《GO語言高級編程》設計中案例,僅作爲筆記進行收藏。gRPC建⽴在HTTP/2協議之上,對TLS提供了很好的⽀持。客戶端在鏈接服務器中通過 grpc.WithInsecure() 選項跳過了對服務器證書的驗證,沒有啓⽤證書的gRPC服務在和客戶端進⾏的是明⽂通訊,信息⾯臨被任何第三⽅監聽的⻛險。爲了保障gRPC通信不被第三⽅監聽篡改或僞造,可以對服務器啓動TLS加密特性。
1.結構目錄
2.爲服務器和客戶端分別生成私鑰和證書,存放在 tls-config/ 目錄下,命令如下:
// Makefile
default:
# ca
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 \
-subj "/C=GB/L=China/O=gobook/CN=github.com" \
-key ca.key -out ca.crt
# server
openssl genrsa \
-out server.key 2048
openssl req -new \
-subj "/C=GB/L=China/O=server/CN=server.io" \
-key server.key \
-out server.csr
openssl x509 -req -sha256 \
-CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 \
-in server.csr \
-out server.crt
# client
openssl genrsa \
-out client.key 2048
openssl req -new \
-subj "/C=GB/L=China/O=client/CN=client.io" \
-key client.key \
-out client.csr
openssl x509 -req -sha256 \
-CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 \
-in client.csr \
-out client.crt
clean:
-rm *.key *.crt *.csr *.srl
3.Helloworld.proto
syntax = "proto3";
package main;
service Greeter{
rpc SayHello(HelloRequest) returns(HelloReply);
}
message HelloRequest{
string name = 1;
}
message HelloReply{
string message = 1;
}
4.Helloworld.pb.go
// Code generated by protoc-gen-go. DO NOT EDIT.
// source: helloworld.proto
package main
import proto "github.com/golang/protobuf/proto"
import fmt "fmt"
import math "math"
import (
context "golang.org/x/net/context"
grpc "google.golang.org/grpc"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
type HelloRequest struct {
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *HelloRequest) Reset() { *m = HelloRequest{} }
func (m *HelloRequest) String() string { return proto.CompactTextString(m) }
func (*HelloRequest) ProtoMessage() {}
func (*HelloRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_helloworld_04dfe859c9b956ba, []int{0}
}
func (m *HelloRequest) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_HelloRequest.Unmarshal(m, b)
}
func (m *HelloRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
return xxx_messageInfo_HelloRequest.Marshal(b, m, deterministic)
}
func (dst *HelloRequest) XXX_Merge(src proto.Message) {
xxx_messageInfo_HelloRequest.Merge(dst, src)
}
func (m *HelloRequest) XXX_Size() int {
return xxx_messageInfo_HelloRequest.Size(m)
}
func (m *HelloRequest) XXX_DiscardUnknown() {
xxx_messageInfo_HelloRequest.DiscardUnknown(m)
}
var xxx_messageInfo_HelloRequest proto.InternalMessageInfo
func (m *HelloRequest) GetName() string {
if m != nil {
return m.Name
}
return ""
}
type HelloReply struct {
Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *HelloReply) Reset() { *m = HelloReply{} }
func (m *HelloReply) String() string { return proto.CompactTextString(m) }
func (*HelloReply) ProtoMessage() {}
func (*HelloReply) Descriptor() ([]byte, []int) {
return fileDescriptor_helloworld_04dfe859c9b956ba, []int{1}
}
func (m *HelloReply) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_HelloReply.Unmarshal(m, b)
}
func (m *HelloReply) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
return xxx_messageInfo_HelloReply.Marshal(b, m, deterministic)
}
func (dst *HelloReply) XXX_Merge(src proto.Message) {
xxx_messageInfo_HelloReply.Merge(dst, src)
}
func (m *HelloReply) XXX_Size() int {
return xxx_messageInfo_HelloReply.Size(m)
}
func (m *HelloReply) XXX_DiscardUnknown() {
xxx_messageInfo_HelloReply.DiscardUnknown(m)
}
var xxx_messageInfo_HelloReply proto.InternalMessageInfo
func (m *HelloReply) GetMessage() string {
if m != nil {
return m.Message
}
return ""
}
func init() {
proto.RegisterType((*HelloRequest)(nil), "main.HelloRequest")
proto.RegisterType((*HelloReply)(nil), "main.HelloReply")
}
// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
const _ = grpc.SupportPackageIsVersion4
// GreeterClient is the client API for Greeter service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type GreeterClient interface {
SayHello(ctx context.Context, in *HelloRequest, opts ...grpc.CallOption) (*HelloReply, error)
}
type greeterClient struct {
cc *grpc.ClientConn
}
func NewGreeterClient(cc *grpc.ClientConn) GreeterClient {
return &greeterClient{cc}
}
func (c *greeterClient) SayHello(ctx context.Context, in *HelloRequest, opts ...grpc.CallOption) (*HelloReply, error) {
out := new(HelloReply)
err := c.cc.Invoke(ctx, "/main.Greeter/SayHello", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
// GreeterServer is the server API for Greeter service.
