Fix certificate type identification

Mariano Cano 2022-02-16 18:09:20 -08:00
parent b3316c4a56
commit d424159200


@ -1,7 +1,6 @@
package vaultcas
import (
"bytes"
"context"
"crypto/sha256"
"crypto/x509"
@ -162,12 +161,12 @@ func getCertificateAndChain(certb certutil.CertBundle) (*Certificate, error) {
continue
}
used[cert.SerialNumber.String()] = true
if cert.IsCA && bytes.Equal(cert.RawIssuer, cert.RawSubject) {
if isRoot(cert) {
root = cert
} else if !cert.IsCA {
leaf = cert
} else {
} else if cert.BasicConstraintsValid && cert.IsCA {
intermediates = append(intermediates, cert)
} else {
leaf = cert
}
}
}
@ -402,3 +401,11 @@ func unmarshalMap(m map[string]interface{}, v interface{}) error {
return json.Unmarshal(b, v)
}
// isRoot returns true if the given certificate is a root certificate.
func isRoot(cert *x509.Certificate) bool {
if cert.BasicConstraintsValid && cert.IsCA {
return cert.CheckSignatureFrom(cert) == nil
}
return false
}
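Review bot: The one-line comment on isRoot does not say what "root" now means, and the definition changed: a certificate is a root only if basic constraints assert cA and its signature verifies under its own key, so a self-issued certificate signed by a different key (a rollover root) is no longer a root, and — if I recall x509.CheckSignatureFrom correctly — neither is a self-signed CA whose key usage is set but lacks certSign; that one would land in the intermediates branch instead. I would make that explicit: `// isRoot reports whether cert is a self-signed CA: basic constraints mark it as a CA and its signature verifies under its own public key; a self-issued certificate signed by a different key is not a root.` The trailing else in getCertificateAndChain now also absorbs CA certificates that carry no valid basic-constraints extension (v1 CAs) and silently overwrites leaf on every hit, so if a bundle can hold more than one end-entity certificate it may be worth returning an error rather than keeping the last one. getCertificateAndChain starts before the hunk, and the exact end of its body is not visible here.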