transparency-dev · phbnf · Mar 18, 2025 · Mar 18, 2025 · Mar 18, 2025
diff --git a/internal/x509fork/README.md → internal/lax509/README.md b/internal/x509fork/README.md → internal/lax509/README.md
@@ -1,4 +1,4 @@
-# x509fork
+# lax509
 
 This is a minimalist fork of [`crypto/x509`](https://pkg.go.dev/crypto/x509). 
 

diff --git a/internal/x509fork/cert_pool.go → internal/lax509/cert_pool.go b/internal/x509fork/cert_pool.go → internal/lax509/cert_pool.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package x509fork
+package lax509
 
 import (
 	"bytes"

diff --git a/internal/x509fork/cert_pool_test.go → internal/lax509/cert_pool_test.go b/internal/x509fork/cert_pool_test.go → internal/lax509/cert_pool_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package x509fork
+package lax509
 
 import (
 	"crypto/x509"

diff --git a/internal/x509fork/verify.go → internal/lax509/verify.go b/internal/x509fork/verify.go → internal/lax509/verify.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package x509fork
+package lax509
 
 import (
 	"bytes"

diff --git a/internal/x509fork/verify_test.go → internal/lax509/verify_test.go b/internal/x509fork/verify_test.go → internal/lax509/verify_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package x509fork
+package lax509
 
 import (
 	"crypto"
@@ -1232,7 +1232,7 @@ func TestPathBuilding(t *testing.T) {
 			//   * Trust Anchor -> A -> B -> EE
 			//   * Trust Anchor -> C -> A -> B -> EE
 			//
-			// [x509fork edit]: These paths should also be valid since EKU checks have been disabled.
+			// [lax509 edit]: These paths should also be valid since EKU checks have been disabled.
 			//   * Trust Anchor -> A -> C -> B -> EE
 			//   * Trust Anchor -> C -> B -> EE
 			//
@@ -1315,7 +1315,7 @@ func TestPathBuilding(t *testing.T) {
 			//   * Trust Anchor -> A -> B -> EE
 			//   * Trust Anchor -> C -> A -> B -> EE
 			//
-			// [x509fork edit]: These paths should also be valid since EKU checks have been disabled.
+			// [lax509 edit]: These paths should also be valid since EKU checks have been disabled.
 			//   * Trust Anchor -> C -> B -> EE
 			//   * Trust Anchor -> A -> C -> B -> EE
 			//
@@ -1561,7 +1561,7 @@ func TestPathBuilding(t *testing.T) {
 			// Build a basic graph with two paths from leaf to root, but the path passing
 			// through C should be ignored, because it has invalid EKU nesting.
 			//
-			// [x509fork edit]: the second path should not be ignored since EKU checks
+			// [lax509 edit]: the second path should not be ignored since EKU checks
 			// have been disabled.
 			name: "ignore invalid EKU path",
 			graph: trustGraphDescription{

diff --git a/internal/x509fork/x509.go → internal/lax509/x509.go b/internal/x509fork/x509.go → internal/lax509/x509.go
@@ -1,4 +1,4 @@
-package x509fork
+package lax509
 
 var (
 	oidExtensionSubjectAltName = []int{2, 5, 29, 17}

diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go
@@ -24,8 +24,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/transparency-dev/static-ct/internal/lax509"
 	"github.com/transparency-dev/static-ct/internal/types"
-	"github.com/transparency-dev/static-ct/internal/x509fork"
 	"github.com/transparency-dev/static-ct/internal/x509util"
 	"k8s.io/klog/v2"
 )
@@ -231,18 +231,18 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 		}
 	}
 
-	// We can now do the verification. Use x509fork with looser verification
+	// We can now do the verification. Use lax509 with looser verification
 	// constraints to:
 	//  - allow pre-certificates and chains with pre-issuers
 	//  - allow certificate without policing them since this is not CT's responsibility
-	// See /internal/x509fork/README.md for further information.
-	verifyOpts := x509fork.VerifyOptions{
+	// See /internal/lax509/README.md for further information.
+	verifyOpts := lax509.VerifyOptions{
 		Roots:         validationOpts.trustedRoots.CertPool(),
 		Intermediates: intermediatePool.CertPool(),
 		KeyUsages:     validationOpts.extKeyUsages,
 	}
 
-	verifiedChains, err := x509fork.Verify(cert, verifyOpts)
+	verifiedChains, err := lax509.Verify(cert, verifyOpts)
 	if err != nil {
 		return nil, err
 	}

diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go
@@ -22,7 +22,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/transparency-dev/static-ct/internal/x509fork"
+	"github.com/transparency-dev/static-ct/internal/lax509"
 	"k8s.io/klog/v2"
 )
 
@@ -37,12 +37,12 @@ type PEMCertPool struct {
 	// maps from sha-256 to certificate, used for dup detection
 	fingerprintToCertMap map[[sha256.Size]byte]x509.Certificate
 	rawCerts             []*x509.Certificate
-	certPool             *x509fork.CertPool
+	certPool             *lax509.CertPool
 }
 
 // NewPEMCertPool creates a new, empty, instance of PEMCertPool.
 func NewPEMCertPool() *PEMCertPool {
-	return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: x509fork.NewCertPool()}
+	return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: lax509.NewCertPool()}
 }
 
 // AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates.
@@ -111,7 +111,7 @@ func (p *PEMCertPool) Subjects() (res [][]byte) {
 }
 
 // CertPool returns the underlying CertPool.
-func (p *PEMCertPool) CertPool() *x509fork.CertPool {
+func (p *PEMCertPool) CertPool() *lax509.CertPool {
 	return p.certPool
 }