amukherj/client.go

## client.go
package main


// Code copied from open source repos and customized

import (
    "crypto/tls"
    "crypto/x509"
    "flag"
    "io/ioutil"
    "log"
    "net/http"
)

var (
    certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
    keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
    caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)

func main() {
    flag.Parse()

    // Load client cert
    cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
    if err != nil {
        log.Fatal(err)
    }

    // Load CA cert
    caCert, err := ioutil.ReadFile(*caFile)
    if err != nil {
        log.Fatal(err)
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    // Setup HTTPS client
    tlsConfig := &tls.Config{
        Certificates: []tls.Certificate{cert},
        RootCAs:      caCertPool,
    }
    tlsConfig.BuildNameToCertificate()
    transport := &http.Transport{TLSClientConfig: tlsConfig}
    client := &http.Client{Transport: transport}

    // Do GET something
    resp, err := client.Get("https://127.0.0.1:8443")
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()

    // Dump response
    data, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        log.Fatal(err)
    }
    log.Println(string(data))
}

## run_secure.sh
#!/bin/sh

## Edit the file /etc/ssl/openssl.cnf to add the following
## line at the start of the section `[ v3_ca ]`. Remov the leading #
# subjectAltName = IP:127.0.0.1

## Generate server private key
openssl genrsa -out pvtkey.key 2048

## Generate server certificates
openssl req -x509 -new -nodes -key pvtkey.key -sha256 -days 3650 -out RootCA.pem

## Generate client private key
openssl genrsa -out cl_pvtkey.pem 2048

## Generate certificate signing request
openssl req -new -key cl_pvtkey.pem -out client_csr.csr

## Generate client certificate based on the CA certificate
openssl x509 -req -in client_csr.csr -CA RootCA.pem -CAkey pvtkey.key -CAcreateserial -out client_cert.pem -days 3650 -sha256

# Run the server
go run server.go -CA RootCA.pem -key pvtkey.key &

# Run the client
go run client.go -CA RootCA.pem -key cl_pvtkey.pem -cert client_cert.pem

## server.go
package main

// Code copied from open source repos and customized

import (
    "crypto/rand"
    "crypto/tls"
    "crypto/x509"
    "flag"
    "fmt"
    "io/ioutil"
    "log"
    "net"
    "net/http"
)

var (
    keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
    caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)

func main() {
    flag.Parse()
    cert, err := tls.LoadX509KeyPair(*caFile, *keyFile)
    if err != nil {
        log.Fatalf("server: loadkeys: %s", err)

    }
    certpool := x509.NewCertPool()
    pem, err := ioutil.ReadFile(*caFile)
    if err != nil {
        log.Fatalf("Failed to read client certificate authority: %v", err)
    }
    if !certpool.AppendCertsFromPEM(pem) {
        log.Fatalf("Can't parse client certificate authority")
    }

    config := tls.Config{
        Certificates: []tls.Certificate{cert},
        ClientAuth:   tls.RequireAndVerifyClientCert,
        ClientCAs:    certpool,
    }
    config.Rand = rand.Reader

    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello cert")
    })

    service := "0.0.0.0:8443"
    server := &http.Server{
        Addr:      service,
        TLSConfig: &config,
    }
    err = server.ListenAndServeTLS(*caFile, *keyFile)
    if err != nil {
        log.Fatalf("server: listen: %s", err)
    }
}
	package main


	// Code copied from open source repos and customized

	import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"io/ioutil"
	"log"
	"net/http"
	)

	var (
	certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
	keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
	caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
	)

	func main() {
	flag.Parse()

	// Load client cert
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
	log.Fatal(err)
	}

	// Load CA cert
	caCert, err := ioutil.ReadFile(*caFile)
	if err != nil {
	log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	// Setup HTTPS client
	tlsConfig := &tls.Config{
	Certificates: []tls.Certificate{cert},
	RootCAs: caCertPool,
	}
	tlsConfig.BuildNameToCertificate()
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	client := &http.Client{Transport: transport}

	// Do GET something
	resp, err := client.Get("https://127.0.0.1:8443")
	if err != nil {
	log.Fatal(err)
	}
	defer resp.Body.Close()

	// Dump response
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
	log.Fatal(err)
	}
	log.Println(string(data))
	}
	#!/bin/sh

	## Edit the file /etc/ssl/openssl.cnf to add the following
	## line at the start of the section `[ v3_ca ]`. Remov the leading #
	# subjectAltName = IP:127.0.0.1

	## Generate server private key
	openssl genrsa -out pvtkey.key 2048

	## Generate server certificates
	openssl req -x509 -new -nodes -key pvtkey.key -sha256 -days 3650 -out RootCA.pem

	## Generate client private key
	openssl genrsa -out cl_pvtkey.pem 2048

	## Generate certificate signing request
	openssl req -new -key cl_pvtkey.pem -out client_csr.csr

	## Generate client certificate based on the CA certificate
	openssl x509 -req -in client_csr.csr -CA RootCA.pem -CAkey pvtkey.key -CAcreateserial -out client_cert.pem -days 3650 -sha256

	# Run the server
	go run server.go -CA RootCA.pem -key pvtkey.key &

	# Run the client
	go run client.go -CA RootCA.pem -key cl_pvtkey.pem -cert client_cert.pem