X.509 certificate linter written in Go
This package is a work in progress.
Please keep in mind that:
- This is an early release and may contain bugs or false reports
- Not all checks have been fully implemented or verified against the standard
- CLI flag, APIs and CSV export are subject to change
Code contributions and tests are highly welcome!
To install from source, just run:
go get -u github.com/globalsign/certlint
go install github.com/globalsign/certlint
The 'certlint' command line utility included with this package can be used to test a single certificate or a large pem container to bulk test millions of certificates. The command is used to test the linter on a large number of certificates but could use fresh up to reduce code complexity.
Usage of ./certlint:
-bulk string
Bulk certificates file
-cert string
Certificate file
-errlevel string
Exit non-zero for Errors at this level (default "error")
-expired
Test expired certificates
-help
Show this help
-include
Include certificates in report
-issuer string
Certificate file
-pprof
Generate pprof profile
-report string
Report filename (default "report.csv")
-revoked
Check if certificates are revoked
$ certlint -cert certificate.pem
$ certlint -errlevel warning -cert certificate.pem
$ certlint -bulk largestore.pem
$ certlint -expired -bulk largestore.pem
Import one or all of these packages:
import "github.com/globalsign/certlint/asn1"
import "github.com/globalsign/certlint/certdata"
import "github.com/globalsign/certlint/checks"
You can import all available checks:
_ "github.com/globalsign/certlint/checks/extensions/all"
_ "github.com/globalsign/certlint/checks/certificate/all"
Or you can just import a restricted set:
// Check for certificate (ext) KeyUsage extension
_ "github.com/globalsign/certlint/checks/extensions/extkeyusage"
_ "github.com/globalsign/certlint/checks/extensions/keyusage"
// Also check the parsed certificate (ext) keyusage content
_ "github.com/globalsign/certlint/checks/certificate/extkeyusage"
_ "github.com/globalsign/certlint/checks/certificate/keyusage"
al := new(asn1.Linter)
e := al.CheckStruct(der)
if e != nil {
for _, err := range e.List() {
fmt.Println(err)
}
}
d, err := certdata.Load(der)
if err == nil {
e := checks.Certificate.Check(d)
if e != nil {
for _, err := range e.List() {
fmt.Println(err)
}
}
}