From 0168f18229402b299a3fb3bb6fe3edb8e3ffa7fc Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Tue, 3 Nov 2020 20:01:08 +0100
Subject: added chain processing with intermediate certificates
Basic test chains can be generated manually with openssl, see details in server/testdata/x509/README.md.
---
 x509.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'x509.go')
diff --git a/x509.go b/x509.go
index e7a45e6..b8e2885 100644
--- a/x509.go
+++ b/x509.go
@@ -164,13 +164,14 @@ func ParseB64Chain(chain []string) (*x509.Certificate, *x509.CertPool, error) {
 }
 func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certificate, error) {
- certificate, _, err := ParseB64Chain(b64chain) // TODO: use intermediatePool
+ certificate, intermediatePool, err := ParseB64Chain(b64chain)
 if err != nil {
 return nil, err
 }
 opts := x509.VerifyOptions{
 Roots: lp.AnchorPool,
+ Intermediates: intermediatePool,
 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
 }
-- 
cgit v1.2.3
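Review bot: The `intermediatePool` now passed as `Intermediates` in `x509.VerifyOptions` is built entirely from the caller-supplied `b64chain`, and nothing in this hunk bounds how many certificates that list may hold before they are parsed and offered to path building. If no limit is enforced further up the call path (not visible here), consider rejecting oversized input at the top of `buildChainFromB64List`, e.g. `if len(b64chain) > maxChainLen { return nil, fmt.Errorf("chain too long: %d certificates", len(b64chain)) }`, where `maxChainLen` is a placeholder for a limit the project would define. A short comment above the `opts` literal such as `// intermediatePool comes from the submitted chain and is untrusted; trust derives only from lp.AnchorPool` would make the trust boundary explicit for the next reader. The function body continues past the end of the hunk, so how the verified chains are selected and returned is not covered by this note.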