From 02fbf00fcb964173ea436c89fd0f64bfb335c919 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Wed, 1 Mar 2017 15:44:39 -0300
Subject: [PATCH] Checks if the TLS secret contains a valid keypair structure, with 'CERTIFICATE' before the Private Key

---
 core/pkg/net/ssl/ssl.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/pkg/net/ssl/ssl.go b/core/pkg/net/ssl/ssl.go
index 62d2f6b7e..ea492940f 100644
--- a/core/pkg/net/ssl/ssl.go
+++ b/core/pkg/net/ssl/ssl.go
@@ -71,6 +71,11 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 		return nil, fmt.Errorf("No valid PEM formatted block found")
 	}
 
+	// If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
+	if pemBlock.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("Certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
+	}
+
 	pemCert, err := x509.ParseCertificate(pemBlock.Bytes)
 	if err != nil {
 		return nil, err
@@ -138,6 +143,10 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 	if pemCABlock == nil {
 		return nil, fmt.Errorf("No valid PEM formatted block found")
 	}
+	// If the first certificate does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
+	if pemCABlock.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("CA File %v contains invalid data, and must be created only with PEM formated certificates", name)
+	}
 	_, err := x509.ParseCertificate(pemCABlock.Bytes)
 	if err != nil {
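Review bot: The new comment in AddOrUpdateCertAndKey says the check fires when the file "does not start with 'BEGIN CERTIFICATE'", but the condition tests `pemBlock.Type`, i.e. the type of the first PEM block found; if that block comes from `pem.Decode` (the decode is above the hunk and not visible here), leading non-PEM bytes are skipped, so the check is about the first block's type, not the file's first bytes. A more precise comment would be `// The first PEM block must be a certificate; a PRIVATE KEY or other type here means the secret was not built as cert-then-key and must be rejected before ParseCertificate.` The same wording is used in the AddCertAuth hunk below. As a point of style, both new error strings are capitalized, which Go convention avoids, and neither reports what was actually found; `fmt.Errorf("certificate %v: first PEM block is %q, expected CERTIFICATE", name, pemBlock.Type)` gives the operator the information they need to fix the secret. AddOrUpdateCertAndKey's body begins and ends outside the hunk, so whether the `key` argument receives an equivalent type check is not visible here.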