GetRootsFromSPIFFEBundleMap returns the root trust certificates from the SPIFFE bundle map for the given trust domain from the leaf certificate.
(bundleMap map[string]*spiffebundle.Bundle, leafCert *x509.Certificate)
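// GetRootsFromSPIFFEBundleMap returns the root trust certificates from the
// SPIFFE bundle map for the given trust domain from the leaf certificate.
//
// bundleMap is keyed by trust-domain name. leafCert is the peer's leaf
// certificate; its SPIFFE ID is parsed by idFromCert and the ID's trust
// domain selects the bundle. The returned pool contains that bundle's X.509
// authorities and is intended to be used as the verification roots for the
// peer's chain. An error is returned when the leaf carries no valid SPIFFE ID,
// when its trust domain has no entry in bundleMap, or when that entry is nil;
// in every error case the peer must be rejected.
func GetRootsFromSPIFFEBundleMap(bundleMap map[string]*spiffebundle.Bundle, leafCert *x509.Certificate) (*x509.CertPool, error) {
	// 1. Upon receiving a peer certificate, verify that it is a well-formed SPIFFE
	// leaf certificate. In particular, it must have a single URI SAN containing
	// a well-formed SPIFFE ID ([SPIFFE ID format]).
	spiffeID, err := idFromCert(leafCert)
	if err != nil {
		return nil, fmt.Errorf("spiffe: could not get spiffe ID from peer leaf cert but verification with spiffe trust map was configured: %v", err)
	}

	// 2. Use the trust domain in the peer certificate's SPIFFE ID to lookup
	// the SPIFFE trust bundle. If the trust domain is not contained in the
	// configured trust map, reject the certificate.
	trustDomain := spiffeID.TrustDomain().Name()
	spiffeBundle, ok := bundleMap[trustDomain]
	if !ok {
		return nil, fmt.Errorf("spiffe: no bundle found for peer certificates trust domain %q but verification with a SPIFFE trust map was configured", trustDomain)
	}
	// A nil map value would otherwise reach X509Authorities, which operates on
	// its receiver; treat it like a missing trust domain so the lookup fails
	// closed with a descriptive error instead of a nil-pointer panic.
	if spiffeBundle == nil {
		return nil, fmt.Errorf("spiffe: nil bundle configured for peer certificates trust domain %q", trustDomain)
	}

	// 3. Collect the bundle's X.509 authorities into a pool the caller can use
	// as the roots for chain verification. An empty bundle yields an empty
	// pool, so verification against it fails rather than succeeding vacuously.
	rootPool := x509.NewCertPool()
	for _, root := range spiffeBundle.X509Authorities() {
		rootPool.AddCert(root)
	}
	return rootPool, nil
}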

// idFromCert parses the SPIFFE ID from the x509.Certificate. If the certificate
// does not have a valid SPIFFE ID, returns an error.