(*crypto/x509.Certificate).Verify does not check for certificate revocation (GO-S1031)

(*crypto/x509.Certificate).Verify only checks other properties, such as the
validity of the certificate chain and the expiration, but does not check whether a
certificate has been revoked.
One may use CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) servers to check if the certificate has been revoked.
package main
import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"time"
)
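func main() {
	const rootPEM = "..."
	const certPEM = "..."
	// CRL published by the CA that issued certPEM. Verify never consults it, so the
	// revocation check below is done explicitly.
	const crlPEM = "..."

	roots := x509.NewCertPool()
	if ok := roots.AppendCertsFromPEM([]byte(rootPEM)); !ok {
		// The original left this branch empty and fell through to a nil block
		// dereference; stop here instead.
		log.Fatal("no root certificates could be parsed from rootPEM")
	}

	cert, err := parseCertPEM(certPEM)
	if err != nil {
		log.Fatalf("parsing leaf certificate: %v", err)
	}

	opts := x509.VerifyOptions{
		DNSName: "deepsource.io",
		Roots:   roots,
	}
	// Verify builds and validates the chain (signatures, validity period, name,
	// key usage) but performs no revocation check.
	chains, err := cert.Verify(opts)
	if err != nil {
		log.Fatalf("verifying certificate: %v", err)
	}

	crl, err := parseCRLPEM(crlPEM)
	if err != nil {
		log.Fatalf("parsing CRL: %v", err)
	}
	// Verify returns at least one chain on success; the leaf is checked against
	// the CRL of its issuer. Intermediates would each need their own CRL.
	if err := checkRevocation(chains[0], crl, time.Now()); err != nil {
		log.Fatalf("revocation check: %v", err)
	}
}

// parseCertPEM decodes the first PEM block in pemData as an X.509 certificate.
// It returns an error if no block is present or the block is not a CERTIFICATE.
func parseCertPEM(pemData string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	return x509.ParseCertificate(block.Bytes)
}

// parseCRLPEM decodes the first PEM block in pemData as an X.509 CRL.
// It returns an error if no block is present or the block is not an "X509 CRL".
func parseCRLPEM(pemData string) (*x509.RevocationList, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "X509 CRL" {
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	return x509.ParseRevocationList(block.Bytes)
}

// checkRevocation reports an error if the leaf of chain is listed in crl, or if
// crl cannot be trusted for that leaf (issuer mismatch, bad signature, or a CRL
// that is not valid at time now). chain is one of the chains returned by
// Verify: the leaf first, followed by its issuers.
func checkRevocation(chain []*x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	leaf := chain[0]

	// A self-signed leaf is its own issuer; otherwise the issuer follows it.
	issuer := leaf
	if len(chain) > 1 {
		issuer = chain[1]
	}

	// Only a CRL from the leaf's own issuer says anything about the leaf.
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return errors.New("CRL issuer does not match certificate issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}

	// A CRL outside its validity window may be missing recent revocations.
	if now.Before(crl.ThisUpdate) {
		return errors.New("CRL is not yet valid")
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; fetch a fresh one before trusting it")
	}

	for _, entry := range crl.RevokedCertificateEntries {
		if entry.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate with serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}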