linter

package
v0.0.0-...-242d746 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: MPL-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrLinting = fmt.Errorf("failed lint(s)")

Functions

func Check

func Check(tbs *x509.Certificate, subjectPubKey crypto.PublicKey, realIssuer *x509.Certificate, realSigner crypto.Signer, skipLints []string) ([]byte, error)

Check accomplishes the entire process of linting: it generates a throwaway signing key, uses that to create a linting cert, and runs a default set of lints (everything except for the ETSI and EV lints) against it. If the subjectPubKey and realSigner indicate that this is a self-signed cert, the cert will have its pubkey replaced to also be self-signed. This is the primary public interface of this package, but it can be inefficient; creating a new signer and a new lint registry are expensive operations which performance-sensitive clients may want to cache via linter.New().

func CheckCRL

func CheckCRL(tbs *x509.RevocationList, realIssuer *x509.Certificate, realSigner crypto.Signer, skipLints []string) error

CheckCRL is like Check, but for CRLs.

func NewRegistry

func NewRegistry(skipLints []string) (lint.Registry, error)

NewRegistry returns a zlint Registry with irrelevant (ETSI, EV) lints excluded. This registry also includes all custom lints defined in Boulder.

func ProcessResultSet

func ProcessResultSet(lintRes *zlint.ResultSet) error

Types

type Linter

type Linter struct {
	// contains filtered or unexported fields
}

Linter is capable of linting a to-be-signed (TBS) certificate. It does so by signing that certificate with a throwaway private key and a fake issuer whose public key matches the throwaway private key, and then running the resulting certificate through a registry of zlint lints.

func New

func New(realIssuer *x509.Certificate, realSigner crypto.Signer) (*Linter, error)

New constructs a Linter. It uses the provided real certificate and signer (private key) to generate a matching fake keypair and issuer cert that will be used to sign the lint certificate. It uses the provided list of lint names to skip to filter the zlint global registry to only those lints which should be run.

func (Linter) Check

func (l Linter) Check(tbs *x509.Certificate, subjectPubKey crypto.PublicKey, reg lint.Registry) ([]byte, error)

Check signs the given TBS certificate using the Linter's fake issuer cert and private key, then runs the resulting certificate through all lints in reg. If the subjectPubKey is identical to the public key of the real signer used to create this linter, then the throwaway cert will have its pubkey replaced with the linter's pubkey so that it appears self-signed. It returns an error if any lint fails. On success it also returns the DER bytes of the linting certificate.

func (Linter) CheckCRL

func (l Linter) CheckCRL(tbs *x509.RevocationList, reg lint.Registry) error

CheckCRL signs the given RevocationList template using the Linter's fake issuer cert and private key, then runs the resulting CRL through all CRL lints in the registry. It returns an error if any check fails.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL