doujia2090 2017-11-18 05:22
浏览 260
已采纳

获取连接的根CA证书

I am making a https connection to a url.

client.Get(url)

Can i get the root certificate that was used to verify the server certificate.

I looked at the crypto/tls package

PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates

The ConnectionState doesnt seem to have certificate from the trust store.

Thanks

  • 写回答

1条回答 默认 最新

  • douqi1625 2017-11-19 01:47
    关注

    As the comment in the code says PeerCertificates only includes certificates returned by the server. VerifiedChains should contain the chain up to a trusted certificate in your local certificate store (assuming that verification passed ok).

    E.g. here is a simple sample code snippet:

    client := &http.Client{}
    
    resp, err := client.Get("https://www.microsoft.com")
    if err != nil {
        panic(err)
    }
    
    for _, cert := range resp.TLS.PeerCertificates {
        fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"
    ", cert.Subject.CommonName, cert.Issuer.CommonName)
    }
    for i, chain := range resp.TLS.VerifiedChains {
        for _, cert := range chain {
            fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"
    ", i, cert.Subject.CommonName, cert.Issuer.CommonName)
        }
    }
    

    And it prints following output:

    Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
    Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
    Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
    Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
    Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
    

    Now, note that microsoft certificate is signed by Symantec and microsoft server returns both certificates - its own and Symantec certificate used to sign it. You can see both certificates listed in both Peer certificates and Verified chain. But Symantec's certificate isn't commonly present in trust store, but it is signed by VeriSign certificate which is a root certificate that was found in my computer's trust store. And Verified Chain includes this trusted certificate.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 帮我写一段可以读取LD2450数据并计算距离的Arduino代码
  • ¥15 C#调用python代码(python带有库)
  • ¥15 矩阵加法的规则是两个矩阵中对应位置的数的绝对值进行加和
  • ¥15 活动选择题。最多可以参加几个项目?
  • ¥15 飞机曲面部件如机翼,壁板等具体的孔位模型
  • ¥15 vs2019中数据导出问题
  • ¥20 云服务Linux系统TCP-MSS值修改?
  • ¥20 关于#单片机#的问题:项目:使用模拟iic与ov2640通讯环境:F407问题:读取的ID号总是0xff,自己调了调发现在读从机数据时,SDA线上并未有信号变化(语言-c语言)
  • ¥20 怎么在stm32门禁成品上增加查询记录功能
  • ¥15 Source insight编写代码后使用CCS5.2版本import之后,代码跳到注释行里面