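// CertBlacklistEntry identifies one certificate to reject. A presented
// certificate matches when its Issuer.CommonName equals IssuerCN AND its
// SerialNumber equals serialNum. Only the issuer's CommonName is compared
// (not the full issuer DN or an authority key identifier), so two issuers
// that share a CommonName are indistinguishable to this check.
type CertBlacklistEntry struct {
	IssuerCN  string
	serialNum *big.Int // nil never matches; compared with (*big.Int).Cmp
}

// CertBlacklist is the package-level list consulted by RejectBlacklistedCerts.
// It is read without synchronization; populate it before it is consulted.
var CertBlacklist []CertBlacklistEntry

// RejectBlacklistedCerts returns an error if the remote server of conn has
// presented a certificate present in the blacklist.
//
// It fails closed: if the connection state carries no verified chains (for
// example because verification was skipped) an error is returned rather than
// silently accepting the peer. For each verified chain only the leaf
// (chain[0]) is compared against CertBlacklist; intermediates and roots are
// not checked. cfg is accepted for interface compatibility and is not read.
func RejectBlacklistedCerts(conn *tls.Conn, cfg *tls.Config) error {
	cs := conn.ConnectionState()
	// len() rather than == nil: a non-nil empty slice must not fall through
	// to the loop below and be accepted with no check at all.
	if len(cs.VerifiedChains) == 0 {
		return errors.New("http: TLS verification completed but no verified chains")
	}
	return rejectBlacklistedChains(cs.VerifiedChains)
}

// rejectBlacklistedChains checks the leaf of each chain against CertBlacklist
// and returns an error describing the first blacklisted leaf found, or nil.
func rejectBlacklistedChains(chains [][]*x509.Certificate) error {
	for _, chain := range chains {
		// Defensive: VerifiedChains entries are expected to be non-empty, but
		// indexing an empty chain would panic.
		if len(chain) == 0 {
			continue
		}
		leaf := chain[0]
		for _, entry := range CertBlacklist {
			if !entryMatches(entry, leaf) {
				continue
			}
			return fmt.Errorf("server presented a blacklisted cert: %q (serial %s) issued by %q",
				leaf.Subject.CommonName,
				leaf.SerialNumber,
				leaf.Issuer.CommonName,
			)
		}
	}
	return nil
}

// entryMatches reports whether cert matches entry by issuer CommonName and
// serial number. A nil serial on either side never matches (and never panics).
func entryMatches(entry CertBlacklistEntry, cert *x509.Certificate) bool {
	if cert.Issuer.CommonName != entry.IssuerCN {
		return false
	}
	if entry.serialNum == nil || cert.SerialNumber == nil {
		return false
	}
	return cert.SerialNumber.Cmp(entry.serialNum) == 0
}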