100daysofcode - day51 - grpc mtls client

Author: deepns

go/learning/grpc/features/mTLS/client/main.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"flag"
+	"io/ioutil"
+	"log"
+
+	pb "github.com/deepns/codegym/go/learning/grpc/echo/echo"
+	"github.com/deepns/codegym/go/learning/grpc/features/sslcerts"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+func getCredentials() credentials.TransportCredentials {
+	cert, err := tls.LoadX509KeyPair(
+		sslcerts.Path("client_cert.pem"), sslcerts.Path("client_key.pem"))
+	if err != nil {
+		log.Fatalf("failed to load key pair: %v", err)
+	}
+
+	certPool := x509.NewCertPool()
+	ca, err := ioutil.ReadFile(sslcerts.Path("ca_cert.pem"))
+	if err != nil {
+		log.Fatalf("failed to read CA certificate: %v", err)
+	}
+
+	if ok := certPool.AppendCertsFromPEM(ca); !ok {
+		log.Fatalf("failed to append CA certificate")
+	}
+
+	return credentials.NewTLS(&tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ServerName:   "abc.test.example.com",
+		RootCAs:      certPool,
+	})
+}
+
+func main() {
+	addr := flag.String("addr", "localhost:50505", "address to connect to")
+	flag.Parse()
+
+	conn, err := grpc.Dial(*addr, grpc.WithTransportCredentials(getCredentials()))
+	if err != nil {
+		log.Fatalf("failed to dial: %v", err)
+	}
+	defer conn.Close()
+
+	client := pb.NewEchoServiceClient(conn)
+	resp, err := client.UnaryEcho(context.Background(), &pb.EchoRequest{Message: "hello from mtls client"})
+	if err != nil {
+		log.Fatalf("failed to call UnaryEcho: %v", err)
+	}
+
+	log.Printf("echo: %s", resp.Message)
+}

go/learning/grpc/features/mTLS/readme.md

@@ -57,3 +57,49 @@ if err != nil {
 The AddCert method is typically used to add a single self-signed certificate to a pool, whereas in the case of mutual TLS, the CA may have issued multiple certificates that are needed to validate the client's certificate.
 
 ## Client side
+
+When I configured TLS on the client side, I used the convenient function `NewClientTLSFromFile` to get the transport credentials.
+
+```go
+	creds, err := credentials.NewClientTLSFromFile(sslcerts.Path("ca_cert.pem"), "abc.test.example.com")
+	if err != nil {
+		log.Fatalf("failed to load TLS cert: %v", err)
+	}
+```
+
+Like the server side, this also creates a new cert pool, include the root CA to validate server certificate and create a TL config with those parameters. If client certificate needs to be included for mutual TLS, I got to use **NewTLS** instead.
+
+```go
+// NewClientTLSFromFile constructs TLS credentials from the provided root
+// certificate authority certificate file(s) to validate server connections. If
+// certificates to establish the identity of the client need to be included in
+// the credentials (eg: for mTLS), use NewTLS instead, where a complete
+// tls.Config can be specified.
+// serverNameOverride is for testing only. If set to a non empty string,
+// it will override the virtual host name of authority (e.g. :authority header
+// field) in requests.
+func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) {
+	b, err := os.ReadFile(certFile)
+	if err != nil {
+		return nil, err
+	}
+	cp := x509.NewCertPool()
+	if !cp.AppendCertsFromPEM(b) {
+		return nil, fmt.Errorf("credentials: failed to append certificates")
+	}
+	return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp}), nil
+```
+
+In addition to the **ServerName** and **RootCAs**, need to provide client certificate in **Certificates**.
+
+```go
+    cert, err := tls.LoadX509KeyPair(
+		sslcerts.Path("client_cert.pem"), sslcerts.Path("client_key.pem"))
+    //...
+    //...
+    return credentials.NewTLS(&tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ServerName:   "abc.test.example.com",
+		RootCAs:      certPool,
+	})
+```

go/learning/grpc/features/mTLS/server/main.go

@@ -26,12 +26,13 @@ func (s *echoServer) UnaryEcho(_ context.Context, req *pb.EchoRequest) (*pb.Echo
 }
 
 func getTLSConfig() *tls.Config {
-	serverCert, err := tls.LoadX509KeyPair(sslcerts.Path("server_cert.pem"), sslcerts.Path("server_key.pem"))
+	serverCert, err := tls.LoadX509KeyPair(
+		sslcerts.Path("server_cert.pem"), sslcerts.Path("server_key.pem"))
 	if err != nil {
 		log.Fatalf("failed to load server key pair: %v", err)
 	}
 
-	caCert, err := ioutil.ReadFile(sslcerts.Path("ca_cert.pem"))
+	caCert, err := ioutil.ReadFile(sslcerts.Path("client_ca_cert.pem"))
 	if err != nil {
 		log.Fatalf("failed to load CA certificate: %v", err)
 	}

notes/journal.md

@@ -72,6 +72,8 @@
     - [ ] authorization
     - [x] debugging
     - [ ] encryption
+      - [x] tls
+      - [x] mtls
     - [x] metadata
     - [x] interceptor
     - [x] metadata-interceptor
@@ -89,6 +91,11 @@
 
 Been a while I lost in touch with my daily exercise. Restarting the practice.
 
+### Day 51 (grpc mutual TLS client)
+
+- added the client side code for mTLS client
+- fixed the certificate issue on the server side. had the wrong CA configured on the server
+
 ### Day 50 (grpc mutual TLS)
 
 - Yay, day 50 successfully. Started with gRPC basics on day 1, ~50 days ago.