首頁(yè) 猿問在 go 中比較客戶端證書

在 go 中比較客戶端證書

Go

慕田峪7331174 2023-07-17 16:28:46

我的用例看起來像我知道客戶的公共證書并且只想允許它們。我有一個(gè)基于 gin 的 go 服務(wù)器和一個(gè) TLS 配置，其中我為屬性“VerifyPeerCertificate”分配了一個(gè)方法。該函數(shù)看起來像func customVerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {if len(verifiedChains) < 1 { return errors.New("Verified certificate chains is empty.")}if len(verifiedChains[0]) < 1 { return errors.New("No certificates in certificate chains.")}if len(verifiedChains[0][0].Subject.CommonName) < 1 { return errors.New("Common name can not be empty.")}fmt.Println(verifiedChains[0][0].Raw)publicKeyDer, _ := x509.MarshalPKIXPublicKey(verifiedChains[0][0].PublicKey)publicKeyBlock := pem.Block{ Type: "CERTIFICATE", Bytes: publicKeyDer,}publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))}然而，問題是變量“publicKeyPem”中的字符串看起來不像我用來向服務(wù)器發(fā)送請(qǐng)求的客戶端公共證書，它的長(zhǎng)度也較短。

查看完整描述

2 回答

繁花不似錦

TA貢獻(xiàn)1851條經(jīng)驗(yàn) 獲得超4個(gè)贊

證書不僅僅是它的公鑰。整個(gè)x509.Certificate對(duì)象代表了客戶端提交的證書，公鑰字段只是公鑰的實(shí)際值。

如果您想比較證書的嚴(yán)格相等性，您應(yīng)該使用rawCerts [][]byte傳遞給回調(diào)的參數(shù)。這在tls.Config注釋中提到VerifyPeerCertificate：

VerifyPeerCertificate,?if?not?nil,?is?called?after?normal
????certificate?verification?by?either?a?TLS?client?or?server.?It
????receives?the?raw?ASN.1?certificates?provided?by?the?peer?and?also
????any?verified?chains?that?normal?processing?found.?If?it?returns?a
????non-nil?error,?the?handshake?is?aborted?and?that?error?results.

反對(duì) 回復(fù) 2023-07-17