Addition to GO based service to add chain verification and signature verification for X509, CRL and OCSP

The existing API looks like this: Decode an X509 certificate curl --fail -F "content=@[login to view URL]" "[login to view URL]" Request and issue an X509 certificate openssl genrsa -out [login to view URL] 2048 openssl req -config [login to view URL] -subj "/CN=[login to view URL]" -new -x509 -set_serial 01 -days 1 -key [login to view URL] -out [login to view URL] curl --fail -F "content=@[login to view URL]" "[login to view URL]" Decode a set of X509 certificates curl --fail -F "content=@[login to view URL]" "[login to view URL]" Decode an X509 crl curl --fail -F "content=@[login to view URL]" "[login to view URL]" Decode an OCSP response openssl ocsp -noverify -no_nonce -respout [login to view URL] -reqout [login to view URL] -issuer [login to view URL] -cert [login to view URL] -url "[login to view URL]" -header "HOST" "[login to view URL]" -text curl --fail -F "content=@[login to view URL]" "[login to view URL]" I want the following added: ----- X509Certificate\action=verify [login to view URL] [login to view URL] [login to view URL] [login to view URL] curl --fail -F "content=@[login to view URL]" [login to view URL],example.com&time=zzz action = verify -- generic certificate validation Passin: A certificate to be verified A bag of certificates that may be usefull for validating the certificate to be verified (aka a bag of intermediate CA certificates) Hostnames to make sure the certificte is good for (Only required for action eku=ExtKeyUsageServerAuth) ku=KeyUsageDigitalSignature,KeyUsageContentCommitment,KeyUsageKeyEncipherment,KeyUsageDataEncipherment,KeyUsageKeyAgreement,KeyUsageCertSign,KeyUsageCRLSign,KeyUsageEncipherOnly,KeyUsageDecipherOnly, eku=ExtKeyUsageAny, ExtKeyUsageServerAuth, ExtKeyUsageClientAuth, ExtKeyUsageCodeSigning, ExtKeyUsageEmailProtection, ExtKeyUsageTimeStamping, ExtKeyUsageOCSPSigning time=time If hostnames passed in call VerifyHostname if verify passes If eku=ExtKeyUsageServerAuth and no hostname error If hostnames provided they go in [login to view URL] If time not specified use current time. Use host side configured nss roots as trust anchors Passout: Success / Fail If fail why: CANotAuthorizedForThisName, Expired, NotAuthorizedToSign, TooManyIntermediates, HostnameError, ConstraintViolationError, CertificateInvalidError(Reason), UnhandledCriticalExtension, UnknownAuthorityError Returns bags of PEM encoded certificates, each bag representing a chain, bag is ordered. ----- X509crl\action=verify Call [login to view URL] Passin: A certificate to be verified A certificate to verify against time=time Passout: Success / Fail If fail why: Invalid siganture, unsupported algorithm, expired, ---- X509ocsp\action=verify&type=response Passin: A ocsp response to be verified time=time Passout: Success / Fail If fail why: Invalid siganture, unsupported algorithm, expired,