dongyou2305
2015-12-10 01:32
Accepted

How do I convert an x509.Certificate to a tls.Certificate in Go?

I'm using x/crypto/pkcs12 to load a DER formatted *.p12 file. There is an example in the documentation that uses tls.X509KeyPair to make a tls.Certificate which can be used for an HTTP client.

That's perfect, and works fine. But then I also want to verify that the certificate hasn't expired. The pkcs12 library also has a Decode function which returns an x509 certificate, that I can then use the Verify method on. This also works fine.

It just seems odd to me that I'm decoding the DER twice. Once for an x509.Certificate to verify, and again to get a tls.Certificate. I don't know the relationship between these two Certificate structures, but seeing as the tls package has a function named tls.X509KeyPair that takes some bytes, shouldn't there also be an obvious way to get a tls.Certificate from an x509.Certificate or vice versa? What am I missing?


1 answer

  • doubleyou1001 2015-12-10 05:07
    Accepted

    A tls.Certificate often stores a certificate chain - in other words, > 1 certificate. Notice its Certificate field is of type [][]byte, where each certificate is a []byte.

    The tls package imports the x509 package, so there isn't a function in x509 to get a tls.Certificate; that would cause an import cycle. But if you have an x509.Certificate, you already have a tls.Certificate; just put the x509.Certificate's Raw bytes into a tls.Certificate's Certificate slice.

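The approach from the answer above, as an added Go example that is not part of the original post: an already-parsed `x509.Certificate` is checked against its validity window and then wrapped into a `tls.Certificate` without decoding the DER a second time. `toTLSCertificate` and `selfSigned` are hypothetical helper names, the self-signed certificate is constructed test input standing in for what `pkcs12.Decode` returns, and the expiry check compares `NotBefore`/`NotAfter` directly instead of calling `Verify`.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toTLSCertificate wraps an already-parsed leaf and its key without decoding
// the DER again, refusing a leaf that is outside its validity window at now.
// The leaf goes first in the chain; intermediates' Raw bytes would follow it.
func toTLSCertificate(leaf *x509.Certificate, key crypto.PrivateKey, now time.Time) (tls.Certificate, error) {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return tls.Certificate{}, fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// selfSigned builds a constructed certificate and key, standing in for the
// values pkcs12.Decode returns in the question.
func selfSigned(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, key, err
}

func main() {
	now := time.Now()
	leaf, key, err := selfSigned(now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	cert, err := toTLSCertificate(leaf, key, now)
	fmt.Println(len(cert.Certificate), err)
}
```

Setting the `Leaf` field lets `crypto/tls` reuse the parsed certificate instead of parsing the first chain entry again during the handshake.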
