Last active
October 11, 2022 04:18
-
-
Save hnakamur/cc513f7f12b020d8e13db0680728e238 to your computer and use it in GitHub Desktop.
Validate certificate key pair and hostname in Go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package main | |
import ( | |
"crypto/tls" | |
"crypto/x509" | |
"flag" | |
"fmt" | |
"log" | |
"golang.org/x/net/idna" | |
) | |
func main() { | |
var ( | |
certFile string | |
keyFile string | |
hostname string | |
) | |
flag.StringVar(&certFile, "cert", "", "certificate file path") | |
flag.StringVar(&keyFile, "key", "", "key file path") | |
flag.StringVar(&hostname, "hostname", "", "hostname") | |
flag.Parse() | |
err := ValidateCertificateKeyPairAndHostname(certFile, keyFile, hostname) | |
if err != nil { | |
log.Fatal(err) | |
} | |
} | |
func ValidateCertificateKeyPairAndHostname(certFile, keyFile, hostname string) error { | |
pair, err := tls.LoadX509KeyPair(certFile, keyFile) | |
if err != nil { | |
return fmt.Errorf("failed to load certificate and key file; %s", err) | |
} | |
cert, err := x509.ParseCertificate(pair.Certificate[0]) | |
if err != nil { | |
return fmt.Errorf("failed to parse certificate; %s", err) | |
} | |
roots, err := x509.SystemCertPool() | |
if err != nil { | |
return fmt.Errorf("failed to get system certificate pool; %s", err) | |
} | |
intermediates := x509.NewCertPool() | |
for i := 1; i < len(pair.Certificate); i++ { | |
inter, err := x509.ParseCertificate(pair.Certificate[1]) | |
if err != nil { | |
return fmt.Errorf("failed to parse intermediate certificate; %s", err) | |
} | |
intermediates.AddCert(inter) | |
} | |
asciiHostname, err := idna.ToASCII(hostname) | |
if err != nil { | |
return fmt.Errorf("fail to convert to punycode; %s", err) | |
} | |
opts := x509.VerifyOptions{ | |
DNSName: asciiHostname, | |
Intermediates: intermediates, | |
Roots: roots, | |
} | |
_, err = cert.Verify(opts) | |
if err != nil { | |
return fmt.Errorf("failed to verify certificate; %s", err.Error()) | |
} | |
return nil | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
example outputs: