tls 双向认证 client端代码例子

example:

python

 1 import httplib
 2 import json
 3 import ssl
 4 import urllib2
 5 import requests
 6 
 7 
 8 CA_FILE = "etc/rdtagent/cert/server/ca.pem"
 9 CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
10 CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!
11 HOST = "127.0.0.1"
12 PORT = 8443
13 
14 CACHE_URL = "/v1/cache"
15 
16 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=CA_FILE)
17 context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)
18 
19 connection = httplib.HTTPSConnection(HOST, port=PORT, context=context)
20 # pem code
21 # auth_header = 'Basic %s' % (":".join(["myusername","mypassword"]).encode('Base64').strip('\r\n'))
22 # connection.request("POST", "/","",{'Authorization':auth_header})
23 connection.request('GET', CACHE_URL)
24 response = connection.getresponse()
25 print(response.status, response.reason)
26 
27 data = response.read()
28 print(json.loads(data))
29 
30 connection.close()
31 
32 
33 
34 # http://docs.python-requests.org/en/latest/
35 res = requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=('user', 'pass'))
36 print res.json()
37 
38 
39 # HTTPS Client Auth solution for urllib2, inspired by
40 # http://bugs.python.org/issue3466
41 # and improved by David Norton of Three Pillar Software. In this
42 # implementation, we use properties passed in rather than static module
43 # fields.
44 class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
45     def __init__(self, ca, key, cert):
46         urllib2.HTTPSHandler.__init__(self)
47         self.ca = ca
48         self.key = key
49         self.cert = cert
50     def https_open(self, req):
51         #Rather than pass in a reference to a connection class, we pass in
52         # a reference to a function which, for all intents and purposes,
53         # will behave as a constructor
54         return self.do_open(self.getConnection, req)
55     def getConnection(self, host):
56         print "*" * 80
57         print host
58         context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=self.ca)
59         context.load_cert_chain(certfile=self.cert, keyfile=self.key)
60         return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, context=context)
61 
62 
63 # cert_handler = HTTPSClientAuthHandler(CA_FILE, CLIENT_KEY_FILE, CLIENT_CERT_FILE)
64 # opener = urllib2.build_opener(cert_handler)
65 # urllib2.install_opener(opener)
66 
67 # https://docs.python.org/2/library/urllib2.html#examples
68 f = urllib2.urlopen("https://"+HOST+":"+str(PORT)+CACHE_URL, context=context)
69 print json.loads(f.read())
View Code

 

shell中直接执行:

python -c '
import requests
CA_FILE = "etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST = "127.0.0.1"
PORT = 8443

CACHE_URL = "/v1/cache"
print requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=("user", "pass")).json()
'
CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!
HOST="127.0.0.1"
PORT=8443
CACHE_URL="/v1/cache"
PASSWORD="pass"
USER="user"
python -c "
import requests
print requests.get('https://'+'$HOST'+':'+str($PORT)+'$CACHE_URL', verify='$CA_FILE', cert=('$CLIENT_CERT_FILE', '$CLIENT_KEY_FILE'), auth=('$USER', '$PASSWORD')).json()
"

 

Golang

$ cat goclient.go

 1 package main
 2 
 3 import (
 4         "crypto/tls"
 5         "crypto/x509"
 6         "flag"
 7         "fmt"
 8         "io/ioutil"
 9         "log"
10         "net/http"
11         _ "os"
12 )
13 
14 var (
15         certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")
16         keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")
17         caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")
18         url      = flag.String("url", "resource url", "The url of resource that client request.")
19 )
20 
21 func main() {
22 
23         flag.Parse()
24         //os.Getenv("HOST"))
25         // Load client cert
26         cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
27         if err != nil {
28                 log.Fatal(err)
29         }
30 
31         // Load CA cert
32         caCert, err := ioutil.ReadFile(*caFile)
33         if err != nil {
34                 log.Fatal(err)
35         }
36         caCertPool := x509.NewCertPool()
37         caCertPool.AppendCertsFromPEM(caCert)
38 
39         // Setup HTTPS client
40         tlsConfig := &tls.Config{
41                 Certificates: []tls.Certificate{cert},
42                 RootCAs:      caCertPool,
43         }
44         tlsConfig.BuildNameToCertificate()
45         transport := &http.Transport{TLSClientConfig: tlsConfig}
46         client := &http.Client{Transport: transport}
47 
48         resp, err := client.Get(*url)
49         if err != nil {
50                 fmt.Println(err)
51         }
52         contents, err := ioutil.ReadAll(resp.Body)
53         fmt.Printf("%s\n", string(contents))
54 }
View Code

CA_FILE="etc/rdtagent/cert/server/ca.pem"
CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"
CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!
PASSWORD="pass"
USER="user"
CACHE_URL="https://127.0.0.1:8443/v1/cache"
$ go run goclient.go -CA $CA_FILE -cert $CLIENT_CERT_FILE -key $CLIENT_KEY_FILE -url $CACHE_URL

 

How Certificate Revocation Works

posted @ 2017-10-20 14:59  lvmxh  阅读(3280)  评论(0编辑  收藏  举报