
Audit required: (*crypto/x509.Certificate).Verify does not check for certificate revocation GO-S1031

Security
Major
OWASP Top 10 A02 (Cryptographic Failures) · CWE-370 (Missing Check for Certificate Revocation after Initial Check)

(*crypto/x509.Certificate).Verify builds and validates a chain from the certificate to a trusted root — signatures, validity period, name constraints, key usage, and the requested DNSName — but it performs no revocation checking at all. A certificate that its issuing CA has since revoked still verifies successfully, so a compromised or withdrawn key keeps being accepted for as long as the certificate has not expired.

Revocation status must be checked separately, after Verify succeeds, using CRLs (Certificate Revocation Lists) or an OCSP (Online Certificate Status Protocol) responder. The standard library can parse and signature-check CRLs (x509.ParseRevocationList and (*x509.RevocationList).CheckSignatureFrom in Go 1.19+); OCSP support lives in golang.org/x/crypto/ocsp. Check the leaf and every intermediate in the returned chain, verify that the CRL or OCSP response is signed by the issuer (or its delegated responder) and is still within its validity window, and decide deliberately whether an unavailable revocation source fails open or closed — failing open silently reintroduces the very gap this rule flags.

Bad practice

package main

import (
    "crypto/x509"
    "encoding/pem"
)

// main illustrates the anti-pattern this rule reports: the leaf certificate is
// decoded and chained to a trusted root with (*x509.Certificate).Verify, but no
// CRL or OCSP lookup is ever performed, so a revoked certificate still passes.
func main() {
    const rootPEM = "..."
    const certPEM = "..."

    // Trust anchors: only roots taken from rootPEM are accepted as chain ends.
    trusted := x509.NewCertPool()
    if !trusted.AppendCertsFromPEM([]byte(rootPEM)) {
        // ...
    }

    // Decode the leaf from PEM to DER, then parse the DER into a Certificate.
    pemBlock, _ := pem.Decode([]byte(certPEM))
    if pemBlock == nil {
        // ...
    }
    leaf, err := x509.ParseCertificate(pemBlock.Bytes)
    if err != nil {
        // ...
    }

    // Verify validates the chain to the roots for the given host name. It does
    // NOT consult CRLs or OCSP, so the certificate's revocation status is never
    // examined — that is the missing step.
    _, err = leaf.Verify(x509.VerifyOptions{
        DNSName: "deepsource.io",
        Roots:   trusted,
    })
    if err != nil {
        panic("failed to verify certificate: " + err.Error())
    }
}

References