go - 如何为 tls 客户端身份验证正确生成客户端证书
问题描述
我正在尝试在 Go 中生成一个客户端证书以与 tls 客户端身份验证一起使用。
为此,我使用此模板生成并签署(使用一些根证书)客户端证书:
var clientTemplate = x509.Certificate{
SerialNumber: big.NewInt(1),
NotBefore: time.Now().Add(-10 * time.Second),
NotAfter: time.Now().AddDate(10, 0, 0),
KeyUsage: x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
IsCA: false,
MaxPathLenZero: true,
IPAddresses: []net.IP{net.IP([]byte{10, 10,0,4})},
DNSNames: []string{},
}
但是当我尝试验证此证书时:
verifyOptions := x509.VerifyOptions{
DNSName: "10.10.0.4",
Roots: certPool,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
_, err = ClientCert.Verify(verifyOptions)
我得到错误:
certificate specifies an incompatible key usage
但是我的密钥用法有什么问题?我必须指定什么?
这是一个完整的测试,我是如何尝试的:
func TestClientCertVerify(t *testing.T) {
// Generate Root CA
var rootTemplate = x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
Country: []string{"DE"},
Organization: []string{"Company Co."},
CommonName: "Root CA",
},
NotBefore: time.Now().Add(-10 * time.Second),
NotAfter: time.Now().AddDate(10, 0, 0),
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
MaxPathLen: 2,
IPAddresses: []net.IP{},
DNSNames: []string{},
}
rootPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
rootCertBytes, err := x509.CreateCertificate(rand.Reader, &rootTemplate, &rootTemplate, &rootPrivKey.PublicKey, rootPrivKey)
if err != nil {
panic("Failed to create certificate:" + err.Error())
}
rootCert, err := x509.ParseCertificate(rootCertBytes)
if err != nil {
panic("failed to parse certificate:" + err.Error())
}
// Generate client certificate
clientPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
var clientTemplate = x509.Certificate{
SerialNumber: big.NewInt(1),
NotBefore: time.Now().Add(-10 * time.Second),
NotAfter: time.Now().AddDate(10, 0, 0),
KeyUsage: x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
IsCA: false,
MaxPathLenZero: true,
IPAddresses: []net.IP{net.IP([]byte{10, 10,0,4})},
DNSNames: []string{},
}
clientCertBytes, err := x509.CreateCertificate(rand.Reader, &clientTemplate, rootCert, &clientPrivKey.PublicKey, rootPrivKey)
if err != nil {
panic("Failed to create certificate:" + err.Error())
}
ClientCert, err := x509.ParseCertificate(clientCertBytes)
if err != nil {
panic("failed to parse certificate:" + err.Error())
}
// Create cert pool for verification
certPool := x509.NewCertPool()
certPool.AddCert(rootCert)
// Verify a client
verifyOptions := x509.VerifyOptions{
DNSName: "10.10.0.4",
Roots: certPool,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
_, err = ClientCert.Verify(verifyOptions)
if err != nil {
t.Error(err)
}
}
解决方案
推荐阅读
- php - WordPress:自定义用户角色无法访问自定义帖子类型 | “对不起,您无权访问此页面”
- python - 如何从我的输出列表中删除“TextBlob”
- pip - 错误:找不到满足 apache-airflow 要求的版本(来自版本:无)
- android - 带有 ID 选择器的 CSS 未在 android Webview 上加载
- node.js - 编辑 DiscordJS 斜线命令权限
- ruby-on-rails - 有没有办法用 Webpack 清除 FontAwesome?
- r - 拆分字符串并从拆分中创建变量
- c# - 如何使 Windows Forms C# 中的表单不可点击?
- c# - 解析不同语言的星期几字符串
- python - 尝试对 SAP 应用程序执行操作时出现 COM 错误