type GreeterServer interface {
SayHello(context.Context, *HelloRequest) (*HelloReply, error)
}
func RegisterGreeterServer(s *grpc.Server, srv GreeterServer) {
s.RegisterService(&_Greeter_serviceDesc, srv)
}
func _Greeter_SayHello_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(HelloRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(GreeterServer).SayHello(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/main.Greeter/SayHello",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(GreeterServer).SayHello(ctx, req.(*HelloRequest))
}
return interceptor(ctx, in, info, handler)
}
var _Greeter_serviceDesc = grpc.ServiceDesc{
ServiceName: "main.Greeter",
HandlerType: (*GreeterServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "SayHello",
Handler: _Greeter_SayHello_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "helloworld.proto",
}
func init() { proto.RegisterFile("helloworld.proto", fileDescriptor_helloworld_04dfe859c9b956ba) }
var fileDescriptor_helloworld_04dfe859c9b956ba = []byte{
// 142 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0xc8, 0x48, 0xcd, 0xc9,
0xc9, 0x2f, 0xcf, 0x2f, 0xca, 0x49, 0xd1, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0xc9, 0x4d,
0xcc, 0xcc, 0x53, 0x52, 0xe2, 0xe2, 0xf1, 0x00, 0xc9, 0x04, 0xa5, 0x16, 0x96, 0xa6, 0x16, 0x97,
0x08, 0x09, 0x71, 0xb1, 0xe4, 0x25, 0xe6, 0xa6, 0x4a, 0x30, 0x2a, 0x30, 0x6a, 0x70, 0x06, 0x81,
0xd9, 0x4a, 0x6a, 0x5c, 0x5c, 0x50, 0x35, 0x05, 0x39, 0x95, 0x42, 0x12, 0x5c, 0xec, 0xb9, 0xa9,
0xc5, 0xc5, 0x89, 0xe9, 0x30, 0x45, 0x30, 0xae, 0x91, 0x35, 0x17, 0xbb, 0x7b, 0x51, 0x6a, 0x6a,
0x49, 0x6a, 0x91, 0x90, 0x01, 0x17, 0x47, 0x70, 0x62, 0x25, 0x58, 0x97, 0x90, 0x90, 0x1e, 0xc8,
0x26, 0x3d, 0x64, 0x6b, 0xa4, 0x04, 0x50, 0xc4, 0x0a, 0x72, 0x2a, 0x93, 0xd8, 0xc0, 0xae, 0x32,
0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0x18, 0x38, 0x13, 0xf1, 0xa9, 0x00, 0x00, 0x00,
}
5.main.go
package main
import (
"log"
"net"
"time"
"crypto/tls"
"crypto/x509"
"io/ioutil"
"golang.org/x/net/context"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
var (
port = ":5000"
tlsDir = "./tls-config"
tlsServerName = "server.io"
ca = tlsDir + "/ca.crt"
server_crt = tlsDir + "/server.crt"
server_key = tlsDir + "/server.key"
client_crt = tlsDir + "/client.crt"
client_key = tlsDir + "/client.key"
)
type myGrpcServer struct{}
func (s *myGrpcServer) SayHello(ctx context.Context, in *HelloRequest) (*HelloReply, error) {
return &HelloReply{Message: "Hello " + in.Name}, nil
}
func main() {
go startServer()
time.Sleep(time.Second)
doClientWork()
}
func startServer() {
certificate, err := tls.LoadX509KeyPair(server_crt, server_key)
if err != nil {
log.Panicf("could not load server key pair: %s", err)
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(ca)
if err != nil {
log.Panicf("could not read ca certificate: %s", err)
}
// Append the client certificates from the CA
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Panic("failed to append client certs")
}
// Create the TLS credentials
creds := credentials.NewTLS(&tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert, // NOTE: this is optional!
