golang tls using rootCA
package main | |
import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"time"

	"github.com/go-chi/chi"
	mw "github.com/go-chi/chi/middleware"
	"github.com/go-chi/cors"
)
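// main wires a chi router behind a TLS-only HTTP server on :9443.
//
// The certificate, private key and CA bundle are read from fixed paths under
// /home/sborza (see genTLS). Failure to build the TLS configuration or to
// serve is fatal.
func main() {
	// Named tlsCfg rather than tls so the crypto/tls package is not shadowed
	// inside main.
	tlsCfg, err := genTLS()
	if err != nil {
		log.Fatal(err)
	}

	r := chi.NewRouter()
	r.Use(mw.RequestID)
	// NOTE(review): chi's RealIP rewrites RemoteAddr from X-Forwarded-For /
	// X-Real-IP. Those headers are attacker-controlled unless a trusted proxy
	// in front of this server overwrites them; confirm the deployment before
	// relying on RemoteAddr for logging or rate limiting.
	r.Use(mw.RealIP)
	r.Use(mw.NoCache)
	r.Use(mw.Heartbeat("/ping"))

	// NOTE(review): a wildcard origin combined with AllowCredentials is a
	// misconfiguration. Browsers refuse to expose a credentialed response that
	// carries a literal "*" Access-Control-Allow-Origin, and a CORS library that
	// instead echoes the request's Origin would be granting every site on the
	// internet credentialed access. Either list the allowed origins explicitly
	// or drop AllowCredentials. The values are left as the original had them;
	// named corsMW so the cors package itself is not shadowed.
	corsMW := cors.New(cors.Options{
		AllowedOrigins:   []string{"*"},
		AllowedMethods:   []string{"GET", "OPTIONS"},
		AllowedHeaders:   []string{"Accept", "Content-Type"},
		AllowCredentials: true,
		MaxAge:           300,
	})
	r.Use(corsMW.Handler)
	r.Get("/", confirm)

	srv := &http.Server{
		Addr:      ":9443",
		Handler:   r,
		TLSConfig: tlsCfg,
		// Bound how long a peer may hold a connection open while sending
		// nothing useful; without these limits the server is trivially
		// exhausted by slow or idle clients.
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       120 * time.Second,
	}

	// Passing non-empty cert/key paths makes ListenAndServeTLS load the key
	// pair from disk and replace tlsCfg.Certificates with it, so this file
	// pair is what clients are actually presented with; the rest of tlsCfg
	// (RootCAs, version limits) is still honoured.
	log.Fatal(srv.ListenAndServeTLS("/home/sborza/sborza_dev.pem", "/home/sborza/sborza_dev.key"))
}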
// confirm answers GET / with a fixed plain-text greeting and an implicit
// 200 status.
//
// The request body is closed explicitly even though net/http closes it for
// handlers; this is kept for parity with the original. The byte count and
// error from the write are not inspected.
func confirm(w http.ResponseWriter, r *http.Request) {
	defer r.Body.Close()
	fmt.Fprint(w, "Hello, world!")
}
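// genTLS reads the CA bundle, private key and certificate from their fixed
// paths and returns the server's *tls.Config.
//
// Files are read in the same order as before (CA, key, cert) so the first
// error reported for a missing file is unchanged. All parsing lives in
// buildTLSConfig so it can be exercised without touching the filesystem.
func genTLS() (*tls.Config, error) {
	const (
		caFile   = "/home/sborza/gd_bundle-g2.crt"
		keyFile  = "/home/sborza/sborza_dev.key"
		certFile = "/home/sborza/sborza_dev.pem"
	)

	caPEM, err := ioutil.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("read root cert: %w", err)
	}
	keyPEM, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, fmt.Errorf("read client priv key: %w", err)
	}
	certPEM, err := ioutil.ReadFile(certFile)
	if err != nil {
		return nil, fmt.Errorf("read client cert: %w", err)
	}
	return buildTLSConfig(certPEM, keyPEM, caPEM)
}

// buildTLSConfig assembles a *tls.Config from PEM-encoded inputs.
//
// certPEM may hold several CERTIFICATE blocks (leaf first, then intermediates);
// all of them are kept so the server sends its full chain. keyPEM may be
// PKCS#1, PKCS#8 or SEC1 EC — tls.X509KeyPair accepts all three and verifies
// that the key matches the leaf certificate. caPEM is parsed into RootCAs;
// see parseCABundle for what is rejected.
//
// NOTE(review): RootCAs is only consulted when this process verifies a
// *server* certificate as a TLS client; an http.Server never reads it. If the
// intent is for browsers to receive the GoDaddy intermediates, they must be
// part of the chain in certPEM (Certificates[0].Certificate). If the intent is
// to require client certificates, use ClientCAs together with ClientAuth.
// RootCAs is populated here as the original did.
//
// Returns a non-nil error (never panics) when any input fails to parse.
func buildTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	// X509KeyPair replaces the previous decode -> parse -> re-marshal ->
	// re-encode round trip, which silently dropped every certificate after
	// the first PEM block and dereferenced a nil *pem.Block on non-PEM input.
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("tls key pair: %w", err)
	}

	pool, err := parseCABundle(caPEM)
	if err != nil {
		return nil, fmt.Errorf("append cert: %w", err)
	}

	return &tls.Config{
		// TLS 1.0/1.1 are deprecated (RFC 8996); refuse them at the handshake.
		MinVersion:   tls.VersionTLS12,
		RootCAs:      pool,
		Certificates: []tls.Certificate{cert},
	}, nil
}

// parseCABundle parses every CERTIFICATE block in a PEM bundle into a new
// cert pool.
//
// Unlike x509.CertPool.AppendCertsFromPEM, which skips unparseable blocks and
// reports success as long as one certificate loaded, this fails on the first
// corrupt CERTIFICATE block so a truncated or damaged bundle is surfaced
// rather than quietly trusted in part. Non-CERTIFICATE blocks are ignored, as
// the standard library does. An error is returned if no certificate is found.
func parseCABundle(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	count := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM data (trailing whitespace or text is fine)
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("ca bundle: parse certificate %d: %w", count+1, err)
		}
		pool.AddCert(c)
		count++
	}
	if count == 0 {
		return nil, fmt.Errorf("ca bundle: no CERTIFICATE blocks found")
	}
	return pool, nil
}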