2017-11-18 181 views
0

I am connecting to a URL over https and want to obtain the root CA certificate of the connection:

client.Get(url)

Can I get the root certificate that was used to verify the server certificate?

I looked at ConnectionState in crypto/tls:

PeerCertificates   []*x509.Certificate // certificate chain presented by remote peer
VerifiedChains    [][]*x509.Certificate // verified chains built from PeerCertificates

It does not seem to hold the trust-store certificate.

Thanks

Answer

3

As the code comments above say, PeerCertificates only contains the certificates returned by the server. VerifiedChains should contain the chain up to the trusted certificate in the local certificate store (assuming verification succeeded).

E.g. here is a simple sample snippet:

package main

import (
	"fmt"
	"net/http"
)

func main() {
	client := &http.Client{}

	resp, err := client.Get("https://www.microsoft.com")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	// PeerCertificates: exactly what the server sent, in the order it sent them.
	for _, cert := range resp.TLS.PeerCertificates {
		fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"\n", cert.Subject.CommonName, cert.Issuer.CommonName)
	}
	// VerifiedChains: the chains built during verification, each ending at a trust-store root.
	for i, chain := range resp.TLS.VerifiedChains {
		for _, cert := range chain {
			fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"\n", i, cert.Subject.CommonName, cert.Issuer.CommonName)
		}
	}
}

And it prints the following:

Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4" 
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4" 
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5" 

Now, note that the Microsoft certificate is signed by Symantec, and the Microsoft server returns two certificates: its own and the Symantec certificate used to sign it. You can see both certificates listed in both the peer certificates and the verified chain. However, the Symantec certificate is usually not present in the trust store; it is in turn signed by the VeriSign certificate, which is a root certificate found in my machine's trust store. And the verified chain contains this trusted certificate.