Extract Subject Key Identifier with golang


Question


I am trying to use golang crypto/tls library to extract SubjectKeyIdentifiers for all the Certificates in a Chain that a server returns.

package main

import (
	"crypto/tls"
	"fmt"
)

func main() {
	// InsecureSkipVerify only so the chain can be inspected; tls.Dial still
	// sends the host part of the address ("mail.google.com") as SNI.
	conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{
		InsecureSkipVerify: true,
	})
	if err != nil {
		panic("failed to connect: " + err.Error())
	}
	defer conn.Close()
	// ConnectionState returns no error, so there is nothing to check here.
	state := conn.ConnectionState()
	for _, cert := range state.PeerCertificates {
		fmt.Printf("%s\n", cert.Subject.CommonName)
		fmt.Printf("%X\n", cert.SubjectKeyId)
	}
}

As per the docs, SubjectKeyId should already have been populated with the ASN.1-parsed data.
The problem is that I get
4E16C14EFCD46B0A09F8090F1C00278C6F992C65

while the real one is

30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47

What am I doing wrong here?

Answer 1

Score: 2


The problem was that I did not specify the SNI when checking with openssl.
The conclusion is: always set SNI in the ClientHello.

$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -servername mail.google.com -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key'
            X509v3 Subject Key Identifier: 
                4E:16:C1:4E:FC:D4:6B:0A:09:F8:09:0F:1C:00:27:8C:6F:99:2C:65
$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key' 
           X509v3 Subject Key Identifier: 
                30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47
$
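The two points of this thread, that crypto/x509 hands you the SubjectKeyId already decoded (so the only difference from the openssl output is the colon formatting) and that the certificate you get depends on the SNI you send, can be checked offline. The following program is an added example, not code from the question or answer above: it builds a constructed self-signed certificate (the host name "example.test" is made up), formats its SubjectKeyId the way openssl prints it, and recomputes the identifier from the public key with RFC 5280 method (1) to confirm the extension matches the key. inspectChain is the online counterpart of the question's program; its ServerName field is the SNI value, and tls.Dial derives it from the address when it is left empty, which is why the Go program and the openssl run with -servername agreed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// formatKeyID renders a key identifier the way "openssl x509 -text" prints it:
// upper-case hex bytes separated by colons, e.g. 4E:16:C1:...
func formatKeyID(id []byte) string {
	parts := make([]string, len(id))
	for i, b := range id {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// keyIDFromPublicKey derives the RFC 5280 section 4.2.1.2 method (1) identifier:
// SHA-1 over the subjectPublicKey BIT STRING of the SubjectPublicKeyInfo
// (tag, length and unused-bits byte excluded).
func keyIDFromPublicKey(pub any) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:], nil
}

// keyIDMatchesPublicKey reports whether the parsed SubjectKeyId equals the
// method (1) hash of the certificate's own key. RFC 5280 permits other
// methods, so a mismatch is a prompt to look closer, not proof of a problem.
func keyIDMatchesPublicKey(cert *x509.Certificate) (bool, error) {
	want, err := keyIDFromPublicKey(cert.PublicKey)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.SubjectKeyId, want), nil
}

// chainKeyIDs lists "CN: SKI" per certificate, leaf first, the same order
// tls.ConnectionState().PeerCertificates uses.
func chainKeyIDs(chain []*x509.Certificate) []string {
	out := make([]string, 0, len(chain))
	for _, c := range chain {
		out = append(out, c.Subject.CommonName+": "+formatKeyID(c.SubjectKeyId))
	}
	return out
}

// inspectChain connects with an explicit SNI value and returns the chain's
// key identifiers. Leaving ServerName empty makes tls.Dial use the host part
// of addr, so the explicit field only matters when the two differ.
func inspectChain(addr, serverName string) ([]string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return chainKeyIDs(conn.ConnectionState().PeerCertificates), nil
}

// newSelfSignedCert builds a constructed self-signed test certificate whose
// SKI is set from its own key, so the example runs without network access.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ski, err := keyIDFromPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // populates SubjectKeyId from the extension
}

func main() {
	cert, err := newSelfSignedCert("example.test") // constructed, not a real host
	if err != nil {
		panic(err)
	}
	for _, line := range chainKeyIDs([]*x509.Certificate{cert}) {
		fmt.Println(line)
	}
	ok, err := keyIDMatchesPublicKey(cert)
	fmt.Println("SKI is SHA-1 of subjectPublicKey:", ok, err)
}
```

To compare against a live server, call inspectChain("mail.google.com:443", "mail.google.com") and then the same address with a different or empty ServerName; the difference in the leaf's identifier is the SNI effect the answer describes. The online function keeps normal certificate verification, since ServerName also drives the host name check.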

huangapple
  • Posted on 2017-09-13 01:14:26
  • Please keep this link when reposting: https://go.coder-hub.com/46182134.html