55package lax509
66
77import (
8- "bytes"
98 "crypto/sha256"
109 "crypto/x509"
1110 "encoding/pem"
@@ -78,12 +77,6 @@ func (s *CertPool) len() int {
7877 return len (s .lazyCerts )
7978}
8079
81- // cert returns cert index n in s.
82- func (s * CertPool ) cert (n int ) (* x509.Certificate , func ([]* x509.Certificate ) error , error ) {
83- cert , err := s .lazyCerts [n ].getCert ()
84- return cert , s .lazyCerts [n ].constraint , err
85- }
86-
8780// Clone returns a copy of s.
8881func (s * CertPool ) Clone () * CertPool {
8982 p := & CertPool {
@@ -104,60 +97,6 @@ func (s *CertPool) Clone() *CertPool {
10497 return p
10598}
10699
107- type potentialParent struct {
108- cert * x509.Certificate
109- constraint func ([]* x509.Certificate ) error
110- }
111-
112- // findPotentialParents returns the certificates in s which might have signed
113- // cert.
114- func (s * CertPool ) findPotentialParents (cert * x509.Certificate ) []potentialParent {
115- if s == nil {
116- return nil
117- }
118-
119- // consider all candidates where cert.Issuer matches cert.Subject.
120- // when picking possible candidates the list is built in the order
121- // of match plausibility as to save cycles in buildChains:
122- // AKID and SKID match
123- // AKID present, SKID missing / AKID missing, SKID present
124- // AKID and SKID don't match
125- var matchingKeyID , oneKeyID , mismatchKeyID []potentialParent
126- for _ , c := range s .byName [string (cert .RawIssuer )] {
127- candidate , constraint , err := s .cert (c )
128- if err != nil {
129- continue
130- }
131- kidMatch := bytes .Equal (candidate .SubjectKeyId , cert .AuthorityKeyId )
132- switch {
133- case kidMatch :
134- matchingKeyID = append (matchingKeyID , potentialParent {candidate , constraint })
135- case (len (candidate .SubjectKeyId ) == 0 && len (cert .AuthorityKeyId ) > 0 ) ||
136- (len (candidate .SubjectKeyId ) > 0 && len (cert .AuthorityKeyId ) == 0 ):
137- oneKeyID = append (oneKeyID , potentialParent {candidate , constraint })
138- default :
139- mismatchKeyID = append (mismatchKeyID , potentialParent {candidate , constraint })
140- }
141- }
142-
143- found := len (matchingKeyID ) + len (oneKeyID ) + len (mismatchKeyID )
144- if found == 0 {
145- return nil
146- }
147- candidates := make ([]potentialParent , 0 , found )
148- candidates = append (candidates , matchingKeyID ... )
149- candidates = append (candidates , oneKeyID ... )
150- candidates = append (candidates , mismatchKeyID ... )
151- return candidates
152- }
153-
154- func (s * CertPool ) contains (cert * x509.Certificate ) bool {
155- if s == nil {
156- return false
157- }
158- return s .haveSum [sha256 .Sum224 (cert .Raw )]
159- }
160-
161100// AddCert adds a certificate to a pool.
162101func (s * CertPool ) AddCert (cert * x509.Certificate ) {
163102 if cert == nil {