I want to create a tls client using the net/http in GO how can I create it given the ca certificates?
package main
import (
"crypto/tls"
"crypto/x509"
"flag"
"io/ioutil"
"log"
"net/http"
)
var (
certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
keyFile = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
caFile = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
)
func main() {
flag.Parse()
// Load client cert
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
log.Fatal(err)
}
// Load CA cert
caCert, err := ioutil.ReadFile(*caFile)
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Setup HTTPS client
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}
// Do GET something
resp, err := client.Get("https://localdev.local:8443")
if err != nil {
log.Fatal(err)
}
defer resp.Body.Close()
// Dump response
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Fatal(err)
}
log.Println(string(data))
}
Mostly borrowed from this gist. And here is a great article to work with TLS in Go: https://ericchiang.github.io/tls/go/https/2015/06/21/go-tls.html
Related
I'm currently developing a custom scanner in go for OpenVAS. Problem is that the handshake with my custom server fails.
I traced the problem down to error -73: GNUTLS_E_ASN1_TAG_ERROR from gnutls_handshake, but I can't find any resources on that problem. I read something about the certificates being incorrect then but I can't do anything other than regenerating the OpenVAS certificates. The tls functionality in the go server just uses a simple ListenAndServeTLS and gets the server cert and key.
edit:
So this is the relevant network part on the custom scanner:
var (
port = ":1234"
cert = "/usr/local/var/lib/openvas/CA/servercert.pem"
ca = "/usr/local/var/lib/openvas/CA/cacert.pem"
key = "/usr/local/var/lib/openvas/private/CA/serverkey.pem"
)
func start_server() {
ca_file, err := ioutil.ReadFile(ca)
if err != nil {
panic(err)
}
blocks, _ := pem.Decode( ca_file )
ca, err := x509.ParseCertificate(blocks.Bytes)
if err != nil {
panic(err)
}
priv_file, _ := ioutil.ReadFile(key)
blocks2, _ := pem.Decode( priv_file )
priv, err := x509.ParsePKCS1PrivateKey(blocks2.Bytes)
if err != nil {
panic(err)
}
pool := x509.NewCertPool()
pool.AddCert(ca)
cert := tls.Certificate{
Certificate: [][]byte{ca_file},
PrivateKey: priv,
}
config := tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cert},
ClientCAs: pool,
}
config.Rand = rand.Reader
service := "0.0.0.0" + port
listener, err := tls.Listen("tcp", service, &config)
if err != nil {
log.Fatalf("server: listen: %s", err)
}
log.Print("server: listening")
for {
conn, err := listener.Accept()
if err != nil {
log.Printf("server: accept: %s", err)
break
}
defer conn.Close()
log.Printf("server: accepted from %s", conn.RemoteAddr())
go handle(conn)
}
}
func handle(conn net.Conn) {
str := "Hello"
defer conn.Close()
buf := make([]byte, 512)
for {
log.Print("server: conn: waiting")
conn.Write( ([]byte)(str) )
n, err := conn.Read(buf)
if err != nil {
if err != nil {
fmt.Println (err)
}
break
}
tlscon, ok := conn.(*tls.Conn)
if ok {
state := tlscon.ConnectionState()
sub := state.PeerCertificates[0].Subject
log.Println(sub)
}
log.Printf("server: conn: echo %q\n", string(buf[:n]))
n, err = conn.Write(buf[:n])
n, err = conn.Write(buf[:n])
log.Printf("server: conn: wrote %d bytes", n)
if err != nil {
log.Printf("server: write: %s", err)
break
}
}
log.Println("server: conn: closed")
}
func main() {
start_server()
}
It's taken from an example but it didn't work properly at first ( there was no decode before parsecertificates). Maybe the certificate is mal-formatted now because of that? Before adding the two decodes I had a similar error about the asn1 tags not matching. So also an asn1 error. I thought of generating my own certificate but I don't know if this will not break OpenVAS for the other scanners. I had the same results when just using listenandservetls from go. The error is definitely produced in gnutls_handshake. It's frustrating that I only get an error code from that.
I am working on some code for a device that will not be able to query a DNS. I will only have ports 80 and 443 available.
