{"id":208333,"date":"2025-07-08T16:15:22","date_gmt":"2025-07-08T08:15:22","guid":{"rendered":"https:\/\/server.hk\/cnblog\/208333\/"},"modified":"2025-07-08T16:15:22","modified_gmt":"2025-07-08T08:15:22","slug":"%e5%a6%82%e4%bd%95%e6%a0%b9%e6%8d%ae-go-%e4%b8%ad%e7%9a%84%e5%8f%91%e8%a1%8c%e9%93%be%e9%aa%8c%e8%af%81%e8%af%81%e4%b9%a6%ef%bc%9f","status":"publish","type":"post","link":"https:\/\/server.hk\/cnblog\/208333\/","title":{"rendered":"\u5982\u4f55\u6839\u636e Go \u4e2d\u7684\u53d1\u884c\u94fe\u9a8c\u8bc1\u8bc1\u4e66\uff1f"},"content":{"rendered":"

<\/b> <\/p>\n

\u5f53\u524d\u4f4d\u7f6e\uff1a ><\/span> ><\/span> ><\/span> ><\/span> \u5982\u4f55\u6839\u636e Go \u4e2d\u7684\u53d1\u884c\u94fe\u9a8c\u8bc1\u8bc1\u4e66\uff1f<\/span><\/p>\n

\u6765\u6e90\uff1astackoverflow<\/span>
\n2024-05-01 21:21:35<\/span>
\n<\/i>0\u6d4f\u89c8<\/span>
\n<\/i>\u6536\u85cf<\/span> <\/p>\n

\u54c8\u55bd\uff01\u5927\u5bb6\u597d\uff0c\u5f88\u9ad8\u5174\u53c8\u89c1\u9762\u4e86\uff0c\u6211\u662f\u7684\u4e00\u540d\u4f5c\u8005\uff0c\u4eca\u5929\u7531\u6211\u7ed9\u5927\u5bb6\u5e26\u6765\u4e00\u7bc7\u300a\u5982\u4f55\u6839\u636e Go \u4e2d\u7684\u53d1\u884c\u94fe\u9a8c\u8bc1\u8bc1\u4e66\uff1f\u300b<\/span>\uff0c\u672c\u6587\u4e3b\u8981\u4f1a\u8bb2\u5230<\/span>\u7b49\u7b49\u77e5\u8bc6\u70b9\uff0c\u5e0c\u671b\u5927\u5bb6\u4e00\u8d77\u5b66\u4e60\u8fdb\u6b65\uff0c\u4e5f\u6b22\u8fce\u5927\u5bb6\u5173\u6ce8\u3001\u70b9\u8d5e\u3001\u6536\u85cf\u3001\u8f6c\u53d1! \u4e0b\u9762\u5c31\u4e00\u8d77\u6765\u770b\u770b\u5427\uff01<\/p>\n

\u95ee\u9898\u5185\u5bb9
\n <\/p>\n

\u6211\u60f3\u6839\u636e\u53d1\u884c\u94fe\u9a8c\u8bc1 pem \u8bc1\u4e66\uff0c\u8be5\u53d1\u884c\u94fe\u4e5f\u662f\u4e00\u4e2a .pem<\/code> \u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u591a\u4e2a\u7531\u6362\u884c\u7b26\u5206\u9694\u7684\u8bc1\u4e66\uff0c\u5982\u672c\u8981\u70b9\u6240\u793a\uff0chttps:\/\/gist.github.com\/kurtpeek\/8bf3282e344c781a20c5deadac75059f \u3002\u6211\u5df2\u7ecf\u4f7f\u7528 certpool.appendcertsfrompem<\/code> \u5c1d\u8bd5\u8fc7\u6b64\u64cd\u4f5c\uff0c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n