Certificates: []tls.Certificate{certificate},
ClientCAs: certPool,
})
server := grpc.NewServer(grpc.Creds(creds))
RegisterGreeterServer(server, new(myGrpcServer))
lis, err := net.Listen("tcp", port)
if err != nil {
log.Panicf("could not list on %s: %s", port, err)
}
if err := server.Serve(lis); err != nil {
log.Panicf("grpc serve error: %s", err)
}
}
func doClientWork() {
certificate, err := tls.LoadX509KeyPair(client_crt, client_key)
if err != nil {
log.Panicf("could not load client key pair: %s", err)
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(ca)
if err != nil {
log.Panicf("could not read ca certificate: %s", err)
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Panic("failed to append ca certs")
}
creds := credentials.NewTLS(&tls.Config{
InsecureSkipVerify: false, // NOTE: this is required!
ServerName: tlsServerName, // NOTE: this is required!
Certificates: []tls.Certificate{certificate},
RootCAs: certPool,
})
conn, err := grpc.Dial("localhost"+port, grpc.WithTransportCredentials(creds))
if err != nil {
log.Fatal(err)
}
defer conn.Close()
c := NewGreeterClient(conn)
r, err := c.SayHello(context.Background(), &HelloRequest{Name: "gopher"})
if err != nil {
log.Fatalf("could not greet: %v", err)
}
log.Printf("doClientWork: %s", r.Message)
}
6.OpenSSL
6.1 genrsa
功能:
用於生成RSA私鑰,不會生成公鑰,因爲公鑰提取自私鑰
參數:
openssl genrsa [-help] [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-aria128] [-aria192] [-aria256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
說明:
-help:打印出使用情況消息。
-out filename:將密鑰輸出到指定文件。如果未指定此參數,則使用標準輸出。
-passout arg:加密私鑰文件時,傳遞密碼的格式,如果要加密私鑰文件時單未指定該項,則提示輸入密碼。傳遞密碼的args的格式如下:
pass: password表示傳遞的明文密碼,僅應在安全性不重要的地方使用。
env:從環境變量var獲取密碼。由於其他進程的環境在某些平臺上可見,因此應謹慎使用此選項。
file:filename的第一行是密碼。如果爲-passin和-passout參數提供了相同的路徑名參數,則第一行將用於輸入密碼,下一行將用於輸出密碼。filename不必引用常規文件:例如可以引用設備或命名管道。
stdin:從標準輸入中讀取密碼。
-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea:在輸出私鑰之前使用指定的密碼對其進行加密。如果未指定,則不使用加密;如果使用加密,如果密碼沒有通過-passout參數提供,則將提示您輸入密碼。
-F4 | -3:要使用的公共指數,即65537或3。默認值爲65537。
-rand file(s):一個或多個文件,這些文件包含用於爲隨機數生成器提供種子的隨機數據,或者是EGD套接字。可以指定多個文件,並由與操作系統相關的字符分隔。
-engine id:指定引擎(通過其唯一的ID字符串)將使genrsa嘗試獲取對指定引擎的功能引用,從而在需要時對其進行初始化。然後,引擎將被設置爲所有可用算法的默認引擎。
-numbits:生成的私鑰的大小(以位爲單位)。這必須是指定的最後一個選項。默認值爲2048。
例如:
openssl genrsa -des -passout pass:"1234546" -out prikey.pem 2048
6.2 req
功能:
創建並在PKCS#10格式的過程的證書請求。例如:可以創建自簽名證書以用作根CA。
參數:
openssl req [-help] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]
說明:
-out filename:證書請求或自簽署證書的輸出文件,也可以是其他內容的輸出文件,默認指定要寫入的輸出文件名或標準輸出(stdout)。
-in filename:如果未指定此選項,則它指定從中讀取請求的輸入文件名或標準輸入。如果未指定創建選項(-new和-newkey),則僅讀取請求。
-passin arg:輸入文件密碼源,傳遞解密密碼。
-passout arg:輸出文件密碼源,指定加密輸出文件時的密碼。
-text:以文本形式打印出證書申請。
-verify:驗證請求上的簽名。
-new:此選項生成一個新的證書請求。它將提示用戶輸入相關的字段值。提示的實際字段及其最大和最小大小在配置文件和任何請求的擴展名中指定。如果未使用-key選項,它將使用配置文件中指定的信息生成新的RSA私鑰。
-key filename:這指定從中讀取私鑰的文件。它還接受PEM格式文件的PKCS#8格式私鑰。
-subj arg:替換或自定義證書請求時需要輸入的信息,並輸出修改後的請求信息。arg 參數:C是Country、ST是state、L是localcity、O是Organization、OU是Organization Unit、CN是common name