Last active
April 21, 2021 12:50
-
-
Save amukherj/584046a6291000cf0a21e8944a41df2a to your computer and use it in GitHub Desktop.
HTTPS with client authentication using Go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
// Code copied from open source repos and customized | |
import ( | |
"crypto/tls" | |
"crypto/x509" | |
"flag" | |
"io/ioutil" | |
"log" | |
"net/http" | |
) | |
var ( | |
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.") | |
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.") | |
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.") | |
) | |
func main() { | |
flag.Parse() | |
// Load client cert | |
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile) | |
if err != nil { | |
log.Fatal(err) | |
} | |
// Load CA cert | |
caCert, err := ioutil.ReadFile(*caFile) | |
if err != nil { | |
log.Fatal(err) | |
} | |
caCertPool := x509.NewCertPool() | |
caCertPool.AppendCertsFromPEM(caCert) | |
// Setup HTTPS client | |
tlsConfig := &tls.Config{ | |
Certificates: []tls.Certificate{cert}, | |
RootCAs: caCertPool, | |
} | |
tlsConfig.BuildNameToCertificate() | |
transport := &http.Transport{TLSClientConfig: tlsConfig} | |
client := &http.Client{Transport: transport} | |
// Do GET something | |
resp, err := client.Get("https://127.0.0.1:8443") | |
if err != nil { | |
log.Fatal(err) | |
} | |
defer resp.Body.Close() | |
// Dump response | |
data, err := ioutil.ReadAll(resp.Body) | |
if err != nil { | |
log.Fatal(err) | |
} | |
log.Println(string(data)) | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
## Edit the file /etc/ssl/openssl.cnf to add the following | |
## line at the start of the section `[ v3_ca ]`. Remov the leading # | |
# subjectAltName = IP:127.0.0.1 | |
## Generate server private key | |
openssl genrsa -out pvtkey.key 2048 | |
## Generate server certificates | |
openssl req -x509 -new -nodes -key pvtkey.key -sha256 -days 3650 -out RootCA.pem | |
## Generate client private key | |
openssl genrsa -out cl_pvtkey.pem 2048 | |
## Generate certificate signing request | |
openssl req -new -key cl_pvtkey.pem -out client_csr.csr | |
## Generate client certificate based on the CA certificate | |
openssl x509 -req -in client_csr.csr -CA RootCA.pem -CAkey pvtkey.key -CAcreateserial -out client_cert.pem -days 3650 -sha256 | |
# Run the server | |
go run server.go -CA RootCA.pem -key pvtkey.key & | |
# Run the client | |
go run client.go -CA RootCA.pem -key cl_pvtkey.pem -cert client_cert.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
// Code copied from open source repos and customized | |
import ( | |
"crypto/rand" | |
"crypto/tls" | |
"crypto/x509" | |
"flag" | |
"fmt" | |
"io/ioutil" | |
"log" | |
"net" | |
"net/http" | |
) | |
var ( | |
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.") | |
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.") | |
) | |
func main() { | |
flag.Parse() | |
cert, err := tls.LoadX509KeyPair(*caFile, *keyFile) | |
if err != nil { | |
log.Fatalf("server: loadkeys: %s", err) | |
} | |
certpool := x509.NewCertPool() | |
pem, err := ioutil.ReadFile(*caFile) | |
if err != nil { | |
log.Fatalf("Failed to read client certificate authority: %v", err) | |
} | |
if !certpool.AppendCertsFromPEM(pem) { | |
log.Fatalf("Can't parse client certificate authority") | |
} | |
config := tls.Config{ | |
Certificates: []tls.Certificate{cert}, | |
ClientAuth: tls.RequireAndVerifyClientCert, | |
ClientCAs: certpool, | |
} | |
config.Rand = rand.Reader | |
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { | |
fmt.Fprintf(w, "Hello cert") | |
}) | |
service := "0.0.0.0:8443" | |
server := &http.Server{ | |
Addr: service, | |
TLSConfig: &config, | |
} | |
err = server.ListenAndServeTLS(*caFile, *keyFile) | |
if err != nil { | |
log.Fatalf("server: listen: %s", err) | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment