Issue: 2236 - adds an option to append CA certificates (#2237)

* adding append option for custom CA certs * updated test for changed GetCertPool signature, added testing to check functionality of empty and non-empty store * adding legacy options as well * update associated documentation * fixing code climate complaints - reduce number of return statements * Apply suggestions from code review Changes caFilesAppend (and variants) to useSystemTrustStore Co-authored-by: Jan Larwig <jan@larwig.com> * Apply suggestions from code review Fixes extra whitespaces and grammar. Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> * fix indentation * update changelog --------- Co-authored-by: Jan Larwig <jan@larwig.com> Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2025-06-21 00:29:44 +02:00 · 2023-10-25 06:36:17 -04:00
parent 601477a52c
commit a5006fd606
8 changed files with 82 additions and 27 deletions
--- a/pkg/util/util_test.go
+++ b/pkg/util/util_test.go
@ -190,7 +190,7 @@ func makeTestCertFile(t *testing.T, pem, dir string) *os.File {
 }

 func TestGetCertPool_NoRoots(t *testing.T) {
-	_, err := GetCertPool([]string(nil))
+	_, err := GetCertPool([]string(nil), false)
 	assert.Error(t, err, "invalid empty list of Root CAs file paths")
 }

@ -204,34 +204,52 @@ func TestGetCertPool(t *testing.T) {
 		}
 	}(tempDir)

+	rootPool, _ := x509.SystemCertPool()
+	cleanPool := x509.NewCertPool()
+
+	tests := []struct {
+		appendCerts bool
+		pool        *x509.CertPool
+	}{
+		{false, cleanPool},
+		{true, rootPool},
+	}
+
 	certFile1 := makeTestCertFile(t, root1Cert, tempDir)
 	certFile2 := makeTestCertFile(t, root2Cert, tempDir)

-	certPool, err := GetCertPool([]string{certFile1.Name(), certFile2.Name()})
-	assert.NoError(t, err)
+	for _, tc := range tests {
+		// Append certs to "known" pool so we can compare them
+		assert.True(t, tc.pool.AppendCertsFromPEM([]byte(root1Cert)))
+		assert.True(t, tc.pool.AppendCertsFromPEM([]byte(root2Cert)))

-	cert1Block, _ := pem.Decode([]byte(cert1Cert))
-	cert1, _ := x509.ParseCertificate(cert1Block.Bytes)
-	assert.Equal(t, cert1.Subject.String(), cert1CertSubj)
+		certPool, err := GetCertPool([]string{certFile1.Name(), certFile2.Name()}, tc.appendCerts)
+		assert.NoError(t, err)
+		assert.True(t, tc.pool.Equal(certPool))

-	cert2Block, _ := pem.Decode([]byte(cert2Cert))
-	cert2, _ := x509.ParseCertificate(cert2Block.Bytes)
-	assert.Equal(t, cert2.Subject.String(), cert2CertSubj)
+		cert1Block, _ := pem.Decode([]byte(cert1Cert))
+		cert1, _ := x509.ParseCertificate(cert1Block.Bytes)
+		assert.Equal(t, cert1.Subject.String(), cert1CertSubj)

-	cert3Block, _ := pem.Decode([]byte(cert3Cert))
-	cert3, _ := x509.ParseCertificate(cert3Block.Bytes)
-	assert.Equal(t, cert3.Subject.String(), cert3CertSubj)
+		cert2Block, _ := pem.Decode([]byte(cert2Cert))
+		cert2, _ := x509.ParseCertificate(cert2Block.Bytes)
+		assert.Equal(t, cert2.Subject.String(), cert2CertSubj)

-	opts := x509.VerifyOptions{
-		Roots: certPool,
+		cert3Block, _ := pem.Decode([]byte(cert3Cert))
+		cert3, _ := x509.ParseCertificate(cert3Block.Bytes)
+		assert.Equal(t, cert3.Subject.String(), cert3CertSubj)
+
+		opts := x509.VerifyOptions{
+			Roots: certPool,
+		}
+
+		// "cert1" and "cert2" should be valid because "root1" and "root2" are in the certPool
+		// "cert3" should not be valid because "root3" is not in the certPool
+		_, err1 := cert1.Verify(opts)
+		assert.NoError(t, err1)
+		_, err2 := cert2.Verify(opts)
+		assert.NoError(t, err2)
+		_, err3 := cert3.Verify(opts)
+		assert.Error(t, err3)
 	}
-
-	// "cert1" and "cert2" should be valid because "root1" and "root2" are in the certPool
-	// "cert3" should not be valid because "root3" is not in the certPool
-	_, err1 := cert1.Verify(opts)
-	assert.NoError(t, err1)
-	_, err2 := cert2.Verify(opts)
-	assert.NoError(t, err2)
-	_, err3 := cert3.Verify(opts)
-	assert.Error(t, err3)
 }