-
-
Save RobotSail/a8f4af3d4cfe23f542409bf456774d17 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"crypto/tls" | |
"crypto/x509" | |
"fmt" | |
"io/ioutil" | |
"log" | |
"net/http" | |
) | |
func main() { | |
log.SetFlags(log.Lshortfile) | |
// add the cert to the pool of certs | |
caCert, err := ioutil.ReadFile("server.crt") | |
caCertPool := x509.NewCertPool() | |
caCertPool.AppendCertsFromPEM(caCert) | |
conf := &tls.Config{ | |
RootCAs: caCertPool, | |
} | |
// create an HTTPS client to hit 127.0.0.1:8443/hello | |
client := &http.Client{ | |
Transport: &http.Transport{ | |
TLSClientConfig: conf, | |
}, | |
} | |
// hit the server | |
resp, err := client.Get("https://127.0.0.1:8443/hello") | |
if err != nil { | |
log.Println(err) | |
return | |
} | |
// read response | |
body, err := ioutil.ReadAll(resp.Body) | |
if err != nil { | |
log.Println(err) | |
return | |
} | |
fmt.Printf("%s\n", body) | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"bytes" | |
"crypto/ecdsa" | |
"crypto/elliptic" | |
"crypto/rand" | |
"crypto/tls" | |
"crypto/x509" | |
"crypto/x509/pkix" | |
"encoding/pem" | |
"io/ioutil" | |
"log" | |
"math/big" | |
"net" | |
"net/http" | |
"time" | |
) | |
func main() { | |
// get our ca and server certificate | |
_, _, err := certsetup() | |
if err != nil { | |
panic(err) | |
} | |
http.HandleFunc("/hello", HelloServer) | |
// // load the certificates through tls lib | |
// cert, err := tls.LoadX509KeyPair("server.crt", "server.key") | |
err = http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil) | |
if err != nil { | |
log.Fatal("ListenAndServe: ", err) | |
} | |
} | |
func certsetup() (serverTLSConf *tls.Config, clientTLSConf *tls.Config, err error) { | |
// set up our CA certificate | |
ca := &x509.Certificate{ | |
SerialNumber: big.NewInt(2019), | |
Subject: pkix.Name{ | |
Organization: []string{"Company, INC."}, | |
Country: []string{"US"}, | |
Province: []string{""}, | |
Locality: []string{"San Francisco"}, | |
StreetAddress: []string{"Golden Gate Bridge"}, | |
PostalCode: []string{"94016"}, | |
}, | |
NotBefore: time.Now(), | |
NotAfter: time.Now().AddDate(10, 0, 0), | |
IsCA: true, | |
SignatureAlgorithm: x509.ECDSAWithSHA256, | |
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, | |
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, | |
BasicConstraintsValid: true, | |
} | |
// create our private and public key | |
// caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) | |
caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | |
if err != nil { | |
return nil, nil, err | |
} | |
// create the CA | |
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) | |
if err != nil { | |
return nil, nil, err | |
} | |
// pem encode | |
caPEM := new(bytes.Buffer) | |
pem.Encode(caPEM, &pem.Block{ | |
Type: "CERTIFICATE", | |
Bytes: caBytes, | |
}) | |
caPrivKeyPEM := new(bytes.Buffer) | |
caPrivKeyPEMBytes, err := x509.MarshalECPrivateKey(caPrivKey) | |
if err != nil { | |
return nil, nil, err | |
} | |
pem.Encode(caPrivKeyPEM, &pem.Block{ | |
Type: "EC PRIVATE KEY", | |
Bytes: caPrivKeyPEMBytes, | |
}) | |
// pem.Encode(caPrivKeyPEM, &pem.Block{ | |
// Type: "RSA PRIVATE KEY", | |
// Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey), | |
// }) | |
// set up our server certificate | |
cert := &x509.Certificate{ | |
SerialNumber: big.NewInt(2019), | |
Subject: pkix.Name{ | |
Organization: []string{"Company, INC."}, | |
Country: []string{"US"}, | |
Province: []string{""}, | |
Locality: []string{"San Francisco"}, | |
StreetAddress: []string{"Golden Gate Bridge"}, | |
PostalCode: []string{"94016"}, | |
}, | |
DNSNames: []string{"localhost"}, | |
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, | |
NotBefore: time.Now(), | |
NotAfter: time.Now().AddDate(10, 10, 10), | |
SignatureAlgorithm: x509.ECDSAWithSHA256, | |
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, | |
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, | |
} | |
// certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) | |
// if err != nil { | |
// return nil, nil, err | |
// } | |
certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | |
if err != nil { | |
return nil, nil, err | |
} | |
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey) | |
if err != nil { | |
return nil, nil, err | |
} | |
certPEM := new(bytes.Buffer) | |
pem.Encode(certPEM, &pem.Block{ | |
Type: "CERTIFICATE", | |
Bytes: certBytes, | |
}) | |
certPrivKeyPEM := new(bytes.Buffer) | |
certPrivKeyPEMBytes, err := x509.MarshalECPrivateKey(certPrivKey) | |
if err != nil { | |
return nil, nil, err | |
} | |
pem.Encode(certPrivKeyPEM, &pem.Block{ | |
Type: "EC PRIVATE KEY", | |
Bytes: certPrivKeyPEMBytes, | |
}) | |
// write the keys to disk | |
err = WriteTLSKeys(certPEM, certPrivKeyPEM) | |
if err != nil { | |
return nil, nil, err | |
} | |
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes()) | |
if err != nil { | |
return nil, nil, err | |
} | |
// use our generated certificates to create a tls config | |
serverTLSConf = &tls.Config{ | |
Certificates: []tls.Certificate{serverCert}, | |
} | |
certpool := x509.NewCertPool() | |
certpool.AppendCertsFromPEM(caPEM.Bytes()) | |
clientTLSConf = &tls.Config{ | |
RootCAs: certpool, | |
} | |
return | |
} | |
func HelloServer(w http.ResponseWriter, req *http.Request) { | |
w.Header().Set("Content-Type", "text/plain") | |
w.Write([]byte("This is an example server.\n")) | |
// fmt.Fprintf(w, "This is an example server.\n") | |
// io.WriteString(w, "This is an example server.\n") | |
} | |
// WriteTLSKeys writes the given certificate and private key to files server.crt and server.key, respectively. | |
func WriteTLSKeys(certPEM *bytes.Buffer, certPrivKeyPEM *bytes.Buffer) error { | |
// write out the server certificate to server.crt | |
err := ioutil.WriteFile("server.crt", certPEM.Bytes(), 0644) | |
if err != nil { | |
return err | |
} | |
// write out to server.key | |
err = ioutil.WriteFile("server.key", certPrivKeyPEM.Bytes(), 0644) | |
return err | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment