Get the root CA certificate of a connection

Pro*_*Cpp 1 ssl go

I am connecting to a url.

client.Get(url)

Can I get the root certificate that was used to verify the server certificate?

I looked at the crypto/tls package

PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates

ConnectionState does not seem to have the certificate from the trust store.

Thanks

Sev*_*eva 5

As the comments in the code indicate, PeerCertificates contains only the certificates returned by the server. VerifiedChains should contain the chain up to the trusted certificate from the local certificate store (assuming verification passed).

For example, here is a simple sample code snippet:

package main

import (
    "fmt"
    "net/http"
)

func main() {
    client := &http.Client{}

    resp, err := client.Get("https://www.microsoft.com")
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    // resp.TLS is only set for HTTPS responses; PeerCertificates is what the server sent.
    for _, cert := range resp.TLS.PeerCertificates {
        fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"\n", cert.Subject.CommonName, cert.Issuer.CommonName)
    }
    // VerifiedChains is what the client built from PeerCertificates plus the local trust store.
    for i, chain := range resp.TLS.VerifiedChains {
        for _, cert := range chain {
            fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"\n", i, cert.Subject.CommonName, cert.Issuer.CommonName)
        }
    }
}

It prints the following output:

Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"

Now, note that the Microsoft certificate is signed by Symantec, and the Microsoft server returns two certificates: its own certificate and the Symantec certificate used to sign it. You can see both certificates listed in the peer certificates and in the verified chain. But the Symantec certificate is not normally in the trust store; it is signed by the VeriSign certificate, which is a root certificate found in my computer's trust store. The verified chain contains this trusted certificate.
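The answer above shows the behaviour against a live server, where the trust store and the certificates are outside your control. The following is an added example (not code from the question or the answer, and not part of crypto/tls itself) that reproduces the same chain building offline: it mints a constructed three-tier hierarchy (the names "Constructed Root CA", "Constructed Intermediate CA" and "www.example.test" are invented for the example) and then calls x509.Certificate.Verify the way crypto/tls does when it fills ConnectionState.VerifiedChains: intermediates only from what the peer sent, the root only from the local pool. SentByPeer makes the answer's point checkable: the last element of the verified chain is never one of the certificates the server presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn (a constructed name) signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture setup; nothing sensible to recover
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// PKI is a constructed root -> intermediate -> leaf hierarchy (the VeriSign -> Symantec -> microsoft.com roles above).
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func BuildPKI() *PKI {
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("www.example.test", 3, false, inter, interKey)
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPeer builds chains the way crypto/tls fills ConnectionState.VerifiedChains:
// peer is what the server presented (leaf first, must be non-empty), roots is the
// local trust store. Intermediates come only from peer, the anchor only from roots.
func VerifyPeer(peer []*x509.Certificate, roots *x509.CertPool, serverName string) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: x509.NewCertPool(),
		DNSName:       serverName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, c := range peer[1:] {
		opts.Intermediates.AddCert(c)
	}
	return peer[0].Verify(opts)
}

// SentByPeer reports whether cert is byte-for-byte one of the certificates the server sent.
func SentByPeer(peer []*x509.Certificate, cert *x509.Certificate) bool {
	for _, p := range peer {
		if p.Equal(cert) {
			return true
		}
	}
	return false
}

func main() {
	pki := BuildPKI()
	roots := x509.NewCertPool()
	roots.AddCert(pki.Root) // the trust store holds only the root
	peer := []*x509.Certificate{pki.Leaf, pki.Intermediate} // what the server sends
	chains, err := VerifyPeer(peer, roots, "www.example.test")
	if err != nil {
		panic(err)
	}
	for _, c := range chains[0] {
		fmt.Printf("Verified Chain 0 Certificate %q, ISSUED BY %q, sent by peer: %v\n", c.Subject.CommonName, c.Issuer.CommonName, SentByPeer(peer, c))
	}
}
```

Two caveats when reading this back into the real client: resp.TLS is nil for a plain-HTTP response, and VerifiedChains is nil when the client's tls.Config has InsecureSkipVerify set (nothing was verified, so there is no chain and no trust anchor to read). When both are present, the trust anchor is VerifiedChains[i][len(VerifiedChains[i])-1], which is the certificate the question was asking for; a server that also ships its root in the handshake will show it in PeerCertificates too, but the chain still ends at the copy from the pool, which is what Verify returned.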