| 78 | } |
| 79 | |
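// validate checks that the credential file options are internally consistent.
//
// It returns an error when no credential file at all is configured, when only
// one of the private key file and the identity certificate file is set, or when
// the certificate and key files live in different directories. A nil return
// means the options describe a usable set of files to watch.
func (o Options) validate() error {
	if o.CertFile == "" && o.KeyFile == "" && o.RootFile == "" && o.SPIFFEBundleMapFile == "" {
		return errors.New("pemfile: at least one credential file needs to be specified")
	}
	// A private key without its certificate (or vice versa) cannot form an
	// identity, so the two must be configured together.
	if keySpecified, certSpecified := o.KeyFile != "", o.CertFile != ""; keySpecified != certSpecified {
		return errors.New("pemfile: private key file and identity cert file should be both specified or not specified")
	}
	// C-core has a limitation that they cannot verify that a certificate file
	// matches a key file. So, the only way to get around this is to make sure
	// that both files are in the same directory and that they do an atomic
	// read. Even though Java/Go do not have this limitation, we want the
	// overall plugin behavior to be consistent across languages.
	//
	// When neither file is set, filepath.Dir("") yields "." for both sides and
	// the check passes trivially.
	if certDir, keyDir := filepath.Dir(o.CertFile), filepath.Dir(o.KeyFile); certDir != keyDir {
		return errors.New("pemfile: certificate and key file must be in the same directory")
	}
	return nil
}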
| 97 | |
| 98 | // NewProvider returns a new certificate provider plugin that is configured to |
| 99 | // watch the PEM files specified in the passed in options. |