...
Run Format

Source file src/crypto/x509/cert_pool.go

Documentation: crypto/x509

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509
     6  
     7  import (
     8  	"encoding/pem"
     9  	"errors"
    10  	"runtime"
    11  )
    12  
    13  // CertPool is a set of certificates.
    14  type CertPool struct {
    15  	bySubjectKeyId map[string][]int
    16  	byName         map[string][]int
    17  	certs          []*Certificate
    18  }
    19  
    20  // NewCertPool returns a new, empty CertPool.
    21  func NewCertPool() *CertPool {
    22  	return &CertPool{
    23  		bySubjectKeyId: make(map[string][]int),
    24  		byName:         make(map[string][]int),
    25  	}
    26  }
    27  
    28  func (s *CertPool) copy() *CertPool {
    29  	p := &CertPool{
    30  		bySubjectKeyId: make(map[string][]int, len(s.bySubjectKeyId)),
    31  		byName:         make(map[string][]int, len(s.byName)),
    32  		certs:          make([]*Certificate, len(s.certs)),
    33  	}
    34  	for k, v := range s.bySubjectKeyId {
    35  		indexes := make([]int, len(v))
    36  		copy(indexes, v)
    37  		p.bySubjectKeyId[k] = indexes
    38  	}
    39  	for k, v := range s.byName {
    40  		indexes := make([]int, len(v))
    41  		copy(indexes, v)
    42  		p.byName[k] = indexes
    43  	}
    44  	copy(p.certs, s.certs)
    45  	return p
    46  }
    47  
    48  // SystemCertPool returns a copy of the system cert pool.
    49  //
    50  // Any mutations to the returned pool are not written to disk and do
    51  // not affect any other pool.
    52  //
    53  // New changes in the the system cert pool might not be reflected
    54  // in subsequent calls.
    55  func SystemCertPool() (*CertPool, error) {
    56  	if runtime.GOOS == "windows" {
    57  		// Issue 16736, 18609:
    58  		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
    59  	}
    60  
    61  	if sysRoots := systemRootsPool(); sysRoots != nil {
    62  		return sysRoots.copy(), nil
    63  	}
    64  
    65  	return loadSystemRoots()
    66  }
    67  
    68  // findPotentialParents returns the indexes of certificates in s which might
    69  // have signed cert. The caller must not modify the returned slice.
    70  func (s *CertPool) findPotentialParents(cert *Certificate) []int {
    71  	if s == nil {
    72  		return nil
    73  	}
    74  	if len(cert.AuthorityKeyId) > 0 {
    75  		return s.bySubjectKeyId[string(cert.AuthorityKeyId)]
    76  	}
    77  	return s.byName[string(cert.RawIssuer)]
    78  }
    79  
    80  func (s *CertPool) contains(cert *Certificate) bool {
    81  	if s == nil {
    82  		return false
    83  	}
    84  
    85  	candidates := s.byName[string(cert.RawSubject)]
    86  	for _, c := range candidates {
    87  		if s.certs[c].Equal(cert) {
    88  			return true
    89  		}
    90  	}
    91  
    92  	return false
    93  }
    94  
    95  // AddCert adds a certificate to a pool.
    96  func (s *CertPool) AddCert(cert *Certificate) {
    97  	if cert == nil {
    98  		panic("adding nil Certificate to CertPool")
    99  	}
   100  
   101  	// Check that the certificate isn't being added twice.
   102  	if s.contains(cert) {
   103  		return
   104  	}
   105  
   106  	n := len(s.certs)
   107  	s.certs = append(s.certs, cert)
   108  
   109  	if len(cert.SubjectKeyId) > 0 {
   110  		keyId := string(cert.SubjectKeyId)
   111  		s.bySubjectKeyId[keyId] = append(s.bySubjectKeyId[keyId], n)
   112  	}
   113  	name := string(cert.RawSubject)
   114  	s.byName[name] = append(s.byName[name], n)
   115  }
   116  
   117  // AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
   118  // It appends any certificates found to s and reports whether any certificates
   119  // were successfully parsed.
   120  //
   121  // On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
   122  // of root CAs in a format suitable for this function.
   123  func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
   124  	for len(pemCerts) > 0 {
   125  		var block *pem.Block
   126  		block, pemCerts = pem.Decode(pemCerts)
   127  		if block == nil {
   128  			break
   129  		}
   130  		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
   131  			continue
   132  		}
   133  
   134  		cert, err := ParseCertificate(block.Bytes)
   135  		if err != nil {
   136  			continue
   137  		}
   138  
   139  		s.AddCert(cert)
   140  		ok = true
   141  	}
   142  
   143  	return
   144  }
   145  
   146  // Subjects returns a list of the DER-encoded subjects of
   147  // all of the certificates in the pool.
   148  func (s *CertPool) Subjects() [][]byte {
   149  	res := make([][]byte, len(s.certs))
   150  	for i, c := range s.certs {
   151  		res[i] = c.RawSubject
   152  	}
   153  	return res
   154  }
   155  

View as plain text