Comparing client certificates in Go
My use case is that I know the clients' public certificates and only want to allow those. I have a gin-based Go server and a TLS config in which I assign a method to the property "VerifyPeerCertificate". The function looks like
import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

func customVerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) < 1 {
		return errors.New("Verified certificate chains is empty.")
	}
	if len(verifiedChains[0]) < 1 {
		return errors.New("No certificates in certificate chains.")
	}
	if len(verifiedChains[0][0].Subject.CommonName) < 1 {
		return errors.New("Common name can not be empty.")
	}
	fmt.Println(verifiedChains[0][0].Raw)
	// This marshals only the SubjectPublicKeyInfo of the leaf, not the whole certificate
	publicKeyDer, err := x509.MarshalPKIXPublicKey(verifiedChains[0][0].PublicKey)
	if err != nil {
		return err
	}
	publicKeyBlock := pem.Block{
		Type:  "CERTIFICATE",
		Bytes: publicKeyDer,
	}
	publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
	_ = publicKeyPem // meant to be compared against the known client certificate
	return nil
}
However, the problem is that the string in the variable "publicKeyPem" does not look like the client public certificate I use to send requests to the server, and it is also shorter.

A certificate is larger than just its public key. The whole object represents the certificate the client presented; the PublicKey field is only the actual value of the public key. If you want to compare certificates for strict equality, you should use the
rawCerts [][]byte
parameter passed to the callback function. This is mentioned in the comment on VerifyPeerCertificate:
VerifyPeerCertificate, if not nil, is called after normal
certificate verification by either a TLS client or server. It
receives the raw ASN.1 certificates provided by the peer and also
any verified chains that normal processing found. If it returns a
non-nil error, the handshake is aborted and that error results.
Thanks to Mark, I found out that I was using the wrong variable. To convert the certificate into the string the client uses, use the following code
publicKeyBlock := pem.Block{
	Type:  "CERTIFICATE",
	Bytes: rawCerts[0],
}
publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
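Putting Mark's point into practice, the following is an added example (not code from the question or either answer) of a VerifyPeerCertificate that allowlists clients by the SHA-256 fingerprint of the raw DER certificate in rawCerts[0], rather than by its public key; CertAllowlist, Fingerprint and NewSelfSignedDER are names chosen here, and the certificates it generates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// CertAllowlist holds hex SHA-256 fingerprints of the permitted client
// certificates, computed over their DER bytes, i.e. exactly rawCerts[i].
type CertAllowlist map[string]bool

// Fingerprint hashes a DER-encoded certificate (same input as rawCerts[0]).
func Fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// VerifyPeerCertificate is meant for tls.Config.VerifyPeerCertificate. It pins
// the whole leaf certificate the client sent (rawCerts[0]), not just its public
// key. verifiedChains is ignored: an exact-certificate allowlist needs no CA chain.
func (a CertAllowlist) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("client presented no certificate")
	}
	if !a[Fingerprint(rawCerts[0])] {
		return fmt.Errorf("client certificate %s is not on the allowlist", Fingerprint(rawCerts[0]))
	}
	return nil
}

// NewSelfSignedDER makes a throwaway self-signed certificate (constructed test data).
func NewSelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	known, _ := NewSelfSignedDER("known-client")
	stranger, _ := NewSelfSignedDER("stranger")
	allow := CertAllowlist{Fingerprint(known): true}
	fmt.Println(allow.VerifyPeerCertificate([][]byte{known}, nil))    // <nil>
	fmt.Println(allow.VerifyPeerCertificate([][]byte{stranger}, nil)) // ... is not on the allowlist
}
```

Assign allow.VerifyPeerCertificate to tls.Config.VerifyPeerCertificate together with ClientAuth set to tls.RequireAnyClientCert; in that mode the standard library performs no CA verification, so verifiedChains arrives as nil, which is why the function only reads rawCerts.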