From d04481e38802863e525aff8dca92979b40b56f9a Mon Sep 17 00:00:00 2001
From: Jason Heiss
Date: Wed, 31 Aug 2016 13:00:12 -0400
Subject: [PATCH] Check PEM block type when reading token cert file

closes #1909

Signed-off-by: Jason Heiss
---
 registry/auth/token/accesscontroller.go | 12 +++---
 registry/auth/token/token_test.go | 53 +++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/registry/auth/token/accesscontroller.go b/registry/auth/token/accesscontroller.go
index 5b1ff7caa..52b7f3692 100644
--- a/registry/auth/token/accesscontroller.go
+++ b/registry/auth/token/accesscontroller.go
@@ -176,12 +176,14 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
 	var rootCerts []*x509.Certificate
 	pemBlock, rawCertBundle := pem.Decode(rawCertBundle)
 	for pemBlock != nil {
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err)
-		}
+		if pemBlock.Type == "CERTIFICATE" {
+			cert, err := x509.ParseCertificate(pemBlock.Bytes)
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err)
+			}
 
-		rootCerts = append(rootCerts, cert)
+			rootCerts = append(rootCerts, cert)
+		}
 
 		pemBlock, rawCertBundle = pem.Decode(rawCertBundle)
 	}
diff --git a/registry/auth/token/token_test.go b/registry/auth/token/token_test.go
index af862df7f..27206f9b4 100644
--- a/registry/auth/token/token_test.go
+++ b/registry/auth/token/token_test.go
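Review bot: With the type check added at `if pemBlock.Type == "CERTIFICATE" {`, a bundle that contains no `CERTIFICATE` block at all (only keys, or certificates emitted under another label such as OpenSSL's `TRUSTED CERTIFICATE`) now falls out of the loop with an empty `rootCerts` instead of an error, where the old code failed loudly on the first block it could not parse as a certificate. Unless a check later in newAccessController already rejects that (the function's body continues past the end of the hunk), the controller would start with no trust roots and every token would fail verification with a misleading error, so I would fail fast after the loop: `if len(rootCerts) == 0 { return nil, fmt.Errorf("no CERTIFICATE blocks found in token auth root certificate bundle") }`. A private key sitting next to trust roots in the bundle is itself a misconfiguration worth surfacing, so logging the skipped block's type (never its contents) rather than dropping it silently would help operators. The new `if` also deserves a one-line comment such as `// Skip non-certificate blocks (e.g. a private key) that may share the bundle file.`, since the intent is not obvious from the condition alone.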
@@ -455,3 +455,56 @@ func TestAccessController(t *testing.T) {
 		t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name)
 	}
 }
+
+// This tests that newAccessController can handle PEM blocks in the certificate
+// file other than certificates, for example a private key.
+func TestNewAccessControllerPemBlock(t *testing.T) {
+	rootKeys, err := makeRootKeys(2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rootCertBundleFilename, err := writeTempRootCerts(rootKeys)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(rootCertBundleFilename)
+
+	// Add something other than a certificate to the rootcertbundle
+	file, err := os.OpenFile(rootCertBundleFilename, os.O_WRONLY|os.O_APPEND, 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyBlock, err := rootKeys[0].PEMBlock()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = pem.Encode(file, keyBlock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = file.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	realm := "https://auth.example.com/token/"
+	issuer := "test-issuer.example.com"
+	service := "test-service.example.com"
+
+	options := map[string]interface{}{
+		"realm": realm,
+		"issuer": issuer,
+		"service": service,
+		"rootcertbundle": rootCertBundleFilename,
+	}
+
+	ac, err := newAccessController(options)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(ac.(*accessController).rootCerts.Subjects()) != 2 {
+		t.Fatal("accessController has the wrong number of certificates")
+	}
+}
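Review bot: The new test covers only the tolerant path — a private-key block appended after two certificates is skipped and `Subjects()` still reports 2 — but nothing pins the error path that the change moved inside the type check, so a later edit that swallowed `x509.ParseCertificate` errors for `CERTIFICATE` blocks would go unnoticed. I would add a sibling case that appends `&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not a certificate")}` to the bundle and asserts that `newAccessController(options)` returns a non-nil error. On style, the `err = pem.Encode(file, keyBlock)` / `if err != nil` pairs read more idiomatically as `if err := pem.Encode(file, keyBlock); err != nil { t.Fatal(err) }`, and a `defer file.Close()` right after `os.OpenFile` would stop the descriptor leaking on the `t.Fatal` paths between open and close (the explicit `file.Close()` error check can stay). The leading comment would also be clearer as a doc comment starting with the function name: `// TestNewAccessControllerPemBlock verifies that newAccessController skips non-certificate PEM blocks (here a private key) in the root cert bundle.`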