func main() { // Load server key. serverKey, err := libtrust.LoadKeyFile(privateKeyFilename) if err != nil { log.Fatal(err) } // Generate server certificate. selfSignedServerCert, err := libtrust.GenerateSelfSignedServerCert( serverKey, []string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")}, ) if err != nil { log.Fatal(err) } // Load authorized client keys. authorizedClients, err := libtrust.LoadKeySetFile(authorizedClientsFilename) if err != nil { log.Fatal(err) } // Create CA pool using trusted client keys. caPool, err := libtrust.GenerateCACertPool(serverKey, authorizedClients) if err != nil { log.Fatal(err) } // Create TLS config, requiring client certificates. tlsConfig := &tls.Config{ Certificates: []tls.Certificate{ tls.Certificate{ Certificate: [][]byte{selfSignedServerCert.Raw}, PrivateKey: serverKey.CryptoPrivateKey(), Leaf: selfSignedServerCert, }, }, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool, } // Create HTTP server with simple request handler. server := &http.Server{ Addr: serverAddress, Handler: http.HandlerFunc(requestHandler), } // Listen and server HTTPS using the libtrust TLS config. listener, err := net.Listen("tcp", server.Addr) if err != nil { log.Fatal(err) } tlsListener := tls.NewListener(listener, tlsConfig) server.Serve(tlsListener) }
func main() { // Load Client Key. clientKey, err := libtrust.LoadKeyFile(privateKeyFilename) if err != nil { log.Fatal(err) } // Generate Client Certificate. selfSignedClientCert, err := libtrust.GenerateSelfSignedClientCert(clientKey) if err != nil { log.Fatal(err) } // Load trusted host keys. hostKeys, err := libtrust.LoadKeySetFile(trustedHostsFilename) if err != nil { log.Fatal(err) } // Ensure the host we want to connect to is trusted! host, _, err := net.SplitHostPort(serverAddress) if err != nil { log.Fatal(err) } serverKeys, err := libtrust.FilterByHosts(hostKeys, host, false) if err != nil { log.Fatalf("%q is not a known and trusted host", host) } // Generate a CA pool with the trusted host's key. caPool, err := libtrust.GenerateCACertPool(clientKey, serverKeys) if err != nil { log.Fatal(err) } // Create HTTP Client. client := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ Certificates: []tls.Certificate{ tls.Certificate{ Certificate: [][]byte{selfSignedClientCert.Raw}, PrivateKey: clientKey.CryptoPrivateKey(), Leaf: selfSignedClientCert, }, }, RootCAs: caPool, }, }, } var makeRequest = func(url string) { resp, err := client.Get(url) if err != nil { log.Fatal(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { log.Fatal(err) } log.Println(resp.Status) log.Println(string(body)) } // Make the request to the trusted server! makeRequest(fmt.Sprintf("https://%s", serverAddress)) }