From 0a17e4d3932d3648bfe0245ecada26dd7de865a2 Mon Sep 17 00:00:00 2001
From: ht <22350747@qq.com>
Date: Tue, 26 Apr 2022 17:27:10 +0800
Subject: [PATCH 1/5] =?UTF-8?q?grpcOption=E5=A2=9E=E5=8A=A0TLS=E7=9A=84?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 types/config.go | 22 ++++++++++++++++++++--
 types/utils.go  | 29 +++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/types/config.go b/types/config.go
index dc9416e..f93ee91 100644
--- a/types/config.go
+++ b/types/config.go
@@ -1,10 +1,12 @@
 package types
 
 import (
+	"crypto/x509"
 	"fmt"
 	"os"
 
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 
 	"github.com/irisnet/core-sdk-go/common/crypto"
 	"github.com/irisnet/core-sdk-go/types/store"
@@ -333,9 +335,25 @@ func WSAddrOption(wsAddr string) Option {
 	}
 }
 
-func GRPCOptions(gRPCOptions []grpc.DialOption) Option {
+func GRPCOptions(gRPCOptions []grpc.DialOption, TLS bool, grpcAddr string) Option {
 	return func(cfg *ClientConfig) error {
-		cfg.GRPCOptions = gRPCOptions
+		if !TLS {
+			cfg.GRPCOptions = gRPCOptions
+			return nil
+		}
+
+		certificateList, err := GetTLSCertPool(grpcAddr)
+		if err != nil {
+			panic(err)
+		}
+
+		roots := x509.NewCertPool()
+		for i := range certificateList {
+			roots.AddCert(certificateList[i])
+		}
+		cert := credentials.NewClientTLSFromCert(roots, "")
+		cfg.GRPCOptions = append(gRPCOptions, grpc.WithTransportCredentials(cert))
+		return nil
 	}
 }
 
diff --git a/types/utils.go b/types/utils.go
index 7cc3347..bda4b51 100644
--- a/types/utils.go
+++ b/types/utils.go
@@ -1,8 +1,13 @@
 package types
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/binary"
 	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
 	"time"
 )
 
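Review bot: `panic(err)` inside the option closure turns a failed certificate fetch into a process crash, although the closure already has the signature `func(cfg *ClientConfig) error` and the `!TLS` branch returns normally; it should be `return fmt.Errorf("fetching TLS roots from %q: %w", grpcAddr, err)` (`fmt` is already imported in this file). Separately, the pool built here is anchored on whatever `GetTLSCertPool` returns, and that helper fetches the chain with `InsecureSkipVerify: true`, so `grpc.WithTransportCredentials(cert)` ends up verifying the gRPC server against a chain that nobody verified — an on-path attacker present during the fetch gets its own certificate installed as the trust anchor for every later call. If the intent is to trust publicly issued certificates, `credentials.NewTLS(&tls.Config{})` with system roots (plus a `crypto/tls` import) needs no bootstrap fetch at all; if a private CA is used, load its PEM from configuration instead. The caller is not in this hunk, so whether `grpcAddr` carries the `https://` scheme the helper insists on cannot be checked from here.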
@@ -73,3 +78,27 @@ func CopyBytes(bz []byte) (ret []byte) {
 	copy(ret, bz)
 	return ret
 }
+
+func GetTLSCertPool(gateWayURL string) ([]*x509.Certificate, error) {
+	if !strings.Contains(strings.ToLower(gateWayURL), "https://") {
+		return nil, errors.New("TLS is enabled, but the address is http")
+	}
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+
+	resp, err := client.Get(gateWayURL)
+	defer func() {
+		closeErr := resp.Body.Close()
+		if err == nil {
+			err = closeErr
+		}
+	}()
+
+	if err != nil {
+		return nil, err
+	}
+
+	return resp.TLS.PeerCertificates, err
+}

From 103fc662fc8c2082c920241c089987b205b7210a Mon Sep 17 00:00:00 2001
From: ht <22350747@qq.com>
Date: Tue, 26 Apr 2022 17:38:11 +0800
Subject: [PATCH 2/5] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=8F=98=E9=87=8F?=
 =?UTF-8?q?=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 types/config.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/types/config.go b/types/config.go
index f93ee91..3531e6f 100644
--- a/types/config.go
+++ b/types/config.go
@@ -335,14 +335,14 @@ func WSAddrOption(wsAddr string) Option {
 	}
 }
 
-func GRPCOptions(gRPCOptions []grpc.DialOption, TLS bool, grpcAddr string) Option {
+func GRPCOptions(gRPCOptions []grpc.DialOption, TLS bool, rpcAddr string) Option {
 	return func(cfg *ClientConfig) error {
 		if !TLS {
 			cfg.GRPCOptions = gRPCOptions
 			return nil
 		}
 
-		certificateList, err := GetTLSCertPool(grpcAddr)
+		certificateList, err := GetTLSCertPool(rpcAddr)
 		if err != nil {
 			panic(err)
 		}

From 1a5aedcbfff53f2e3e0a0c9e70d56ca9eb1fe0d1 Mon Sep 17 00:00:00 2001
From: ht <22350747@qq.com>
Date: Tue, 26 Apr 2022 18:03:25 +0800
Subject: [PATCH 3/5] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E6=B3=A8=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 types/utils.go | 1 +
 1 file changed, 1 insertion(+)

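Review bot: The `defer func() { closeErr := resp.Body.Close() ... }()` is registered before `err` is checked, so when `client.Get` fails `resp` is nil and the deferred call panics with a nil-pointer dereference instead of returning the error; the `err = closeErr` assignment inside it also never reaches the caller, because the result is unnamed and `return resp.TLS.PeerCertificates, err` has already evaluated it. The larger problem is the design: with `InsecureSkipVerify: true` the returned `PeerCertificates` are whatever the peer — or anyone on the path — chose to present, and the caller turns them into the trust root for the gRPC connection, so TLS authentication is effectively disabled while appearing enabled. At minimum drop `InsecureSkipVerify` so the fetched chain has been validated against the system roots (which leaves `crypto/tls` unused here), move the defer below the error check, guard `resp.TLS == nil` (a redirect to plain HTTP leaves it unset), and give the client a timeout (`time` is already imported in this file). Better still, do not bootstrap trust from the remote endpoint at all; take the CA bundle from configuration or rely on system roots.
```go
func GetTLSCertPool(gateWayURL string) ([]*x509.Certificate, error) {
	// … unchanged: https:// scheme check …
	// Default transport: the server chain is verified against system roots,
	// so the certificates returned here have at least been authenticated.
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Get(gateWayURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return nil, errors.New("response did not arrive over TLS")
	}
	return resp.TLS.PeerCertificates, nil
}
```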
diff --git a/types/utils.go b/types/utils.go
index bda4b51..53b726c 100644
--- a/types/utils.go
+++ b/types/utils.go
@@ -79,6 +79,7 @@ func CopyBytes(bz []byte) (ret []byte) {
 	return ret
 }
 
+// GetTLSCertPool get certificates from gateWayURL
 func GetTLSCertPool(gateWayURL string) ([]*x509.Certificate, error) {
 	if !strings.Contains(strings.ToLower(gateWayURL), "https://") {
 		return nil, errors.New("TLS is enabled, but the address is http")

From 1f06636de3e286368e2be00ddd94a122525c31bf Mon Sep 17 00:00:00 2001
From: ht <22350747@qq.com>
Date: Tue, 26 Apr 2022 18:05:13 +0800
Subject: [PATCH 4/5] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=B3=A8=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 types/utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/types/utils.go b/types/utils.go
index 53b726c..6285674 100644
--- a/types/utils.go
+++ b/types/utils.go
@@ -79,7 +79,7 @@ func CopyBytes(bz []byte) (ret []byte) {
 	return ret
 }
 
-// GetTLSCertPool get certificates from gateWayURL
+// GetTLSCertPool get certificates from target server
 func GetTLSCertPool(gateWayURL string) ([]*x509.Certificate, error) {
 	if !strings.Contains(strings.ToLower(gateWayURL), "https://") {
 		return nil, errors.New("TLS is enabled, but the address is http")

From 621b55e51bdeb8ede4f46030f26912ad679c2808 Mon Sep 17 00:00:00 2001
From: ht <22350747@qq.com>
Date: Tue, 26 Apr 2022 18:19:55 +0800
Subject: [PATCH 5/5] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E9=94=99=E8=AF=AF?=
 =?UTF-8?q?=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 types/utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/types/utils.go b/types/utils.go
index 6285674..51e3983 100644
--- a/types/utils.go
+++ b/types/utils.go
@@ -82,7 +82,7 @@ func CopyBytes(bz []byte) (ret []byte) {
 // GetTLSCertPool get certificates from target server
 func GetTLSCertPool(gateWayURL string) ([]*x509.Certificate, error) {
 	if !strings.Contains(strings.ToLower(gateWayURL), "https://") {
-		return nil, errors.New("TLS is enabled, but the address is http")
+		return nil, errors.New("this function requires HTTPS protocol")
 	}
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
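Review bot: The new message `"this function requires HTTPS protocol"` promises a check that the guard above it does not make: `strings.Contains(strings.ToLower(gateWayURL), "https://")` accepts any URL containing that substring anywhere, e.g. `http://host/?next=https://`, which then goes to `client.Get` in the clear and, as far as the rest of the function shows, leaves `resp.TLS` nil for the later dereference. Anchor the check to the scheme with `if !strings.HasPrefix(strings.ToLower(gateWayURL), "https://") {` so the message and the behaviour agree. The body of GetTLSCertPool continues past the end of this hunk.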