Audit required:
(*crypto/x509.Certificate).Verify does not check for certificate revocation GO-S1031Verify does not check for certificate revocation
168 }
169 }
170
171 _, err = newCerts[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})172 if err != nil {
173 err = errors.Wrap(err, "new CA cert cannot be verified using old CA chain")
174 }Verify does not check for certificate revocation
151 }
152 }
153 }
154 if chains, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err == nil {155 // It's possible but unlikely that there could be multiple valid chains back to a root
156 // certificate. Just use the first.
157 chain := chains[0]
Description
(*crypto/x509.Certificate).Verify only checks for other parameters such as the
validity of the certificate chain and the expiration, but does not check if a
certificate has been revoked.
One may use CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) servers to check if the certificate has been revoked.
Bad practice
package main
import (
"crypto/x509"
"encoding/pem"
)
func main() {
const rootPEM = "..."
const certPEM = "..."
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
// ...
}
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
// ...
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
// ...
}
opts := x509.VerifyOptions{
DNSName: "deepsource.io",
Roots: roots,
}
if _, err := cert.Verify(opts); err != nil { // it doesn't check for revocation
panic("failed to verify certificate: " + err.Error())
}
}