Check fingerprints of server SSL/TLS certificates in http.NewRequest

How can I check the fingerprints of the server SSL/TLS certificates during a http request in golang?

This ruby code shows what I want to do in Go:

  @verify_callback = proc do |preverify_ok, store_context|
if preverify_ok and store_context.error == 0
certificate = OpenSSL::X509::Certificate.new(store_context.chain[0])
fingerprint = Digest::SHA1.hexdigest(certificate.to_der).upcase.scan(/../).join(":")
$valid_fingerprints.include?(fingerprint)
else
false
end
end

In general the process of generating a certificate fingerprint in Go is pretty simple. If you already have an x509.Certificate struct, stored in cert, all you need to do is

sha1Fingerprint := sha1.Sum(cert.Raw)

Getting certificates from an HTTP response struct after the request is complete is also pretty easy (use resp.TLS.PeerCertificates), but it doesn't seem like that's what you need.

If you need access to the server's certificate at TLS connection set up time, I think you'll need to create your own http.Transport and hand it a custom implementation of DialTLS. You'd then use that transport when configuring an http.Client to make your outbound requests.

Within your custom DialTLS func you'd have access to connection state information like the server's certificate chain, and you could perform the SHA1 fingerprint generation from there.

You probably shouldn't implement certificate checking yourself, but let the net/http do the checking based on the valid CAs you provide. Also, usually working directly with fingerprints isn't worth the trouble.

For example, this is how you set up a HTTPS server that requires clients to authenticate by using a certificate. The client certificate must be signed by the CA, or the SSL/TLS handshake stops.

    // Server's own certificate & key
cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
if err != nil {
panic(err)
}
// Load the CA certificate(s)
capool := x509.NewCertPool()
cacert, err := ioutil.ReadFile("ca.crt")
if err != nil {
panic(err)
}
capool.AppendCertsFromPEM(cacert)
// Server configuration
config := tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: capool, ClientAuth: tls.RequireAndVerifyClientCert}
config.NextProtos = []string{"http/1.1"}
config.Rand = rand.Reader // Strictly not necessary, should be default
// TLS web server
myTLSWebServer := &http.Server{Addr: "myaddress", TLSConfig: &config, Handler: nil}
// .. proceed with setting handlers etc
http.HandleFunc("/", myHandler)
// Bind to port and start the server up
conn, err := net.Listen("tcp", settings.ServiceAddress)
if err != nil {
panic(err)
}
tlsListener := tls.NewListener(conn, &config)
myTLSWebServer.Serve(tlsListener)

Reading the documentation for tls.Config will show you that by changing the parameters (ClientAuth, ClientCAs, Certificates, RootCAs) you can easily select different modes for checking the certificates. You usually get failures returned in error.

If you really insist on checking fingerprints, you can retrieve the TLS status from Request TLS *tls.ConnectionState. I think you should probably use the Signature from that struct for fingerprinting.. Off the top of my head, something roughly along the lines of

func lol(r *http.Request) {
tls := r.TLS
if tls != nil {
// Try the first one for simplicity
cert := tls.PeerCertificates[0]
signature := cert.Signature
// Do something with the signature
}
}

should do the trick.