The following works, but of course hits the DNS. The domain used is my personal domain, not the real domain the problem is for - it’s work related and redacted. This is simply used to illustrate the issue.
package main
import (
“log”
“net/http”
)
func main() {
client := &http.Client{}
req, err := http.NewRequest(“GET”, “https://donatstudios.com/images/Spacecat/spacecat.svg”, nil)
if err != nil {
log.Fatal(err)
}
_, err = client.Do(req)
if err != nil {
log.Fatal(err)
}
log.Fatal(“no errors”)
}
I change the code to hit the specific IP address ala:
package main
import (
“log”
“net/http”
)
func main() {
client := &http.Client{}
req, err := http.NewRequest(“GET”, “https://162.243.23.224/images/Spacecat/spacecat.svg”, nil)
if err != nil {
log.Fatal(err)
}
req.Host = “donatstudios.com”
_, err = client.Do(req)
if err != nil {
log.Fatal(err)
}
log.Fatal(“no errors”)
}
And now receive “cannot validate certificate for 162.243.23.224 because it doesn't contain any IP SANs”
When not using an https domain the above code works.
Presumably this is something to do with SSL. #go-nuts told me they believe this to happen before it ever hit the HTTP layer? I’ve been poking this for hours and cannot figure out how to make it work.
I'm assuming your server is using SNI like the one used in the example. Give this a try and see if it works for you.
package main
import (
"crypto/tls"
"log"
"net/http"
)
func main() {
tlsConfig := &tls.Config{
ServerName: "moupon.co",
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}
req, err := http.NewRequest("GET", "https://216.239.32.21/s/img/logo.png", nil)
if err != nil {
log.Fatal(err)
}
req.Host = "moupon.co"
_, err = client.Do(req)
if err != nil {
log.Fatal(err)
}
log.Fatal("no errors")
}
I'm using JWT. This is how I create the token.
func createToken(user User) (string, error) {
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["Name"] = user.Name
token.Claims["Email"] = user.Email
//token.Claims["ExpDate"] = time.Now().Add(time.Hour * 1).Unix()
tokenString, err := token.SignedString([]byte(config.PrivateKey))
if err != nil {
return "", err
}
return tokenString, nil
}
This is how I verify the token.
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return []byte(config.PublicKey), nil
})
I generated my public and private keys with this python code
from Crypto.PublicKey import RSA
private = RSA.generate(1024)
public = private.publickey()
priv = private.exportKey()
pub = public.exportKey()
I get crypto/rsa: verification error. When I print the parsed token everything looks fine except token.Valid which is false and token.Signature is empty.
type Token struct {
Raw string // The raw token. Populated when you Parse a token
Method SigningMethod // The signing method used or to be used
Header map[string]interface{} // The first segment of the token
Claims map[string]interface{} // The second segment of the token
Signature string // The third segment of the token. Populated when you Parse a token
Valid bool // Is the token valid? Populated when you Parse/Verify a token
}
tokenString--> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJFbWFpbCI6InRlc3RAaG90bWFpbC5jb20iLCJOYW1lIjoidGVzdE5hbWUifQ.fgd1h4LB1zzAiPFLKMOJrQu12rTLeXBDKHdnqiNc04NRn-1v7cHEQpDNawvScMIGrcQLbZo6WrldZQT9ImYWpUyy3CcD2uMO95I5PN6aXOSPb26nNGQpmIi1HNZrq5359hKZ6BWEJnW9iTg7RgmMvZGmIqlGLsOY2a6UiiwBsI0
token.Raw--> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJFbWFpbCI6InRlc3RAaG90bWFpbC5jb20iLCJOYW1lIjoidGVzdE5hbWUifQ.fgd1h4LB1zzAiPFLKMOJrQu12rTLeXBDKHdnqiNc04NRn-1v7cHEQpDNawvScMIGrcQLbZo6WrldZQT9ImYWpUyy3CcD2uMO95I5PN6aXOSPb26nNGQpmIi1HNZrq5359hKZ6BWEJnW9iTg7RgmMvZGmIqlGLsOY2a6UiiwBsI0
token.Header--> map[alg:RS256 typ:JWT]
token.Claims--> map[Email:test#hotmail.com Name:testName]
token.Signature-->
token.Valid--> false
PS: I don't have any SSL-Certificates.
