golang實現openssl自簽名雙向認證

第一步：生成CA、服務端、客戶端證書

1. 生成CA根證書

生成CA證書私鑰

openssl genrsa -out ca.key 4096

創建ca.conf 文件

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

生成根證書簽發申請文件(csr文件)

openssl req \-new \-sha256 \-out ca.csr \-key ca.key \-config ca.conf

生成自簽發根證書(crt文件)

openssl x509 \-req \-days 3650 \-in ca.csr \-signkey ca.key \-out ca.pem

2. 生成服務端證書

生成服務端私鑰

openssl genrsa -out server.key 2048

創建 server.conf 文件

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost    # 此處尤為重要，需要用該服務名字填寫到客戶端的代碼中[ req_ext ]
subjectAltName = @alt_names[alt_names]
DNS.1   = localhost
IP.1      = 127.0.0.1

生成服務端簽發申請文件(csr文件)

openssl req \-new \-sha256 \-out server.csr \-key server.key \-config server.conf

使用CA證書簽署服務器證書

openssl x509 \-req \-days 3650 \-CA ca.pem \-CAkey ca.key \-CAcreateserial \-in server.csr \-out server.pem \-extensions req_ext \-extfile server.conf

3. 生成客戶端證書

生成客戶端私鑰

openssl genrsa -out client.key 2048

創建 client.conf 文件

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName                = Locality Name (eg, city)
localityName_default        = NanJing
organizationName            = Organization Name (eg, company)
organizationName_default    = Sheld
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

生成客戶端端簽發申請文件(csr文件)

openssl req \-new \-sha256 \-out client.csr \-key client.key \-config client.conf

使用CA證書簽署客戶端器證書

openssl x509 \-req \-days 3650 \-CA ca.pem \-CAkey ca.key \-CAcreateserial \-in client.csr \-out client.pem

第二步：golang 服務端、客戶端代碼編寫

1. 項目目錄結構

在這里插入圖片描述

2. 服務端代碼：server.go

package mainimport ("crypto/tls""crypto/x509""fmt""net/http""os"
)type MyHandler struct {
}func (h *MyHandler) ServeHTTP(w http.ResponseWriter,r *http.Request) {fmt.Fprint(w, "Hello, HTTPS!")
}func main() {pool := x509.NewCertPool() // 創建證書池caCertPath := "./cert/ca.pem"caCrt, err := os.ReadFile(caCertPath) // 讀取本地CA證書文件if err != nil {fmt.Println("ReadFile err:", err)return}pool.AppendCertsFromPEM(caCrt) // 將證書添加到證書池中s := &http.Server{ // 創建 HTTP服務器實例，并設置服務器的監聽地址（本例中是127.0.0.1:8088）、處理器（即上面定義的myhandler結構體）、以及TLS配置。Addr:    "127.0.0.1:8088",Handler: &MyHandler{},TLSConfig: &tls.Config{ClientCAs:  pool,                           // 指定客戶端需要驗證的CA證書池（即上面創建的pool）ClientAuth: tls.RequireAndVerifyClientCert, // 要求客戶端在發送請求時必須攜帶證書},}err = s.ListenAndServeTLS("./cert/server.pem", "./cert/server.key")if err != nil {fmt.Println("ListenAndServeTLS err:", err)}
}

3. 客戶端代碼：client.go

package mainimport ("crypto/tls""crypto/x509""fmt""io""net/http""os"
)func main() {pool := x509.NewCertPool()    // 創建 x509.CertPool，用于存儲CA證書caCertPath := "./cert/ca.pem" // 從文件中讀取CA證書的內容caCrt, err := os.ReadFile(caCertPath)if err != nil {fmt.Println("ReadFile err:", err)return}pool.AppendCertsFromPEM(caCrt)                                               // 將CA證書添加到CertPool中cliCrt, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key") //加載客戶端證書和私鑰if err != nil {fmt.Println("Loadx509keypair err:", err)return}tr := &http.Transport{ // 創建一個http.Transport，并配置TLS相關信息TLSClientConfig: &tls.Config{RootCAs:      pool,                      // 設置根證書池Certificates: []tls.Certificate{cliCrt}, // 設置客戶端證書和私鑰},}client := &http.Client{Transport: tr}             // 創建一個http.Client，并設置Transport為上面創建的Transport對象resp, err := client.Get("https://127.0.0.1:8088") // 使用創建的Client發送GET請求if err != nil {fmt.Println("Http Get error:", err)return}defer resp.Body.Close()body, err := io.ReadAll(resp.Body) // 讀取并打印響應體的內容fmt.Println(string(body))
}

第三步：驗證

1. 運行服務端

go run ./server/server.go

在這里插入圖片描述

2. 運行客戶端

運行客戶端

go run ./client/client.go

在這里插入圖片描述

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/news/718556.shtml
繁體地址，請注明出處：http://hk.pswp.cn/news/718556.shtml
英文地址，請注明出處：http://en.pswp.cn/news/718556.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！