssl: CA, server and client.
subj_base='/C=US/ST=province/L=city/O=someorg/OU=somedept'
leaf_days=3650

# CA, self-signed for one year (subject prompted interactively). Leaf certs
# below are issued for 3650 days and therefore outlive the CA.
gmssl ecparam -genkey -name sm2p256v1 -out ca.key
gmssl req -new -x509 -days 365 -key ca.key -out ca.pem

# Server: the SAN (IP:127.0.0.1) is what a client dialing 127.0.0.1 matches.
gmssl ecparam -genkey -name sm2p256v1 -out server.key
gmssl req -new -key server.key -out server.csr -subj "${subj_base}/CN=server.com"

printf 'subjectAltName = IP:127.0.0.1\n' > extfile.cnf
gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days "$leaf_days" \
    -in server.csr -out server.pem -extfile extfile.cnf

# Client: issued with the same extfile, so it also carries the IP SAN (harmless
# for a client certificate, but not needed for client authentication).
gmssl ecparam -genkey -name sm2p256v1 -out client.key
gmssl req -new -key client.key -out client.csr -subj "${subj_base}/CN=client.com"
gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days "$leaf_days" \
    -in client.csr -out client.pem -extfile extfile.cnf

 

 

 

 

 

// here's the newer version


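# OpenSSL variant: P-256 CA and server, P-384 client, everything under ./tls.
export DYLD_LIBRARY_PATH="$PWD"
# Stop here rather than scatter key files into the current directory when the
# work directory cannot be created or entered.
mkdir -p tls && cd tls || exit 1
# Private keys (and the *.pem bundles that embed them below) must not be
# world-readable. Public certs come out 0600 as well; chmod them if another
# user has to read them.
umask 077
gmssl=openssl

# CA, valid one year. The leaf certs below are issued for 3650 days, so they
# outlive the CA and stop verifying once ca.pem expires.
$gmssl ecparam -genkey -name secp256r1 -out ca.key
$gmssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj '/C=CA/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com'

# Server cert with an IP SAN; a client dialing 127.0.0.1 matches that SAN.
$gmssl ecparam -genkey -name secp256r1 -out server.key
$gmssl req -new -key server.key -out server.csr -subj "/C=US/ST=province/L=city/O=someorg/OU=somedept/CN=server.com"

echo subjectAltName = IP:127.0.0.1 > extfile.cnf

$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem -extfile extfile.cnf

# Client cert (P-384). It reuses extfile.cnf, so it also carries the IP SAN.
$gmssl ecparam -genkey -name secp384r1 -out client.key
$gmssl req -new -key client.key -out client.csr -subj "/C=US/ST=province/L=city/O=someorg/OU=somedept/CN=client.com"

$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem -extfile extfile.cnf

# Combined cert+key bundles. CAS.pem embeds the CA private key: keep it off
# the server and client hosts, which only need ca.pem.
cat ca.pem ca.key > CAS.pem
cat server.pem server.key > SS.pem
cat client.pem client.key > CS.pem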


 

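# GmSSL variant: SM2 (sm2p256v1) CA plus signing and encryption certs for
# server and client, everything under ./certs. The gmssl binary is expected in
# the directory this script starts in (referenced as ../gmssl after the cd).
export DYLD_LIBRARY_PATH="$PWD"
# Stop here rather than scatter key files into the current directory when the
# work directory cannot be created or entered.
mkdir -p certs && cd certs || exit 1
# Private keys (and the *.pem bundles that embed them below) must not be
# world-readable. Public certs come out 0600 as well; chmod them if another
# user has to read them.
umask 077
gmssl=../gmssl

# CA, valid one year. The leaf certs below are issued for 3650 days, so they
# outlive the CA and stop verifying once ca.pem expires.
$gmssl ecparam -genkey -name sm2p256v1 -out ca.key
$gmssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj '/C=CA/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com'

# Server signing cert. The SAN (IP:127.0.0.1) is what a client dialing
# 127.0.0.1 matches. Note that every leaf below reuses CN=ca.com and differs
# from the CA only in C; distinct CNs make the certs easier to tell apart.
$gmssl ecparam -genkey -name sm2p256v1 -out server.key
$gmssl req -new -key server.key -out server.csr -subj "/C=SS/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com"
echo subjectAltName = IP:127.0.0.1 > extfile.cnf
$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem -extfile extfile.cnf

# Server encryption cert. From here on extfile.cnf carries the SAN *and*
# keyUsage = keyEncipherment, dataEncipherment; clientE below gets both too.
echo keyUsage = keyEncipherment, dataEncipherment >> extfile.cnf
$gmssl ecparam -genkey -name sm2p256v1 -out serverE.key
$gmssl req -new -key serverE.key -out serverE.csr -subj "/C=SE/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com"
$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in serverE.csr -out serverE.pem -extfile extfile.cnf

# Client signing cert, issued without -extfile (no SAN, no keyUsage).
$gmssl ecparam -genkey -name sm2p256v1 -out client.key
$gmssl req -new -key client.key -out client.csr -subj "/C=CS/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com"
$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

# Client encryption cert (SAN + keyUsage from extfile.cnf).
$gmssl ecparam -genkey -name sm2p256v1 -out clientE.key
$gmssl req -new -key clientE.key -out clientE.csr -subj "/C=CE/ST=province/L=city/O=someorg/OU=somedept/CN=ca.com"
$gmssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in clientE.csr -out clientE.pem -extfile extfile.cnf

# Combined cert+key bundles. CAS.pem embeds the CA private key: keep it off
# the server and client hosts, which only need ca.pem.
cat ca.pem ca.key > CAS.pem

cat server.pem server.key > SS.pem
cat serverE.pem serverE.key > SE.pem

cat client.pem client.key > CS.pem
cat clientE.pem clientE.key > CE.pem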

 

 


 

 

 openssl pkcs8 -topk8 -inform PEM -in client.key -outform der -nocrypt -out pk8client.key

 

 

该证书用于导入浏览器使用。

# PKCS#12 bundle (client cert + private key) for browser import; -export
# prompts for the export password that the browser will ask for on import.
openssl pkcs12 -export -clcerts -inkey client.key -in client.pem -out client.p12


java:

https://my.oschina.net/itblog/blog/651608





# PKCS#12 key stores for the Java demo. -export prompts for an export
# password; Servers.init() opens server.keystore with "server" and
# SSLClient.init() opens client.keystore with "client", so enter those values.
for side in server client; do
    openssl pkcs12 -export -clcerts -name "$side" -inkey "$side.key" -in "$side.pem" -out "$side.keystore"
done

# Shared trust store. Both Java sides open it as type "jks" with the
# password "testca"; keytool prompts for that store password here.
keytool -importcert -trustcacerts -alias testca -file ca.pem -keystore ca.keystore








package main

import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"log"
)

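// main is the client half of the mutual-TLS demo: it presents
// client.pem/client.key, trusts only ca.pem, sends one line to
// 127.0.0.1:7443 and prints the reply.
func main() {
	cert, err := tls.LoadX509KeyPair("client.pem", "client.key")
	if err != nil {
		log.Println(err)
		return
	}
	clientCertPool := x509.NewCertPool()
	{
		certBytes, err := ioutil.ReadFile("ca.pem")
		if err != nil {
			// The message used to name cert.pem, which is not the file read here.
			panic("Unable to read ca.pem")
		}
		if ok := clientCertPool.AppendCertsFromPEM(certBytes); !ok {
			panic("failed to parse root certificate")
		}
	}
	// LoadX509KeyPair returns an error when no certificate is found, so the
	// former `cert.Certificate == nil` check could never fire.
	conf := &tls.Config{
		// Server chain must verify against ca.pem and the SAN must match the
		// dialed address; InsecureSkipVerify is deliberately left off.
		RootCAs:      clientCertPool,
		Certificates: []tls.Certificate{cert},
		// Refuse TLS 1.0/1.1; the Java peer on this page also pins TLSv1.2.
		MinVersion: tls.VersionTLS12,
		//InsecureSkipVerify: true,
	}
	conn, err := tls.Dial("tcp", "127.0.0.1:7443", conf)
	if err != nil {
		log.Println(err)
		return
	}
	defer conn.Close()
	n, err := conn.Write([]byte("hello\n"))
	if err != nil {
		log.Println(n, err)
		return
	}
	buf := make([]byte, 100)
	n, err = conn.Read(buf)
	if err != nil {
		log.Println(n, err)
		return
	}
	// Only the bytes actually received; string(buf) would print the unused
	// zero-filled tail of the buffer as well.
	log.Println(string(buf[:n]))
	log.Print("end")
}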



package main

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io/ioutil"
	"net"
)

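// main is the server half of the mutual-TLS demo: it serves
// server.pem/server.key on :9443 and only completes a handshake with clients
// whose certificate chains to ca.pem, handing each connection to handleConn.
func main() {
	cert, err := tls.LoadX509KeyPair("server.pem", "server.key")
	if err != nil {
		fmt.Println(err)
		return
	}

	clientCertPool := x509.NewCertPool()

	{
		certBytes, err := ioutil.ReadFile("ca.pem")
		if err != nil {
			// The message used to name cert.pem, which is not the file read here.
			panic("Unable to read ca.pem")
		}
		if ok := clientCertPool.AppendCertsFromPEM(certBytes); !ok {
			panic("failed to parse root certificate")
		}
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// Mutual TLS: the handshake fails unless the peer presents a
		// certificate that verifies against ClientCAs.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCertPool,
		// Refuse TLS 1.0/1.1; the Java peer on this page also pins TLSv1.2.
		MinVersion: tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", ":9443", config)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer ln.Close()
	for {
		conn, err := ln.Accept()
		if err != nil {
			fmt.Println(err)
			// A closed listener fails every Accept immediately; without this
			// check the loop spins at full CPU instead of shutting down.
			// (net.ErrClosed needs Go 1.16+.)
			if errors.Is(err, net.ErrClosed) {
				return
			}
			continue
		}
		go handleConn(conn)
	}
}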
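// handleConn serves one client: for every newline-terminated line received it
// writes the line to stdout and answers "world\n". It returns, closing conn, on
// the first read or write error (including EOF when the peer hangs up); a
// partial line received before EOF is not echoed.
func handleConn(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	for {
		msg, err := r.ReadString('\n')
		if err != nil {
			fmt.Println(err)
			return
		}
		// msg keeps its trailing '\n'. fmt.Print writes to stdout; the builtin
		// println used before writes to stderr and is not a stable facility.
		fmt.Print(msg)
		n, err := conn.Write([]byte("world\n"))
		if err != nil {
			fmt.Println(n, err)
			return
		}
	}
}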









package sslserver;

 

import java.io.FileInputStream;

import java.io.InputStream;

import java.io.OutputStream;

import java.net.Socket;

import java.security.KeyStore;

 

import javax.net.ssl.KeyManagerFactory;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLServerSocket;

import javax.net.ssl.TrustManagerFactory;

 

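public class Servers {

    private SSLServerSocket sslServerSocket;

    // Server side uses server.keystore (its own key pair) and ca.keystore (trust anchors).
    public void init() throws Exception {
        int port = 7443;
        String pathString = "/Users/jalyzhang/Documents/test/src/github.com/ultramesh/flato-msp-cert/z/";
        String serverkeystorePath = pathString + "server.keystore";
        String trustKeystorePath = pathString + "ca.keystore";
        // Must match the export password given to `openssl pkcs12 -export ... -out server.keystore`.
        String keystorePassword = "server";
        SSLContext context = SSLContext.getInstance("TLSv1.2");

        // Server key store (PKCS#12 produced by openssl pkcs12 -export).
        // try-with-resources closes the file handle, which the original leaked.
        KeyStore keystore = KeyStore.getInstance("pkcs12");
        try (FileInputStream keystoreFis = new FileInputStream(serverkeystorePath)) {
            keystore.load(keystoreFis, keystorePassword.toCharArray());
        }
        // Trust store (written by keytool -importcert -alias testca, opened as JKS).
        KeyStore trustKeystore = KeyStore.getInstance("jks");
        String cakeystorePassword = "testca";
        try (FileInputStream trustKeystoreFis = new FileInputStream(trustKeystorePath)) {
            trustKeystore.load(trustKeystoreFis, cakeystorePassword.toCharArray());
        }

        // Key managers: the server's own certificate and private key.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509");
        kmf.init(keystore, keystorePassword.toCharArray());

        // Trust managers: the default algorithm (PKIX) performs full chain
        // validation, which the "sunx509" trust manager does not.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKeystore);

        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        sslServerSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(port);
        // Mutual TLS: the handshake fails unless the client presents a
        // certificate that chains to an anchor in ca.keystore.
        sslServerSocket.setNeedClientAuth(true);
    }

    // Accepts clients forever; reads one chunk from each, prints it and answers "Bye!".
    // A client that sends nothing before closing is skipped.
    public void process() throws Exception {
        String bye = "Bye!";
        byte[] buffer = new byte[50];
        while (true) {
            // try-with-resources closes the socket (and both streams) even if
            // read/write throws; the original only closed the output stream.
            try (Socket socket = sslServerSocket.accept()) {
                InputStream in = socket.getInputStream();
                int n = in.read(buffer);
                if (n < 0) {
                    continue;
                }
                // Only the bytes actually read; new String(buffer) would also
                // print the unused tail of the 50-byte buffer.
                System.out.println("Received: " + new String(buffer, 0, n));
                OutputStream out = socket.getOutputStream();
                out.write(bye.getBytes());
                out.flush();
            }
        }
    }

    // Entry point: main was placed outside the class on the original page.
    public static void main(String[] args) throws Exception {
        Servers server = new Servers();
        server.init();
        System.out.println("SSLServer initialized.");
        server.process();
    }
}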

 

 

 

package sslclient;

 

import java.io.FileInputStream;

import java.io.InputStream;

import java.io.OutputStream;

import java.security.KeyStore;

 

import javax.net.ssl.KeyManagerFactory;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLSocket;

import javax.net.ssl.TrustManagerFactory;

 

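public class SSLClient {

    private SSLSocket sslSocket;

    public static void main(String[] args) throws Exception {
        SSLClient client = new SSLClient();
        client.init();
        System.out.println("SSLClient initialized.");
        client.process();
    }

    // Client side uses client.keystore (its own key pair) and ca.keystore (trust anchors).
    public void init() throws Exception {
        String host = "127.0.0.1";
        int port = 9443;

        String pathString = "/Users/jalyzhang/Documents/test/src/github.com/ultramesh/flato-msp-cert/z/";

        String keystorePath = pathString + "client.keystore";
        String trustKeystorePath = pathString + "ca.keystore";
        // Must match the export password given to `openssl pkcs12 -export ... -out client.keystore`.
        String keystorePassword = "client";
        SSLContext context = SSLContext.getInstance("TLSv1.2");

        // Client key store (PKCS#12 produced by openssl pkcs12 -export).
        // try-with-resources closes the file handle, which the original leaked.
        KeyStore clientKeystore = KeyStore.getInstance("pkcs12");
        try (FileInputStream keystoreFis = new FileInputStream(keystorePath)) {
            clientKeystore.load(keystoreFis, keystorePassword.toCharArray());
        }
        // Trust store (written by keytool -importcert -alias testca, opened as JKS).
        KeyStore trustKeystore = KeyStore.getInstance("jks");
        String cakeystorePassword = "testca";
        try (FileInputStream trustKeystoreFis = new FileInputStream(trustKeystorePath)) {
            trustKeystore.load(trustKeystoreFis, cakeystorePassword.toCharArray());
        }

        // Key managers: the client's own certificate and private key.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509");
        kmf.init(clientKeystore, keystorePassword.toCharArray());

        // Trust managers: the default algorithm (PKIX) performs full chain
        // validation, which the "sunx509" trust manager does not.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKeystore);

        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        sslSocket = (SSLSocket) context.getSocketFactory().createSocket(host, port);
        // Plain SSLSocket does no endpoint identification by default, so without
        // this the server certificate's SAN is never compared with `host`. The
        // server certs generated on this page carry IP:127.0.0.1, which matches.
        javax.net.ssl.SSLParameters params = sslSocket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sslSocket.setSSLParameters(params);
    }

    // Sends one line, prints whatever the server answers, then closes the socket.
    public void process() throws Exception {
        // try-with-resources closes the socket even if read/write throws;
        // the original never closed it.
        try (SSLSocket socket = sslSocket) {
            String hello = "hello boy!\n";
            byte[] payload = hello.getBytes();
            OutputStream out = socket.getOutputStream();
            out.write(payload, 0, payload.length);
            out.flush();
            System.out.println("writed");

            InputStream in = socket.getInputStream();
            byte[] buffer = new byte[50];
            int n = in.read(buffer);
            // Only the bytes actually read; new String(buffer) would also print
            // the unused tail of the buffer. n < 0 means the server sent nothing.
            if (n > 0) {
                System.out.println(new String(buffer, 0, n));
            }
        }
    }
}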

 

 

 

 

https://github.com/openjdk/jdk15

 