This worked for me. I generated the private.pem and public.pem using these commands.
openssl genrsa -des3 -out private.pem 1024
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Code:
package main
import (
"fmt"
"github.com/dgrijalva/jwt-go"
"io/ioutil"
"log"
"time"
)
//Claims can have user id.. etc for Identification purpose
type AppClaims struct {
UserId string `json:"userId"`
jwt.StandardClaims
}
var (
privateKey []byte
publicKey []byte
err error
)
const (
longForm = "Jan 2, 2006 at 3:04pm (MST)"
)
func errLog(err error) {
if err != nil {
log.Fatal("Error:", err.Error())
}
}
func init() {
privateKey, err = ioutil.ReadFile("../private.pem")
errLog(err)
publicKey, err = ioutil.ReadFile("../public.pem")
errLog(err)
}
func jwtTokenGen() (interface{}, error) {
privateRSA, err := jwt.ParseRSAPrivateKeyFromPEM(privateKey)
if err != nil {
return nil, err
}
claims := AppClaims{
"RAJINIS*",
jwt.StandardClaims{
ExpiresAt: time.Now().Add(time.Minute * 15).Unix(),
Issuer: "test",
},
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
ss, err := token.SignedString(privateRSA)
return ss, err
}
func jwtTokenRead(inToken interface{}) (interface{}, error) {
publicRSA, err := jwt.ParseRSAPublicKeyFromPEM(publicKey)
if err != nil {
return nil, err
}
token, err := jwt.Parse(inToken.(string), func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return publicRSA, err
})
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
return claims, nil
} else {
return nil, err
}
}
func getTokenRemainingValidity(timestamp interface{}) int {
expireOffset := 0
if validity, ok := timestamp.(float64); ok {
tm := time.Unix(int64(validity), 0)
remainder := tm.Sub(time.Now())
if remainder > 0 {
fmt.Println(remainder)
return int(remainder.Seconds()) + expireOffset
}
}
return expireOffset
}
func main() {
signedString, err := jwtTokenGen()
fmt.Println(signedString, err)
claims, err := jwtTokenRead(signedString)
if err != nil {
errLog(err)
}
claimValue := claims.(jwt.MapClaims)
fmt.Println(claimValue["iss"], claimValue["exp"], claimValue["userId"])
// t, _ := time.Parse(longForm, string(claimValue["exp"].(float64)))
fmt.Println(getTokenRemainingValidity(claimValue["exp"]))
}
I'm trying to connect to an amazon AWS linux server with a key using the [ssh][1] package of Go programming language. However the package documentation is a bit cryptic/confusing. Does anyone know how to connect through ssh using a key or at least if it's possible ? What bothers me is that in the [Dial][3] example it says
// An SSH client is represented with a ClientConn. Currently only
// the "password" authentication method is supported.
I basically want to mimic the ssh -i x.pem root#server.com behavior and execute a command inside the server ( e.g. whoami )
You need to use ssh.PublicKeys to turn a list of ssh.Signers into an ssh.AuthMethod. You can use ssh.ParsePrivateKey to get a Signer from the pem bytes, or if you need to use an rsa, dsa or ecdsa private key, you can give those to ssh.NewSignerFromKey.
Here's an example fleshed out a bit with Agent support too (since using an agent is usually the next step after simply using a key file).
sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
if err != nil {
log.Fatal(err)
}
agent := agent.NewClient(sock)
signers, err := agent.Signers()
if err != nil {
log.Fatal(err)
}
// or get the signer from your private key file directly
// signer, err := ssh.ParsePrivateKey(pemBytes)
// if err != nil {
// log.Fatal(err)
// }
auths := []ssh.AuthMethod{ssh.PublicKeys(signers...)}
cfg := &ssh.ClientConfig{
User: "username",
Auth: auths,
}
cfg.SetDefaults()
client, err := ssh.Dial("tcp", "aws-hostname:22", cfg)
if err != nil {
log.Fatal(err)
}
session, err = client.NewSession()
if err != nil {
log.Fatal(err)
}
log.Println("we have a session!")
...
