Documentation
Overview
Package nss provides functionality for parsing NSS certdata.txt formatted certificate lists and extracting serverAuth roots. Most users should not use this package themselves, and should instead rely on the golang.org/x/crypto/x509roots/fallback package which calls x509.SetFallbackRoots on a pre-parsed set of roots.
Types
type Certificate
type Certificate struct {
	// X509 is the parsed certificate
	X509 *x509.Certificate
	// Constraints contains a list of additional constraints that should be
	// applied to any certificates that chain to Certificate. If there are
	// any unknown constraints in the slice, Certificate should not be
	// trusted.
	Constraints []Constraint
}
A Certificate represents a single trusted serverAuth certificate in the NSS certdata.txt list and any constraints that should be applied to chains rooted by it.
func Parse
func Parse(r io.Reader) ([]*Certificate, error)
Parse parses an NSS certdata.txt formatted file and returns only the trusted serverAuth roots, together with any additional constraints attached to them. The parser is deliberately opinionated: it returns only roots that are currently trusted for serverAuth. Roots returned by this package should therefore be used only for trust decisions about serverAuth certificates, since their trust status for other uses is not considered. Using these roots for any trust decision should be done carefully.
Some roots returned by the parser carry additional constraints (currently only DistrustAfter) that must be enforced when verifying certificates which chain to them; a caller that ignores the Constraints slice will trust more than NSS does.
Parse is not intended to be a general purpose parser for certdata.txt.
type Constraint
type Constraint interface {
Kind() Kind
}
Constraint is a constraint to be applied to a certificate or certificate chain.
type DistrustAfter
DistrustAfter is a Constraint indicating that a certificate carries a CKA_NSS_SERVER_DISTRUST_AFTER attribute. It defines a date after which any certificate issued under the constrained root should be distrusted: a leaf issued after that date must be rejected even though the root itself remains in the trust store, while certificates issued before it are unaffected by this constraint.
func (DistrustAfter) Kind
func (DistrustAfter) Kind() Kind