Load loads the certificate chain and (optional) private key from the corresponding files, using the configured format. If a private key is read, it will be verified to belong to the first certificate in the chain.
| 89 | // private key is read, it will be verified to belong to the first |
| 90 | // certificate in the chain. |
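func (kp KeyPair) Load() ([]*x509.Certificate, crypto.Signer, error) {
	switch kp.Format {
	case "", "pem_file":
		certData, err := os.ReadFile(kp.Certificate)
		if err != nil {
			return nil, nil, err
		}
		chain, err := pemDecodeCertificateChain(certData)
		if err != nil {
			return nil, nil, err
		}
		// Guard the chain[0] access below: a file that decodes without error
		// but yields no certificate must not panic here, and an empty chain
		// must not be handed back to the caller as if it were usable.
		if len(chain) == 0 {
			return nil, nil, fmt.Errorf("no certificates found in %q", kp.Certificate)
		}

		// The private key is optional: with no PrivateKey path configured the
		// caller receives the chain and a nil Signer.
		var key crypto.Signer
		if kp.PrivateKey != "" {
			keyData, err := os.ReadFile(kp.PrivateKey)
			if err != nil {
				return nil, nil, err
			}
			key, err = certmagic.PEMDecodePrivateKey(keyData)
			if err != nil {
				return nil, nil, err
			}
			// A key that does not belong to the leaf certificate is a
			// misconfiguration; fail at load time rather than when the pair
			// is later used.
			if err := verifyKeysMatch(chain[0], key); err != nil {
				return nil, nil, err
			}
		}

		return chain, key, nil

	default:
		return nil, nil, fmt.Errorf("unsupported format: %s", kp.Format)
	}
}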
| 124 | |
| 125 | // verifyKeysMatch verifies that the public key in the [x509.Certificate] matches |
| 126 | // the public key of the [crypto.Signer]. |