Here is an example to run ls remotely using your "plain private key file".
pemBytes, err := ioutil.ReadFile("/location/to/YOUR.pem")
if err != nil {
log.Fatal(err)
}
signer, err := ssh.ParsePrivateKey(pemBytes)
if err != nil {
log.Fatalf("parse key failed:%v", err)
}
config := &ssh.ClientConfig{
User: "ubuntu",
Auth: []ssh.AuthMethod{ssh.PublicKeys(signer)},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
conn, err := ssh.Dial("tcp", "yourhost.com:22", config)
if err != nil {
log.Fatalf("dial failed:%v", err)
}
defer conn.Close()
session, err := conn.NewSession()
if err != nil {
log.Fatalf("session failed:%v", err)
}
defer session.Close()
var stdoutBuf bytes.Buffer
session.Stdout = &stdoutBuf
err = session.Run("ls -l")
if err != nil {
log.Fatalf("Run failed:%v", err)
}
log.Printf(">%s", stdoutBuf)
I'm trying to generate a keypair to be used for SSH in Go. I seem to be creating a private key just fine, although I can't figure out how to generate a public key in the correct format.
Here's the code:
privateKey, err := rsa.GenerateKey(rand.Reader, 2014)
if err != nil {
return nil, err
}
privateKeyDer := x509.MarshalPKCS1PrivateKey(privateKey)
privateKeyBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: privateKeyDer,
}
privateKeyPem := string(pem.EncodeToMemory(&privateKeyBlock))
publicKey := privateKey.PublicKey
publicKeyDer, err := x509.MarshalPKIXPublicKey(&publicKey)
if err != nil {
return nil, err
}
publicKeyBlock := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: publicKeyDer,
}
publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
fmt.Println(privateKeyPem)
fmt.Println(publicKeyPem)
I get this output:
-----BEGIN RSA PRIVATE KEY-----
MIIEhgIBAAKB/DFnL5O2LCGJQJ/6W299AsrXsHU3nsGVTbjoDqXjdHboSqAuv0ap
oyTPQuBVNff1X0AdVDwjat2vSAukST/3PmRX4TNU4jV0rog/z6grexOCSl3oatJO
i80t+F6uuTD6XTh5C5yDQNI/sTyaPpydbI+P87UuY4UapZaei7fwc3MfurJ+jwEJ
c+jOWbll2YhIgCOuIe0GRX4e4CDC2KiO/BqAWCPQNjk0Y0iC2+J+2Qy3QBOJTVO8
E2DzIhIe4VjKK6OVVesYmJWSXX/Jx382CvUDv5ss8mxGEs3yge4zeQ0GPPDaqTFw
OJ1uppsdj10ZiW92E8v/fYwlBNGfrQIDAQABAoH8C2OCMEcavVBquXZ5haYH8sLu
RtdfnbjRhgLY/Z0FyDOcoHimV5/boCy3egeqvVKvdpRMSuDPTfOOZECnMjvJAlDP
9Yln7HLNmVM8h8QeR00N38Aof/rjd5VVYF5fCs9slgwxhQ8s7ksIjLPyIyCXWjER
OX9MKe8OpT4/b1Pa1X6I28PaC3LVjDHEkigPd705i8VuF2nvZ3+Kb5uQHeczsq6f
LfJTME0uewB2UhKokJRUlqNpRMp+N4DUhChwC9yN0EXlxzbTUsW8ouLFNKLCqlxZ
YAJqWfCFFe14f++Ie4tfyFI0e1VP7Gge+5vxiIkuPapj5MMg47bVQHtxAn5olgFT
/RWHAGsGPS8cyFZ3sh01qmfaPl4mgthTQdSKj/YKUXy8/u9Wqdk7DK5wfTxD6/Go
HUpNtXkEhL5HmWxq85lhXzos98C/hNlo2GIP1X3D7IgGTwe3z2nlKUCAXLdc3Wwf
GmpBsg3HXZ7ZBL2WwH6JNn/KgbjSioZChvMCfnjtHZMoYfgoD3ncUey4Db5K2/cu
mWPGosswouUOnEFjYHKxo2glxxPgtOK2EgURxE/t/Tz+WPak4gl8fMjg4v8cjuxo
kZdH6Izm0wqMrPOdKFFwFFSdwhl5DG9Ikg/UTznAprvkfmtF32/sX1Ux4NBD6paq
XvMSLPz67VIm3wJ+JAvvkT8deFZQjOnxnv39r2uYXbLJ8JKmaKeYX7nEw60ypAPJ
9mn3m+sWkB+iz+qaJt7ff4342ie9+iy2WH8suwAS0Vi8+Fq7+EaVmGlcAxEWM70G
