This article mainly covers generating certificates (with the OpenSSL command line and with Go's crypto/x509 package) and the HTTPS authentication process in Go. For background on SSL/TLS itself, I attach at the end of the article the material I have personally found useful.
One-way (server-only) verification process:
The client holds ca.crt; the server holds server.key and server.crt.
Client: generates a random number (random-client) and sends it to the server in its hello message.
Server: on receiving it, generates its own random number (random-server) and returns it together with the server certificate, which carries the server's public key.
Client: verifies the server certificate against ca.crt (the CA signature, the validity period, and that the certificate's name matches the host it connected to); only then does it generate a third value, the premaster secret, encrypt it with the public key taken from the certificate, and send it to the server. Note that the premaster secret is a fresh random value chosen by the client; it is not computed from random-client and random-server.
Server: decrypts the premaster secret with its private key (server.key). This is the key-negotiation step of the RSA key exchange. With (EC)DHE key exchange in TLS 1.2, and always in TLS 1.3, the premaster secret is instead agreed through a Diffie-Hellman exchange and the server's private key only signs the handshake; the authentication logic is the same.
At this point both sides hold the same three values: random-client, random-server and the premaster secret. Each side feeds them through the key-derivation function to obtain the same session keys, and all subsequent traffic is encrypted and integrity-protected with those keys.
Two-way (mutual) authentication adds the reverse direction to the same handshake: the server also requests the client's certificate, the client sends client.crt together with a signature over the handshake messages made with client.key, and the server verifies that certificate against its own copy of ca.crt. The key negotiation happens only once; it is not repeated.
How certificates are generated:
1. OpenSSL tool generation:
Step one, generate the CA key and the self-signed CA certificate
openssl genrsa -out ca.key 2048
# -subj supplies the subject so req does not prompt interactively; -x509 makes req emit a self-signed certificate instead of a CSR (without it ca.crt would be a signing request). Use "/CN=..." (a single slash); the "//CN=" form is only needed in MSYS/Git Bash on Windows to stop path mangling
openssl req -new -x509 -nodes -key ca.key -subj "/CN=nzh.com" -days 5000 -out ca.crt
Step two, generate the server key and certificate
openssl genrsa -out server.key 2048
# CN must be the server's host name (here "server", an alias for localhost in the hosts file). Modern clients, Go 1.15+ included, match the host name against the Subject Alternative Name and ignore the CN, so the name is also put into a SAN extension when signing
openssl req -new -key server.key -subj "/CN=server" -out server.csr
echo "subjectAltName=DNS:server,DNS:localhost" > server-ext.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile ./server-ext.cnf -out server.crt -days 5000
Step three, generate the client key and certificate
openssl genrsa -out client.key 2048
# the CSR must be made with client.key, not server.key, or the client certificate would carry the server's public key
openssl req -new -key client.key -subj "/CN=client" -out client.csr
echo "extendedKeyUsage=clientAuth" > extfile.cnf
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile ./extfile.cnf -out client.crt -days 5000
# check the result: both leaf certificates must chain to the CA, and the client certificate must carry the clientAuth extended key usage
openssl verify -CAfile ca.crt server.crt client.crt
openssl x509 -in client.crt -noout -ext extendedKeyUsage
2. Golang code generation:
First, build the certificate template (an x509.Certificate) and fill in its fields before anything is signed: serial number, subject, validity period, key usage, and IsCA with BasicConstraintsValid for the CA;
(Figure: constructing the certificate template)
Second, if the certificate to be issued is not the CA itself, load the CA certificate and CA private key that will sign it;
(Figure: loading the signing CA certificate)
Third, sign the certificate with x509.CreateCertificate. The only difference between the two branches in the figure (lines 46 and 49 of its listing) is the parent argument: for the self-signed CA certificate the parent is the template itself and the signing key is the CA's own key; for a CA-signed certificate the parent is the loaded CA certificate and the signing key is the CA's private key;
(Figure: certificate signing process)
The directory structure of the generated certificates is as follows:
(Figure: certificate directory structure)
The Golang code implements the two-way authentication process:
Server side:
For two-way authentication the server is an ordinary HTTP server: any type that implements ServeHTTP is an http.Handler, so the handler is written as usual;
The server certificate and private key (server.crt, server.key) are loaded with tls.LoadX509KeyPair; the private key is what allows the server to complete the key exchange with the client (decrypting the premaster secret, or signing the handshake);
The CA certificate is loaded into tls.Config.ClientCAs and ClientAuth is set to tls.RequireAndVerifyClientCert, so that the server rejects any client whose certificate does not chain to the CA;
(Figure: server-side code)
Client:
The client loads its own certificate and key (client.crt, client.key) into tls.Config.Certificates and the CA certificate into tls.Config.RootCAs, mirroring the server-side setup, then sends the request and prints the response;
(Figure: client code)
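The Go listings for certificate generation (section 2) and for the two-way authentication server and client are only shown as images in the original. As an added example, not the article's own code, here is one self-contained program that does both: newCert generates the CA, server and client certificates in memory with crypto/x509 (the self-signed versus CA-signed branches differ only in the parent argument), and runMutualTLS starts the mutual-TLS server on a loopback port and runs the client against it, once with the client certificate and once without. The function names, the "hello <CN>" response and the use of ECDSA P-256 keys instead of the article's RSA 2048 are choices made for this example; "localhost" is placed in the server certificate's SAN because Go ignores the CN when matching the host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// must collapses the error handling a real program would do into a panic (example only).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type keyCert struct {
	cert *x509.Certificate // parsed form, used as the parent when signing children
	key  *ecdsa.PrivateKey // used to sign children (CA) or to complete the handshake (leaf)
	tlsc tls.Certificate   // what tls.Config.Certificates wants: the cert chain plus its key
}

// newCert fills in the template for cn and signs it: with parent == nil it is self-signed (the CA
// branch), otherwise parent's certificate and key sign it. That parent argument is the only difference.
func newCert(cn string, isCA bool, eku []x509.ExtKeyUsage, dns []string, parent *keyCert) *keyCert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // P-256 here; the article uses RSA 2048
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // serverAuth / clientAuth, what extfile.cnf sets above
		DNSNames:              dns, // Go matches the host name against SANs, never the CN
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed: the template is its own parent
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &keyCert{cert: must(x509.ParseCertificate(der)), key: key,
		tlsc: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// runMutualTLS issues CA, server and client certificates, starts an HTTPS server on a loopback port
// that requires a client certificate chaining to the CA, then sends one request with the client
// certificate and one without. It returns the authenticated body and whether the bare request failed.
func runMutualTLS() (body string, rejected bool) {
	ca := newCert("nzh.com", true, nil, nil, nil)
	srv := newCert("server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"localhost"}, ca)
	cli := newCert("client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, ca)
	pool := x509.NewCertPool() // stands in for ca.crt on both sides
	pool.AddCert(ca.cert)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	server := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified by the handshake
		}),
		TLSConfig: &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{srv.tlsc},      // server.crt + server.key
			ClientCAs:    pool,                             // ca.crt
			ClientAuth:   tls.RequireAndVerifyClientCert,   // this setting is what makes it two-way
		},
	}
	go server.ServeTLS(ln, "", "") // returns once server.Close runs
	defer server.Close()
	url := "https://" + ln.Addr().String() + "/"
	client := func(withCert bool) *http.Client {
		cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // ca.crt; dialled by IP, verified as localhost
		if withCert {
			cfg.Certificates = []tls.Certificate{cli.tlsc} // client.crt + client.key
		}
		return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	}
	resp := must(client(true).Get(url))
	defer resp.Body.Close()
	body = string(must(io.ReadAll(resp.Body)))
	// With no client certificate the server sends a TLS alert (during the handshake under 1.2, on the
	// first read under 1.3); either way Get returns an error instead of a response.
	_, err := client(false).Get(url)
	return body, err != nil
}

func main() {
	body, rejected := runMutualTLS()
	fmt.Printf("authenticated: %q; request without client certificate rejected: %v\n", body, rejected)
}
```

Running it prints the authenticated response and confirms that the same server refuses a client that presents no certificate; the refusal is what distinguishes two-way from one-way authentication, since a one-way server (ClientAuth left at its default) would have answered both requests.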
A follow-up will add the equivalent curl command and the complete implementation source.