1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
11 // CertPool is a set of certificates.
12 type CertPool
struct {
13 bySubjectKeyId
map[string][]int
14 byName
map[string][]int
18 // NewCertPool returns a new, empty CertPool.
19 func NewCertPool() *CertPool
{
21 make(map[string][]int),
22 make(map[string][]int),
27 // findVerifiedParents attempts to find certificates in s which have signed the
28 // given certificate. If no such certificate can be found or the signature
29 // doesn't match, it returns nil.
30 func (s
*CertPool
) findVerifiedParents(cert
*Certificate
) (parents
[]int) {
36 if len(cert
.AuthorityKeyId
) > 0 {
37 candidates
= s
.bySubjectKeyId
[string(cert
.AuthorityKeyId
)]
39 if len(candidates
) == 0 {
40 candidates
= s
.byName
[string(cert
.RawIssuer
)]
43 for _
, c
:= range candidates
{
44 if cert
.CheckSignatureFrom(s
.certs
[c
]) == nil {
45 parents
= append(parents
, c
)
52 // AddCert adds a certificate to a pool.
53 func (s
*CertPool
) AddCert(cert
*Certificate
) {
55 panic("adding nil Certificate to CertPool")
58 // Check that the certificate isn't being added twice.
59 for _
, c
:= range s
.certs
{
66 s
.certs
= append(s
.certs
, cert
)
68 if len(cert
.SubjectKeyId
) > 0 {
69 keyId
:= string(cert
.SubjectKeyId
)
70 s
.bySubjectKeyId
[keyId
] = append(s
.bySubjectKeyId
[keyId
], n
)
72 name
:= string(cert
.RawSubject
)
73 s
.byName
[name
] = append(s
.byName
[name
], n
)
76 // AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
77 // It appends any certificates found to s and returns true if any certificates
78 // were successfully parsed.
80 // On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
81 // of root CAs in a format suitable for this function.
82 func (s
*CertPool
) AppendCertsFromPEM(pemCerts
[]byte) (ok
bool) {
83 for len(pemCerts
) > 0 {
85 block
, pemCerts
= pem
.Decode(pemCerts
)
89 if block
.Type
!= "CERTIFICATE" ||
len(block
.Headers
) != 0 {
93 cert
, err
:= ParseCertificate(block
.Bytes
)
105 // Subjects returns a list of the DER-encoded subjects of
106 // all of the certificates in the pool.
107 func (s
*CertPool
) Subjects() (res
[][]byte) {
108 res
= make([][]byte, len(s
.certs
))
109 for i
, c
:= range s
.certs
{
110 res
[i
] = c
.RawSubject