From 4febf95c0b1376f7b7e6cdbb17e21e12ee63c3b8 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Thu, 7 Nov 2019 10:29:55 +0700
Subject: [PATCH] fix certificate check in the example client

---
 example/client/main.go | 8 +++++++-
 internal/testdata/cert.go | 24 +++++++++++-------------
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/example/client/main.go b/example/client/main.go
index 3eaf71a5d..1f6e520cf 100644
--- a/example/client/main.go
+++ b/example/client/main.go
@@ -3,6 +3,7 @@ package main
 import (
 "bytes"
 "crypto/tls"
+ "crypto/x509"
 "flag"
 "io"
 "net/http"
@@ -29,9 +30,14 @@ func main() {
 }
 logger.SetLogTimeFormat("")
 
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ panic(err)
+ }
+ testdata.AddRootCA(pool)
 roundTripper := &http3.RoundTripper{
 TLSClientConfig: &tls.Config{
- RootCAs: testdata.GetRootCA(),
+ RootCAs: pool,
 InsecureSkipVerify: *insecure,
 },
 }
diff --git a/internal/testdata/cert.go b/internal/testdata/cert.go
index 0f67e0759..f862b0cbc 100644
--- a/internal/testdata/cert.go
+++ b/internal/testdata/cert.go
@@ -3,7 +3,6 @@ package testdata
 import (
 "crypto/tls"
 "crypto/x509"
- "encoding/pem"
 "io/ioutil"
 "path"
 "runtime"
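Review bot: The new `x509.SystemCertPool()` call turns a missing system pool into a crash of the example client, and at the Go versions current for this commit SystemCertPool is documented to return an error on Windows, so the example would not start there at all. A fallback keeps it usable, e.g. `if err != nil { pool = x509.NewCertPool() }` plus a log line saying the system roots were skipped; on that path only the test CA is trusted, which is exactly what the replaced `testdata.GetRootCA()` provided. The resulting pool now trusts the repository's test CA alongside the system roots, which deserves a comment on the `testdata.AddRootCA(pool)` line such as `// trust the repo's test CA in addition to the system roots (example client only)`. `main` starts and ends outside the hunk.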
@@ -36,22 +35,21 @@ func GetTLSConfig() *tls.Config {
 }
 }
 
-// GetRootCA returns an x509.CertPool containing the CA certificate
-func GetRootCA() *x509.CertPool {
+// AddRootCA adds the root CA certificate to a cert pool
+func AddRootCA(certPool *x509.CertPool) {
 caCertPath := path.Join(certPath, "ca.pem")
 caCertRaw, err := ioutil.ReadFile(caCertPath)
 if err != nil {
 panic(err)
 }
- p, _ := pem.Decode(caCertRaw)
- if p.Type != "CERTIFICATE" {
- panic("expected a certificate")
+ if ok := certPool.AppendCertsFromPEM(caCertRaw); !ok {
+ panic("Could not add root ceritificate to pool.")
 }
- caCert, err := x509.ParseCertificate(p.Bytes)
- if err != nil {
- panic(err)
- }
- certPool := x509.NewCertPool()
- certPool.AddCert(caCert)
- return certPool
+}
+
+// GetRootCA returns an x509.CertPool containing (only) the CA certificate
+func GetRootCA() *x509.CertPool {
+ pool := x509.NewCertPool()
+ AddRootCA(pool)
+ return pool
 }
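Review bot: The panic string on the new `AppendCertsFromPEM` branch misspells "certificate" and uses sentence casing with a trailing period, unlike the other panic strings in this hunk; `panic("could not add root certificate to pool")`. The check is also weaker than the one it replaces: AppendCertsFromPEM reports ok as soon as one PEM block parses and skips blocks that are not certificates or fail to parse, whereas the removed code rejected a non-CERTIFICATE block and surfaced the ParseCertificate error, so a damaged ca.pem that still contains one valid block now passes without notice. If ca.pem is meant to hold exactly one CA, say so in the doc comment, e.g. `// AddRootCA adds the root CA certificate from ca.pem to certPool. It panics if the file cannot be read or contains no parseable certificate.` GetRootCA's comment could likewise mention that it panics under the same conditions.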