@@ -12,10 +12,12 @@ import (
1212func  parsePEM (pemCerts  []byte ) (certs  []* x509.Certificate , err  error ) {
1313	for  len (pemCerts ) >  0  {
1414		var  block  * pem.Block 
15+ 
1516		block , pemCerts  =  pem .Decode (pemCerts )
1617		if  block  ==  nil  {
1718			break 
1819		}
20+ 
1921		if  block .Type  !=  "CERTIFICATE"  ||  len (block .Headers ) !=  0  {
2022			continue 
2123		}
@@ -24,14 +26,13 @@ func parsePEM(pemCerts []byte) (certs []*x509.Certificate, err error) {
2426		if  err  !=  nil  {
2527			return  nil , err 
2628		}
29+ 
2730		certs  =  append (certs , cert )
2831	}
2932	return 
3033}
3134
3235func  checkRootCertsPEM (t  * testing.T , pemCerts  []byte , whenFail  time.Time , whenWarn  time.Time ) (ok  bool ) {
33- 	const  warnEmoji  =  "\u26a0 \ufe0f " 
34- 	// t.Logf("%#v %[1]x %x", warnEmoji, []rune(warnEmoji)) 
3536	now  :=  time .Now ()
3637	t .Logf ("Checking certificate validity on %s..." , whenFail )
3738	certs , err  :=  parsePEM (pemCerts )
@@ -46,6 +47,7 @@ func checkRootCertsPEM(t *testing.T, pemCerts []byte, whenFail time.Time, whenWa
4647	}
4748
4849	var  minExpires  time.Time 
50+ 	var  minExpiresName  string 
4951	ok  =  true 
5052	for  _ , cert  :=  range  certs  {
5153		name  :=  cert .Subject .CommonName 
@@ -57,42 +59,53 @@ func checkRootCertsPEM(t *testing.T, pemCerts []byte, whenFail time.Time, whenWa
5759		}
5860
5961		if  ! cert .IsCA  {
60- 			t .Errorf ("\u274C  %s: not a certificate authority" , name )
62+ 			t .Errorf ("❌  %s: not a certificate authority" , name )
6163		}
64+ 
6265		const  keyUsageExpected  =  x509 .KeyUsageCertSign  |  x509 .KeyUsageCRLSign  |  x509 .KeyUsageDigitalSignature 
6366		if  (cert .KeyUsage  &^ keyUsageExpected ) !=  0  {
64- 			t .Logf (warnEmoji + "  %s: unexpected key usage %#x (expecting %#x, see constants at https://pkg.go.dev/crypto/x509#KeyUsage)"name , cert .KeyUsage , keyUsageExpected )
67+ 			t .Logf ("⚠️  %s: unexpected key usage %#x (expecting %#x, see constants at https://pkg.go.dev/crypto/x509#KeyUsage)"name , cert .KeyUsage , keyUsageExpected )
6568		}
69+ 
6670		if  minExpires .IsZero () ||  cert .NotAfter .Before (minExpires ) {
6771			minExpires  =  cert .NotAfter 
72+ 			minExpiresName  =  name 
6873		}
74+ 
6975		// Check that the certificate is valid now 
7076		if  cert .NotBefore .After (now ) {
71- 			t .Errorf ("\u274C  %s: fails NotBefore check: %s" , name , cert .NotBefore )
77+ 			t .Errorf ("❌  %s: fails NotBefore check: %s" , name , cert .NotBefore )
7278			continue 
7379		}
80+ 
7481		// ... and that it will still be valid later 
7582		if  cert .NotAfter .Before (whenFail ) {
76- 			t .Errorf ("\u274C  %s: fails NotAfter check: %s" , name , cert .NotAfter )
83+ 			t .Errorf ("❌  %s: fails NotAfter check: %s" , name , cert .NotAfter )
7784			continue 
78- 		} else  if  cert .NotAfter .Before (whenWarn ) {
79- 			t .Logf (warnEmoji + " %s: fails NotAfter check: %s" , name , cert .NotAfter )
8085		}
86+ 
87+ 		if  cert .NotAfter .Before (whenWarn ) {
88+ 			t .Logf ("⚠️ %s: fails NotAfter check: %s" , name , cert .NotAfter )
89+ 		}
90+ 
8191		_ , err  :=  cert .Verify (x509.VerifyOptions {
8292			Roots :       roots ,
8393			CurrentTime : whenFail ,
8494		})
8595		if  err  !=  nil  {
86- 			t .Errorf ("\u274C  %s: %s" , name , err )
96+ 			t .Errorf ("❌  %s: %s" , name , err )
8797			ok  =  false 
88- 		} else  {
89- 			t .Logf ("\u2705  %s (expires: %s)" , name , cert .NotAfter )
98+ 			continue 
9099		}
100+ 
101+ 		t .Logf ("✅ %s (expires: %s)" , name , cert .NotAfter )
91102	}
103+ 
92104	if  ok  {
93105		t .Log ("Success." )
94- 		t .Logf ("MinExpire: %s" , minExpires )
106+ 		t .Logf ("MinExpire: %s (Certificate: %s) " , minExpires ,  minExpiresName )
95107	}
108+ 
96109	return 
97110}
98111
@@ -101,5 +114,5 @@ func TestCerts(t *testing.T) {
101114	checkRootCertsPEM (t , []byte (embedded .MozillaCACertificatesPEM ()), time .Now ().AddDate (0 , 1 , 0 ), time .Now ().AddDate (0 , 3 , 0 ))
102115
103116	// Should fail 
104- 	//checkRootCertsPEM(t, []byte(embedded.MozillaCACertificatesPEM()), time.Now().AddDate(20, 0, 0), time.Now().AddDate(30, 0, 0)) 
117+ 	//  checkRootCertsPEM(t, []byte(embedded.MozillaCACertificatesPEM()), time.Now().AddDate(20, 0, 0), time.Now().AddDate(30, 0, 0)) 
105118}