distribution/vendor/github.com/docker/libtrust/tlsdemo/README.md
Olivier Gambier 77e69b9cf3 Move to vendor
Signed-off-by: Olivier Gambier <olivier@docker.com>
2016-03-22 10:45:49 -07:00

Libtrust TLS Config Demo

This program generates key pairs and trust files for a TLS client and server.

To generate the keys, run:

$ go run genkeys.go

The generated files are:

$ ls -l client_data/ server_data/
client_data/:
total 24
-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json
-rw-r--r--  1 jlhawn  staff  275 Aug  8 16:21 trusted_hosts.json

server_data/:
total 24
-rw-r--r--  1 jlhawn  staff  348 Aug  8 16:21 trusted_clients.json
-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json

The client and server each keep their private key in private_key.json and their public key in public_key.json, in their respective directories. Both are represented as JSON Web Keys: JSON objects describing either an ECDSA or an RSA key. The host keys trusted by the client are stored in trusted_hosts.json, which maps an internet address, <HOSTNAME_OR_IP>:<PORT>, to a JSON Web Key, a JSON object representing the ECDSA or RSA public key of the trusted server. The client keys trusted by the server are stored in trusted_clients.json, an array of JSON objects each containing a comment field, which can be used to describe the key, and a JSON Web Key representing the ECDSA or RSA public key of the trusted client.

To start the server, run:

$ go run server.go

This starts an HTTPS server which listens on localhost:8888. The server configures itself with a certificate which is valid for both localhost and 127.0.0.1 and uses the key from server_data/private_key.json. It accepts connections from clients which present a certificate for a key that it is configured to trust from the trusted_clients.json file and returns a simple 'hello' message.

To make a request using the client, run:

$ go run client.go

This command creates an HTTPS client which makes a GET request to https://localhost:8888. The client configures itself with a certificate using the key from client_data/private_key.json. It only connects to a server which presents a certificate signed by the key recorded for the localhost:8888 address in client_data/trusted_hosts.json and valid for the localhost hostname. If the connection succeeds, it prints the response from the server.

The file gencert.go can be used to generate PEM-encoded versions of the client key and certificate. If you save them to key.pem and cert.pem respectively, you can use them with curl to test the server (if it is still running):

curl --cert cert.pem --key key.pem -k https://localhost:8888