var ErrLinting = fmt.Errorf("failed lint(s)")
func Check(tbs *x509.Certificate, subjectPubKey crypto.PublicKey, realIssuer *x509.Certificate, realSigner crypto.Signer, skipLints []string) ([]byte, error)
Check accomplishes the entire process of linting: it generates a throwaway signing key, uses that to create a linting cert, and runs a default set of lints (everything except for the ETSI and EV lints) against it. If subjectPubKey matches the public key of realSigner (i.e. the cert being linted is self-signed), the linting cert has its public key replaced with the throwaway public key so that it is also self-signed. This is the primary public interface of this package, but it can be inefficient: creating a new signer and a new lint registry are expensive operations, which performance-sensitive clients may want to avoid by caching a Linter created via linter.New().
func CheckCRL(tbs *x509.RevocationList, realIssuer *x509.Certificate, realSigner crypto.Signer, skipLints []string) error
CheckCRL is like Check, but for CRLs.
func ProcessResultSet(lintRes *zlint.ResultSet) error
Linter is capable of linting a to-be-signed (TBS) certificate. It does so by signing that certificate with a throwaway private key and a fake issuer whose public key matches the throwaway private key, and then running the resulting certificate through a registry of zlint lints.
type Linter struct {
// contains filtered or unexported fields
}
func New(realIssuer *x509.Certificate, realSigner crypto.Signer, skipLints []string) (*Linter, error)
New constructs a Linter. It uses the provided real certificate and signer (private key) to generate a matching fake keypair and issuer cert that will be used to sign the lint certificate. The provided list of lint names to skip is used to filter the zlint global registry down to only those lints which should be run.
func (l Linter) Check(tbs *x509.Certificate, subjectPubKey crypto.PublicKey) ([]byte, error)
Check signs the given TBS certificate using the Linter's fake issuer cert and private key, then runs the resulting certificate through all non-filtered lints. If the subjectPubKey is identical to the public key of the real signer used to create this linter, then the throwaway cert will have its pubkey replaced with the linter's pubkey so that it appears self-signed. It returns an error if any lint fails. On success it also returns the DER bytes of the linting certificate.
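The throwaway-signer mechanism described above, as an added example that is not this package's code: the fake issuer mirrors the real issuer's name and SubjectKeyId but carries a fresh throwaway key, the TBS is signed with that key, and the self-signed case swaps in the throwaway public key. The "real" issuer, its key, the leaf TBS and the key IDs are constructed fixtures; stdlib signature checks stand in for the zlint run.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// lintSign applies the throwaway-signer technique: the fake issuer is an in-memory template that
// mirrors the real issuer's name and SubjectKeyId (so the lint cert's AKI matches) but carries the
// throwaway public key, because CreateCertificate rejects a signer that differs from parent.PublicKey.
// If subjectPub is the real issuer's own key, the throwaway public key is swapped in (self-signed case).
func lintSign(tbs *x509.Certificate, subjectPub crypto.PublicKey, issuer *x509.Certificate) (lint, fake *x509.Certificate, err error) {
	throwaway, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	fake = &x509.Certificate{RawSubject: issuer.RawSubject, Subject: issuer.Subject, SubjectKeyId: issuer.SubjectKeyId,
		PublicKey: throwaway.Public(), PublicKeyAlgorithm: x509.ECDSA, // algorithm set so CheckSignatureFrom accepts it
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	if k, ok := issuer.PublicKey.(interface{ Equal(crypto.PublicKey) bool }); ok && k.Equal(subjectPub) {
		subjectPub = throwaway.Public()
	}
	der, err := x509.CreateCertificate(rand.Reader, tbs, fake, subjectPub, throwaway)
	if err != nil {
		return nil, nil, err
	}
	lint, err = x509.ParseCertificate(der)
	return lint, fake, err
}
// demo lints a constructed leaf TBS and the CA's own self-signed TBS against an in-memory stand-in
// for the parsed real issuer; realKey plays the part of the HSM-held key the linter never touches.
func demo() (leaf, fake, root *x509.Certificate, err error) {
	now := time.Now()
	realKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	realCA := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Real CA"},
		SubjectKeyId: []byte{1, 2, 3, 4}, PublicKey: realKey.Public(), NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	leafTBS := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	if leaf, fake, err = lintSign(leafTBS, subKey.Public(), realCA); err != nil {
		return
	}
	root, _, err = lintSign(realCA, realKey.Public(), realCA)
	return
}
```

Because the lint cert's AKI is copied from the real issuer's SubjectKeyId, lints on key identifiers see the same values the real signer would produce; only the signature and (in the self-signed case) the subject key differ.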
func (l Linter) CheckCRL(tbs *x509.RevocationList) error
CheckCRL signs the given RevocationList template using the Linter's fake issuer cert and private key, then runs the resulting CRL through our suite of CRL checks. It returns an error if any check fails.