如何在Golang中测试https服务器我的客户端证书

Question

是否有一种简单的方法可以确定我通过 http.Client 与之通信的服务器是否接受并验证了我在 mTLS 中的客户端证书？

在我的代码中，我想知道远程服务器是否接受了我在执行 http.Client.Get 调用时为客户端放入传输中的客户端证书。

http.Response 结构有一个包含 ConnectionState 的 TLS 字段，但是当我没有在传输中提供客户端证书时也会设置此字段。我确实看到，当我使用客户端证书执行 Get 时，我在 VerifiedChains 中获得了比没有客户端证书时更多的元素。

Answer 1

感谢所有建议和 cmets。我将对这些进行评论并分享我想出的解决方案以获得我所寻求的信息。

我正在测试服务器，需要查看服务器是否要求提供客户端证书以及它向客户端提供哪些 CA 以进行签名。我想要一份类似于此命令生成的报告：

openssl s_client -state -connect example.org:443

问题是我们的服务器只为特定路径提供客户端证书，而不是单独为服务器名称提供。

我想出的代码是这样的：

...
// Client wraps http.Client and has a callback for flagging a certificate request.
type client struct {
    http.Client
    clientAutenticated bool
}

// SetClientAuthenticated 
func (c *client) SetClientAutenticated(auth bool) {
    c.clientAutenticated = auth
}

...
// This prepares a tls config with customized GetClientCertificate

func prepareTLSConfig(setAuth func(bool)) *tls.Config {
    certPool := x509.NewCertPool()
    err := loadCertFiles(certPool, config.cacerts)
    if err != nil {
        log.Fatalf("%s", err)
    }
    cert, err := tls.LoadX509KeyPair(config.cert, config.key)
    if err != nil {
        log.Fatalf("error loading key pair: %s", err)
    }

    tlsConfig := &tls.Config{
        // Certificates:  []tls.Certificate{cert},
        RootCAs:              certPool,
        MinVersion:           config.tlsver,
        Renegotiation:        tls.RenegotiateOnceAsClient,
        GetClientCertificate: buildGetClientCertificate([]tls.Certificate{cert}, setAuth),
    }
    return tlsConfig
}

// buildGetClientCertificate returns a closure that returns an verified client cert
// or an error
func buildGetClientCertificate(certs []tls.Certificate, setAuth func(bool)) 
    func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
    // return as closure
    return func(requestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
        logCertificates(requestInfo.AcceptableCAs)
        setAuth(false)
        log.Printf("Client cert requested by server")
        var err error
        for _, c := range certs {
            if err = requestInfo.SupportsCertificate(&c); err == nil {
                var cert *x509.Certificate
                if c.Leaf != nil {
                    cert = c.Leaf
                } else {
                    cert, _ = x509.ParseCertificate(c.Certificate[0])
                }
                subject := cert.Subject
                issuer := cert.Issuer
                log.Printf("Client cert accepted")
                log.Printf("   s:/C=%v/ST=%v/L=%v/O=%v/OU=%v/CN=%s", subject.Country, 
                    subject.Province, subject.Locality, subject.Organization, 
                    subject.OrganizationalUnit, subject.CommonName)
                log.Printf("   i:/C=%v/ST=%v/L=%v/O=%v/OU=%v/CN=%s", issuer.Country,
                    issuer.Province, issuer.Locality, issuer.Organization, 
                    issuer.OrganizationalUnit, issuer.CommonName)
                // Signal that a suitable CA has been found and therefore 
                // the client has been authenticated.
                setAuth(true)
                return &c, nil
            }
            err = fmt.Errorf("cert not supported: %w", err)
        }
        log.Print("Could not find suitable client cert for authentication")
        return nil, err
    }
}

...
// logCertificates logs the acceptableCAs for client certification
func logCertificates(acceptableCAs [][]byte) {
    log.Printf("CA Names offered by server")
    for _, ca := range acceptableCAs {
        var name pkix.RDNSequence
        if _, err := asn1.Unmarshal(ca, &name); err == nil {
            log.Printf("   %s", name.String()           )
        }else {
            log.Printf("error unmarshalling name: %s", err)
        }
    }
}