// Initially published by [redacted] on gist.github.com on 2022-06-07
// Also available here: https://gist.github.com/christinaa/398b7607dc471daaad1fba14fb35f186


// This code is in the public domain.
// Inspired by the postgres_get_server_cert.py script.
package main
import (
	"net"
	"log"
	"encoding/hex"
	"crypto/tls"
)

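// main connects to a PostgreSQL server on localhost:5432, asks it to switch to
// TLS using the protocol's SSLRequest message, completes a TLS handshake
// without verifying the server certificate, and logs the issuer, subject and
// expiry of every certificate the server presented.
//
// The certificate chain is printed exactly as received and is NOT
// authenticated: verification is deliberately disabled so that self-signed,
// expired or otherwise untrusted certificates can still be inspected.
func main() {
	log.Println("PG TLS magic in Go!")

	// SSLRequest message: a 4-byte big-endian length (8) followed by the
	// request code 0x04D2162F (1234 in the high 16 bits, 5679 in the low 16).
	sslRequestBlob, err := hex.DecodeString("0000000804D2162F")
	if err != nil {
		log.Fatalf("Failed to get PG magic from blob: %v", err)
	}

	log.Printf("PG handshake blob: % x\n", sslRequestBlob)
	conn, err := net.Dial("tcp", "localhost:5432")
	if err != nil {
		log.Fatalf("Failed to dial socket: %v", err)
	}
	// Note: log.Fatalf exits the process without running deferred calls, so
	// on the error paths below the socket is released by process exit instead.
	defer conn.Close()

	_, err = conn.Write(sslRequestBlob)
	if err != nil {
		log.Fatalf("Failed to write SSLRequest blob: %v", err)
	}

	// Read exactly one byte: anything after the single-byte answer must be
	// part of the TLS handshake and is left on the socket for crypto/tls.
	reply := make([]byte, 1)
	n, err := conn.Read(reply)
	if err != nil {
		log.Fatalf("Failed to read: %v", err)
	}
	if n != 1 {
		log.Fatalf("Failed to read: expected 1 byte from PG server, got %d", n)
	}
	log.Printf("PG server said: % x\n", reply)

	// The server answers 'S' when it will negotiate TLS and 'N' when it will
	// not. Starting a handshake after anything other than 'S' would only
	// produce a misleading TLS error, so stop with an explicit message.
	switch reply[0] {
	case 'S':
		// Server agreed to TLS; continue with the handshake.
	case 'N':
		log.Fatalf("PG server refused SSLRequest (replied 'N'): TLS is not enabled for this connection")
	default:
		log.Fatalf("Unexpected reply to SSLRequest: %q", reply[0])
	}

	// Upgrade to TLS.
	//
	// InsecureSkipVerify disables chain and host name validation. That is
	// intentional for a certificate inspection tool, but it means any
	// on-path party could present its own certificate. Do not reuse this
	// configuration for a connection that carries credentials or data.
	client := tls.Client(conn, &tls.Config{
		InsecureSkipVerify: true,
	})

	err = client.Handshake()
	if err != nil {
		log.Fatalf("Failed TLS handshake with PG server: %v", err)
	}

	// Extract the certificates (each entry is an *x509.Certificate) in the
	// order the server sent them.
	peerCerts := client.ConnectionState().PeerCertificates
	for i, cert := range peerCerts {
		log.Printf("Cert #%d:\n\tIssuer: %s\n\tSubject:%s\n\tNotAfter: %s", i, cert.Issuer, cert.Subject, cert.NotAfter)
	}
}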
