Golang双向校验
服务端
服务端需要校验客户端的证书,代码如下:
package main
import (
"crypto/tls"
"crypto/x509"
"github.com/gin-gonic/gin"
"github.com/unrolled/secure"
"io/ioutil"
)
func TlsHandler() gin.HandlerFunc {
return func(c *gin.Context) {
secureMiddleware := secure.New(secure.Options{
SSLRedirect: true,
SSLHost: "localhost:8081",
})
err := secureMiddleware.Process(c.Writer, c.Request)
if err != nil {
c.Abort()
return
}
if status := c.Writer.Status(); status > 300 && status < 399 {
c.Abort()
}
c.Next()
}
}
func Android(context *gin.Context){
context.JSON(200,gin.H{
"message":"data",
})
}
func generateConfig()(config *tls.Config,err error){
pool := x509.NewCertPool()
caCertPath := "F:\\test\\ca.crt"
caCrt, err := ioutil.ReadFile(caCertPath)
if err != nil {
return
}
pool.AppendCertsFromPEM(caCrt)
config = &tls.Config{
ClientCAs: pool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
return
}
func StartServer(){
config,err:=generateConfig()
if err!=nil{
return
}
r := gin.Default()
r.Use(TlsHandler())
r.GET("/android",Android)
r.RunTLSWithConfig(":8081", "F:\\test\\server.crt", "F:\\test\\server.key",config)
}
func main() {
StartServer()
}
结果:
启动浏览器进行访问,会无法访问
同时服务端打印了错误日志:
浏览器这条路是走不通了,只能自己发请求并带上受信任的证书
客户端
代码如下:
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
)
func addTrust(pool*x509.CertPool, path string) {
aCrt, err := ioutil.ReadFile(path)
if err!= nil {
fmt.Println("ReadFile err:",err)
return
}
pool.AppendCertsFromPEM(aCrt)
}
func TwoWaySSlCheck(){
pool := x509.NewCertPool()
// 这里加载服务端提供的证书,用于校验服务端返回的数据
addTrust(pool,"F:\\test\\ca.crt")
// 这里加载客户端自己的证书,要与提供给服务端的证书一致,不然服务端校验会不通过
cliCrt, err := tls.LoadX509KeyPair("F:\\test\\server.crt", "F:\\test\\server.key")
if err != nil {
fmt.Println("Loadx509 keypair err:", err)
return
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: pool,
Certificates: []tls.Certificate{cliCrt},
},
}
client := &http.Client{Transport: tr}
resp, err := client.Get("https://lance.com:8081/android")
if err != nil {
fmt.Println("Get error:", err)
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
fmt.Println(string(body))
}
func main(){
TwoWaySSlCheck()
}
结果如下:
正常访问,同时服务端也没有错误信息,说明这个双向校验成功了!!!
Android与服务器进行双向校验
服务端不用做改动,只需要Android端在握手时提供证书,本次双向检验新建一个HttpsUtil.java文件,用来存放双向校验的代码:
HttpsUtil.java代码如下:
package com.example.safeapp.sslfactory;
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class HttpsUtil {
private final static String CLIENT_PRI_KEY = "client.bks";
private final static String TRUSTSTORE_PUB_KEY = "ca.bks";
private final static String CLIENT_BKS_PASSWORD = "123456";
private final static String TRUSTSTORE_BKS_PASSWORD = "123456";
private final static String KEYSTORE_TYPE = "BKS";
private final static String PROTOCOL_TYPE = "TLS";
private final static String CERTIFICATE_STANDARD = "X509";
public static SSLSocketFactory getSSLCertifcation(Context context) {
SSLSocketFactory sslSocketFactory = null;
try {
// 服务器端需要验证的客户端证书,其实就是客户端的keystore
KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
// 客户端信任的服务器端证书
KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
//读取证书
InputStream ksIn = context.getAssets().open(CLIENT_PRI_KEY);
InputStream tsIn = context.getAssets().open(TRUSTSTORE_PUB_KEY);
//加载证书
keyStore.load(ksIn, CLIENT_BKS_PASSWORD.toCharArray());
trustStore.load(tsIn, TRUSTSTORE_BKS_PASSWORD.toCharArray());
ksIn.close();
tsIn.close();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERTIFICATE_STANDARD);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(CERTIFICATE_STANDARD);
trustManagerFactory.init(trustStore);
keyManagerFactory.init(keyStore, CLIENT_BKS_PASSWORD.toCharArray());
//初始化SSLContext
SSLContext sslContext = SSLContext.getInstance(PROTOCOL_TYPE);
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new java.security.SecureRandom());
sslSocketFactory = sslContext.getSocketFactory();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
return sslSocketFactory;
}
public static class UnSafeHostnameVerifier implements HostnameVerifier
{
@Override
public boolean verify(String hostname, SSLSession session)
{
return true;
}
}
public static class UnSafeTrustManager implements X509TrustManager
{
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
{
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
{
}
@Override
public X509Certificate[] getAcceptedIssuers()
{
return new X509Certificate[]{};
}
}
}
HttpsRequest.java中稍微改动一下:
OkHttpClient mOkhttpClient = new OkHttpClient().newBuilder()
.sslSocketFactory(
HttpsUtil.getSSLCertifcation(context),
new HttpsUtil.UnSafeTrustManager()
)
.hostnameVerifier(new HttpsUtil.UnSafeHostnameVerifier())//由于还没有域名,此处设置忽略掉域名校验
.build();
结果如下:
至此双向校验完成!!!!
抓包欣赏一下
Emmmmm,完美!!!
查阅资料,发现只是实现了弱校验,后续在跟进,详情请参考:https://www.cnblogs.com/alisecurity/p/5939336.html