获取连接的根CA证书
问题描述:
我正在通过https连接到url
。获取连接的根CA证书
client.Get(url)
我可以得到用于验证服务器证书的根证书吗?
我看着crypto/tls
包
PeerCertificates []*x509.Certificate // certificate chain presented by remote peer
VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates
的ConnectionState似乎不具有信任存储证书。
感谢
答
如上代码注释说PeerCertificates仅包含由服务器返回的证书。 VerifiedChains应该包含到本地证书存储中的可信证书链(假设验证通过)。
E.g.这里是一个简单的示例代码段:
client := &http.Client{}
resp, err := client.Get("https://www.microsoft.com")
if err != nil {
panic(err)
}
for _, cert := range resp.TLS.PeerCertificates {
fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"\n", cert.Subject.CommonName, cert.Issuer.CommonName)
}
for i, chain := range resp.TLS.VerifiedChains {
for _, cert := range chain {
fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"\n", i, cert.Subject.CommonName, cert.Issuer.CommonName)
}
}
而且它打印输出如下:
Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
现在,请注意,Microsoft证书是由赛门铁克签署和Microsoft服务器返回两个证书 - 它自己和赛门铁克证书用于签署它。您可以看到同时在对等证书和已验证链中列出的两个证书。但是,赛门铁克的证书通常不存在于信任存储中,但它是由VeriSign证书签署的,该证书是在我的计算机信任存储中找到的根证书。并且已验证链包含此可信证书。