fix: return order of certs when unable to construct chain (#1701)
Signed-off-by: Anish Ramasekar <[email protected]>
aramase authored Dec 11, 2024
1 parent 41b07df commit 8b7aad9
Showing 2 changed files with 19 additions and 3 deletions.
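--- a/pkg/provider/provider.go
+++ b/pkg/provider/provider.go
@@ -665,10 +665,12 @@ func fetchCertChains(data []byte) ([]byte, error) {
 var pemData []byte
 nodes := make([]*node, 0)
 
+currData := data
+
 for {
 // decode pem to der first
-block, rest := pem.Decode(data)
-data = rest
+block, rest := pem.Decode(currData)
+currData = rest
 
 if block == nil {
 break
@@ -743,6 +745,8 @@ func fetchCertChains(data []byte) ([]byte, error) {
 
 if len(nodes) != len(newCertChain) {
 klog.Warning("certificate chain is not complete due to missing intermediate/root certificates in the cert from key vault")
+// if we're unable to construct the full chain, return the original order we got from the key vault
+return data, nil
 }
 
 for _, cert := range newCertChain {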
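Review bot: The new fallback `return data, nil` in the second hunk hands back the key vault bytes verbatim, so on this path the output skips whatever filtering and re-encoding the decode loop and the final `for _, cert := range newCertChain` pass apply; the loop body between the two hunks is not visible here, so it is worth confirming that non-certificate PEM blocks or trailing bytes cannot reach the mounted file this way. The caller also still receives a nil error and cannot tell a complete chain from an unordered one, and the warning says neither how many certificates linked nor what was returned. I would make the log actionable, e.g. `klog.Warningf("certificate chain is not complete: linked %d of %d certificates, returning key vault order", len(newCertChain), len(nodes))`, and state the contract in the function's doc comment: `// If the chain cannot be fully linked, the input is returned unchanged and its order is not guaranteed to be leaf-first.` fetchCertChains starts and ends outside both hunks.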
14 changes: 13 additions & 1 deletion pkg/provider/provider_test.go
Expand Up @@ -1074,7 +1074,8 @@ kzqEt441cQasPp5ohL5U4cJN6lAuwA==
-----END CERTIFICATE-----
`

expectedCert := `-----BEGIN CERTIFICATE-----
expectedCert := `
-----BEGIN CERTIFICATE-----
MIIBwjCCAWmgAwIBAgIQGIPRUsQ/sFI1fkxZHCSU6jAKBggqhkjOPQQDAjAkMSIw
IAYDVQQDExlFeGFtcGxlIEludGVybWVkaWF0ZSBDQSAxMB4XDTIwMTIwMzAwMTAz
NloXDTIwMTIwNDAwMTAzNlowFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wWTATBgcq
Expand All @@ -1086,6 +1087,17 @@ D5Xx2B5kE4YnMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA
MEQCIH9NxXnWaip9fZyv9VJcfFz7tcdxTq10SrTO7gKhyJkpAiAljZFFK687kc6J
kzqEt441cQasPp5ohL5U4cJN6lAuwA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`

var buf bytes.Buffer
