执行tls.Config.GetCertificate与自签名证书

Question

我试图弄清楚如何我可以实现一个函数，饲养tls.Config.GetCertificate与自签名证书。

我用这个彬源为基础，https://golang.org/src/crypto/tls/generate_cert.go

而且阅读， https://ericchiang.github.io/tls/go/https/2015/06/21/go-tls.html

遗憾的是，到目前为止，即时通讯坚持这个错误 2016/11/03 23:18:20 http2: server: error reading preface from client 127.0.0.1:34346: remote error: tls: unknown certificate authority

我想我需要生成一个CA证书，然后用它签署密钥，但我不知道如何继续（....）。

这是我的代码，有人可以帮助吗？

package gssc 

import (
    "crypto/rand" 
    "crypto/rsa" 
    "crypto/tls" 
    "crypto/x509" 
    "crypto/x509/pkix" 
    "github.com/pkg/errors" 
    "math/big" 
    "net" 
    "strings" 
    "time" 
) 

func GetCertificate(arg interface{}) func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { 
    var opts Certopts 
    var err error 
    if host, ok := arg.(string); ok { 
     opts = Certopts{ 
      RsaBits: 2048, 
      Host:  host, 
      ValidFrom: time.Now(), 
     } 
    } else if o, ok := arg.(Certopts); ok { 
     opts = o 
    } else { 
     err = errors.New("Invalid arg type, must be string(hostname) or Certopt{...}") 
    } 
    return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { 
     if err != nil { 
      return nil, err 
     } 
     return generate(opts) 
    } 
} 

type Certopts struct { 
    RsaBits int 
    Host  string 
    IsCA  bool 
    ValidFrom time.Time 
    ValidFor time.Duration 
} 

func generate(opts Certopts) (*tls.Certificate, error) { 

    priv, err := rsa.GenerateKey(rand.Reader, opts.RsaBits) 
    if err != nil { 
     return nil, errors.Wrap(err, "failed to generate private key") 
    } 

    notAfter := opts.ValidFrom.Add(opts.ValidFor) 

    serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) 
    serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) 
    if err != nil { 
     return nil, errors.Wrap(err, "Failed to generate serial number\n") 
    } 

    template := x509.Certificate{ 
     SerialNumber: serialNumber, 
     Subject: pkix.Name{ 
      Organization: []string{"Acme Co"}, 
     }, 
     NotBefore: opts.ValidFrom, 
     NotAfter: notAfter, 

     KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 
     ExtKeyUsage:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, 
     BasicConstraintsValid: true, 
    } 

    hosts := strings.Split(opts.Host, ",") 
    for _, h := range hosts { 
     if ip := net.ParseIP(h); ip != nil { 
      template.IPAddresses = append(template.IPAddresses, ip) 
     } else { 
      template.DNSNames = append(template.DNSNames, h) 
     } 
    } 

    if opts.IsCA { 
     template.IsCA = true 
     template.KeyUsage |= x509.KeyUsageCertSign 
    } 

    derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) 
    if err != nil { 
     return nil, errors.Wrap(err, "Failed to create certificate") 
    } 

    return &tls.Certificate{ 
     Certificate: [][]byte{derBytes}, 
     PrivateKey: priv, 
    }, nil 
} 

这是测试代码，我使用

package main 

import (
    "crypto/tls" 
    "github.com/mh-cbon/gssc" 
    "net/http" 
) 

type ww struct{} 

func (s *ww) ServeHTTP(w http.ResponseWriter, req *http.Request) { 
    w.Header().Set("Content-Type", "text/plain") 
    w.Write([]byte("This is an example server.\n")) 
} 

func main() { 
    s := &http.Server{ 
     Handler: &ww{}, 
     Addr: ":8080", 
     TLSConfig: &tls.Config{ 
      InsecureSkipVerify: true, 
      GetCertificate:  gssc.GetCertificate("example.org"), 
     }, 
    } 
    s.ListenAndServeTLS("", "") 

} 

非常感谢！

Answer 1

您的tls.Config.GetCertificate的实施导致了这个问题。

您每次调用tls.Config.GetCertificate时都会生成证书。您需要生成一次证书，然后在匿名函数中返回。

在gssc.GetCertificate：

cert, err := generate(opts) 

return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { 
     if err != nil { 
      return nil, err 
     } 
     return cert, err 
    }