Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Verify a certificate with chain with golang crypto library
package main
import (
"crypto/x509"
"encoding/pem"
"io/ioutil"
"log"
"os"
)
func main() {
log.Printf("Usage: verify_certificate SERVER_NAME CERT.pem CHAIN.pem")
serverName := os.Args[1]
certPEM, err := ioutil.ReadFile(os.Args[2])
if err != nil {
log.Fatal(err)
}
rootPEM, err := ioutil.ReadFile(os.Args[3])
if err != nil {
log.Fatal(err)
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
panic("failed to parse root certificate")
}
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
panic("failed to parse certificate PEM")
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
panic("failed to parse certificate: " + err.Error())
}
opts := x509.VerifyOptions{
Roots: roots,
DNSName: serverName,
Intermediates: x509.NewCertPool(),
}
if _, err := cert.Verify(opts); err != nil {
panic("failed to verify certificate: " + err.Error())
}
log.Printf("verification succeeds")
}
@dimalinux

This comment has been minimized.

Copy link

dimalinux commented May 27, 2019

This example is not solving what people are searching for when they find it. The so-called "chain" in this example is trusted and all of its certs are put into the root store. While it is common to place some intermediate certs into a root store for faster verification, certs in the root store do not form a chain. Any certificate in the root store is trusted absolutely without having traverse further up a chain. Hence the word "root".

Can you modify the example to do what the title says? Start with a root certificate and verify a certificate that has one or more intermediate certificates attached to it as a chain.

@davbo

This comment has been minimized.

Copy link

davbo commented Aug 21, 2019

This example from the docs is likely what people landing here are looking for: https://golang.org/pkg/crypto/x509/#example_Certificate_Verify

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.