(*crypto/x509.Certificate).Verify
does not check for certificate revocation (GO-S1031)
168 }
169 }
170
171 _, err = newCerts[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})172 if err != nil {
173 err = errors.Wrap(err, "new CA cert cannot be verified using old CA chain")
174 }
151 }
152 }
153 }
154 if chains, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err == nil {155 // It's possible but unlikely that there could be multiple valid chains back to a root
156 // certificate. Just use the first.
157 chain := chains[0]
(*crypto/x509.Certificate).Verify
checks only what can be evaluated from the certificates themselves: that a chain
can be built back to a trusted root, that the signatures along that chain are valid,
that each certificate is within its validity period, and (when DNSName is set) that the
name matches. It does not check whether any certificate in the chain has been revoked,
and a successful return from Verify must not be read as "not revoked".
Revocation has to be checked separately, using CRLs (Certificate Revocation Lists) or an OCSP (Online Certificate Status Protocol) responder, for the leaf and for each intermediate in the chain that Verify returns. The standard library can parse a CRL (x509.ParseRevocationList, Go 1.19+) and verify its signature against the issuer (CheckSignatureFrom), but looking up the certificate's serial number in the list and confirming the CRL is current (ThisUpdate/NextUpdate) are the caller's job; OCSP is not in the standard library (golang.org/x/crypto/ocsp provides a client). Whichever mechanism is used, decide explicitly what happens when revocation data cannot be obtained: silently failing open defeats the check.
package main
import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)
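// main verifies certPEM against the trust anchor in rootPEM and then checks
// the verified leaf against a CRL. The second step is necessary because
// (*x509.Certificate).Verify validates signatures, validity periods and the
// DNS name but never consults revocation data (neither CRL nor OCSP).
func main() {
	const rootPEM = "..."
	const certPEM = "..."
	// CRL published by the leaf's issuer. In practice this is fetched from the
	// issuer's CRL distribution point (cert.CRLDistributionPoints) and refreshed
	// before crl.NextUpdate; OCSP (golang.org/x/crypto/ocsp, not stdlib) is the
	// alternative.
	const crlPEM = "..."

	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(rootPEM)) {
		panic("no CERTIFICATE blocks found in rootPEM")
	}

	cert, err := parseCertificatePEM(certPEM)
	if err != nil {
		panic("parsing certificate: " + err.Error())
	}

	opts := x509.VerifyOptions{
		DNSName: "deepsource.io",
		Roots:   roots,
	}
	// Verify returns every valid chain; each chain starts with cert and ends
	// with a root from opts.Roots. Revocation is NOT part of this check.
	chains, err := cert.Verify(opts)
	if err != nil {
		panic("failed to verify certificate: " + err.Error())
	}

	// Use the first chain. Its second element is the certificate that signed
	// cert, which is also the only party whose CRL can revoke it.
	chain := chains[0]
	if len(chain) < 2 {
		// cert is itself a trust anchor: there is no issuer CRL to consult.
		return
	}
	issuer := chain[1]

	crl, err := parseRevocationListPEM(crlPEM)
	if err != nil {
		panic("parsing CRL: " + err.Error())
	}
	// Intermediates further up the chain should be checked the same way
	// against their own issuer's CRL; only the leaf is shown here.
	if err := checkNotRevoked(cert, issuer, crl, time.Now()); err != nil {
		panic("certificate revocation check failed: " + err.Error())
	}
}

// parseCertificatePEM decodes a single PEM-encoded X.509 certificate.
// It returns an error when pemData holds no CERTIFICATE block or the DER
// inside it does not parse.
func parseCertificatePEM(pemData string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// parseRevocationListPEM decodes a PEM-encoded X.509 CRL ("X509 CRL" block).
// Requires Go 1.19+ for x509.ParseRevocationList.
func parseRevocationListPEM(pemData string) (*x509.RevocationList, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil || block.Type != "X509 CRL" {
		return nil, errors.New("no X509 CRL block found")
	}
	return x509.ParseRevocationList(block.Bytes)
}

// checkNotRevoked returns an error if cert's serial number is listed in crl.
//
// The CRL is trusted only after its signature has been verified against
// issuer (the certificate that signed cert) and its validity window has
// been checked against now, so a forged or stale CRL cannot vouch for a
// revoked certificate. Any failure is reported as an error rather than
// being treated as "not revoked" (fail closed).
func checkNotRevoked(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) {
		return errors.New("CRL is not yet valid")
	}
	// NextUpdate is optional in RFC 5280; only enforce it when present.
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return errors.New("CRL has expired; fetch a fresh one")
	}
	for _, entry := range crl.RevokedCertificateEntries {
		if entry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s",
				cert.SerialNumber.Text(16), entry.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}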