dQYwJs46NV2ueY97M2qtpVq5XMM9tIU0BqB3p8nY0voRuX5UcVyFQdC5An493VDc
EDTOt+/y7/wZlq+xQqr18ikXGm/+c4tik+7spOKayrZGec03JiZkNbFSVpyQJ7j+
k0EALapWIBHW0vZOfVXBLF4PfwJB03T0WLPCjgwqXaSJBYxfa8YoyH+xCXTenuiu
B1+FkeGVaN/8vd+9rIE/QzoAMLRDWDxBYxECfkAVgjWSiLoK3fJcdwsh6e9bxgK7
EI8yFnWyFhymHTLjACcw9DIZyiaFkpjkXjB7NX0EzWtM5FPUmfrFFLlCpHAzZ8P6
FjXyOcfVlE9IF4gZHNUXHj8R0HflPWg9K9pfAxBhmc5+GJ6aL4smjvpp05fwPD6u
0yYyxcpe8iznsQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBHDANBgkqhkiG9w0BAQEFAAOCAQkAMIIBBAKB/DFnL5O2LCGJQJ/6W299AsrX
sHU3nsGVTbjoDqXjdHboSqAuv0apoyTPQuBVNff1X0AdVDwjat2vSAukST/3PmRX
4TNU4jV0rog/z6grexOCSl3oatJOi80t+F6uuTD6XTh5C5yDQNI/sTyaPpydbI+P
87UuY4UapZaei7fwc3MfurJ+jwEJc+jOWbll2YhIgCOuIe0GRX4e4CDC2KiO/BqA
WCPQNjk0Y0iC2+J+2Qy3QBOJTVO8E2DzIhIe4VjKK6OVVesYmJWSXX/Jx382CvUD
v5ss8mxGEs3yge4zeQ0GPPDaqTFwOJ1uppsdj10ZiW92E8v/fYwlBNGfrQIDAQAB
-----END PUBLIC KEY-----
If you're looking for generating keys in the format that will be included in an OpenSSH authorized_key file, below is a helper I wrote recently:
// MakeSSHKeyPair make a pair of public and private keys for SSH access.
// Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
// Private Key generated is PEM encoded
func MakeSSHKeyPair(pubKeyPath, privateKeyPath string) error {
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
return err
}
// generate and write private key as PEM
privateKeyFile, err := os.Create(privateKeyPath)
defer privateKeyFile.Close()
if err != nil {
return err
}
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
if err := pem.Encode(privateKeyFile, privateKeyPEM); err != nil {
return err
}
// generate and write public key
pub, err := ssh.NewPublicKey(&privateKey.PublicKey)
if err != nil {
return err
}
return ioutil.WriteFile(pubKeyPath, ssh.MarshalAuthorizedKey(pub), 0655)
}
You can use the OpenSSH ssh-keygen to convert the file.
Write the PEM out to a file (e.g. pubkey.pem) and convert it like so:
ssh-keygen -m PKCS8 -f pubkey.pem -i
Or you can use the MarshalAuthorizedKey function from the ssh package:
// using publicKey from above.
// though NewPublicKey takes an interface{}, it must be a pointer to a key.
pub, err := ssh.NewPublicKey(&publicKey)
if err != nil {
// do something
}
pubBytes := ssh.MarshalAuthorizedKey(pub)
fmt.Println(string(pubBytes))
Adapted #Greg's version to return strings:
func MakeSSHKeyPair() (string, string, error) {
privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
return "", "", err
}
// generate and write private key as PEM
var privKeyBuf strings.Builder
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
if err := pem.Encode(&privKeyBuf, privateKeyPEM); err != nil {
return "", "", err
}
// generate and write public key
pub, err := ssh.NewPublicKey(&privateKey.PublicKey)
if err != nil {
return "", "", err
}
var pubKeyBuf strings.Builder
pubKeyBuf.Write(ssh.MarshalAuthorizedKey(pub))
return pubKeyBuf.String(), privKeyBuf.String(), nil
}