如上代码注释说PeerCertificates仅包含由服务器返回的证书。 VerifiedChains应该包含到本地证书存储中的可信证书链(假设验证通过)。
E.g.这里是一个简单的示例代码段:
client := &http.Client{}
resp, err := client.Get("https://www.microsoft.com")
if err != nil {
panic(err)
}
for _, cert := range resp.TLS.PeerCertificates {
fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"\n", cert.Subject.CommonName, cert.Issuer.CommonName)
}
for i, chain := range resp.TLS.VerifiedChains {
for _, cert := range chain {
fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"\n", i, cert.Subject.CommonName, cert.Issuer.CommonName)
}
}
而且它打印输出如下:
Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
现在,请注意,Microsoft证书是由赛门铁克签署和Microsoft服务器返回两个证书 - 它自己和赛门铁克证书用于签署它。您可以看到同时在对等证书和已验证链中列出的两个证书。但是,赛门铁克的证书通常不存在于信任存储中,但它是由VeriSign证书签署的,该证书是在我的计算机信任存储中找到的根证书。并且已验证链包含此可信证书。