Merge pull request #174 from nelhage/multi-ca-cert

Allow multiple PEM-encoded certificates in the ca_file.

consul/config.go

@@ -3,16 +3,16 @@ package consul
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/pem"
 	"fmt"
-	"github.com/hashicorp/memberlist"
-	"github.com/hashicorp/raft"
-	"github.com/hashicorp/serf/serf"
 	"io"
 	"io/ioutil"
 	"net"
 	"os"
 	"time"
+
+	"github.com/hashicorp/memberlist"
+	"github.com/hashicorp/raft"
+	"github.com/hashicorp/serf/serf"
 )
 
 const (
@@ -131,30 +131,24 @@ func (c *Config) CheckVersion() error {
 	return nil
 }
 
-// CACertificate is used to open and parse a CA file
+// AppendCA opens and parses the CA file and adds the certificates to
-func (c *Config) CACertificate() (*x509.Certificate, error) {
+// the provided CertPool.
+func (c *Config) AppendCA(pool *x509.CertPool) error {
 	if c.CAFile == "" {
-		return nil, nil
+		return nil
 	}
 
 	// Read the file
 	data, err := ioutil.ReadFile(c.CAFile)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to read CA file: %v", err)
+		return fmt.Errorf("Failed to read CA file: %v", err)
 	}
 
-	// Decode from the PEM format
+	if !pool.AppendCertsFromPEM(data) {
-	block, _ := pem.Decode(data)
+		return fmt.Errorf("Failed to parse any CA certificates")
-	if block == nil {
-		return nil, fmt.Errorf("Failed to decode CA PEM!")
 	}
 
-	// Parse the certificate
+	return nil
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("Failed to parse CA file: %v", err)
-	}
-	return cert, nil
 }
 
 // KeyPair is used to open and parse a certificate and key file
@@ -178,17 +172,15 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 		InsecureSkipVerify: !c.VerifyOutgoing,
 	}
 
-	// Parse the CA cert if any
+	// Ensure we have a CA if VerifyOutgoing is set
-	ca, err := c.CACertificate()
+	if c.VerifyOutgoing && c.CAFile == "" {
-	if err != nil {
+		return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!")
-		return nil, err
-	} else if ca != nil {
-		tlsConfig.RootCAs.AddCert(ca)
 	}
 
-	// Ensure we have a CA if VerifyOutgoing is set
+	// Parse the CA cert if any
-	if c.VerifyOutgoing && ca == nil {
+	err := c.AppendCA(tlsConfig.RootCAs)
-		return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!")
+	if err != nil {
+		return nil, err
 	}
 
 	// Add cert/key
@@ -212,11 +204,9 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 	}
 
 	// Parse the CA cert if any
-	ca, err := c.CACertificate()
+	err := c.AppendCA(tlsConfig.ClientCAs)
 	if err != nil {
 		return nil, err
-	} else if ca != nil {
-		tlsConfig.ClientCAs.AddCert(ca)
 	}
 
 	// Add cert/key
@@ -230,7 +220,7 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 	// Check if we require verification
 	if c.VerifyIncoming {
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-		if ca == nil {
+		if c.CAFile == "" {
 			return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
 		}
 		if cert == nil {

consul/config_test.go

@@ -2,17 +2,19 @@ package consul
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"testing"
 )
 
-func TestConfig_CACertificate_None(t *testing.T) {
+func TestConfig_AppendCA_None(t *testing.T) {
 	conf := &Config{}
-	cert, err := conf.CACertificate()
+	pool := x509.NewCertPool()
+	err := conf.AppendCA(pool)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if cert != nil {
+	if len(pool.Subjects()) != 0 {
-		t.Fatalf("bad: %v", cert)
+		t.Fatalf("bad: %v", pool.Subjects())
 	}
 }
 
@@ -20,11 +22,12 @@ func TestConfig_CACertificate_Valid(t *testing.T) {
 	conf := &Config{
 		CAFile: "../test/ca/root.cer",
 	}
-	cert, err := conf.CACertificate()
+	pool := x509.NewCertPool()
+	err := conf.AppendCA(pool)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if cert == nil {
+	if len(pool.Subjects()) == 0 {
 		t.Fatalf("expected cert")
 	}
 }