CA證書自簽單向驗證Openssl命令

//openssl 下載
//https://slproweb.com/products/Win32OpenSSL.html

openssl
//生成key
genrsa -des3 -out server.key 2048 //需要輸入密碼
req -new -key server.key -out server.csr    //common name填寫域名,不正確填寫會被報警告
//去密碼
rsa -in server.key -out server_no_passwd.key
//生成證書
x509 -req -days 365 -in server.csr -signkey server_no_passwd.key -out server.crt

// export  1. server_no_passwd.key 2. server.crt

應用

//服務器
cred, err := credentials.NewServerTLSFromFile("keys/server.crt", "keys/server.key")
grpc.NewServer(grpc.Creds(cred))

//客戶端
cred, err := credentials.NewClientTLSFromFile("keys/server.crt", "localhost")   //參數(shù)二等同 common name
grpc.Dial(":8888",grpc.WithTransportCredentials(cred))

grpc server_http

//s.Serve(conn)
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
s.ServeHTTP(w, r)
})

http.ListenAndServeTLS(":8888","keys/server.crt", "keys/server.key",nil)

CA證書自簽雙向驗證Openssl命令

//使用CA證書
genrsa -out ca.key 2048
req -new -x509 -days 3650 -key ca.key -out ca.pem
//生成服務器證書
genrsa -out server.key 2048
req -new -key server.key -out server.csr
x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
//生成客戶端
ecparam -genkey -name secp384r1 -out client.key
req -new -key client.key -out client.csr
x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

應用

//服務器 (不能使用serveHttp)
cert, _ := tls.LoadX509KeyPair("cert/server.pem", "cert/server.key")
certPool := x509.NewCertPool()
ca, _ := ioutil.ReadFile("cert/ca.pem")

certPool.AppendCertsFromPEM(ca)

cred := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth:   tls.RequireAndVerifyClientCert,
ClientCAs:    certPool,
})

//客戶端
cert, _ := tls.LoadX509KeyPair("cert/client.pem", "cert/client.key")
certPool := x509.NewCertPool()
ca, _ := ioutil.ReadFile("cert/ca.pem")

certPool.AppendCertsFromPEM(ca)

cred := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
ServerName:   "localhost",
RootCAs:      certPool,
})

grpc-gateway使用

//安裝
go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway

go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger

go get -u github.com/golang/protobuf/protoc-gen-go

//proto file修改 例如
syntax = "proto3";

package services;

import "google/api/annotations.proto";

message Request{
  string name = 1;
}


message Response {
  string msg = 1;
}

service Greeter{
  rpc Hello(Request) returns (Response){
    option (google.api.http) = {
      get: "/v1/greeter/{name}"
    };
  }
}



//** 可以將引入的proto文件拷貝到編寫的proto目錄中颜武，這樣可以在生成時節(jié)省編寫包含目錄

//文件生成

protoc --go_out=plugins=grpc:. *.proto

protoc --grpc-gateway_out=logtostderr=true:. *.proto

//http 網(wǎng)關服務器編寫 
//(GetClientCreds 為上述客戶端Creds生成代碼封裝)
//localhost:8888 為grpc服務器綁定地址
//8081為網(wǎng)關服務器綁定端口

gwmux := runtime.NewServeMux()
opts := []grpc.DialOption{grpc.WithTransportCredentials(GetClientCreds())}
services.RegisterGreeterHandlerFromEndpoint(context.Background(),gwmux,"localhost:8888",opts)

httpServer := http.Server{
    Addr:    ":8081",
    Handler: gwmux,
}
fmt.Println(httpServer.ListenAndServe())

//測試 使用瀏覽器訪問
localhost:8081/v1/greeter/jack

gRpc字段驗證

//下載
github.com/envoyproxy/protoc-gen-validate

//修改proto文件
import "validate.proto";
message People{
  string name = 1;
  int32 age = 2[(validate.rules).int32.gt = 18];
}
//生成
protoc --go_out=plugins=grpc:. --validate_out=lang=go:. *.proto

//驗證代碼
err := req.People.Validate()
//...