AWS API Gateway client certificates in Go lang

Question


I'm trying to secure the connection between AWS API Gateway and my API endpoint services exactly as it is described in this documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

AFAIK I need to copy the cert from AWS API Gateway and use the http.ListenAndServeTLS method. But it accepts two files, keyFile and certFile:
func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler).

When I click on the copy link (see image below)
[image: the copy link for the AWS API Gateway client certificate]

the only thing I get is the certificate in such format (I've shortened it for explanation purposes):

-----BEGIN CERTIFICATE-----
MIIC6TCCAdGgAwIBAgIJAKbyiCf2f5J2MA0GCSqGSIb3DQEBCwUAMDQxCzAJBgNV
fYe+dxR0PMFvfUpZaGgaY1ykQG1sNaw/b6NjNg9c1aEVSZ7b1eU/cBmb6XqHw0Ih
7yHtBm+p8Px4NMAT9YhytTxPRBYpApfUsfPMa3qfUWvvj4TD0LR6bW980bebyxUn
BigXToSFlPeiNGdU/Zpiw9crzplojNBFc=
-----END CERTIFICATE-----

So my question is, how exactly do I need to configure the ListenAndServeTLS method to make sure that any request to my service is from API Gateway? Where can I find the private key? It's quite confusing for me.

Answer 1

Score: 3


The client certificate AWS gives you is for authenticating the client that sends requests to your service, which is the AWS gateway.

This cert is not to be used to start your server, but to authenticate requests.

See an example of use below: untested code, but as a lead.

package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"io"
	"log"
	"net/http"
	"os"
)

func Hello(w http.ResponseWriter, req *http.Request) {
	io.WriteString(w, "hello, world!\n")
}

func main() {
	http.HandleFunc("/hello", Hello)

	// The PEM copied from the API Gateway console: the gateway's client certificate only.
	certBytes, err := os.ReadFile("aws-gateway.pem")
	if err != nil {
		log.Fatal(err)
	}
	block, _ := pem.Decode(certBytes)
	if block == nil {
		log.Fatal("aws-gateway.pem does not contain a PEM block")
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		log.Fatal(err)
	}

	// Only certificates in this pool are accepted from connecting clients.
	clientCertPool := x509.NewCertPool()
	clientCertPool.AddCert(cert)

	tlsConfig := &tls.Config{
		ClientCAs: clientCertPool,
		// ClientAuth policies, weakest to strictest:
		// NoClientCert, RequestClientCert, RequireAnyClientCert,
		// VerifyClientCertIfGiven, RequireAndVerifyClientCert
		ClientAuth: tls.RequireAndVerifyClientCert,
	}

	server := &http.Server{
		Addr:      ":8080",
		TLSConfig: tlsConfig,
	}

	// server.crt and server.key are the server's own TLS certificate and key,
	// separate from the gateway's client certificate loaded above.
	log.Fatal(server.ListenAndServeTLS("server.crt", "server.key"))
}

This way, your service will require that all requests provide a certificate and will verify it against the ClientCAs pool. You could, of course, add more certificates to the client pool if desired.
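The following is an added, runnable illustration of the answer above; it is not the answerer's code and not AWS's. Because the real gateway certificate and its private key are not on this page, a self-signed certificate generated in the block stands in for the one the console's copy link gives you (a constructed stand-in), and httptest's built-in localhost certificate plays the role of server.crt/server.key. The gateway's private key is assumed to stay on the client side, exactly as with AWS: the server only ever needs the public certificate. The block shows the whole flow end to end: parse the copied PEM into a pool, require and verify client certificates, and probe the server with the right certificate, no certificate, and an unrelated certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewSelfSignedClientCert builds a self-signed client certificate: a constructed
// stand-in for the one API Gateway generates, so the example runs offline.
func NewSelfSignedClientCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// CertToPEM renders the certificate in the form the console's copy link gives you.
func CertToPEM(c tls.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Certificate[0]})
}

// GatewayPool turns the copied PEM into a pool holding only that certificate.
// pem.Decode returns a nil block for non-PEM input, and the pool method is AddCert.
func GatewayPool(pemBytes []byte) (*x509.CertPool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool, nil
}

// ServerTLSConfig makes every handshake fail unless the client presents a
// certificate that verifies against the pool, so handlers never see other callers.
func ServerTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
}

// Hello greets the verified peer; r.TLS.PeerCertificates is populated only after
// a successful client-certificate handshake.
func Hello(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "hello, %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// StartTestServer serves Hello over mTLS on a loopback port; the server's own
// certificate is httptest's built-in localhost certificate.
func StartTestServer(cfg *tls.Config) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(Hello))
	srv.TLS = cfg
	srv.StartTLS()
	return srv
}

// Probe performs one request, presenting clientCert when it is non-nil, and
// returns the status and body, or the error a rejected handshake produces.
func Probe(srv *httptest.Server, clientCert *tls.Certificate) (int, string, error) {
	tr := srv.Client().Transport.(*http.Transport)
	tr.CloseIdleConnections() // force a fresh handshake for every probe
	tr.TLSClientConfig.Certificates = nil
	if clientCert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := srv.Client().Get(srv.URL + "/hello")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}
```

Two points the probes make visible: a request without a certificate, or with a certificate that is not in the pool, fails at the TLS handshake and never reaches the handler, which is the property the question asks for; and since the pool holds nothing but the gateway certificate, only that certificate's holder can get through. The certificate carries a NotAfter date, so when the gateway certificate is rotated the pool must be rebuilt from the newly copied PEM, or the gateway itself will start failing the handshake.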

huangapple
  • Published on 2017-05-09 16:35:11
  • Reposts must keep the link to this article: https://go.coder-hub.com/43864955.html