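package f

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"net/http"
	"strings"

	"golang.org/x/crypto/acme/autocert"
)

// NewTLSLoadConfig loads the PEM-encoded certificate/private-key pair stored in
// crtFile and keyFile and returns a tls.Config that presents it. It panics (via
// Must) when the pair cannot be read or does not match.
//
// insecureSkipVerify disables verification of the peer's certificate chain and
// host name when the config is used on the client side. With verification off
// the connection is encrypted but the peer is NOT authenticated, so any on-path
// attacker can impersonate the server; pass true only for local testing
// against self-signed endpoints.
//
// The minimum protocol version is pinned to TLS 1.2: TLS 1.0 and 1.1 are
// deprecated (RFC 8996) and offer nothing a current peer needs.
func NewTLSLoadConfig(crtFile, keyFile string, insecureSkipVerify bool) *tls.Config {
	pair, err := tls.LoadX509KeyPair(crtFile, keyFile)
	Must(err)

	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		Certificates:       []tls.Certificate{pair},
		InsecureSkipVerify: insecureSkipVerify, // skips server certificate verification (e.g. self-signed certs)
	}
}

// NewTLSServerAutoCertConfig returns a server-side tls.Config whose certificates
// are obtained and renewed automatically from Let's Encrypt over ACME.
//
// domains is a whitespace-separated list of host names the server may request
// certificates for. Any other SNI name is refused by the host policy, which is
// what prevents an arbitrary client from driving certificate requests (and
// ACME rate-limit consumption) for names the operator never intended. email is
// the contact address registered with the ACME account; the CA uses it to
// report problems with issued certificates.
//
// Calling this function accepts the CA's terms of service (autocert.AcceptTOS).
//
// The ACME account key and every issued certificate and private key are cached
// in the "secrets" directory relative to the process's working directory
// (autocert creates it with mode 0700 and writes files with mode 0600). Run the
// process with a stable working directory and keep that directory out of
// version control and unencrypted backups.
//
// The returned config advertises the TLS-ALPN-01 challenge protocol together
// with h2 and http/1.1, so issuance works on port 443 alone. The HTTP-01
// challenge fallback additionally requires the manager's HTTPHandler to be
// served on port 80, which this helper does not set up.
func NewTLSServerAutoCertConfig(email string, domains string) *tls.Config {
	// Fields (rather than Split on a single space) tolerates repeated,
	// leading or trailing whitespace without yielding an empty host entry.
	allowedHosts := strings.Fields(domains)

	manager := &autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		Email:      email,
		HostPolicy: autocert.HostWhitelist(allowedHosts...),
		Cache:      autocert.DirCache("secrets"),
	}

	// Manager.TLSConfig wires up GetCertificate together with the ALPN
	// protocol list (including acme.ALPNProto) that GetCertificate needs in
	// order to answer TLS-ALPN-01 challenges. Setting GetCertificate alone
	// leaves that challenge type unanswerable.
	cfg := manager.TLSConfig()

	// TLS 1.0 and 1.1 are deprecated (RFC 8996); the legacy browsers that
	// once required them are no longer a reason to keep them enabled.
	cfg.MinVersion = tls.VersionTLS12

	// Prefer the server's cipher-suite order on the server side. From Go 1.17
	// this field is ignored (the library always orders suites itself); it is
	// kept for older toolchains.
	cfg.PreferServerCipherSuites = true

	// Only curves with constant-time assembly implementations.
	cfg.CurvePreferences = []tls.CurveID{
		tls.CurveP256,
		tls.X25519, // Go 1.8 and later
	}

	return cfg
}

// NewTLSServerTestConfig returns a bare-bones server tls.Config backed by a
// freshly generated, self-signed RSA certificate, for use in tests only. The
// certificate has serial number 1, no subject, no SAN and no validity period,
// so only a client that skips verification (see NewTLSClientTestConfig) will
// accept it. nextProto is advertised as the ALPN protocol. Key generation makes
// this call comparatively slow, so reuse the result rather than calling it per
// connection.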
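func NewTLSServerTestConfig(nextProto string) *tls.Config {
	// 1024-bit RSA has been below the accepted minimum for years; 2048 bits is
	// the floor current TLS stacks and verifiers expect. Generation is slower,
	// which is why callers should reuse the returned config.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	Must(err)

	template := x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Mark the certificate as usable for server authentication so a client
		// that does check (extended) key usage is not tripped up by it.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template serves as both subject and issuer, and the
	// certificate is signed with its own private key.
	der, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
	Must(err)

	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})

	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	Must(err)

	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		NextProtos:   alpnProtos(nextProto),
	}
}

// NewTLSClientTestConfig returns a bare-bones client tls.Config for talking to
// a server built with NewTLSServerTestConfig. Certificate verification is
// disabled, so the connection is encrypted but the peer is NOT authenticated;
// never use this outside tests. nextProto, if non-empty, is offered as the sole
// ALPN protocol.
func NewTLSClientTestConfig(nextProto string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // test-only: accepts any certificate, including self-signed ones
		MinVersion:         tls.VersionTLS12,
		NextProtos:         alpnProtos(nextProto),
	}
}

// alpnProtos returns the ALPN list to advertise for proto, or nil when proto
// is empty. An empty protocol name must not be placed in NextProtos: crypto/tls
// (Go 1.17 and later) rejects it with "tls: invalid NextProtos value" instead
// of treating it as "no ALPN".
func alpnProtos(proto string) []string {
	if proto == "" {
		return nil
	}
	return []string{proto}
}

// NewHttpsTransportSkipVerify returns an http.Transport whose TLS client
// disables certificate verification, for dialing endpoints that present
// self-signed certificates. Traffic is encrypted but the server's identity is
// never checked, so an on-path attacker can impersonate it; restrict its use to
// development and testing. Only TLSClientConfig is set: unlike
// http.DefaultTransport, no proxy, dial timeout or TLS handshake timeout is
// configured.
func NewHttpsTransportSkipVerify() *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true, // skips server certificate verification (e.g. self-signed certs)
			MinVersion:         tls.VersionTLS12,
		},
	}
}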