Skip to content

X.509 certificate linter, written in Go

License

Notifications You must be signed in to change notification settings

x19e/gs-certlint

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

certlint

Build Status Go Report Card Coverage Status GoDoc

X.509 certificate linter written in Go

General

This package is a work in progress.

Please keep in mind that:

  • This is an early release and may contain bugs or false reports
  • Not all checks have been fully implemented or verified against the standard
  • CLI flag, APIs and CSV export are subject to change

Code contributions and tests are highly welcome!

Installation

To install from source, just run:

go get -u github.com/globalsign/certlint
go install github.com/globalsign/certlint

CLI: Usage

The 'certlint' command line utility included with this package can be used to test a single certificate or a large pem container to bulk test millions of certificates. The command is used to test the linter on a large number of certificates but could use fresh up to reduce code complexity.

Usage of ./certlint:
  -bulk string
        Bulk certificates file
  -cert string
        Certificate file
  -errlevel string
        Exit non-zero for Errors at this level (default "error")
  -expired
        Test expired certificates
  -help
        Show this help
  -include
        Include certificates in report
  -issuer string
        Certificate file
  -pprof
        Generate pprof profile
  -report string
        Report filename (default "report.csv")
  -revoked
        Check if certificates are revoked
CLI: One certificate
$ certlint -cert certificate.pem
CLI: One certificate, exiting non-zero for Warning and above
$ certlint -errlevel warning -cert certificate.pem
CLI: A series of PEM encoded certificates
$ certlint -bulk largestore.pem
CLI: Testing expired certificates
$ certlint -expired -bulk largestore.pem
API: Usage

Import one or all of these packages:

import "github.com/globalsign/certlint/asn1"
import "github.com/globalsign/certlint/certdata"
import "github.com/globalsign/certlint/checks"

You can import all available checks:

_ "github.com/globalsign/certlint/checks/extensions/all"
_ "github.com/globalsign/certlint/checks/certificate/all"

Or you can just import a restricted set:

// Check for certificate (ext) KeyUsage extension
_ "github.com/globalsign/certlint/checks/extensions/extkeyusage"
_ "github.com/globalsign/certlint/checks/extensions/keyusage"

// Also check the parsed certificate (ext) keyusage content
_ "github.com/globalsign/certlint/checks/certificate/extkeyusage"
_ "github.com/globalsign/certlint/checks/certificate/keyusage"
API: Check ASN.1 value formatting
al := new(asn1.Linter)
e := al.CheckStruct(der)
if e != nil {
  for _, err := range e.List() {
    fmt.Println(err)
  }
}
API: Check certificate details
d, err := certdata.Load(der)
if err == nil {
  e := checks.Certificate.Check(d)
  if e != nil {
    for _, err := range e.List() {
      fmt.Println(err)
    }
  }
}

About

X.509 certificate linter, written in Go

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%