Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CertPool added in v0.13.0
type CertPool struct {
// contains filtered or unexported fields
}
CertPool is a set of certificates.
func NewCertPool added in v0.13.0
NewCertPool returns a new, empty CertPool. The pool deduplicates certificates by the SHA-256 hash of their DER encoding. Optionally, it can be configured to filter out expired certificates.
func (*CertPool) AddCertsFromPEM added in v0.13.0
AddCertsFromPEM strictly validates a given input PEM bundle to confirm that it contains only valid CERTIFICATE PEM blocks. If validation succeeds, the parsed certificates are added to the pool; any comments or extra data between the PEM blocks are not carried along.
This validation is broadly similar to the standard library function crypto/x509.CertPool.AppendCertsFromPEM: one PEM block is decoded at a time and parsed as a certificate.
The difference here is that the bundle must _only_ contain certificates; blocks which are not certificates cause an error rather than being skipped.
If, for example, someone accidentally used a combined certificate + private key file as the input to a trust bundle, the private key must not be distributed to the target.
In addition, the standard library AppendCertsFromPEM silently skips PEM blocks with non-empty Headers. Such blocks are an error here, for the same reason as above: headers could contain (accidental) private information. They are also non-standard according to https://www.rfc-editor.org/rfc/rfc7468
Additionally, if the input PEM bundle contains no non-expired certificates, an error is returned. TODO: Reconsider what should happen if the input only contains expired certificates.
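The validation rules above, worked through as a small stand-alone program. This is an added illustration, not trust-manager's own CertPool code: the type `strictPool`, its constructor's injected `now` value, and the fixture helpers `selfSignedPEM`, `keyPEM` and `withHeader` are all assumptions made for the example. The fixtures are constructed in memory so everything runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// strictPool is an illustrative stand-in for a deduplicating cert pool (not the
// project's code). Certificates are keyed by the SHA-256 of their DER encoding.
type strictPool struct {
	certs         map[[32]byte]*x509.Certificate
	filterExpired bool
	now           time.Time // injected so the expiry check is deterministic
}

func newStrictPool(filterExpired bool, now time.Time) *strictPool {
	return &strictPool{certs: map[[32]byte]*x509.Certificate{}, filterExpired: filterExpired, now: now}
}

// addCertsFromPEM walks the bundle one PEM block at a time, like
// x509.CertPool.AppendCertsFromPEM, but fails on what the standard library
// would silently skip: a non-CERTIFICATE block (e.g. a private key pasted next
// to its cert) or a block carrying PEM headers. Text between blocks is dropped
// by pem.Decode. Expired certs are skipped only when filterExpired is set, and
// an error is returned if nothing usable was added.
func (p *strictPool) addCertsFromPEM(bundle []byte) error {
	added := 0
	rest := bundle
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = remaining
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("bundle contains a %q PEM block; only CERTIFICATE blocks are allowed", block.Type)
		}
		if len(block.Headers) != 0 {
			return errors.New("bundle contains a PEM block with headers, which RFC 7468 does not allow")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("bundle contains an invalid certificate: %w", err)
		}
		if p.filterExpired && p.now.After(cert.NotAfter) {
			continue
		}
		p.certs[sha256.Sum256(cert.Raw)] = cert
		added++
	}
	if added == 0 {
		return errors.New("bundle contains no non-expired certificates")
	}
	return nil
}

func (p *strictPool) count() int { return len(p.certs) }

// selfSignedPEM builds a constructed, throwaway self-signed certificate used
// purely as a fixture for the checks above.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// keyPEM encodes the kind of block that must never reach a trust bundle.
func keyPEM(key *ecdsa.PrivateKey) []byte {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// withHeader re-encodes the first block of a bundle with a PEM header attached.
func withHeader(bundle []byte) []byte {
	block, _ := pem.Decode(bundle)
	block.Headers = map[string]string{"Proc-Type": "4,ENCRYPTED"}
	return pem.EncodeToMemory(block)
}

func main() {
	now := time.Now()
	valid, key := selfSignedPEM("valid", now.Add(-time.Hour), now.Add(time.Hour))
	expired, _ := selfSignedPEM("expired", now.Add(-2*time.Hour), now.Add(-time.Hour))
	p := newStrictPool(true, now)
	// comment text, a duplicate and an expired cert: accepted, exactly one cert kept
	fmt.Println(p.addCertsFromPEM(bytes.Join([][]byte{[]byte("# root\n"), valid, valid, expired}, nil)), p.count())
	// cert followed by its private key: the whole bundle is rejected
	fmt.Println(newStrictPool(true, now).addCertsFromPEM(bytes.Join([][]byte{valid, keyPEM(key)}, nil)))
}
```

The pool's behaviour on a bundle of only expired certificates depends on whether expiry filtering is enabled: with filtering on, nothing is added and the call errors; with filtering off, the expired certificate is kept and the caller is expected to handle validity itself.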
func (*CertPool) Certificates added in v0.13.0
func (certPool *CertPool) Certificates() []*x509.Certificate
Certificates returns the list of all x509 certificates in the pool.