adds get chain with root CA for spiffe ID searching #55

Merged
merged 2 commits into from
Jul 1, 2024
35 changes: 35 additions & 0 deletions ca_pool.go
Expand Up @@ -35,7 +35,13 @@ func (self *CaPool) isSelfSignedCA(cert *x509.Certificate) bool {
return cert.IsCA && cert.CheckSignatureFrom(cert) == nil
}

// GetChainMinusRoot returns a chain from `cert` up to, but not including, the root CA if possible. If no cert is
// provided, nil is returned, if no chains is assembled the resulting chain will be the target cert only.
func (self *CaPool) GetChainMinusRoot(cert *x509.Certificate, extraCerts ...*x509.Certificate) []*x509.Certificate {
if cert == nil {
return nil
}

var result []*x509.Certificate
result = append(result, cert)

Expand All @@ -53,6 +59,35 @@ func (self *CaPool) GetChainMinusRoot(cert *x509.Certificate, extraCerts ...*x50
}
}

// GetChain returns a chain from `cert` up and including the root CA if possible. If no cert is provided, nil is
// returned. If no chains is assembled the resulting chain will be the target cert only.
func (self *CaPool) GetChain(cert *x509.Certificate, extraCerts ...*x509.Certificate) []*x509.Certificate {
if cert == nil {
return nil
}

var result []*x509.Certificate
result = append(result, cert)

certs := map[*x509.Certificate]struct{}{}

for _, curCert := range self.certs {
certs[curCert] = struct{}{}
}
for _, curCert := range extraCerts {
certs[curCert] = struct{}{}
}

for {
if parent := self.getParent(cert, certs); parent != nil {
result = append(result, parent)
cert = parent
} else {
return result
}
}
}

func (self *CaPool) addNonSelfSignedCasToCertsMap(certMap map[*x509.Certificate]struct{}, certs []*x509.Certificate) {
for _, cert := range certs {
if cert.IsCA && !self.isSelfSignedCA(cert) {
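Review bot: GetChain's `for` loop has no termination guard other than getParent returning nil, and unlike GetChainMinusRoot it seeds `certs` with every pool certificate including self-signed roots, so if getParent (not visible here) can return a certificate that verifies its own signature the loop appends the root forever; a peer-supplied leaf reaching this path would hang the caller. Each iteration should consume the certificate it just used: add `delete(certs, cert)` before the loop and `delete(certs, parent)` right after `result = append(result, parent)`, which bounds the loop by the map size and also ends any cross-signed cycle. The inline map construction duplicates what addNonSelfSignedCasToCertsMap does for GetChainMinusRoot; a sibling helper that adds all CAs would keep the two paths parallel. The doc comment reads `If no chains is assembled`; `If no chain can be assembled` is the intended sentence. The addNonSelfSignedCasToCertsMap body at the end of this section continues outside the view.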