From dd19521190f39a8b1704adb724f5f812040f91e4 Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg <rasmus.dahlberg@kau.se>
Date: Tue, 27 Oct 2020 15:16:24 +0100
Subject: decoupled log instance and info

Makes things a bit more modular.  As part of this process I also
replaced ct/x509 with crypto/x509, which already suits our needs.
---
 x509.go | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 x509.go

(limited to 'x509.go')

diff --git a/x509.go b/x509.go
new file mode 100644
index 0000000..cdcd523
--- /dev/null
+++ b/x509.go
@@ -0,0 +1,43 @@
+package stfe
+
+import (
+	"fmt"
+
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+)
+
+// LoadTrustAnchors loads a list of PEM-encoded certificates from file
+func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error) {
+	rest, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed reading trust anchors: %v", err)
+	}
+
+	pool := x509.NewCertPool()
+	var anchors []*x509.Certificate
+	for len(rest) > 0 {
+		var block *pem.Block
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		if block.Type != "CERTIFICATE" {
+			return nil, nil, fmt.Errorf("unexpected PEM block type: %s", block.Type)
+		}
+
+		certificate, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, nil, fmt.Errorf("invalid trust anchor before rest(%s): %v", rest, err)
+		}
+
+		anchors = append(anchors, certificate)
+		pool.AddCert(certificate)
+	}
+
+	if len(anchors) == 0 {
+		return nil, nil, fmt.Errorf("found no valid trust anchor in: %s", path)
+	}
+	return anchors, pool, nil
+}
-- 
cgit v1.2.3