douping6871
2017-05-09 08:35
Views 190
Accepted

AWS API Gateway client certificate in Go

I'm trying to secure the connection between AWS API Gateway and my API endpoint services exactly as it is described in this documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

AFAIK I need to copy the cert from AWS API Gateway and use the http.ListenAndServeTLS method. But it accepts two files, keyFile and certFile: func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler).

When I click on the copy link (see image below: an example of a certificate generated by AWS)

the only thing I get is the certificate in this format (I've shortened it for explanation purposes):

-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIJAKbyiCf2f5J2MA0GCSqGSIb3DQEBCwUAMDQxCzAJBgNV
fYe+dxR0PMFvfUpZaGgaY1ykQG1sNaw/b6NjNg9c1aEVSZ7b1eU/cBmb6XqHw0Ih
7yHtBm+p8Px4NMAT9YhytTxPRBYpApfUsfPMa3qfUWvvj4TD0LR6bW980bebyxUn
BigXToSFlPeiNGdU/Zpiw9crzplojNBFc=
-----END CERTIFICATE-----

So my question is, how exactly do I need to configure the ListenAndServeTLS method to make sure that any request to my service is from API Gateway? Where can I find the private key? It's quite confusing for me.


1 answer

  • dsjq6977 2017-05-09 09:32
    Accepted

    The client certificate AWS gives you is for authenticating the client that sends requests to your service, which is the AWS gateway.

    This cert is not to be used to start your server, but to authenticate requests.

    See an example of use below, untested code, but as a lead.

    package main

    import (
        "crypto/tls"
        "crypto/x509"
        "encoding/pem"
        "io"
        "log"
        "net/http"
        "os"
    )

    func Hello(w http.ResponseWriter, req *http.Request) {
        io.WriteString(w, "hello, world!\n")
    }

    func main() {
        http.HandleFunc("/hello", Hello)

        // The PEM copied from the API Gateway console: the public certificate only.
        certBytes, err := os.ReadFile("aws-gateway.pem")
        if err != nil {
            log.Fatal(err)
        }
        block, _ := pem.Decode(certBytes)
        if block == nil || block.Type != "CERTIFICATE" {
            log.Fatal("aws-gateway.pem does not contain a PEM CERTIFICATE block")
        }

        cert, err := x509.ParseCertificate(block.Bytes)
        if err != nil {
            log.Fatal(err)
        }

        // Pool of trusted certificates that every client certificate is verified against.
        clientCertPool := x509.NewCertPool()
        clientCertPool.AddCert(cert)

        tlsConfig := &tls.Config{
            ClientCAs: clientCertPool,
            // Other ClientAuth modes: NoClientCert, RequestClientCert,
            // RequireAnyClientCert, VerifyClientCertIfGiven.
            ClientAuth: tls.RequireAndVerifyClientCert,
        }

        server := &http.Server{
            Addr:      ":8080",
            TLSConfig: tlsConfig,
        }

        // server.crt and server.key are the service's own certificate and private
        // key, not the gateway certificate.
        log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
    }


    This way, your service will require that all requests provide a certificate and will verify it against the pool of ClientCAs. You could, of course, add more certificates to the client pool if desired.

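To show the answer's approach end to end, here is an added, self-contained Go example; it is not the answer's code and nothing in it comes from AWS. It builds a locally constructed stand-in for the self-signed certificate API Gateway generates, loads it straight from PEM into the ClientCAs pool, starts a local server with RequireAndVerifyClientCert, and then checks that a request carrying that certificate is accepted while a request without a certificate, or with a different self-signed certificate, is refused at the handshake. The function names (newSelfSigned, poolFromPEM, serverTLSConfig, callWithClient) and the subject names "ApiGateway" and "my-service" are mine. The server's own certificate and key are generated separately from the gateway certificate: they are what the certFile and keyFile arguments refer to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSigned builds a self-signed certificate and key (constructed locally). It stands in
// for the certificate API Gateway generates, which you only ever see as PEM, and for the
// service's own server certificate.
func newSelfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the test client verify the server by IP
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes
}

// poolFromPEM turns the PEM copied from the console into the pool of trusted client
// certificates. A self-signed gateway certificate is its own trust anchor.
func poolFromPEM(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no CERTIFICATE block found in PEM")
	}
	return pool, nil
}

// serverTLSConfig is the configuration the answer sketches: present the service's own
// certificate and reject any client whose certificate does not verify against the pool.
func serverTLSConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    clientCAs,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
}

// callWithClient starts a local mTLS server trusting gatewayPEM and makes one request with
// the given client certificates (nil = none). A rejected handshake surfaces as an error.
func callWithClient(gatewayPEM []byte, clientCerts []tls.Certificate) (int, string, error) {
	pool, err := poolFromPEM(gatewayPEM)
	if err != nil {
		return 0, "", err
	}
	serverCert, _ := newSelfSigned("my-service", x509.ExtKeyUsageServerAuth)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is non-empty here only because ClientAuth already verified it.
		io.WriteString(w, "hello, "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = serverTLSConfig(serverCert, pool)
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the server certificate
	client.Transport.(*http.Transport).TLSClientConfig.Certificates = clientCerts
	resp, err := client.Get(srv.URL + "/hello")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	gatewayCert, gatewayPEM := newSelfSigned("ApiGateway", x509.ExtKeyUsageClientAuth)
	fmt.Println(callWithClient(gatewayPEM, []tls.Certificate{gatewayCert}))
	fmt.Println(callWithClient(gatewayPEM, nil))
}
```

Run it with go run. The handler reads r.TLS.PeerCertificates, which is the place to log the presenting subject or to compare it against the one certificate you expect, on top of the pool check the TLS layer already did. The private key behind the gateway's certificate stays inside API Gateway, so keyFile is always your own server key; nothing you download from the console fills that argument.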