path: root/tlsdemo/README.md
blob: 24124db216c20a8eb33e42229257d90f11817c83 (plain)
## Libtrust TLS Config Demo

This program generates key pairs and trust files for a TLS client and server.

To generate the keys, run:

```
$ go run genkeys.go
```

The generated files are:

```
$ ls -l client_data/ server_data/
client_data/:
total 24
-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json
-rw-r--r--  1 jlhawn  staff  275 Aug  8 16:21 trusted_hosts.json

server_data/:
total 24
-rw-r--r--  1 jlhawn  staff  348 Aug  8 16:21 trusted_clients.json
-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json
```

The private and public keys for the client and the server are stored in `private_key.json` and `public_key.json` in their respective directories. They are represented as JSON Web Keys: JSON objects representing either an ECDSA or RSA key. The host keys trusted by the client are stored in `trusted_hosts.json`, a mapping from an internet address, `<HOSTNAME_OR_IP>:<PORT>`, to a JSON Web Key representing the ECDSA or RSA public key of the trusted server. The client keys trusted by the server are stored in `trusted_clients.json`, an array of JSON objects, each containing a comment field which can be used to describe the key and a JSON Web Key representing the ECDSA or RSA public key of the trusted client.
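The following is an added example, not code from the libtrust repository or the demo itself: it reads and writes a `trusted_hosts.json`-shaped document using only the standard library, so none of libtrust's own loader functions are assumed. It covers the ECDSA P-256 case only (RSA keys and the `kid` member are left out), and it shows the check a client must not skip: a JWK that decodes cleanly but is not a point on the curve is rejected before it can become a pinned key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// ecJWK is the subset of a JSON Web Key (RFC 7518 section 6.2) that carries a P-256
// public key. The demo's files use the same member names; the "kid" and private
// members are left out here.
type ecJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// hostKeys mirrors the shape of trusted_hosts.json: "host:port" -> public key JWK.
type hostKeys map[string]ecJWK

// toJWK encodes a P-256 public key as a JWK. Coordinates are base64url without
// padding and left-padded to the 32-byte field size, as the RFC requires.
func toJWK(pub *ecdsa.PublicKey) (ecJWK, error) {
	if pub.Curve != elliptic.P256() {
		return ecJWK{}, errors.New("only P-256 keys are handled here")
	}
	enc := base64.RawURLEncoding.EncodeToString
	return ecJWK{
		Kty: "EC", Crv: "P-256",
		X:   enc(pub.X.FillBytes(make([]byte, 32))),
		Y:   enc(pub.Y.FillBytes(make([]byte, 32))),
	}, nil
}

// fromJWK decodes a JWK and rejects anything that is not a valid point on P-256.
// A key that parses but is off the curve must never reach a trusted set.
func fromJWK(k ecJWK) (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, fmt.Errorf("unsupported key type %q/%q", k.Kty, k.Crv)
	}
	x, err := base64.RawURLEncoding.DecodeString(k.X)
	if err != nil {
		return nil, err
	}
	y, err := base64.RawURLEncoding.DecodeString(k.Y)
	if err != nil {
		return nil, err
	}
	if len(x) != 32 || len(y) != 32 {
		return nil, errors.New("coordinate is not 32 bytes")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point is not on P-256")
	}
	return pub, nil
}

// buildTrustedHosts writes a trusted_hosts.json-style document pinning pub for addr.
func buildTrustedHosts(addr string, pub *ecdsa.PublicKey) ([]byte, error) {
	jwk, err := toJWK(pub)
	if err != nil {
		return nil, err
	}
	return json.MarshalIndent(hostKeys{addr: jwk}, "", "  ")
}

// lookupTrustedHost parses a trusted_hosts.json document and returns the key pinned
// for addr, or an error if addr is absent or its key is malformed.
func lookupTrustedHost(doc []byte, addr string) (*ecdsa.PublicKey, error) {
	var hosts hostKeys
	if err := json.Unmarshal(doc, &hosts); err != nil {
		return nil, err
	}
	k, ok := hosts[addr]
	if !ok {
		return nil, fmt.Errorf("no trusted key for %s", addr)
	}
	return fromJWK(k)
}

func main() {
	// Constructed sample: a fresh server key, written out and read back as the client would.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc, _ := buildTrustedHosts("localhost:8888", &key.PublicKey)
	fmt.Println(string(doc))
	pinned, err := lookupTrustedHost(doc, "localhost:8888")
	if err != nil {
		panic(err)
	}
	fmt.Println(pinned.Equal(&key.PublicKey), err)
}
```

The on-curve check matters because `trusted_hosts.json` is exactly the kind of file an operator copies around by hand: a corrupted or hand-edited coordinate should fail loudly at load time, not produce a key that silently never matches anything.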

To start the server, run:

```
$ go run server.go
```

This starts an HTTPS server which listens on `localhost:8888`. The server configures itself with a certificate which is valid for both `localhost` and `127.0.0.1` and uses the key from `server_data/private_key.json`. It accepts connections from clients which present a certificate for a key that it is configured to trust from the `trusted_clients.json` file and returns a simple 'hello' message.

To make a request using the client, run:

```
$ go run client.go
```

This command creates an HTTPS client which makes a GET request to `https://localhost:8888`. The client configures itself with a certificate using the key from `client_data/private_key.json`. It only connects to a server which presents a certificate signed by the key listed for the `localhost:8888` address in `client_data/trusted_hosts.json` and issued for the `localhost` hostname. If the connection succeeds, it prints the response from the server.

The file `gencert.go` can be used to generate PEM-encoded versions of the client key and certificate. If you save them to `key.pem` and `cert.pem` respectively, you can use them with `curl` to test out the server (if it is still running). The `-k` flag tells `curl` not to verify the server's certificate, which is not signed by any CA in curl's trust store; the Go client instead verifies it against the key pinned in `trusted_hosts.json`.

```
$ curl --cert cert.pem --key key.pem -k https://localhost:8888
```