Diffstat (limited to 'x509.go')
-rw-r--r--x509.go43
1 files changed, 43 insertions, 0 deletions
diff --git a/x509.go b/x509.go
new file mode 100644
index 0000000..cdcd523
--- /dev/null
+++ b/x509.go
@@ -0,0 +1,43 @@
+package stfe
+
+import (
+ "fmt"
+
+ "crypto/x509"
+ "encoding/pem"
+ "io/ioutil"
+)
+
+// LoadTrustAnchors loads a list of PEM-encoded certificates from file
+func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error) {
+ rest, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed reading trust anchors: %v", err)
+ }
+
+ pool := x509.NewCertPool()
+ var anchors []*x509.Certificate
+ for len(rest) > 0 {
+ var block *pem.Block
+ block, rest = pem.Decode(rest)
+ if block == nil {
+ break
+ }
+ if block.Type != "CERTIFICATE" {
+ return nil, nil, fmt.Errorf("unexpected PEM block type: %s", block.Type)
+ }
+
+ certificate, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, nil, fmt.Errorf("invalid trust anchor before rest(%s): %v", rest, err)
+ }
+
+ anchors = append(anchors, certificate)
+ pool.AddCert(certificate)
+ }
+
+ if len(anchors) == 0 {
+ return nil, nil, fmt.Errorf("found no valid trust anchor in: %s", path)
+ }
+ return anchors, pool, nil
+}
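Review bot: The error returned when x509.ParseCertificate fails formats the unparsed remainder of the file (`rest`) with %s, so one malformed block turns everything after it — including a PRIVATE KEY block if the file was mixed, since the type check only runs when that block is reached — into error/log text; identify the failing anchor by position instead, e.g. `return nil, nil, fmt.Errorf("invalid trust anchor %d in %s: %w", len(anchors)+1, path, err)`. The other two error returns would likewise use %w rather than %v so callers can inspect the cause with errors.Is/As. A nil result from pem.Decode silently ends the loop, so trailing non-PEM bytes after the last certificate are accepted without comment; if that is intended, the doc comment on LoadTrustAnchors should state it, along with the error on zero anchors. If the module's Go version is 1.16 or later, ioutil.ReadFile is deprecated in favour of os.ReadFile.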