tls 双向认证 client端代码例子

时间:2025-02-07 08:33:38

example:

python

 import httplib

 import json

 import ssl

 import urllib2

 import requests

 CA_FILE = "etc/rdtagent/cert/server/ca.pem"

 CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"

 CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!

 HOST = "127.0.0.1"

 PORT = 8443

 CACHE_URL = "/v1/cache"

 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=CA_FILE)

 context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)

 connection = httplib.HTTPSConnection(HOST, port=PORT, context=context)

 # pem code

 # auth_header = 'Basic %s' % (":".join(["myusername","mypassword"]).encode('Base64').strip('\r\n'))

 # connection.request("POST", "/","",{'Authorization':auth_header})

 connection.request('GET', CACHE_URL)

 response = connection.getresponse()

 print(response.status, response.reason)

 data = response.read()

 print(json.loads(data))

 connection.close()

 # http://docs.python-requests.org/en/latest/

 res = requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=('user', 'pass'))

 print res.json()

 # HTTPS Client Auth solution for urllib2, inspired by

 # http://bugs.python.org/issue3466

 # and improved by David Norton of Three Pillar Software. In this

 # implementation, we use properties passed in rather than static module

 # fields.

 class HTTPSClientAuthHandler(urllib2.HTTPSHandler):

     def __init__(self, ca, key, cert):

         urllib2.HTTPSHandler.__init__(self)

         self.ca = ca

         self.key = key

         self.cert = cert

     def https_open(self, req):

         #Rather than pass in a reference to a connection class, we pass in

         # a reference to a function which, for all intents and purposes,

         # will behave as a constructor

         return self.do_open(self.getConnection, req)

     def getConnection(self, host):

         print "*" * 80

         print host

         context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=self.ca)

         context.load_cert_chain(certfile=self.cert, keyfile=self.key)

         return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, context=context)

 # cert_handler = HTTPSClientAuthHandler(CA_FILE, CLIENT_KEY_FILE, CLIENT_CERT_FILE)

 # opener = urllib2.build_opener(cert_handler)

 # urllib2.install_opener(opener)

 # https://docs.python.org/2/library/urllib2.html#examples

 f = urllib2.urlopen("https://"+HOST+":"+str(PORT)+CACHE_URL, context=context)

 print json.loads(f.read())

shell中直接执行:

python -c '

import requests

CA_FILE = "etc/rdtagent/cert/server/ca.pem"

CLIENT_CERT_FILE = "etc/rdtagent/cert/client/cert.pem"

CLIENT_KEY_FILE = "etc/rdtagent/cert/client/key.pem" # This is your client cert!

HOST = "127.0.0.1"

PORT = 8443

CACHE_URL = "/v1/cache"

print requests.get("https://"+HOST+":"+str(PORT)+CACHE_URL, verify=CA_FILE, cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), auth=("user", "pass")).json()

'
CA_FILE="etc/rdtagent/cert/server/ca.pem"

CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"

CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!

HOST="127.0.0.1"

PORT=8443

CACHE_URL="/v1/cache"

PASSWORD="pass"

USER="user"

python -c "

import requests

print requests.get('https://'+'$HOST'+':'+str($PORT)+'$CACHE_URL', verify='$CA_FILE', cert=('$CLIENT_CERT_FILE', '$CLIENT_KEY_FILE'), auth=('$USER', '$PASSWORD')).json()

"

Golang

$ cat goclient.go

 package main

 import (

         "crypto/tls"

         "crypto/x509"

         "flag"

         "fmt"

         "io/ioutil"

         "log"

         "net/http"

         _ "os"

 )

 var (

         certFile = flag.String("cert", "someCertFile", "A PEM eoncoded certificate file.")

         keyFile  = flag.String("key", "someKeyFile", "A PEM encoded private key file.")

         caFile   = flag.String("CA", "someCertCAFile", "A PEM eoncoded CA's certificate file.")

         url      = flag.String("url", "resource url", "The url of resource that client request.")

 )

 func main() {

         flag.Parse()

         //os.Getenv("HOST"))

         // Load client cert

         cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)

         if err != nil {

                 log.Fatal(err)

         }

         // Load CA cert

         caCert, err := ioutil.ReadFile(*caFile)

         if err != nil {

                 log.Fatal(err)

         }

         caCertPool := x509.NewCertPool()

         caCertPool.AppendCertsFromPEM(caCert)

         // Setup HTTPS client

         tlsConfig := &tls.Config{

                 Certificates: []tls.Certificate{cert},

                 RootCAs:      caCertPool,

         }

         tlsConfig.BuildNameToCertificate()

         transport := &http.Transport{TLSClientConfig: tlsConfig}

         client := &http.Client{Transport: transport}

         resp, err := client.Get(*url)

         if err != nil {

                 fmt.Println(err)

         }

         contents, err := ioutil.ReadAll(resp.Body)

         fmt.Printf("%s\n", string(contents))

 }

$

CA_FILE="etc/rdtagent/cert/server/ca.pem"

CLIENT_CERT_FILE="etc/rdtagent/cert/client/cert.pem"

CLIENT_KEY_FILE="etc/rdtagent/cert/client/key.pem" # This is your client cert!

PASSWORD="pass"

USER="user"

CACHE_URL="https://127.0.0.1:8443/v1/cache"

$ go run goclient.go -CA $CA_FILE -cert $CLIENT_CERT_FILE -key $CLIENT_KEY_FILE -url $CACHE_URL

How Certificate Revocation Works

相关文章