package main\n\nimport (\n    \"crypto\/x509\"\n    \"encoding\/pem\"\n    \"io\/ioutil\"\n\n    \"github.com\/sirupsen\/logrus\"\n)\n\nfunc main() {\n    cacertpem, err := ioutil.readfile(\"issuing_chain.pem\")\n    if err != nil {\n        logrus.witherror(err).fatal(\"read ca pem file\")\n    }\n\n    certpem, err := ioutil.readfile(\"3007e750-e769-440b-9075-41dc2b5b1787.pem\")\n    if err != nil {\n        logrus.witherror(err).fatal(\"read cert pem file\")\n    }\n\n    block, rest := pem.decode(certpem)\n    if block == nil {\n        logrus.withfield(\"rest\", rest).fatal(\"decode ca pem\")\n    }\n\n    cert, err := x509.parsecertificate(block.bytes)\n    if err != nil {\n        logrus.witherror(err).fatal(\"parse certificate\")\n    }\n\n    roots := x509.newcertpool()\n    roots.appendcertsfrompem(cacertpem)\n\n    chain, err := cert.verify(x509.verifyoptions{roots: roots})\n    if err != nil {\n        logrus.witherror(err).fatal(\"failed to verify cert\")\n    }\n\n    logrus.infof(\"issuing chain: %+v\", chain)\n}<\/pre>\n
\u4f46\u662f\uff0c\u5982\u679c\u6211\u8fd0\u884c\u6b64\u547d\u4ee4\uff0c\u5219\u4f1a\u6536\u5230\u4ee5\u4e0b\u9519\u8bef\uff1a<\/p>\n
fata[0000] failed to verify cert                         error=\"x509: certificate specifies an incompatible key usage\"\nexit status 1<\/pre>\n
\u6211\u76f8\u4fe1\u6b64\u9519\u8bef\u662f\u5728 https:\/\/golang.org\/src\/crypto\/x509\/verify.go \u7684\u7b2c 790 \u884c\u8fd4\u56de\u7684\uff1a<\/p>\n
if len(chains) == 0 {\n    return nil, CertificateInvalidError{c, IncompatibleUsage, \"\"}\n}<\/pre>\n
\u6362\u53e5\u8bdd\u8bf4\uff0cverify()<\/code> \u65b9\u6cd5\u65e0\u6cd5\u4ece\u63d0\u4f9b\u7684\u9009\u9879\u6784\u5efa\u4efb\u4f55 chains<\/code>\u3002\u6211\u5c1d\u8bd5\u5c06\u4e2d\u95f4\u4f53\uff08\u8981\u70b9\u4e2d\u663e\u793a\u7684 issuing_chain.pem<\/code> \u4e2d\u7684\u524d\u4e24\u4e2a\uff09\u62c6\u5206\u4e3a\u5355\u72ec\u7684 pem \u6587\u4ef6\uff0c\u5e76\u5c06\u5b83\u4eec\u4f5c\u4e3a intermediates<\/code> \u6dfb\u52a0\u5230 x509.verifyoptions<\/code>\uff0c\u4f46\u6211\u4ecd\u7136\u9047\u5230\u76f8\u540c\u7684\u9519\u8bef\u3002<\/p>\n
\u5728 go \u4e2d\u6839\u636e\u53d1\u884c\u94fe\u9a8c\u8bc1\u8bc1\u4e66\u7684\u6b63\u786e\u65b9\u6cd5\u662f\u4ec0\u4e48\uff1f<\/p>\n
 <\/p>\n
\u89e3\u51b3\u65b9\u6848<\/h2>\n
 <\/p>\n
\u60a8\u7684\u53f6\u8bc1\u4e66\u4ec5\u7528\u4e8e\u5ba2\u6237\u7aef\u8eab\u4efd\u9a8c\u8bc1\u3002 <\/p>\n
$ openssl x509 -noout -text -in leaf.pem  | grep -a1 'key usage'\n            x509v3 key usage: critical\n                digital signature, key encipherment\n            x509v3 extended key usage: \n                tls web client authentication<\/pre>\n
\u5982\u679c\u8fd9\u662f\u6545\u610f\u7684\uff0c\u60a8\u5fc5\u987b\u6307\u5b9a keyusages \u9009\u9879\uff0c\u56e0\u4e3a \u3002\u60a8\u8fd8\u5fc5\u987b\u8fd4\u56de\u5230\u5355\u72ec\u63d0\u4f9b\u4e2d\u95f4\u8bc1\u4e66\u7684\u4ee3\u7801\u7248\u672c\uff1a<\/p>\n
chain, err := cert.Verify(x509.VerifyOptions{\n    Roots:         roots,\n    Intermediates: inters,\n    KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},\n})<\/pre>\n
\u5c1d\u8bd5\u4e00\u4e0b\u6f14\u793a\uff1a\u3002\u8bf7\u6ce8\u610f\uff0c\u8be5\u6f14\u793a\u9700\u8981 currenttime \u9009\u9879\u624d\u80fd\u6b63\u786e\u9a8c\u8bc1\u3002\u590d\u5236\u5230\u5176\u4ed6\u5730\u65b9\u65f6\u5220\u9664\u5b83\uff01<\/p>\n
\u7406\u8bba\u8981\u638c\u63e1\uff0c\u5b9e\u64cd\u4e0d\u80fd\u843d\uff01\u4ee5\u4e0a\u5173\u4e8e\u300a\u5982\u4f55\u6839\u636e Go \u4e2d\u7684\u53d1\u884c\u94fe\u9a8c\u8bc1\u8bc1\u4e66\uff1f\u300b\u7684\u8be6\u7ec6\u4ecb\u7ecd\uff0c\u5927\u5bb6\u90fd\u638c\u63e1\u4e86\u5427\uff01\u5982\u679c\u60f3\u8981\u7ee7\u7eed\u63d0\u5347\u81ea\u5df1\u7684\u80fd\u529b\uff0c\u90a3\u4e48\u5c31\u6765\u5173\u6ce8\u516c\u4f17\u53f7\u5427\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5f53\u524d\u4f4d\u7f6e\uff1a > > ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4925],"tags":[],"class_list":["post-208333","post","type-post","status-publish","format-standard","hentry","category-4925"],"_links":{"self":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/comments?post=208333"}],"version-history":[{"count":0,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208333\/revisions"}],"wp:attachment":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/media?parent=208333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/categories?post=208333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/tags?post=208333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}