crypto/tls: load a chain of certificates from a file.
Many recently issued certificates are chained: there's one or more intermediate certificates between the host certificate and the root CA certificate. This change causes the code to load any number of certificates from the certificate file. This matches the behaviour of common webservers, and the output of OpenSSL's command line tools. R=golang-dev, r2 CC=golang-dev https://golang.org/cl/4119057
This commit is contained in:
parent
b8e817cbf8
commit
1abb987e07
18
tls.go
18
tls.go
@ -124,14 +124,22 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
certDERBlock, _ := pem.Decode(certPEMBlock)
|
var certDERBlock *pem.Block
|
||||||
if certDERBlock == nil {
|
for {
|
||||||
|
certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
|
||||||
|
if certDERBlock == nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if certDERBlock.Type == "CERTIFICATE" {
|
||||||
|
cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(cert.Certificate) == 0 {
|
||||||
err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")
|
err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
cert.Certificate = [][]byte{certDERBlock.Bytes}
|
|
||||||
|
|
||||||
keyPEMBlock, err := ioutil.ReadFile(keyFile)
|
keyPEMBlock, err := ioutil.ReadFile(keyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
@ -153,7 +161,7 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
|
|||||||
|
|
||||||
// We don't need to parse the public key for TLS, but we so do anyway
|
// We don't need to parse the public key for TLS, but we so do anyway
|
||||||
// to check that it looks sane and matches the private key.
|
// to check that it looks sane and matches the private key.
|
||||||
x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
|
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user