hub / github.com/smallstep/cli / VerifyCRLEndpoint

Function VerifyCRLEndpoint

command/certificate/verify.go:416–456  ·  view source on GitHub ↗
(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client, insecure bool)

Source from the content-addressed store, hash-verified

414}
415
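// VerifyCRLEndpoint downloads the CRL published at endpoint and reports
// whether cert's serial number appears in it.
//
// The boolean is false when the CRL could not be downloaded, parsed or
// signature-checked, and true once the CRL has been processed. A revoked
// certificate is reported as (true, non-nil error); (true, nil) means the
// serial number was not found in this CRL.
//
// The CRL signature is verified against issuer only when issuer is non-nil
// and insecure is false. In every other case the list is used without
// authentication, so a "not revoked" answer is only as trustworthy as the
// transport the CRL was fetched over.
//
// NOTE(review): the CRL's ThisUpdate/NextUpdate fields are never consulted,
// so an expired but correctly signed CRL is accepted and can hide a later
// revocation. A freshness check belongs here once the caller's policy for
// stale CRLs is decided.
// NOTE(review): a nil issuer silently skips signature verification even when
// insecure is false; confirm callers never pass nil in the secure path.
func VerifyCRLEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client, insecure bool) (bool, error) {
	// Upper bound on the downloaded CRL. The endpoint is remote and may be
	// taken from certificate data, so the body must not be read without a
	// limit. Reviewer-chosen value; raise it if larger CRLs are expected.
	const maxCRLBytes = 64 << 20

	resp, err := httpClient.Get(endpoint)
	if err != nil {
		return false, errors.Wrap(err, "error downloading crl")
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 400 {
		return false, errors.Errorf("error downloading crl: status code %d", resp.StatusCode)
	}

	// Read one byte past the limit so an oversized body is rejected
	// explicitly instead of being truncated into a confusing parse error.
	b, err := io.ReadAll(io.LimitReader(resp.Body, maxCRLBytes+1))
	if err != nil {
		return false, errors.Wrap(err, "error downloading crl")
	}
	if len(b) > maxCRLBytes {
		return false, errors.Errorf("error downloading crl: response exceeds %d bytes", maxCRLBytes)
	}

	crl, err := x509.ParseRevocationList(b)
	if err != nil {
		return false, errors.Wrap(err, "error parsing crl")
	}

	// Authenticate the list before handing the same bytes to the second
	// parser, so unauthenticated data goes through as little code as possible.
	if issuer != nil && !insecure {
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return false, errors.Wrap(err, "error validating the CRL against the CA issuer")
		}
	}

	crlJSON, err := crlutil.ParseCRL(b)
	if err != nil {
		return false, errors.Wrap(err, "error parsing crl into json")
	}

	// Serial numbers are compared as strings, in the form produced by
	// big.Int.String; presumably crlutil emits the same form — confirm.
	serial := cert.SerialNumber.String()
	for _, revoked := range crlJSON.RevokedCertificates {
		if serial == revoked.SerialNumber {
			return true, errors.Errorf("certificate marked as revoked in CRL %s", endpoint)
		}
	}

	return true, nil
}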

Callers 1

verifyActionFunction · 0.85

Calls 3

ParseCRLFunction · 0.92
StringMethod · 0.65
CloseMethod · 0.45

Tested by

no test coverage detected
