(*crypto/x509.Certificate).Verify does not use the system time for verification GO-S1032

(*crypto/x509.Certificate).Verify accepts a CurrentTime field in its x509.VerifyOptions
that sets the instant against which every certificate in the chain is checked for
validity (NotBefore/NotAfter). Supplying anything other than the current system time
allows an expired (or not-yet-valid) certificate to be reported as valid. When
CurrentTime is left as its zero value, Verify uses time.Now() itself, so the field only
needs to be set in the rare cases where verification must deliberately be pinned to a
past instant (for example, re-checking an old signature against a trusted timestamp);
such uses should be explicit and documented rather than incidental.
package main
import (
"crypto/x509"
"encoding/pem"
"time"
)
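// main shows the anti-pattern: the certificate's validity window is checked
// against a hard-coded instant instead of the system clock, so a certificate
// that has since expired (or that was only issued after that date) is still
// accepted. The original listing did not compile (time.Parse returns two values
// and the layout did not match the input); the fixed instant below preserves the
// flaw while keeping the example buildable.
func main() {
	// Placeholders: in a real program these hold PEM-encoded certificates.
	const rootPEM = "..."
	const certPEM = "..."

	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		// ...
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		// ...
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		// ...
	}

	// BAD: a fixed point in time (2 April 2022 10:10 +05:30) is used for the
	// NotBefore/NotAfter checks instead of time.Now().
	fixedTime := time.Date(2022, time.April, 2, 10, 10, 0, 0, time.FixedZone("IST", 5*60*60+30*60))
	opts := x509.VerifyOptions{
		DNSName:     "deepsource.io",
		Roots:       roots,
		CurrentTime: fixedTime, // it uses some other time for verification
	}
	if _, err := cert.Verify(opts); err != nil {
		panic("failed to verify certificate: " + err.Error())
	}
}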
package main
import (
"crypto/x509"
"encoding/pem"
"time"
)
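// main shows the compliant form: the chain's validity window is checked against
// the system clock. The original listing declared opts twice with ":=" (a compile
// error); the second, equivalent variant — omitting CurrentTime entirely — is
// described in the comment below instead.
func main() {
	// Placeholders: in a real program these hold PEM-encoded certificates.
	const rootPEM = "..."
	const certPEM = "..."

	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		// ...
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		// ...
	}

	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		// ...
	}

	// GOOD: validity is checked against the current system time. Leaving
	// CurrentTime as its zero value is equivalent (Verify then calls time.Now()
	// itself), so the explicit assignment is optional. If the leaf is not issued
	// directly by one of the roots, the issuing intermediates must also be
	// supplied via opts.Intermediates or Verify fails with an unknown-authority
	// error.
	opts := x509.VerifyOptions{
		DNSName:     "deepsource.io",
		Roots:       roots,
		CurrentTime: time.Now(),
	}
	if _, err := cert.Verify(opts); err != nil {
		panic("failed to verify certificate: " + err.Error())
	}
}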