2017-11-18 150 views
0

I am connecting to a URL over https and want to get the root CA certificate of the connection

client.Get(url) 

Can I get the root certificate that was used to verify the server certificate?

I looked at crypto/tls

PeerCertificates   []*x509.Certificate // certificate chain presented by remote peer 
VerifiedChains    [][]*x509.Certificate // verified chains built from PeerCertificates 

but ConnectionState does not seem to hold the trust store certificate.

Thanks

Answer

3

As the code comments above say, PeerCertificates contains only the certificates returned by the server. VerifiedChains should contain the chain up to the trusted certificate in the local certificate store (assuming verification passes).

E.g. here is a simple sample snippet:

package main

import (
    "fmt"
    "net/http"
)

func main() {
    client := &http.Client{}

    resp, err := client.Get("https://www.microsoft.com")
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    // Certificates the server actually sent in the handshake.
    for _, cert := range resp.TLS.PeerCertificates {
        fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"\n", cert.Subject.CommonName, cert.Issuer.CommonName)
    }
    // Chains built from those certificates up to a root in the local trust store.
    for i, chain := range resp.TLS.VerifiedChains {
        for _, cert := range chain {
            fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"\n", i, cert.Subject.CommonName, cert.Issuer.CommonName)
        }
    }
}

And it prints output like the following:

Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4" 
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4" 
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 

Now, note that the Microsoft certificate is signed by Symantec, and the Microsoft server returns two certificates: its own and the Symantec certificate used to sign it. You can see both certificates listed in both the peer certificates and the verified chain. However, the Symantec certificate is usually not present in the trust store, but it is signed by the VeriSign certificate, which is a root certificate found in my computer's trust store. And the verified chain contains this trusted certificate.