From 8b7aad92717a23000a8c0cac54b0f598c657d67e Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 11 Dec 2024 14:18:47 -0800 Subject: [PATCH] fix: return order of certs when unable to construct chain (#1701) Signed-off-by: Anish Ramasekar --- pkg/provider/provider.go | 8 ++++++-- pkg/provider/provider_test.go | 14 +++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 3938cf355..b47cdc0da 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -665,10 +665,12 @@ func fetchCertChains(data []byte) ([]byte, error) { var pemData []byte nodes := make([]*node, 0) + currData := data + for { // decode pem to der first - block, rest := pem.Decode(data) - data = rest + block, rest := pem.Decode(currData) + currData = rest if block == nil { break @@ -743,6 +745,8 @@ func fetchCertChains(data []byte) ([]byte, error) { if len(nodes) != len(newCertChain) { klog.Warning("certificate chain is not complete due to missing intermediate/root certificates in the cert from key vault") + // if we're unable to construct the full chain, return the original order we got from the key vault + return data, nil } for _, cert := range newCertChain { diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go index fa694fb3c..9cf9d74c9 100644 --- a/pkg/provider/provider_test.go +++ b/pkg/provider/provider_test.go @@ -1074,7 +1074,8 @@ kzqEt441cQasPp5ohL5U4cJN6lAuwA== -----END CERTIFICATE----- ` - expectedCert := `-----BEGIN CERTIFICATE----- + expectedCert := ` +-----BEGIN CERTIFICATE----- MIIBwjCCAWmgAwIBAgIQGIPRUsQ/sFI1fkxZHCSU6jAKBggqhkjOPQQDAjAkMSIw IAYDVQQDExlFeGFtcGxlIEludGVybWVkaWF0ZSBDQSAxMB4XDTIwMTIwMzAwMTAz NloXDTIwMTIwNDAwMTAzNlowFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wWTATBgcq 
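Review bot: The new fallback `return data, nil` in the second provider.go hunk (-743) hands back the caller's input bytes verbatim rather than the parsed certificates in received order, so whatever surrounds the PEM blocks (blank lines, text between blocks, trailing data) now reaches the consumer, whereas the normal path presumably re-encodes from `newCertChain`; the leading newline added to `expectedCert` in the test shows this. If only the order is meant to be preserved, re-encode the parsed certificates in `nodes` order; if the verbatim return is intended, state it in the comment, e.g. `// chain incomplete: return the key vault bytes unmodified (order and formatting preserved, not re-encoded)`. The warning does not tell an operator that the output is no longer leaf-first ordered; consider appending `; returning certificates in the order received`. fetchCertChains starts and ends outside both hunks, so whether non-certificate PEM blocks are rejected before this return is not visible here and is worth confirming.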
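Review bot: `expectedCert` now begins with a newline, and the following hunk at -1086 adds a blank line between the two certificates, so the assertion pins the exact input formatting rather than the property the fix is about (every certificate returned, in received order). A comment above the literal would make the intent explicit, e.g. `// incomplete chain: expect the key vault input back unchanged, in received order`. If the expected value is meant to equal the input fixture byte for byte, comparing against that fixture directly would avoid keeping two copies of the PEM in sync. The test function and the input literal start outside these hunks, so this is inferred from the visible lines only.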
@@ -1086,6 +1087,17 @@ D5Xx2B5kE4YnMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cA MEQCIH9NxXnWaip9fZyv9VJcfFz7tcdxTq10SrTO7gKhyJkpAiAljZFFK687kc6J kzqEt441cQasPp5ohL5U4cJN6lAuwA== -----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIBeTCCAR6gAwIBAgIRAM3RAPH7k1Q+bICMC0mzKhkwCgYIKoZIzj0EAwIwGjEY +MBYGA1UEAxMPRXhhbXBsZSBSb290IENBMB4XDTIwMTIwMzAwMTAxNFoXDTMwMTIw +MTAwMTAxNFowGjEYMBYGA1UEAxMPRXhhbXBsZSBSb290IENBMFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAE1/AGExuSemtxPRzFECpefowtkcOQr7jaq355kfb2hUR2 +LnMn+71fD4mZmMXT0kuxgeE2zC2CxOHdoJ/FmcQJxaNFMEMwDgYDVR0PAQH/BAQD +AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFKTuLl7BATUYGD6ZeUV3 +2f8UAWoqMAoGCCqGSM49BAMCA0kAMEYCIQDEz2XKXPb0Q/Y40Gtxo8r6sa0Ra6U0 +fpTPteqfpl8iGQIhAOo8tpUYiREVSYZu130fN0Gvy4WmJMFAi7JrVeSnZ7uP +-----END CERTIFICATE----- ` var buf bytes.Buffer