| 414 | } |
| 415 | |
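// VerifyCRLEndpoint downloads the CRL served at endpoint using httpClient and
// reports whether cert's serial number appears in it.
//
// The response is parsed twice from the same bytes: crypto/x509 supplies the
// signature check, crlutil supplies the revoked entries with serial numbers
// rendered as strings. When issuer is non-nil and insecure is false, the CRL
// signature is verified against issuer (CheckSignatureFrom also requires
// issuer to be a CA with the cRLSign key usage when key usage is present).
//
// Security caveats a caller should be aware of:
//   - With issuer == nil the CRL is not authenticated at all, regardless of
//     insecure; only transport security (if endpoint is https) protects it.
//   - The CRL's validity window (ThisUpdate/NextUpdate) is not checked here,
//     so a stale, replayed CRL that predates a revocation is accepted.
//     TODO(review): reject CRLs whose NextUpdate is in the past unless insecure.
//   - endpoint typically originates from the certificate's CRL distribution
//     point extension, i.e. from data the caller may not control.
//
// Returns (true, nil) when cert is not listed, (true, err) when cert is listed
// as revoked, and (false, err) when the CRL could not be downloaded, parsed or
// validated.
func VerifyCRLEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client, insecure bool) (bool, error) {
	// Upper bound on the CRL we are willing to buffer in memory. This guards
	// against a hostile or broken endpoint streaming an unbounded body into
	// io.ReadAll; real-world CRLs are far smaller, but raise it if a CA you
	// deal with legitimately publishes a larger one.
	const maxCRLBytes = 64 << 20

	resp, err := httpClient.Get(endpoint)
	if err != nil {
		return false, errors.Wrap(err, "error downloading crl")
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 400 {
		return false, errors.Errorf("error downloading crl: status code %d", resp.StatusCode)
	}

	// Read one byte past the cap so an oversized body is reported explicitly
	// instead of surfacing later as a confusing DER parse error.
	b, err := io.ReadAll(io.LimitReader(resp.Body, maxCRLBytes+1))
	if err != nil {
		return false, errors.Wrap(err, "error downloading crl")
	}
	if len(b) > maxCRLBytes {
		return false, errors.Errorf("error downloading crl: response from %s exceeds %d bytes", endpoint, maxCRLBytes)
	}

	crl, err := x509.ParseRevocationList(b)
	if err != nil {
		return false, errors.Wrap(err, "error parsing crl")
	}

	crlJSON, err := crlutil.ParseCRL(b)
	if err != nil {
		return false, errors.Wrap(err, "error parsing crl into json")
	}

	// Authenticate the CRL before trusting anything in it. Skipped when the
	// caller has no issuer to check against or explicitly asked for insecure.
	if issuer != nil && !insecure {
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return false, errors.Wrap(err, "error validating the CRL against the CA issuer")
		}
	}

	// NOTE(review): this assumes crlutil renders serial numbers the same way
	// as big.Int.String() (decimal); a differently formatted serial would
	// silently never match — confirm against crlutil.ParseCRL.
	serial := cert.SerialNumber.String()
	for _, revoked := range crlJSON.RevokedCertificates {
		if revoked.SerialNumber == serial {
			return true, errors.Errorf("certificate marked as revoked in CRL %s", endpoint)
		}
	}

	return true, nil
}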