1、服务端私钥与证书
server 代码
1 package main
2
3 import (
4 "fmt"
5 "net/http"
6 )
7
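// main serves the demo endpoint over TLS on :9898 using cert/ca.crt as the
// server certificate and cert/ca.key as its private key.
func main() {
	http.HandleFunc("/test", handler)

	// The same self-signed certificate acts as both "CA" and server leaf here;
	// that is workable for a demo but means clients have to pin exactly this
	// certificate (Go does not fall back to CommonName, so it must also carry a
	// SAN for the address the client dials).
	//
	// ListenAndServeTLS always returns a non-nil error (ErrServerClosed on a
	// clean shutdown, otherwise the listen/cert error). The original dropped
	// the result, so a missing or unreadable key/cert file made the process
	// exit silently with status 0.
	// NOTE(review): no ReadHeaderTimeout/ReadTimeout is configured; a
	// production server should be built as an http.Server with those set.
	if err := http.ListenAndServeTLS(":9898", "cert/ca.crt", "cert/ca.key", nil); err != nil {
		panic(err)
	}
}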
15
// handler answers every request routed to it with a fixed body, regardless of
// method or request contents. It is only a probe for the TLS setup and carries
// no application logic.
func handler(w http.ResponseWriter, r *http.Request) {
	const reply = "测试!"
	fmt.Fprint(w, reply)
}
client 代码
1 package main
2
import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"
	"time"
)
9
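// main calls the demo server over HTTPS and prints the response body.
//
// The server certificate is verified against cert/ca.crt rather than ignored:
// the original set InsecureSkipVerify: true, which accepts any certificate and
// therefore lets any on-path host terminate the TLS session and read or
// rewrite the traffic. Pinning the known self-signed certificate keeps the
// client usable against that server without giving up authentication.
func main() {
	caPEM, err := ioutil.ReadFile("cert/ca.crt")
	if err != nil {
		log.Fatalln("读取证书错误", err)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when it parsed no certificate at all;
	// an empty pool would reject every server with a confusing x509 error.
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatalln("读取证书错误: cert/ca.crt 中没有可用的 PEM 证书")
	}

	// NOTE(review): verification only succeeds if the certificate carries a
	// SAN matching the address dialed below (an IP SAN for 127.0.0.1); Go does
	// not fall back to the CommonName.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			MinVersion: tls.VersionTLS12,
		},
	}
	// Bound the whole request so a stalled server cannot hang the process.
	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}

	// Call the endpoint.
	resp, err := client.Get("https://127.0.0.1:9898/test")
	if err != nil {
		log.Fatalln("接口请求失败", err)
	}
	defer resp.Body.Close()

	// Read the body. The original discarded this error, so a truncated or
	// aborted body was reported as a successful result.
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatalln("读取响应失败", err)
	}
	if resp.StatusCode != http.StatusOK {
		log.Println("非预期的状态码", resp.StatusCode)
	}
	log.Println("请求结果", string(body))
}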
2、对服务端的证书进行校验
server 代码
1 package main
2
3 import (
4 "fmt"
5 "net/http"
6 )
7
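// main serves the demo endpoint over TLS on :9898 with a server certificate
// (cert/server.crt) issued by the demo CA, so clients can verify it against
// cert/ca.crt instead of disabling verification.
func main() {
	http.HandleFunc("/test", handler)

	// ListenAndServeTLS always returns a non-nil error (ErrServerClosed on a
	// clean shutdown, otherwise the listen/cert error). The original dropped
	// the result, so a missing or unreadable key/cert file made the process
	// exit silently with status 0.
	// NOTE(review): no ReadHeaderTimeout/ReadTimeout is configured; a
	// production server should be built as an http.Server with those set.
	if err := http.ListenAndServeTLS(":9898", "cert/server.crt", "cert/server.key", nil); err != nil {
		panic(err)
	}
}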
15
// handler replies to every request with a fixed body, ignoring method and
// request contents. It exists only to exercise the TLS configuration.
func handler(w http.ResponseWriter, r *http.Request) {
	const reply = "测试"
	fmt.Fprint(w, reply)
}
client 代码
1 package main
2
3 import (
4 "crypto/tls"
5 "crypto/x509"
6 "io/ioutil"
7 "log"
8 "net/http"
9 )
10
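// main calls the demo server over HTTPS, verifying its certificate against the
// demo CA in cert/ca.crt, and prints the response body.
func main() {
	// Build the trust store from the CA that issued the server certificate.
	caPEM, err := ioutil.ReadFile("cert/ca.crt")
	if err != nil {
		log.Fatalln("读取证书错误", err)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when it parsed no certificate at all;
	// the original ignored that, leaving an empty pool that rejects every
	// server with a confusing x509 error instead of a clear one here.
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatalln("读取证书错误: cert/ca.crt 中没有可用的 PEM 证书")
	}

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			// Verification stays on: only certificates chaining to
			// cert/ca.crt are accepted. Do not reintroduce InsecureSkipVerify.
			RootCAs:    pool,
			MinVersion: tls.VersionTLS12,
		},
		DisableCompression: true,
	}
	// NOTE(review): no Timeout is set on the client, so a stalled server can
	// hang this process indefinitely.
	client := &http.Client{Transport: tr}

	// The original URL lacked the ':' after the scheme ("https//server..."),
	// which url.Parse reads as a relative path and http.Client then rejects
	// with an "unsupported protocol scheme" error. The host name "server"
	// has to be present in the certificate's SANs and must resolve to the
	// server (e.g. via a hosts-file entry) — presumably why 127.0.0.1 is not
	// dialed here.
	resp, err := client.Get("https://server:9898/test")
	if err != nil {
		log.Fatalln("接口请求失败", err)
	}
	defer resp.Body.Close()

	// The original discarded the ReadAll error, reporting a truncated body
	// as a successful result.
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatalln("读取响应失败", err)
	}
	log.Println("请求结果", string(body))
}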
3、server/client的双向校验
server代码
package main
// 双向认证
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net/http"
)
// ServerHandler is the single http.Handler used by the mutual-TLS demo; it
// exists only so an http.Server can be built with an explicit Handler value.
type ServerHandler struct{}

// ServeHTTP writes a fixed reply to every request regardless of path, method
// or body. It is a probe for the TLS setup, not application logic.
func (h *ServerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	const reply = "测试"
	fmt.Fprint(w, reply)
}
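// main serves the demo endpoint on :9898 with mutual TLS: it presents
// cert/server.crt to clients and admits only clients whose certificate chains
// to the CA in cert/ca.crt.
func main() {
	const caPath = "cert/ca.crt"
	caPEM, err := ioutil.ReadFile(caPath)
	if err != nil {
		log.Fatalln("读取证书错误", err)
	}
	pool := x509.NewCertPool()
	// With RequireAndVerifyClientCert an empty pool fails closed (every client
	// is rejected), but the original gave no hint why; surface a bad CA file
	// at startup instead.
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatalln("读取证书错误:", caPath, "中没有可用的 PEM 证书")
	}

	s := &http.Server{
		Addr:    ":9898",
		Handler: &ServerHandler{},
		TLSConfig: &tls.Config{
			ClientCAs: pool,
			// Require a client certificate AND verify it against ClientCAs.
			// The weaker modes (RequestClientCert, RequireAnyClientCert) would
			// accept unauthenticated or unverified clients.
			ClientAuth: tls.RequireAndVerifyClientCert,
			MinVersion: tls.VersionTLS12,
		},
	}
	// NOTE(review): ReadHeaderTimeout/ReadTimeout are unset, so a slow client
	// can hold a connection open indefinitely.
	//
	// ListenAndServeTLS always returns a non-nil error; the original discarded
	// it, so a missing key/cert file exited silently with status 0.
	if err := s.ListenAndServeTLS("cert/server.crt", "cert/server.key"); err != nil {
		log.Fatalln("服务启动失败", err)
	}
}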
client 代码
package main
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"log"
"net/http"
)
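// main calls the mutual-TLS demo server: it verifies the server certificate
// against cert/ca.crt and presents cert/client.crt + cert/client.key as its
// own identity, then prints the response body.
func main() {
	caPEM, err := ioutil.ReadFile("cert/ca.crt")
	if err != nil {
		log.Fatalln("读取证书错误", err)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when it parsed no certificate; the
	// original ignored that and would fail later with an opaque x509 error.
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatalln("读取证书错误: cert/ca.crt 中没有可用的 PEM 证书")
	}

	// Client certificate and private key presented during the handshake.
	// The original panicked here; log.Fatalln matches the other failure paths.
	cliCrt, err := tls.LoadX509KeyPair("cert/client.crt", "cert/client.key")
	if err != nil {
		log.Fatalln("加载客户端证书错误", err)
	}

	// NOTE(review): the server certificate must carry a SAN for 127.0.0.1 for
	// verification to pass; Go does not fall back to the CommonName.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			// Server verification stays on; do not reintroduce
			// InsecureSkipVerify, which would void the server side of mTLS.
			RootCAs:      pool,
			Certificates: []tls.Certificate{cliCrt},
			MinVersion:   tls.VersionTLS12,
		},
	}
	// NOTE(review): no Timeout is set on the client, so a stalled server can
	// hang this process indefinitely.
	client := &http.Client{Transport: tr}

	resp, err := client.Get("https://127.0.0.1:9898/test")
	if err != nil {
		log.Fatalln("接口请求失败", err)
	}
	defer resp.Body.Close()

	// The original discarded the ReadAll error, reporting a truncated body
	// as a successful result.
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatalln("读取响应失败", err)
	}
	log.Println("请求结果", string(body))
}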