Source file src/pkg/crypto/x509/cert_pool.go
1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package x509
6
7 import (
8 "encoding/pem"
9 )
10
11 // CertPool is a set of certificates.
12 type CertPool struct {
13 bySubjectKeyId map[string][]int
14 byName map[string][]int
15 certs []*Certificate
16 }
17
18 // NewCertPool returns a new, empty CertPool.
19 func NewCertPool() *CertPool {
20 return &CertPool{
21 make(map[string][]int),
22 make(map[string][]int),
23 nil,
24 }
25 }
26
27 // findVerifiedParents attempts to find certificates in s which have signed the
28 // given certificate. If no such certificate can be found or the signature
29 // doesn't match, it returns nil.
30 func (s *CertPool) findVerifiedParents(cert *Certificate) (parents []int) {
31 if s == nil {
32 return
33 }
34 var candidates []int
35
36 if len(cert.AuthorityKeyId) > 0 {
37 candidates = s.bySubjectKeyId[string(cert.AuthorityKeyId)]
38 }
39 if len(candidates) == 0 {
40 candidates = s.byName[string(cert.RawIssuer)]
41 }
42
43 for _, c := range candidates {
44 if cert.CheckSignatureFrom(s.certs[c]) == nil {
45 parents = append(parents, c)
46 }
47 }
48
49 return
50 }
51
52 // AddCert adds a certificate to a pool.
53 func (s *CertPool) AddCert(cert *Certificate) {
54 if cert == nil {
55 panic("adding nil Certificate to CertPool")
56 }
57
58 // Check that the certificate isn't being added twice.
59 for _, c := range s.certs {
60 if c.Equal(cert) {
61 return
62 }
63 }
64
65 n := len(s.certs)
66 s.certs = append(s.certs, cert)
67
68 if len(cert.SubjectKeyId) > 0 {
69 keyId := string(cert.SubjectKeyId)
70 s.bySubjectKeyId[keyId] = append(s.bySubjectKeyId[keyId], n)
71 }
72 name := string(cert.RawSubject)
73 s.byName[name] = append(s.byName[name], n)
74 }
75
76 // AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
77 // It appends any certificates found to s and returns true if any certificates
78 // were successfully parsed.
79 //
80 // On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
81 // of root CAs in a format suitable for this function.
82 func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
83 for len(pemCerts) > 0 {
84 var block *pem.Block
85 block, pemCerts = pem.Decode(pemCerts)
86 if block == nil {
87 break
88 }
89 if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
90 continue
91 }
92
93 cert, err := ParseCertificate(block.Bytes)
94 if err != nil {
95 continue
96 }
97
98 s.AddCert(cert)
99 ok = true
100 }
101
102 return
103 }
104
105 // Subjects returns a list of the DER-encoded subjects of
106 // all of the certificates in the pool.
107 func (s *CertPool) Subjects() (res [][]byte) {
108 res = make([][]byte, len(s.certs))
109 for i, c := range s.certs {
110 res[i] = c.RawSubject
111 }
112 return
113 }