Extract Subject Key Identifier with golang
Question
I am trying to use golang crypto/tls library to extract SubjectKeyIdentifiers for all the Certificates in a Chain that a server returns.
	package main

	import (
		"crypto/tls"
		"fmt"
	)

	func main() {
		// tls.Dial derives ServerName from the address, so this ClientHello carries SNI.
		conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{
			InsecureSkipVerify: true, // no chain validation: this program only inspects what the server presents
		})
		if err != nil {
			panic("failed to connect: " + err.Error())
		}
		defer conn.Close()
		// ConnectionState returns no error. The presented chain is in PeerCertificates,
		// leaf first, already parsed; SubjectKeyId is taken from the X.509 extension.
		state := conn.ConnectionState()
		for _, cert := range state.PeerCertificates {
			fmt.Printf("%s\n", cert.Subject.CommonName)
			fmt.Printf("%X\n", cert.SubjectKeyId)
		}
	}
As per the docs SubjectKeyId should have already been populated with ASN1 parsed data.
The problem is that I get
4E16C14EFCD46B0A09F8090F1C00278C6F992C65
while the real one is
30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47
What am I doing wrong here?
Answer 1
Score: 2
The problem was that I did not specify the SNI when checking with openssl.
The conclusion is: always set SNI in the ClientHello.
$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -servername mail.google.com -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key'
X509v3 Subject Key Identifier:
4E:16:C1:4E:FC:D4:6B:0A:09:F8:09:0F:1C:00:27:8C:6F:99:2C:65
$ echo q |openssl s_client -showcerts -connect mail.google.com:443 -showcerts 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -text -noout | grep -P -A1 'Subject Key'
X509v3 Subject Key Identifier:
30:A1:48:01:DB:2B:C3:EE:D3:84:54:4B:66:AF:0C:4C:66:F7:69:47
$
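Added example, not code from the question or the answer above: an offline reproduction of the effect the answer describes, using only Go's crypto/tls. A loopback server holds two self-signed certificates with different Subject Key Identifiers; a handshake that sends no SNI is given the first one, a handshake that sets ServerName is given the second, which is exactly why the Go program (tls.Dial sends SNI) and openssl without -servername reported different SKIDs. The host names default.example.test and mail.example.test and the function names are constructed for this demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// selfSigned: throwaway CA cert for host; SubjectKeyId is left empty so x509.CreateCertificate derives it (Go 1.15+).
func selfSigned(host string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// leafSKID: one loopback handshake against srvCfg, returning the leaf's SubjectKeyId. serverName "" plus an IP target makes Go omit SNI entirely.
func leafSKID(srvCfg *tls.Config, serverName string) ([]byte, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // one-shot server: finish the handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, InsecureSkipVerify: true}) // skip verify: demo certs are self-signed
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].SubjectKeyId, nil
}
func main() { // Go's server picks the first cert compatible with the ClientHello (Go 1.14+)
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSigned("default.example.test"), selfSigned("mail.example.test")}}
	for _, sni := range []string{"", "mail.example.test"} {
		skid, err := leafSKID(cfg, sni)
		fmt.Printf("SNI=%q -> %X (err=%v)\n", sni, skid, err)
	}
}
```

The same selection happens on a real server that hosts several certificates, so any tool used to cross-check a SubjectKeyId must send the same SNI the program under test sends.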