2021-04-18 21:41:13 +02:00
|
|
|
// Copyright (c) 2015-2021 MinIO, Inc.
|
|
|
|
|
//
|
|
|
|
|
// This file is part of MinIO Object Storage stack
|
|
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
// (at your option) any later version.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2020-08-11 17:29:50 +02:00
|
|
|
|
|
|
|
|
package certs
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/x509"
|
2021-05-11 03:15:11 +02:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2020-08-11 17:29:50 +02:00
|
|
|
"io/ioutil"
|
|
|
|
|
"os"
|
2021-05-11 03:15:11 +02:00
|
|
|
"path/filepath"
|
2020-08-11 17:29:50 +02:00
|
|
|
)
|
|
|
|
|
|
2021-05-11 03:15:11 +02:00
|
|
|
// GetRootCAs loads all X.509 certificates at the given path and adds them
|
|
|
|
|
// to the list of system root CAs, if available. The returned CA pool
|
|
|
|
|
// is a conjunction of the system root CAs and the certificate(s) at
|
|
|
|
|
// the given path.
|
|
|
|
|
//
|
|
|
|
|
// If path is a regular file, LoadCAs simply adds it to the CA pool
|
|
|
|
|
// if the file contains a valid X.509 certificate
|
|
|
|
|
//
|
|
|
|
|
// If the path points to a directory, LoadCAs iterates over all top-level
|
|
|
|
|
// files within the directory and adds them to the CA pool if they contain
|
|
|
|
|
// a valid X.509 certificate.
|
|
|
|
|
func GetRootCAs(path string) (*x509.CertPool, error) {
|
2020-12-02 11:23:51 +01:00
|
|
|
rootCAs, _ := loadSystemRoots()
|
2020-08-11 17:29:50 +02:00
|
|
|
if rootCAs == nil {
|
2020-12-02 11:23:51 +01:00
|
|
|
// In some systems system cert pool is not supported
|
|
|
|
|
// or no certificates are present on the
|
2020-08-11 17:29:50 +02:00
|
|
|
// system - so we create a new cert pool.
|
|
|
|
|
rootCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-11 03:15:11 +02:00
|
|
|
// Open the file path and check whether its a regular file
|
|
|
|
|
// or a directory.
|
|
|
|
|
f, err := os.Open(path)
|
|
|
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
|
|
|
return rootCAs, nil
|
|
|
|
|
}
|
|
|
|
|
if errors.Is(err, os.ErrPermission) {
|
|
|
|
|
return rootCAs, nil
|
|
|
|
|
}
|
2020-08-11 17:29:50 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return rootCAs, err
|
|
|
|
|
}
|
2021-05-11 03:15:11 +02:00
|
|
|
defer f.Close()
|
2020-08-11 17:29:50 +02:00
|
|
|
|
2021-05-11 03:15:11 +02:00
|
|
|
stat, err := f.Stat()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return rootCAs, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// In case of a file add it to the root CAs.
|
|
|
|
|
if !stat.IsDir() {
|
|
|
|
|
bytes, err := ioutil.ReadAll(f)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return rootCAs, err
|
|
|
|
|
}
|
|
|
|
|
if !rootCAs.AppendCertsFromPEM(bytes) {
|
|
|
|
|
return rootCAs, fmt.Errorf("cert: %q does not contain a valid X.509 PEM-encoded certificate", path)
|
2020-08-11 17:29:50 +02:00
|
|
|
}
|
2021-05-11 03:15:11 +02:00
|
|
|
return rootCAs, nil
|
2020-08-11 17:29:50 +02:00
|
|
|
}
|
|
|
|
|
|
2021-05-11 03:15:11 +02:00
|
|
|
// Otherwise iterate over the files in the directory
|
|
|
|
|
// and add each on to the root CAs.
|
|
|
|
|
files, err := f.Readdirnames(0)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return rootCAs, err
|
|
|
|
|
}
|
|
|
|
|
for _, file := range files {
|
|
|
|
|
bytes, err := ioutil.ReadFile(filepath.Join(path, file))
|
|
|
|
|
if err == nil { // ignore files which are not readable.
|
|
|
|
|
rootCAs.AppendCertsFromPEM(bytes)
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-08-11 17:29:50 +02:00
|
|
|
return rootCAs, nil
|
|
|
|
|
}
|
