revoke_modern.go
//go:build go1.19
package revoke
import (
"crypto/x509"
"time"
)
// CRLSet caches parsed revocation lists keyed by the URL each CRL was
// fetched from. certIsRevokedCRL reads and writes it while holding
// crlLock; anything else touching the map should take the same lock.
var CRLSet = make(map[string]*x509.RevocationList)
// fetchCRL downloads the CRL at url using HTTPClient and parses it as a
// DER-encoded X.509 revocation list.
//
// Any response status at or above 300 is reported as ErrFailedGetCRL.
// Transport errors, body-read errors from crlRead and parse errors are
// returned unchanged. The response body is closed before returning.
//
// NOTE(review): the body is consumed by crlRead, which is defined
// elsewhere in the package; whether it bounds how much is read from the
// network is not visible here — confirm, since url is caller-supplied and
// the response is untrusted until its signature is verified.
func fetchCRL(url string) (*x509.RevocationList, error) {
	resp, getErr := HTTPClient.Get(url)
	if getErr != nil {
		return nil, getErr
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 300 {
		return nil, ErrFailedGetCRL
	}

	der, readErr := crlRead(resp.Body)
	if readErr != nil {
		return nil, readErr
	}
	return x509.ParseRevocationList(der)
}
// certIsRevokedCRL checks cert against the CRL served at url. It returns
// the same (revoked, ok) pair as revCheck — revoked reports whether cert's
// serial number appears in the CRL, ok reports whether a usable CRL was
// obtained — plus the error that stopped the check, if any.
//
// Parsed CRLs are cached in CRLSet keyed by url and reused while
// time.Now() is before their NextUpdate; a missing, nil or expired entry
// triggers a fresh fetch (a CRL with a zero NextUpdate is therefore
// never treated as current). A freshly fetched CRL has its signature
// verified against the certificate returned by getIssuer before it is
// cached.
//
// NOTE(review): when getIssuer returns nil the signature check is skipped,
// so a CRL obtained from the network with no verification is cached and
// used to decide revocation. A freshly fetched CRL is also not checked for
// being already past its NextUpdate, and the serial-number loop by itself
// does not tie the CRL to cert's issuer. Confirm these are acceptable for
// the caller's trust model.
func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok bool, err error) {
	var crl *x509.RevocationList

	// Consult the cache; a nil entry counts as absent and is evicted.
	crlLock.Lock()
	crl, ok = CRLSet[url]
	if ok && crl == nil {
		ok = false
		delete(CRLSet, url)
	}
	crlLock.Unlock()

	// Only a cached CRL that is still current is reused.
	current := ok && time.Now().Before(crl.NextUpdate)

	issuer := getIssuer(cert)

	if !current {
		crl, err = fetchCRL(url)
		if err != nil {
			return false, false, err
		}
		// The CRL came from the network and is not trusted until its
		// signature checks out against the issuer (when one is available).
		if issuer != nil {
			err = crl.CheckSignatureFrom(issuer)
			if err != nil {
				return false, false, err
			}
		}
		crlLock.Lock()
		CRLSet[url] = crl
		crlLock.Unlock()
	}

	// Match on serial number against the CRL's revoked entries.
	serial := cert.SerialNumber
	for i := range crl.RevokedCertificates {
		if serial.Cmp(crl.RevokedCertificates[i].SerialNumber) == 0 {
			return true, true, nil
		}
	}
	return false, true, nil
}