-
Notifications
You must be signed in to change notification settings - Fork 18
/
certificate_list.go
119 lines (103 loc) · 2.78 KB
/
certificate_list.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
package ua
import (
"crypto/x509"
"encoding/pem"
)
// CertificateList is a set of certificates.
type CertificateList struct {
bySubjectKeyID map[string][]int
byName map[string][]int
certs []*x509.Certificate
}
// NewCertificateList returns a new, empty CertificateList.
func NewCertificateList() *CertificateList {
return &CertificateList{
bySubjectKeyID: make(map[string][]int),
byName: make(map[string][]int),
}
}
// FindPotentialParents returns the certificates which might have signed cert.
func (s *CertificateList) FindPotentialParents(cert *x509.Certificate) []*x509.Certificate {
if s == nil {
return nil
}
if len(cert.AuthorityKeyId) > 0 {
ids := s.bySubjectKeyID[string(cert.AuthorityKeyId)]
res := make([]*x509.Certificate, len(ids))
for i, j := range ids {
res[i] = s.certs[j]
}
return res
}
ids := s.byName[string(cert.RawIssuer)]
res := make([]*x509.Certificate, len(ids))
for i, j := range ids {
res[i] = s.certs[j]
}
return res
}
// Contains returns true if the list contains the certificate.
func (s *CertificateList) Contains(cert *x509.Certificate) bool {
if s == nil {
return false
}
candidates := s.byName[string(cert.RawSubject)]
for _, c := range candidates {
if s.certs[c].Equal(cert) {
return true
}
}
return false
}
// AddCert adds a certificate to a list.
func (s *CertificateList) AddCert(cert *x509.Certificate) {
if cert == nil {
panic("adding nil Certificate to CertificateList")
}
// Check that the certificate isn't being added twice.
if s.Contains(cert) {
return
}
n := len(s.certs)
s.certs = append(s.certs, cert)
if len(cert.SubjectKeyId) > 0 {
keyID := string(cert.SubjectKeyId)
s.bySubjectKeyID[keyID] = append(s.bySubjectKeyID[keyID], n)
}
name := string(cert.RawSubject)
s.byName[name] = append(s.byName[name], n)
}
// AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
// It appends any certificates found to s and reports whether any certificates
// were successfully parsed.
//
// On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
// of root CAs in a format suitable for this function.
func (s *CertificateList) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
for len(pemCerts) > 0 {
var block *pem.Block
block, pemCerts = pem.Decode(pemCerts)
if block == nil {
break
}
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
continue
}
s.AddCert(cert)
ok = true
}
return
}
// Subjects returns a list of the DER-encoded subjects of
// all of the certificates in the pool.
func (s *CertificateList) Subjects() [][]byte {
res := make([][]byte, len(s.certs))
for i, c := range s.certs {
res[i] = c.RawSubject
}
return res
}