package main
import (
"crypto/x509"
"time"
)
// VerifyOptions configures certificate chain verification.
type VerifyOptions struct {
	// Time is the instant at which certificate validity is checked. It is
	// passed through as x509.VerifyOptions.CurrentTime, whose zero value
	// means the current time.
	Time time.Time
	// Roots holds additional trust anchors. verifyChain adds them on top of
	// the system certificate pool; they widen trust rather than replace it.
	Roots Bundle
	// Intermediates holds extra certificates offered as candidate
	// intermediates when a chain is built, in addition to the bundle's own
	// trailing certificates.
	Intermediates Bundle
}
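// Verify validates a certificate bundle and returns a report with results for
// each certificate.
//
// The whole bundle is first treated as one chain whose first element is the
// leaf. If that leaf cannot be verified, a Record carrying the error is emitted
// for it and verification restarts with the next certificate as the leaf, so a
// bad leading certificate does not hide the validity of the rest.
//
// Once a leaf verifies, every certificate from it onward is recorded with a nil
// error. Only that leaf was verified as a leaf; the certificates after it were
// merely offered as intermediates and are reported as valid without being
// individually checked.
//
// A nil opts is treated as a zero VerifyOptions. The returned error is
// currently always nil; per-certificate failures are reported in the Records.
func Verify(bundle Bundle, opts *VerifyOptions) (Report, error) {
	if opts == nil {
		// verifyChain and NewRecord read through opts; avoid a nil dereference.
		opts = &VerifyOptions{}
	}
	records := make([]*Record, 0, len(bundle))

	// Skip leading certificates that fail to verify, recording each failure
	// and retrying with the shorter chain.
	start := 0
	for ; start < len(bundle); start++ {
		_, err := verifyChain(bundle[start:], opts)
		if err == nil {
			break
		}
		records = append(records, NewRecord(bundle[start], err, opts))
	}

	// bundle[start:] is empty when nothing verified, so this loop is safe
	// for an empty bundle and for a bundle with no valid leaf.
	for _, c := range bundle[start:] {
		records = append(records, NewRecord(c, nil, opts))
	}
	return Report(records), nil
}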
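// verifyChain verifies the first certificate in chain, using the remaining
// certificates plus opts.Intermediates as candidate intermediates and
// opts.Roots plus the system certificate pool as trust anchors.
//
// It returns the verified chains from x509.Certificate.Verify, or nil, nil for
// an empty chain. A nil opts is treated as a zero VerifyOptions.
//
// Trust behaviour a caller should be aware of:
//   - The system pool is always consulted when it can be loaded, so a chain can
//     verify against a public CA even when opts.Roots is set; supplied roots
//     widen trust, they do not pin it.
//   - If the system pool cannot be loaded the function falls back to an empty
//     pool, i.e. only opts.Roots are trusted.
//   - No KeyUsages are set, so crypto/x509 applies its default of
//     ExtKeyUsageServerAuth.
func verifyChain(chain []*Certificate, opts *VerifyOptions) ([][]*x509.Certificate, error) {
	if len(chain) == 0 {
		return nil, nil
	}
	if opts == nil {
		// opts.Intermediates, opts.Roots and opts.Time are read below.
		opts = &VerifyOptions{}
	}

	// chain[1:] is simply empty for a single-element chain; no length guard
	// is needed.
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c.inner)
	}
	for _, c := range opts.Intermediates {
		intermediates.AddCert(c.inner)
	}

	// Best effort: an unavailable system pool must not abort verification;
	// fall back to trusting only the roots the caller supplied.
	roots, err := x509.SystemCertPool()
	if err != nil {
		roots = x509.NewCertPool()
	}
	for _, c := range opts.Roots {
		roots.AddCert(c.inner)
	}

	return chain[0].inner.Verify(x509.VerifyOptions{
		Intermediates: intermediates,
		Roots:         roots,
		CurrentTime:   opts.Time, // zero value means "now" in crypto/x509
	})
}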