checkChainRevocation checks the verified certificate chain for revoked certificates based on RFC5280.
(verifiedChains [][]*x509.Certificate, cfg RevocationOptions)
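// checkChainRevocation checks the verified certificate chains for revoked
// certificates based on RFC 5280.
//
// Each chain in verifiedChains is classified by checkChain. The first chain
// that is RevocationUnrevoked allows the connection and nil is returned. A
// RevocationRevoked chain is counted and skipped: a single revoked chain does
// not fail the connection as long as another acceptable chain exists. A
// RevocationUndetermined chain is counted; it is skipped when
// cfg.DenyUndetermined is set, otherwise it is accepted and nil is returned.
//
// When no chain is acceptable (including when verifiedChains is empty), an
// error is returned whose message carries the per-status counts.
func checkChainRevocation(verifiedChains [][]*x509.Certificate, cfg RevocationOptions) error {
	count := make(map[revocationStatus]int)
	for _, chain := range verifiedChains {
		status := checkChain(chain, cfg)
		switch status {
		case RevocationUnrevoked:
			// One unrevoked chain is enough to allow the connection.
			return nil
		case RevocationRevoked:
			// Keep looking: another chain may still be acceptable.
			count[RevocationRevoked]++
		case RevocationUndetermined:
			count[RevocationUndetermined]++
			if cfg.DenyUndetermined {
				continue
			}
			// Undetermined status is accepted unless the caller opted in to
			// DenyUndetermined.
			return nil
		default:
			// A status other than the three known constants: record it so it
			// appears in the error below instead of being silently dropped.
			count[status]++
		}
	}
	return fmt.Errorf("no unrevoked chains found: %v", count)
}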
| 143 | |
| 144 | // checkChain will determine and check all certificates in chain against the CRL |
| 145 | // defined in the certificate with the following rules: |