
Go client verifying the server's certificate (one-way certificate verification)

Published: 2020-12-16 18:11:50 | Category: Big Data | Source: compiled from the web
Setup: point the test hostname zigoo.com at the server's address in /etc/hosts, so that the name that will appear on the server certificate resolves on the client machine:

[root@contoso ~]# echo "192.168.10.100 zigoo.com" >> /etc/hosts
[root@contoso ~]# more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.100 zigoo.com
[root@contoso ~]#

[root@contoso ~]# tree $GOPATH/src/contoso.org -L 3 ## view the project directory structure

/root/code/go/src/contoso.org
├── client
│ ├── client.go
│ └── debug
└── server
├── debug
└── server.go

2 directories, 4 files

[root@contoso ~]#



[root@contoso ~]# cd $GOPATH/src/contoso.org/client
[root@contoso client]# openssl genrsa -out ca.key 2048 ## 1) generate the CA private key
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................+++
..........+++
e is 65537 (0x10001)
[root@contoso client]# openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt ## 2) create the self-signed CA certificate from the CA key; this is the root the client will trust, not a client certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:ZiGoo
Organizational Unit Name (eg, section) []: ## just press Enter to skip
Common Name (eg, your name or your server's hostname) []:zigoo.com
Email Address []:24759362@qq.com
[root@contoso client]#
Client side:
CA private key ca.key (needed below only to sign the server certificate; a real client ships only ca.crt and must never hold the CA key)
CA certificate ca.crt (the trust anchor the client loads)

[root@contoso client]# tree $GOPATH/src/contoso.org -L 3 ## view the project directory structure
/root/code/go/src/contoso.org
├── client
│ ├── ca.crt
│ ├── ca.key
│ ├── client.go
│ └── debug
└── server
├── debug
└── server.go

2 directories, 6 files
[root@contoso client]#



[root@contoso client]# cp ca.key ca.crt $GOPATH/src/contoso.org/server ## copy the CA key and certificate to the server directory so the server certificate can be signed there

[root@contoso client]#cd $GOPATH/src/contoso.org/server

[root@contoso server]# openssl genrsa -out server.key 2048 ## 3) generate the server private key
Generating RSA private key, 2048 bit long modulus
........+++
......................................+++
e is 65537 (0x10001)
[root@contoso server]# openssl req -new -key server.key -out server.csr ## 4) create a certificate signing request (CSR) from the server key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:ZiGoo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zigoo.com
Email Address []:24759362@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 ## an optional CSR attribute, not a passphrase on server.key; it may be left blank
An optional company name []:

## 5) sign the server CSR with the CA private key (-CAcreateserial also writes ca.srl, the CA's serial-number file)

[root@contoso server]#openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=ZiGoo/CN=zigoo.com/emailAddress=24759362@qq.com
Getting CA Private Key

Server side:
private key server.key
certificate server.crt

Caveat: issued this way, server.crt carries the hostname only in its Common Name and has no subjectAltName extension. Go 1.15 and later no longer match hostnames against the Common Name (Go 1.15 and 1.16 fall back to it only when GODEBUG=x509ignoreCN=0 is set; Go 1.17 removed the fallback), so the verifying client below fails with an "x509: certificate relies on legacy Common Name field" error unless the certificate also carries subjectAltName=DNS:zigoo.com, which openssl x509 -req can add from an -extfile containing that extension.

[root@contoso server]# tree $GOPATH/src/contoso.org -L 3 ## view the project directory structure
/root/code/go/src/contoso.org
├── client
│ ├── ca.crt
│ ├── ca.key
│ ├── client.go
│ └── debug
└── server
├── ca.crt
├── ca.key
├── ca.srl
├── debug
├── server.crt
├── server.csr
├── server.go
└── server.key

2 directories, 12 files
[root@contoso server]#

Creating an HTTPS web server in Go

/root/code/go/src/contoso.org/server/server.go :

package main

import (
	"fmt"
	"log"
	"net/http"
)

// handler writes a greeting and a fixed JSON document to every request.
func handler(res http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(res, "Hi, This is an example of https service in golang!\n")
	fmt.Fprintf(res,
		`[{"Name":"jason","Age":35,"Weight":60.3,"Speciality":"computer science","Hobby":["tennis","swimming","reading"],"Score":725.5,"Secret":"SRRMb3ZlFFlvdSE="}]`)
}

func main() {
	http.HandleFunc("/", handler)
	// Serve TLS on :8081 with the CA-signed server certificate and its private key.
	// ListenAndServeTLS only returns on failure, so report the error instead of exiting silently.
	log.Fatal(http.ListenAndServeTLS(":8081", "server.crt", "server.key", nil))
}


[root@contoso ~]# cd $GOPATH/src/contoso.org/server ## server directory
[root@contoso server]# go run server.go ## compile and run in place without installing; the server must be started before the client





Enter https://zigoo.com:8081 in the browser's address bar.
The page shows "Your connection is not secure": the browser refuses to load the HTTPS web server because server.crt is issued by a CA (ca.crt) that is not in the browser's trust store.

Temporary way to bypass one-way certificate verification in the browser:

Advanced ---> Add Exception... ---> Confirm Security Exception

To remove the security exception added in the browser and return it to the state where one-way certificate verification is enforced:

Preferences ---> Advanced ---> View Certificates ---> Servers ---> Unknown (Not Stored) zigoo.com:8081 ---> Delete... ---> OK

a) In the Servers tab, scroll down the list and delete any row related to zigoo.com;

b) In the Authorities tab, scroll down the list and delete any row related to ZiGoo;

Note: the HTTPS web server must then be restarted: press Ctrl + C to stop the server started with go run server.go

Only after that will refreshing the browser show "Your connection is not secure" again.

[root@contoso ~]# cd $GOPATH/src/contoso.org/server ## server directory
[root@contoso server]# go run server.go ## start the HTTPS web server again; it must be up before the client is run


Creating an HTTPS web client in Go

/root/code/go/src/contoso.org/client/client.go :

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	// Build a trust store that contains only our own CA certificate.
	pool := x509.NewCertPool()
	caCertPath := "ca.crt"

	caCrt, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return
	}
	// AppendCertsFromPEM reports false when no certificate could be parsed;
	// an empty pool would make the client reject every server, so check it.
	if !pool.AppendCertsFromPEM(caCrt) {
		fmt.Println("no valid CA certificate found in", caCertPath)
		return
	}

	// The server's certificate must chain to a CA in RootCAs and its name must
	// match the host we dial (zigoo.com); otherwise Get returns an x509 error.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get("https://zigoo.com:8081")
	if err != nil {
		fmt.Println("Get error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	fmt.Println(string(body))
}


[root@contoso ~]# cd $GOPATH/src/contoso.org/client ## client directory
[root@contoso client]# go run client.go ## compile and run in place; the server must already be running
Hi, This is an example of https service in golang!
[{"Name":"jason","Age":35,"Weight":60.3,"Speciality":"computer science","Hobby":["tennis","swimming","reading"],"Score":725.5,"Secret":"SRRMb3ZlFFlvdSE="}]

[root@contoso client]#


Another client implementation; the server code stays the same, and the client skips certificate verification entirely:

/root/code/go/src/contoso.org/client/client.go :

package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	// InsecureSkipVerify is a client-side setting only: it makes this client
	// accept whatever certificate the server presents, without checking the
	// issuing CA or the hostname, so anyone on the network path can impersonate the server.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get("https://zigoo.com:8081")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	fmt.Println(string(body))
}


[root@contoso ~]# cd $GOPATH/src/contoso.org/client ## client directory
[root@contoso client]# go run client.go ## compile and run in place; the server must already be running
Hi, This is an example of https service in golang!
[{"Name":"jason","Age":35,"Weight":60.3,"Speciality":"computer science","Hobby":["tennis","swimming","reading"],"Score":725.5,"Secret":"SRRMb3ZlFFlvdSE="}]

[root@contoso client]#

The server reports no error, and this client obtains exactly the same data from the server's API as the verifying one did. The difference is invisible in the output: this client never checked who it was talking to, so a server presenting any certificate at all, including one forged by an attacker on the network path, would have been accepted just the same. InsecureSkipVerify is tolerable for local debugging; for anything else, ship ca.crt with the client and load it into RootCAs as in the first version.
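As an added, self-contained example (not code from the original post), the following Go program does in one process what the page does across openssl steps 1-5, server.go and the two versions of client.go: it mints a test CA and a CA-signed server certificate carrying a subjectAltName (which Go 1.15+ requires), serves it on a loopback port, and then runs the client configurations discussed above against it, returning each handshake result. It uses ECDSA P-256 keys instead of the page's RSA 2048 only to keep generation fast; the verification logic is identical. The CA name "ZiGoo Test CA", the hostnames zigoo.com and www.zigoo.com and the 127.0.0.1 listener are assumptions of this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert makes a key pair plus a certificate from tmpl. With parent == nil the result is
// self-signed (openssl steps 1-2, the CA); otherwise parentKey signs it (openssl steps 3-5).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer, issuer := key, tmpl // self-signed unless a parent is given
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI returns the CA certificate (ca.crt, the client's trust anchor) and the server's
// certificate plus key (server.crt + server.key), issued for serverName. Names are demo assumptions.
func buildPKI(serverName string) (*x509.Certificate, tls.Certificate, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ZiGoo Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames:  []string{serverName}, // Go 1.15+ matches the hostname against SANs only, never the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf}, nil
}

// connect is the client side of one handshake; nil means cfg accepted the server's certificate.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// scenarios serves the test certificate on a loopback port and runs the client configurations
// discussed on this page against it, returning the handshake error (or nil) for each.
func scenarios() (map[string]error, error) {
	ca, serverCert, err := buildPKI("zigoo.com")
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // stand-in for server.go's ListenAndServeTLS: complete the handshake on every connection
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(c)
		}
	}()
	addr := ln.Addr().String()
	pool := x509.NewCertPool()
	pool.AddCert(ca) // same effect as pool.AppendCertsFromPEM(caCrt) in client.go
	return map[string]error{
		// client.go, first version; ServerName stands in for the /etc/hosts entry since we dial 127.0.0.1.
		"trusted CA, expected name": connect(addr, &tls.Config{RootCAs: pool, ServerName: "zigoo.com"}),
		// Right CA, but the client expected another host: fails with x509.HostnameError.
		"trusted CA, other name": connect(addr, &tls.Config{RootCAs: pool, ServerName: "www.zigoo.com"}),
		// The browser before "Add Exception": system roots only, so the issuer is unknown and the handshake fails.
		"system roots only": connect(addr, &tls.Config{ServerName: "zigoo.com"}),
		// client.go, second version: succeeds, but so would any certificate an on-path attacker presents.
		"InsecureSkipVerify": connect(addr, &tls.Config{InsecureSkipVerify: true}),
	}, nil
}

func main() {
	res, err := scenarios()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for name, e := range res {
		fmt.Printf("%-26s -> %v\n", name, e)
	}
}
```

Running it with go run prints nil for the first and last scenarios and an error for the two in the middle. The last line is the point of the page's closing remark: InsecureSkipVerify succeeds against a CA this client never loaded, so the connection is encrypted but the peer is unauthenticated. Note also that the verifying client needs a ServerName here because it dials an IP address; on the page that name comes from dialing zigoo.com itself.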

(Editor: 李大同)
