From 0dc5a1d2e2d4e1059fa886ee3accf1fcf9574317 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Fri, 8 Mar 2019 17:19:47 -0500
Subject: [PATCH] do not repeat cert verification against root ca

---
 internal/net/ssl/ssl.go | 31 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go
index b16cfa325..8c1fb0ecf 100644
--- a/internal/net/ssl/ssl.go
+++ b/internal/net/ssl/ssl.go
@@ -52,6 +52,21 @@ func getPemFileName(fullSecretName string) (string, string) {
 	return fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName), pemName
 }
 
+func verifyPemCertAgainstRootCA(pemCert *x509.Certificate, ca []byte) error {
+	bundle := x509.NewCertPool()
+	bundle.AppendCertsFromPEM(ca)
+	opts := x509.VerifyOptions{
+		Roots: bundle,
+	}
+
+	_, err := pemCert.Verify(opts)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // AddOrUpdateCertAndKey creates a .pem file with the cert and the key with the specified name
 func AddOrUpdateCertAndKey(name string, cert, key, ca []byte,
 	fs file.Filesystem) (*ingress.SSLCert, error) {
@@ -138,13 +153,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte,
 	}
 
 	if len(ca) > 0 {
-		bundle := x509.NewCertPool()
-		bundle.AppendCertsFromPEM(ca)
-		opts := x509.VerifyOptions{
-			Roots: bundle,
-		}
-
-		_, err := pemCert.Verify(opts)
+		err := verifyPemCertAgainstRootCA(pemCert, ca)
 		if err != nil {
 			oe := fmt.Sprintf("failed to verify certificate chain: \n\t%s\n", err)
 			return nil, errors.New(oe)
@@ -247,13 +256,7 @@ func CreateSSLCert(name string, cert, key, ca []byte) (*ingress.SSLCert, error)
 	}
 
 	if len(ca) > 0 {
-		bundle := x509.NewCertPool()
-		bundle.AppendCertsFromPEM(ca)
-		opts := x509.VerifyOptions{
-			Roots: bundle,
-		}
-
-		_, err := pemCert.Verify(opts)
+		err := verifyPemCertAgainstRootCA(pemCert, ca)
 		if err != nil {
 			oe := fmt.Sprintf("failed to verify certificate chain: \n\t%s\n", err)
 			return nil, errors.New(oe)
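Review bot: `bundle.AppendCertsFromPEM(ca)` in the new verifyPemCertAgainstRootCA helper discards its boolean result, so a `ca` value with no parseable PEM certificate leaves the pool empty and the caller presumably sees only Verify's unknown-authority error instead of a message naming the actual misconfiguration; checking it — `if !bundle.AppendCertsFromPEM(ca) { return errors.New("no valid certificate found in the CA bundle") }` — keeps the fail-closed behaviour while making the bad secret diagnosable (`errors` is already imported, as the later hunks show). The trailing `if err != nil { return err }` followed by `return nil` can collapse to `_, err := pemCert.Verify(opts); return err`. The helper also deserves a doc comment stating its trust model, e.g. `// verifyPemCertAgainstRootCA checks that pemCert chains to a certificate in the PEM-encoded ca bundle; every certificate in ca is treated as a trust anchor, intermediates included.`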
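Review bot: The new `err := verifyPemCertAgainstRootCA(pemCert, ca)` line in AddOrUpdateCertAndKey declares `err` one statement before the `if` that is its only consumer, so the variable lingers in the `if len(ca) > 0` block; the idiomatic form scopes it to the condition, `if err := verifyPemCertAgainstRootCA(pemCert, ca); err != nil {`. The function body starts and ends outside this hunk, so whether an outer `err` is being shadowed here is not visible, but the if-initializer form makes that question moot. The identical call site in CreateSSLCert in the next hunk would take the same rewrite.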
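Review bot: After this hunk the `oe := fmt.Sprintf("failed to verify certificate chain: \n\t%s\n", err)` / `return nil, errors.New(oe)` pair is still duplicated verbatim in CreateSSLCert and AddOrUpdateCertAndKey, so the deduplication the commit sets out to do stops one step short. Moving the wrapping into the helper — `return fmt.Errorf("failed to verify certificate chain: \n\t%s\n", err)` in place of its bare `return err` — would let both call sites shrink to `if err := verifyPemCertAgainstRootCA(pemCert, ca); err != nil { return nil, err }`, and the Sprintf-then-errors.New detour is already just fmt.Errorf. CreateSSLCert's body continues past the hunk, so I cannot confirm `oe` is not reused later.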