certchain

func Find ¶

func Find(store Store, cert *x509.Certificate) ([]*x509.Certificate, error)

Find will look for the full certificate chain for the given certificate from the given cert store.

Implementation note: this searches for a set of candidates to include in the chain, however, this does NOT follow strict binding rules. Instead, the best candidate matches are found based on the key ID followed by CN.

If this function were following strict binding rules the key identifier, issuer name, and certificate serial numbers must match (which again, this function is NOT doing).

Specifically: "Issuer certificate must match all these values in the Subject Key Identifier (SKI) extension, Subject and Serial Number fields respectively. In other words: KeyID value in the particular certificate AKI extension must match the value in the Subject Key Identifier (SKI) extension of the issuer certificate. Certificate Issuer value in the particular certificate must match the value in the Subject field of the issuer certificate. And Serial Number in the particular certificate must match the value in the Serial Number of the issuer certificate. If one of them doesn't match, certificate binding will fail and CCE will attempt to find another certificate that can be considered as a particular certificate issuer."

source: https://www.sysadmins.lv/blog-en/certificate-chaining-engine-how-this-works.aspx

func Sort ¶

func Sort(certs []*x509.Certificate) []*x509.Certificate

func ToPEM ¶

func ToPEM(certs ...*x509.Certificate) ([]byte, error)

func ToPEMs ¶

func ToPEMs(certs ...*x509.Certificate) ([][]byte, error)

func VerifyForCodeSigning ¶

func VerifyForCodeSigning(certs []*x509.Certificate, failWithoutFullChain bool) error