cloudflare/cfssl_trust

Public

mirrored from https://github.com/cloudflare/cfssl_trustAvailable

CodeCommitsIssuesPull requestsActionsInsightsSecurity
trust-store-2026.3.0

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

model/certdb/bundle.go

62lines · modecode

1package certdb
2
3import (
4 "crypto/x509"
5 "database/sql"
6 "errors"
7 "fmt"
8)
9
10// CollectRelease grabs all the certificates in a release, ordering
11// them by the oldest.
12func CollectRelease(bundle, version string, tx *sql.Tx) ([]*Certificate, error) {
13 rel, err := NewRelease(bundle, version)
14 if err != nil {
15 return nil, err
16 }
17
18 err = rel.Select(tx)
19 if err != nil {
20 if err == sql.ErrNoRows {
21 err = errors.New("model/certdb: invalid release " + version)
22 }
23 return nil, err
24 }
25
26 var certs []*Certificate
27 tbl := rel.table()
28 query := fmt.Sprintf(`
29SELECT certificates.ski, aki, certificates.serial, not_before, not_after, raw
30 FROM certificates
31 INNER JOIN %ss ON certificates.ski = %ss.ski AND
32 certificates.serial = %ss.serial AND
33 %ss.release = ?
34 ORDER BY certificates.not_before`,
35 tbl, tbl, tbl, tbl)
36 rows, err := tx.Query(query, rel.Version)
37 if err != nil {
38 return nil, err
39 }
40
41 for rows.Next() {
42 cert := &Certificate{}
43
44 err = rows.Scan(&cert.SKI, &cert.AKI, &cert.Serial, &cert.NotBefore, &cert.NotAfter, &cert.Raw)
45 if err != nil {
46 return nil, err
47 }
48
49 cert.cert, err = x509.ParseCertificate(cert.Raw)
50 if err != nil {
51 // Tolerate certificates with negative serial numbers, which are non-compliant
52 // but exist in some real-world CA bundles. Return error for other parse failures.
53 if err.Error() != "x509: negative serial number" {
54 return nil, err
55 }
56 }
57
58 certs = append(certs, cert)
59 }
60
61 return certs, nil
62}
63