From 1abb987e0753b4b72ca773e2cbe6822521f47852 Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@golang.org>
Date: Sat, 5 Feb 2011 13:54:25 -0500
Subject: [PATCH] crypto/tls: load a chain of certificates from a file.

Many recently issued certificates are chained: there's one or more
intermediate certificates between the host certificate and the root CA
certificate. This change causes the code to load any number of
certificates from the certificate file. This matches the behaviour of
common webservers, and the output of OpenSSL's command line tools.

R=golang-dev, r2
CC=golang-dev
https://golang.org/cl/4119057
---
 tls.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/tls.go b/tls.go
index b11d322..e8290d7 100644
--- a/tls.go
+++ b/tls.go
@@ -124,14 +124,22 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
 		return
 	}
 
-	certDERBlock, _ := pem.Decode(certPEMBlock)
-	if certDERBlock == nil {
+	var certDERBlock *pem.Block
+	for {
+		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
+		if certDERBlock == nil {
+			break
+		}
+		if certDERBlock.Type == "CERTIFICATE" {
+			cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
+		}
+	}
+
+	if len(cert.Certificate) == 0 {
 		err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")
 		return
 	}
 
-	cert.Certificate = [][]byte{certDERBlock.Bytes}
-
 	keyPEMBlock, err := ioutil.ReadFile(keyFile)
 	if err != nil {
 		return
@@ -153,7 +161,7 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
 
 	// We don't need to parse the public key for TLS, but we so do anyway
 	// to check that it looks sane and matches the private key.
-	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
 	if err != nil {
 		return
 	}