1
0
mirror of https://github.com/golang/go synced 2024-11-25 13:07:57 -07:00

crypto/tls: load a chain of certificates from a file.

Many recently issued certificates are chained: there's one or more
intermediate certificates between the host certificate and the root CA
certificate. This change causes the code to load any number of
certificates from the certificate file. This matches the behaviour of
common webservers, and the output of OpenSSL's command line tools.

R=golang-dev, r2
CC=golang-dev
https://golang.org/cl/4119057
This commit is contained in:
Adam Langley 2011-02-05 13:54:25 -05:00
parent c63a88072b
commit 5626bd9e38

View File

@ -124,14 +124,22 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
return return
} }
certDERBlock, _ := pem.Decode(certPEMBlock) var certDERBlock *pem.Block
for {
certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
if certDERBlock == nil { if certDERBlock == nil {
break
}
if certDERBlock.Type == "CERTIFICATE" {
cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
}
}
if len(cert.Certificate) == 0 {
err = os.ErrorString("crypto/tls: failed to parse certificate PEM data") err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")
return return
} }
cert.Certificate = [][]byte{certDERBlock.Bytes}
keyPEMBlock, err := ioutil.ReadFile(keyFile) keyPEMBlock, err := ioutil.ReadFile(keyFile)
if err != nil { if err != nil {
return return
@ -153,7 +161,7 @@ func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.
// We don't need to parse the public key for TLS, but we so do anyway // We don't need to parse the public key for TLS, but we so do anyway
// to check that it looks sane and matches the private key. // to check that it looks sane and matches the private key.
x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes) x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil { if err != nil {
return return
} }