proposal: crypto/x509: allow certificates to be exported from CertPool #26614
Comments
@mastahyeti I assume by |
Yes. Thanks. I updated the OP. |
Is there a use-case for reading all certificates returned? I could see removing certificates from a Would inspecting the chains from a certificate perhaps solve the problem better? There's already a method for this.

```go
func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)
```
I'm starting to think that my use case is outside the intended purpose of this type. I'm working on a library that creates/verifies CMS (PKCS#7 / S/MIME)

```go
func (sd *SignedData) Verify(opts x509.VerifyOptions) (chains [][][]*x509.Certificate, err error)
```

In the rare case where the While this makes for a convenient API for my library, I'm realizing that I may be abusing the
I'd like to reopen this issue. We have, due to business requirements, a drop-in replacement for Because I'd like to propose this API:

```go
// Certificates returns a copy of the certificates inside the CertPool, if any.
// The bool indicates the availability of full Certificates.
func (p *CertPool) Certificates() ([]*Certificate, bool)
```
I tried making a tool today that would try and verify if particular system certificates were present on the host, rather than blow up at runtime. And it's impossible to build that tool without this API change, or cloning most of the code here and building my own library. Also: https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L151-L159 Hopefully no one finds this, but should you happen to try and actually iterate on the

```go
package main
import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
)
// printSubjects decodes the raw DER subjects from CertPool.Subjects() and prints each CommonName.
func printSubjects(subjects [][]byte) {
	for i, rawSubject := range subjects {
		var rdnSequence pkix.RDNSequence
		_, err := asn1.Unmarshal(rawSubject, &rdnSequence)
		if err != nil {
			log.Fatal("could not unmarshal der formatted subject")
		}
		var name pkix.Name
		name.FillFromRDNSequence(&rdnSequence)
		fmt.Printf("cert %d: %s\n", i, name.CommonName)
	}
}
```
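As an added example (not code from this issue, from the Go project, or from any commenter), the program below builds a root, an intermediate and a leaf certificate in memory and then shows both inspection paths raised in the thread: `Certificate.Verify` returning the chains it actually built, and decoding `CertPool.Subjects()` into `pkix.Name` values as the loop above does. All names, serial numbers and validity periods are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// newTemplate returns a minimal certificate template (constructed test data).
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue generates a P-256 key for tmpl and signs tmpl with parentKey.
// A nil parentKey produces a self-signed certificate (the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainSubjects is the existing way to see which intermediates were used:
// Verify returns every valid chain, leaf first and root last.
func chainSubjects(leaf *x509.Certificate, roots, inters *x509.CertPool, dnsName string) ([]string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// poolSubjectNames decodes the DER subjects exposed by CertPool.Subjects()
// into pkix.Name values, the approach taken by the loop posted above.
func poolSubjectNames(pool *x509.CertPool) ([]string, error) {
	var names []string
	for _, raw := range pool.Subjects() {
		var seq pkix.RDNSequence
		if _, err := asn1.Unmarshal(raw, &seq); err != nil {
			return nil, fmt.Errorf("decode subject: %w", err)
		}
		var n pkix.Name
		n.FillFromRDNSequence(&seq)
		names = append(names, n.CommonName)
	}
	return names, nil
}

// demo builds root -> intermediate -> leaf and runs both inspection paths.
func demo() (chain, poolNames []string, err error) {
	root, rootKey, err := issue(newTemplate("Test Root", true, 1), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	inter, interKey, err := issue(newTemplate("Test Intermediate", true, 2), root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(newTemplate("example.test", false, 3), inter, interKey)
	if err != nil {
		return nil, nil, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if chain, err = chainSubjects(leaf, roots, inters, "example.test"); err != nil {
		return nil, nil, err
	}
	poolNames, err = poolSubjectNames(inters)
	return chain, poolNames, err
}

func main() {
	chain, poolNames, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain:", chain, "intermediates pool:", poolNames)
}
```

Both paths only work because the pools here were built by the program itself, so every subject and certificate is available. `CertPool.Subjects` was deprecated in Go 1.18 precisely because a pool returned by `SystemCertPool` cannot be enumerated on every platform, which is the gap the `Certificates() ([]*Certificate, bool)` proposal in this thread is trying to make explicit to callers.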
There is no way to compare x509.CertPools now that it has an unexpected function field. This comparison is as close as we can get. See golang/go#26614 for a related issue.
Copied from review 126016 (@FiloSottile asked me to open a proposal issue):
In the review, @FiloSottile said:
I admit, I hadn't looked too carefully into how `SystemCertPool` was implemented on various systems. My desire for this change is a situation where a certificate from the `Intermediates` of a `VerifyOptions` needs to be inspected. In my case, the `CertPool` is not going to be the `SystemRoots`, but something the user has constructed.

Maybe, to support my use case, as well as to support system stores where the actual certs aren't available, the function could be changed to return an error if the certs aren't available. We could check this by seeing if the length of the subject list matches the length of the `certs` member. Does that sound reasonable?

Edit: Just to decouple this a bit from the premature review I opened, here's the signature I'm suggesting: