maksadbek · March 20, 2025 14:07
diff --git a/readme.txt b/readme.txt
 openssl genrsa -out ca.key 2048
 openssl req -x509 -new -nodes -key ca.key -subj "/CN=Test CA" -days 365 -out ca.crt

 # Generate server key and certificate signing request (CSR)
 openssl genrsa -out server.key 2048
 openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

 # Generate client key and certificate
 openssl genrsa -out client.key 2048
 openssl req -new -key client.key -subj "/CN=client" -out client.csr
 openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

 # Convert client certificate to PEM format
 cat client.key client.crt > client.pem

 # Create PFX (PKCS12) package
 openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt -passout pass:password
diff --git a/main.go b/main.go
 package main

 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 )

 // LoadClientCerts loads client certificates from provided paths
 func LoadClientCerts(certPaths []string) (*tls.Config, error) {
 	certPool := x509.NewCertPool()

 	for _, certPath := range certPaths {
 		// Load client certificate file
 		certData, err := ioutil.ReadFile(certPath)
 		if err != nil {
 			log.Printf("Failed to read certificate: %s\n", certPath)
 			return nil, err
 		}

 		// Append client certificate to pool
 		if ok := certPool.AppendCertsFromPEM(certData); !ok {
 			log.Printf("Failed to append cert for %s", certPath)
 			return nil, fmt.Errorf("failed to append certificate")
 		}
 	}

 	// Configure mTLS with Client Cert Validation
 	tlsConfig := &tls.Config{
 		ClientCAs:  certPool,
 		ClientAuth: tls.RequireAndVerifyClientCert, // Require a valid client certificate
 	}
 	return tlsConfig, nil
 }

 func secureHandler(w http.ResponseWriter, r *http.Request) {
 	clientCert := r.TLS.PeerCertificates[0] // Get the client certificate
 	fmt.Fprintf(w, "Hello, Secure World! Authenticated CN: %s", clientCert.Subject.CommonName)
 }

 func main() {
 	// Define test certs
 	certConfigs := []string{
 	     "./client.pem",
 	}

 	tlsConfig, err := LoadClientCerts(certConfigs)
 	if err != nil {
 		log.Fatalf("Failed to load client certs: %v", err)
 	}

 	server := &http.Server{
 		Addr:      ":8443",
 		TLSConfig: tlsConfig,
 		Handler:   http.HandlerFunc(secureHandler),
 	}

 	log.Println("Starting mTLS API on https://localhost:8443")
 	err = server.ListenAndServeTLS("server.crt", "server.key")
 	if err != nil {
 		log.Fatalf("Server failed: %s", err)
 	}
 }
	openssl genrsa -out ca.key 2048
	openssl req -x509 -new -nodes -key ca.key -subj "/CN=Test CA" -days 365 -out ca.crt

	# Generate server key and certificate signing request (CSR)
	openssl genrsa -out server.key 2048
	openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

	# Generate client key and certificate
	openssl genrsa -out client.key 2048
	openssl req -new -key client.key -subj "/CN=client" -out client.csr
	openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

	# Convert client certificate to PEM format
	cat client.key client.crt > client.pem

	# Create PFX (PKCS12) package
	openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt -passout pass:password
	package main

	import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	)

	// LoadClientCerts loads client certificates from provided paths
	func LoadClientCerts(certPaths []string) (*tls.Config, error) {
	certPool := x509.NewCertPool()

	for _, certPath := range certPaths {
	// Load client certificate file
	certData, err := ioutil.ReadFile(certPath)
	if err != nil {
	log.Printf("Failed to read certificate: %s\n", certPath)
	return nil, err
	}

	// Append client certificate to pool
	if ok := certPool.AppendCertsFromPEM(certData); !ok {
	log.Printf("Failed to append cert for %s", certPath)
	return nil, fmt.Errorf("failed to append certificate")
	}
	}

	// Configure mTLS with Client Cert Validation
	tlsConfig := &tls.Config{
	ClientCAs: certPool,
	ClientAuth: tls.RequireAndVerifyClientCert, // Require a valid client certificate
	}
	return tlsConfig, nil
	}

	func secureHandler(w http.ResponseWriter, r *http.Request) {
	clientCert := r.TLS.PeerCertificates[0] // Get the client certificate
	fmt.Fprintf(w, "Hello, Secure World! Authenticated CN: %s", clientCert.Subject.CommonName)
	}

	func main() {
	// Define test certs
	certConfigs := []string{
	"./client.pem",
	}

	tlsConfig, err := LoadClientCerts(certConfigs)
	if err != nil {
	log.Fatalf("Failed to load client certs: %v", err)
	}

	server := &http.Server{
	Addr: ":8443",
	TLSConfig: tlsConfig,
	Handler: http.HandlerFunc(secureHandler),
	}

	log.Println("Starting mTLS API on https://localhost:8443")
	err = server.ListenAndServeTLS("server.crt", "server.key")
	if err != nil {
	log.Fatalf("Server failed: %s", err)
	}
	}