handleCACerts returns the certificate chain for a particular CA by its ID. If the CA ID is the default, then the CA will be provisioned if it has not already been. Other CA IDs will return an error if they have not been previously provisioned.
(w http.ResponseWriter, r *http.Request)
| 142 | // provisioned if it has not already been. Other CA IDs will return an |
| 143 | // error if they have not been previously provisioned. |
func (a *adminAPI) handleCACerts(w http.ResponseWriter, r *http.Request) error {
	// The endpoint is read-only: any method other than GET is refused with 405.
	if r.Method != http.MethodGet {
		return caddy.APIError{
			HTTPStatus: http.StatusMethodNotAllowed,
			Err:        fmt.Errorf("method not allowed: %v", r.Method),
		}
	}

	// Resolve the CA named in the request path. The helper's error is
	// returned unchanged so that it decides the status code.
	ca, err := a.getCAFromAPIRequestPath(r)
	if err != nil {
		return err
	}

	// NOTE(review): presumably both values hold certificates only and never
	// private key material; confirm against rootAndIntermediatePEM.
	rootPEM, intermediatePEM, err := rootAndIntermediatePEM(ca)
	if err != nil {
		return caddy.APIError{
			HTTPStatus: http.StatusInternalServerError,
			Err:        fmt.Errorf("failed to get root and intermediate cert for CA %s: %v", ca.ID, err),
		}
	}

	// The chain is emitted intermediate first, then root. The body is sent
	// with a PEM content type rather than HTML, which is the stated reason
	// for the gosec suppressions on the writes below.
	w.Header().Set("Content-Type", "application/pem-certificate-chain")

	_, writeErr := w.Write(intermediatePEM) //nolint:gosec // false positive... no XSS in a PEM for cryin' out loud
	if writeErr != nil {
		// The response has already been started, so the failure is not
		// reported to the caller and the root certificate is skipped.
		return nil
	}

	// Best effort: a failed write of the root certificate is ignored too.
	_, _ = w.Write(rootPEM) //nolint:gosec // false positive... no XSS in a PEM for cryin' out loud
	return nil
}
| 173 | |
| 174 | func (a *adminAPI) getCAFromAPIRequestPath(r *http.Request) (*CA, error) { |
| 175 | // Grab the CA ID from the request path, it should be the 4th segment (/pki/ca/<ca>) |