douping6871 2017-05-09 08:35
浏览 194
已采纳

Go lang中的AWS API Gateway客户端证书

I'm trying to secure connection between AWS API Gateway and my API endpoint services exactly as it is described int his documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

AFAIK I need to copy the cert form AWS API Gateway and use http.ListenAndServeTLS method. But it accepts two files: keyFile and certFile func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler).

When I click on copy link (see image below) example of certificate generated by AWS

the only thing I get is the certificate in such format (I've shortened it for explanation purposes):

-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIJAKbyiCf2f5J2MA0GCSqGSIb3DQEBCwUAMDQxCzAJBgNV
fYe+dxR0PMFvfUpZaGgaY1ykQG1sNaw/b6NjNg9c1aEVSZ7b1eU/cBmb6XqHw0Ih
7yHtBm+p8Px4NMAT9YhytTxPRBYpApfUsfPMa3qfUWvvj4TD0LR6bW980bebyxUn
BigXToSFlPeiNGdU/Zpiw9crzplojNBFc=
-----END CERTIFICATE-----

So my question is, how exactly I need to configure ListenAndServeTLS method to make sure the any request to my service is from API Gateway? Where I can find private key? It's quite confusing for me.

  • 写回答

1条回答 默认 最新

  • dsjq6977 2017-05-09 09:32
    关注

    The client certificate AWS is given you is for authenticating the client that send requests to your service, which is the AWS gateway.

    This cert is not to be used to start your server, but to authenticates requests.

    See an example of use below, untested code, but as a lead.

    func Hello(w http.ResponseWriter, req *http.Request) {
    io.WriteString(w, "hello, world!
")
}

func main() {
    http.HandleFunc("/hello", Hello)

    certBytes, err := ioutil.ReadFile("aws-gateway.pem")
    if err != nil {
        log.Fatal(err)
    }
    block, certBytes := pem.Decode(certBytes)

    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
       log.Fatal(err)
    }

    clientCertPool := x509.NewCertPool()
    clientCertPool.AddCerts(cert)

    tlsConfig := &tls.Config{
        ClientCAs: clientCertPool,
        // NoClientCert
        // RequestClientCert
        // RequireAnyClientCert
        // VerifyClientCertIfGiven
        // RequireAndVerifyClientCert
        ClientAuth: tls.RequireAndVerifyClientCert,
    }
    tlsConfig.BuildNameToCertificate()

    server := &http.Server{
        Addr:      ":8080",
        TLSConfig: tlsConfig,
    }

    server.ListenAndServeTLS("server.crt", "server.key")
}

    This way, your service will require that all requests provide a certificate and will verify it against the pool of ClientCA. You could, of course, add more certificates to the client pool if desired.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 永磁型步进电机PID算法
  • ¥15 sqlite 附加(attach database)加密数据库时,返回26是什么原因呢?
  • ¥88 找成都本地经验丰富懂小程序开发的技术大咖
  • ¥15 如何处理复杂数据表格的除法运算
  • ¥15 如何用stc8h1k08的片子做485数据透传的功能?(关键词-串口)
  • ¥15 有兄弟姐妹会用word插图功能制作类似citespace的图片吗?
  • ¥200 uniapp长期运行卡死问题解决
  • ¥15 latex怎么处理论文引理引用参考文献
  • ¥15 请教:如何用postman调用本地虚拟机区块链接上的合约?
  • ¥15 为什么使用javacv转封装rtsp为rtmp时出现如下问题:[h264 @ 000000004faf7500]no frame?