
Function checkChainRevocation

security/advancedtls/crl.go:119–142  ·  view source on GitHub ↗

checkChainRevocation checks each verified certificate chain for revoked certificates based on RFC 5280, accepting the connection as soon as any one chain is found unrevoked (or, unless DenyUndetermined is set, as soon as a chain's status is undetermined).

(verifiedChains [][]*x509.Certificate, cfg RevocationOptions)


// checkChainRevocation checks the verified certificate chains
// for revoked certificates based on RFC5280.
//
// Each chain in verifiedChains is classified by checkChain and handled as
// follows:
//   - RevocationUnrevoked: the connection is accepted immediately; one good
//     chain is enough, regardless of how the other chains fare.
//   - RevocationRevoked: the chain is tallied and the search continues, since
//     a different chain may still be acceptable.
//   - RevocationUndetermined: the chain is tallied; if cfg.DenyUndetermined is
//     set the search continues, otherwise the connection is accepted. Note
//     that with DenyUndetermined unset an undetermined chain is therefore
//     treated like an unrevoked one (fail-open), which callers should weigh
//     when choosing the option.
//
// If no chain is accepted — including when verifiedChains is empty — an error
// is returned that carries the per-status tally of the rejected chains
// (fail-closed).
func checkChainRevocation(verifiedChains [][]*x509.Certificate, cfg RevocationOptions) error {
	tally := map[revocationStatus]int{}
	for _, chain := range verifiedChains {
		switch status := checkChain(chain, cfg); status {
		case RevocationUnrevoked:
			// One unrevoked chain is sufficient to allow the connection.
			return nil
		case RevocationRevoked:
			// Remember the rejection but keep looking at the remaining chains.
			tally[status]++
		case RevocationUndetermined:
			tally[status]++
			if !cfg.DenyUndetermined {
				// Undetermined status is tolerated unless the caller opted into
				// strict handling.
				return nil
			}
		}
	}
	return fmt.Errorf("no unrevoked chains found: %v", tally)
}
143
144// checkChain will determine and check all certificates in chain against the CRL
145// defined in the certificate with the following rules:
