continue if non-CA policy is not found

2016-03-01 16:43:51 -05:00 · 2016-03-01 16:43:51 -05:00 · 44208455f6
parent 9a3ddc9696
commit 44208455f6
1 changed files with 4 additions and 2 deletions
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@ -140,8 +140,10 @@ func (b *backend) verifyCredentials(req *logical.Request) (*ParsedCert, *logical
 	// If trustedNonCAs is not empty it means that client had registered a non-CA cert
 	// with the backend.
 	if len(trustedNonCAs) != 0 {
-		// Match the trusted chain with the policy
-		return b.matchNonCAPolicy(connState.PeerCertificates[0], trustedNonCAs), nil, nil
+		policy := b.matchNonCAPolicy(connState.PeerCertificates[0], trustedNonCAs)
+		if policy != nil {
+			return policy, nil, nil
+		}
 	}

 	// Validate the connection state is trusted