certlint
X.509 certificate linter written in Go
General
This package is a work in progress.
Please keep in mind that:
- This is an early release and may contain bugs or false reports
- Not all checks have been fully implemented or verified against the standard
- CLI flag, APIs and CSV export are subject to change
Code contributions and tests are highly welcome!
Installation
To install from source, just run:
go get -u github.com/globalsign/certlint
go install github.com/globalsign/certlint
CLI: Usage
The 'certlint' command line utility included with this package can be used to test a single certificate or a large pem container to bulk test millions of certificates. The command is used to test the linter on a large number of certificates but could use fresh up to reduce code complexity.
Usage of ./certlint:
-bulk string
Bulk certificates file
-cert string
Certificate file
-errlevel string
Exit non-zero for Errors at this level (default "error")
-expired
Test expired certificates
-help
Show this help
-include
Include certificates in report
-issuer string
Certificate file
-pprof
Generate pprof profile
-report string
Report filename (default "report.csv")
-revoked
Check if certificates are revoked
CLI: One certificate
$ certlint -cert certificate.pem
CLI: One certificate, exiting non-zero for Warning and above
$ certlint -errlevel warning -cert certificate.pem
CLI: A series of PEM encoded certificates
$ certlint -bulk largestore.pem
CLI: Testing expired certificates
$ certlint -expired -bulk largestore.pem
API: Usage
Import one or all of these packages:
import "github.com/globalsign/certlint/asn1"
import "github.com/globalsign/certlint/certdata"
import "github.com/globalsign/certlint/checks"
You can import all available checks:
_ "github.com/globalsign/certlint/checks/extensions/all"
_ "github.com/globalsign/certlint/checks/certificate/all"
Or you can just import a restricted set:
// Check for certificate (ext) KeyUsage extension
_ "github.com/globalsign/certlint/checks/extensions/extkeyusage"
_ "github.com/globalsign/certlint/checks/extensions/keyusage"
// Also check the parsed certificate (ext) keyusage content
_ "github.com/globalsign/certlint/checks/certificate/extkeyusage"
_ "github.com/globalsign/certlint/checks/certificate/keyusage"
API: Check ASN.1 value formatting
al := new(asn1.Linter)
e := al.CheckStruct(der)
if e != nil {
for _, err := range e.List() {
fmt.Println(err)
}
}
API: Check certificate details
d, err := certdata.Load(der)
if err == nil {
e := checks.Certificate.Check(d)
if e != nil {
for _, err := range e.List() {
fmt.Println(err)
}
}
}