Skip to content

Instantly share code, notes, and snippets.

@RobotSail

RobotSail/tsl-client.go Secret

Last active April 12, 2022 18:06
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save RobotSail/a8f4af3d4cfe23f542409bf456774d17 to your computer and use it in GitHub Desktop.
Save RobotSail/a8f4af3d4cfe23f542409bf456774d17 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
tsl-client.go
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net/http"
)
func main() {
log.SetFlags(log.Lshortfile)
// add the cert to the pool of certs
caCert, err := ioutil.ReadFile("server.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
conf := &tls.Config{
RootCAs: caCertPool,
}
// create an HTTPS client to hit 127.0.0.1:8443/hello
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: conf,
},
}
// hit the server
resp, err := client.Get("https://127.0.0.1:8443/hello")
if err != nil {
log.Println(err)
return
}
// read response
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Println(err)
return
}
fmt.Printf("%s\n", body)
}
Raw
tsl-server.go
package main
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"log"
"math/big"
"net"
"net/http"
"time"
)
func main() {
// get our ca and server certificate
_, _, err := certsetup()
if err != nil {
panic(err)
}
http.HandleFunc("/hello", HelloServer)
// // load the certificates through tls lib
// cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
err = http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil)
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
}
func certsetup() (serverTLSConf *tls.Config, clientTLSConf *tls.Config, err error) {
// set up our CA certificate
ca := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
IsCA: true,
SignatureAlgorithm: x509.ECDSAWithSHA256,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
// create our private and public key
// caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
caPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
// create the CA
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
// pem encode
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caBytes,
})
caPrivKeyPEM := new(bytes.Buffer)
caPrivKeyPEMBytes, err := x509.MarshalECPrivateKey(caPrivKey)
if err != nil {
return nil, nil, err
}
pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "EC PRIVATE KEY",
Bytes: caPrivKeyPEMBytes,
})
// pem.Encode(caPrivKeyPEM, &pem.Block{
// Type: "RSA PRIVATE KEY",
// Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
// })
// set up our server certificate
cert := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"Company, INC."},
Country: []string{"US"},
Province: []string{""},
Locality: []string{"San Francisco"},
StreetAddress: []string{"Golden Gate Bridge"},
PostalCode: []string{"94016"},
},
DNSNames: []string{"localhost"},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 10, 10),
SignatureAlgorithm: x509.ECDSAWithSHA256,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
}
// certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
// if err != nil {
// return nil, nil, err
// }
certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
certPrivKeyPEM := new(bytes.Buffer)
certPrivKeyPEMBytes, err := x509.MarshalECPrivateKey(certPrivKey)
if err != nil {
return nil, nil, err
}
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "EC PRIVATE KEY",
Bytes: certPrivKeyPEMBytes,
})
// write the keys to disk
err = WriteTLSKeys(certPEM, certPrivKeyPEM)
if err != nil {
return nil, nil, err
}
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
if err != nil {
return nil, nil, err
}
// use our generated certificates to create a tls config
serverTLSConf = &tls.Config{
Certificates: []tls.Certificate{serverCert},
}
certpool := x509.NewCertPool()
certpool.AppendCertsFromPEM(caPEM.Bytes())
clientTLSConf = &tls.Config{
RootCAs: certpool,
}
return
}
func HelloServer(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Content-Type", "text/plain")
w.Write([]byte("This is an example server.\n"))
// fmt.Fprintf(w, "This is an example server.\n")
// io.WriteString(w, "This is an example server.\n")
}
// WriteTLSKeys writes the given certificate and private key to files server.crt and server.key, respectively.
func WriteTLSKeys(certPEM *bytes.Buffer, certPrivKeyPEM *bytes.Buffer) error {
// write out the server certificate to server.crt
err := ioutil.WriteFile("server.crt", certPEM.Bytes(), 0644)
if err != nil {
return err
}
// write out to server.key
err = ioutil.WriteFile("server.key", certPrivKeyPEM.Bytes(), 0644)
return err
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment