我正在尝试使用golang crypto / tls库为服务器返回的链中的所有证书提取SubjectKeyIdentifier。
package main
import (
"crypto/tls"
"fmt"
)
func main() {
conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{
InsecureSkipVerify: true,
})
if err != nil {
panic("failed to connect: " + err.Error())
}
state := conn.ConnectionState()
if err != nil {
panic("failed to get ConnState: " + err.Error())
}
for _, cert := range state.PeerCertificates {
fmt.Printf("%s\n", cert.Subject.CommonName)
fmt.Printf("%X\n", cert.SubjectKeyId)
}
conn.Close()
}
根据文档,SubjectKeyId应该已经填充了ASN1解析数据。 问题是我得到了 4E16C14EFCD46B0A09F8090F1C00278C6F992C65
而真正的
30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47
我在这里做错了什么?
答案 0 :(得分:1)
问题是我在使用openssl检查时没有指定SNI。 结论是:始终在ClientHello中设置SNI
$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -servername mail.google.com -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key'
X509v3 Subject Key Identifier:
4E:16:C1:4E:FC:D4:6B:0A:09:F8:09:0F:1C:00:27:8C:6F:99:2C:65
$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key'
X509v3 Subject Key Identifier:
30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47
$