在Go中检测根x509证书

I have an X509 certificate obtained using something like this:

block, additionalData := pem.Decode([]byte(str))
cert, err := x509.ParseCertificate(block.Bytes)

I'd like to check if the certificate is a root certificate. I've tried checking IsCA, but this appears to be true for intermediate certificates too. I've also tried something like this:

if cert.KeyUsage & x509.KeyUsageCertSign { //.....

But this is also true for intermediates, since they are permitted to sign the leaf certs.

Should I be doing something else? Perhaps comparing RawSubject and RawIssuer byte for byte and expecting identical contents (won't this false positive for self-signed leaves)?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

dsj2222222 2017-05-16 14:57

关注

Checking both the IsCA flag and whether the subject == the issuer appears to work.

block, _ := pem.Decode([]byte("-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----"))
cert, _ := x509.ParseCertificate(block.Bytes)

if bytes.Compare(cert.RawIssuer, cert.RawSubject) == 0 && cert.IsCA {
    println("It's a CA")
}

本回答被题主选为最佳回答 , 对您是否有帮助呢?

报告相同问题？

关注问题

在Go中检测根x509证书
2017-05-16 14:34

回答 1 已采纳 Checking both the IsCA flag and whether the subject == the issuer appears to work. block, _ := pe
如何在Go中从x509证书公钥中获取字符串？
2019-05-10 09:09

回答 1 已采纳 NOTE: Jump to #3 if you already have the x509.Certificate object. You would need to do the foll
在Go中生成X.509证书时出错
2015-11-18 20:25

回答 2 已采纳 The crypto/tls package contains a file called generate_cert.go which shows the proper and idiomati
ROOT证书、CA证书和使用CA签发的X.509证书
2020-07-14 10:37

沐恩_的博客 ROOT证书、CA证书和使用CA签发的X.509证书简介概念使用Bouncy Castle 生成一个签名证书验证证书的签名使用来自Oracle的证书支持加载Keystore文件验证签名是否合法验证Trust Chain 结尾简介日常开发中，...
如何在Go中从http客户端获取x509证书
2019-02-28 17:01

回答 1 已采纳 The response has a TLS *tls.ConnectionState field, which in turn has: type ConnectionState struct
在Kubernetes中运行时，Firebase Admin Go SDK仅获得x509证书错误 kubernetes
2019-03-30 20:38

回答 1 已采纳 If you are using alpine based images try running apk add ca-certificates it looks like a tls error
检查X509证书是否与CertificateRequest（CSR）匹配
2019-05-08 09:59

回答 1 已采纳 If your signing request is in the DER format there's a couple of functions in the standard library
php cunstruct,crypto/x509（加密/x509）
2021-04-22 04:08

weixin_39852688的博客 import "crypto/x509"概述索引示例子目录概述软件包x509 分析 X.509 编码的密钥和证书。在 UNIX 系统上，环境变量 SSL_CERT_FILE和SSL_CERT_DIR 可分别用于覆盖 SSL 证书文件和 SSL 证书文件目录的系统默认位置。...
Golang：验证x509证书是否使用与指定公钥相对应的私钥签名
2017-03-02 15:44

回答 2 已采纳 If I properly understood what you are trying to do, then answer is simple. Your certificate inclu
由未知权限签署的x509证书-Go-pingdom docker http
2018-11-08 16:10

回答 2 已采纳 So the alpine containers are very minimal, including not having certs. You can either install the
Go语言将Modulus指数转换为X.509证书
2016-12-13 17:22

回答 1 已采纳 You can put the values directly into an rsa.PublicKey, which can be used as is. Since you want to
golang加载双向认证加密的证书key文件
2019-03-29 17:27

XR风云的博客证书的key是可以加密保存的，我们需要进行解密加载 func MyLoadX509KeyPair(certFile, keyFile, password string) (tls.Certificate, error) { certPEMByte, err := ioutil.ReadFile(certFile) if err != nil { ...
Go smtp.SendMail的X509证书问题 ssl
2014-09-22 17:29

回答 1 已采纳 Using http://www.checktls.com/, it's clear that the Zendesk TLS cert is incorrect in that it doesn
利用x509数字证书实现数据渗透
2019-10-10 10:41

TENCENTSYS的博客数据泄露可能是内部人员和黑客的主要目标。因此，你就需要思考如何发送这些数据。大多数公司对这方面的问题几乎没有什么防护措施...本文我们将讨论如何将数据嵌入到自定义SSL证书中，并通过mTLS针对一个远程侦听...
go与证书crl实践
2017-01-12 00:07

hsulei的博客 go与证书crl实践一些说明在证书中，CRL(证书注销列表)是一个很重要的东西，证书一旦发出，那么就无法收回。证书的有效性的判断就会有点麻烦。一种方法就是通过证书的有效期，但是这种方法存在问题，万一用户的私钥...
没有解决我的问题, 去提问

悬赏问题

¥15 gradio的web端页面格式不对的问题
¥15 求大家看看Nonce如何配置
¥15 Matlab怎么求解含参的二重积分？
¥15 苹果手机突然连不上wifi了？
¥15 cgictest.cgi文件无法访问
¥20 删除和修改功能无法调用
¥15 kafka topic 所有分副本数修改
¥15 小程序中fit格式等运动数据文件怎样实现可视化？（包含心率信息））
¥15 如何利用mmdetection3d中的get_flops.py文件计算fcos3d方法的flops？
¥40 串口调试助手打开串口后,keil5的代码就停止了

码龄粉丝数原力等级 --

在Go中检测根x509证书

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

在Go中检测根x509证书

1条回答 默认 最新

悬赏问题

1条回答默认最新