go - 如何在 Golang 中测试 https 服务器我的客户端是否有证书

Question

有没有一种简单的方法可以确定我从 http.Client 与之通信的服务器是否接受并验证了我在 mTLS 中的客户端证书？

在我的代码中，我想知道远程服务器是否接受了我在执行 http.Client.Get 调用时为客户端传输的客户端证书。

http.Response 结构有一个包含 ConnectionState 的 TLS 字段，但是当我没有在传输中提供客户端证书时也会设置它。我确实看到，当我使用客户端证书执行 Get 时，我在 VerifiedChains 中获得了更多元素，而不是没有客户端证书。

Answer 1

感谢所有的建议和意见。我将对这些进行评论并分享我想出的解决方案，以获取我所寻求的信息。

我正在测试服务器，需要查看服务器是否要求提供客户端证书以及它向客户端提供哪些 CA 以进行签名。我想要一份类似于此命令生成的报告：

openssl s_client -state -connect example.org:443

问题是我们的服务器只为特定路径提供客户端证书，而不是单独为服务器名称提供客户端证书。

我想出的代码如下所示：

...
// Client wraps http.Client and has a callback for flagging a certificate request.
type client struct {
    http.Client
    clientAutenticated bool
}

// SetClientAuthenticated 
func (c *client) SetClientAutenticated(auth bool) {
    c.clientAutenticated = auth
}

...
// This prepares a tls config with customized GetClientCertificate

func prepareTLSConfig(setAuth func(bool)) *tls.Config {
    certPool := x509.NewCertPool()
    err := loadCertFiles(certPool, config.cacerts)
    if err != nil {
        log.Fatalf("%s", err)
    }
    cert, err := tls.LoadX509KeyPair(config.cert, config.key)
    if err != nil {
        log.Fatalf("error loading key pair: %s", err)
    }

    tlsConfig := &tls.Config{
        // Certificates:  []tls.Certificate{cert},
        RootCAs:              certPool,
        MinVersion:           config.tlsver,
        Renegotiation:        tls.RenegotiateOnceAsClient,
        GetClientCertificate: buildGetClientCertificate([]tls.Certificate{cert}, setAuth),
    }
    return tlsConfig
}

// buildGetClientCertificate returns a closure that returns an verified client cert
// or an error
func buildGetClientCertificate(certs []tls.Certificate, setAuth func(bool)) 
    func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
    // return as closure
    return func(requestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
        logCertificates(requestInfo.AcceptableCAs)
        setAuth(false)
        log.Printf("Client cert requested by server")
        var err error
        for _, c := range certs {
            if err = requestInfo.SupportsCertificate(&c); err == nil {
                var cert *x509.Certificate
                if c.Leaf != nil {
                    cert = c.Leaf
                } else {
                    cert, _ = x509.ParseCertificate(c.Certificate[0])
                }
                subject := cert.Subject
                issuer := cert.Issuer
                log.Printf("Client cert accepted")
                log.Printf("   s:/C=%v/ST=%v/L=%v/O=%v/OU=%v/CN=%s", subject.Country, 
                    subject.Province, subject.Locality, subject.Organization, 
                    subject.OrganizationalUnit, subject.CommonName)
                log.Printf("   i:/C=%v/ST=%v/L=%v/O=%v/OU=%v/CN=%s", issuer.Country,
                    issuer.Province, issuer.Locality, issuer.Organization, 
                    issuer.OrganizationalUnit, issuer.CommonName)
                // Signal that a suitable CA has been found and therefore 
                // the client has been authenticated.
                setAuth(true)
                return &c, nil
            }
            err = fmt.Errorf("cert not supported: %w", err)
        }
        log.Print("Could not find suitable client cert for authentication")
        return nil, err
    }
}

...
// logCertificates logs the acceptableCAs for client certification
func logCertificates(acceptableCAs [][]byte) {
    log.Printf("CA Names offered by server")
    for _, ca := range acceptableCAs {
        var name pkix.RDNSequence
        if _, err := asn1.Unmarshal(ca, &name); err == nil {
            log.Printf("   %s", name.String()           )
        }else {
            log.Printf("error unmarshalling name: %s", err)
        }
    }
}