| 158 | } |
| 159 | |
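// buildSPIFFEVerifyFunc returns a callback with the tls.Config.VerifyPeerCertificate
// signature that validates the peer's raw certificate chain against the roots
// selected from spiffeBundleMap for the leaf certificate.
//
// rawCerts[0] is treated as the leaf and every following certificate as an
// intermediate. The verifiedChains argument supplied by the TLS stack is
// ignored: the chain is rebuilt here from rawCerts so that verification is
// anchored in the SPIFFE bundle roots rather than whatever roots the tls.Config
// may carry.
//
// The returned callback reports an error when rawCerts is empty, when any
// certificate fails to parse, when no roots can be derived for the leaf, or
// when x509 chain building fails. Parse and Verify errors are wrapped with %w
// so callers can inspect the underlying x509 error types with errors.As.
func buildSPIFFEVerifyFunc(spiffeBundleMap map[string]*spiffebundle.Bundle) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		// Reject an empty chain up front; there is no leaf to verify.
		if len(rawCerts) == 0 {
			return fmt.Errorf("spiffe: verify function has no valid input certificates")
		}
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, asn1Data := range rawCerts {
			cert, err := x509.ParseCertificate(asn1Data)
			if err != nil {
				return fmt.Errorf("spiffe: verify function could not parse input certificate: %w", err)
			}
			certs = append(certs, cert)
		}
		leafCert := certs[0]
		// Roots are chosen per leaf from the bundle map rather than taken from a
		// single global pool; the helper decides which bundle applies.
		roots, err := spiffe.GetRootsFromSPIFFEBundleMap(spiffeBundleMap, leafCert)
		if err != nil {
			return err
		}

		intermediates := x509.NewCertPool()
		for _, cert := range certs[1:] {
			intermediates.AddCert(cert)
		}
		opts := x509.VerifyOptions{
			Roots:         roots,
			CurrentTime:   time.Now(),
			Intermediates: intermediates,
			// NOTE(review): KeyUsages is left unset, so crypto/x509 applies its
			// documented default of ExtKeyUsageServerAuth. If this callback is
			// also installed on the server side to verify client certificates,
			// confirm the issued certificates carry that EKU (or set KeyUsages
			// explicitly) — cannot be determined from this function alone.
		}
		// Only the success or failure of chain building matters here; the
		// built chains are discarded.
		if _, err := leafCert.Verify(opts); err != nil {
			return fmt.Errorf("spiffe: x509 certificate Verify failed: %w", err)
		}
		return nil
	}
}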