Merge pull request #1934 from jheiss/token_ssl_pem_type

Check PEM block type when reading token cert file
2016-09-13 09:45:06 -07:00 · 2016-09-13 09:45:06 -07:00 · 17fb0bb6b3
parent cb744efe8b d04481e388
commit 17fb0bb6b3
2 changed files with 60 additions and 5 deletions
--- a/registry/auth/token/accesscontroller.go
+++ b/registry/auth/token/accesscontroller.go
@ -176,12 +176,14 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
 	var rootCerts []*x509.Certificate
 	pemBlock, rawCertBundle := pem.Decode(rawCertBundle)
 	for pemBlock != nil {
+		if pemBlock.Type == "CERTIFICATE" {
 			cert, err := x509.ParseCertificate(pemBlock.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err)
 			}

 			rootCerts = append(rootCerts, cert)
+		}

 		pemBlock, rawCertBundle = pem.Decode(rawCertBundle)
 	}
--- a/registry/auth/token/token_test.go
+++ b/registry/auth/token/token_test.go
@ -455,3 +455,56 @@ func TestAccessController(t *testing.T) {
 		t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name)
 	}
 }
+
+// This tests that newAccessController can handle PEM blocks in the certificate
+// file other than certificates, for example a private key.
+func TestNewAccessControllerPemBlock(t *testing.T) {
+	rootKeys, err := makeRootKeys(2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rootCertBundleFilename, err := writeTempRootCerts(rootKeys)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(rootCertBundleFilename)
+
+	// Add something other than a certificate to the rootcertbundle
+	file, err := os.OpenFile(rootCertBundleFilename, os.O_WRONLY|os.O_APPEND, 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyBlock, err := rootKeys[0].PEMBlock()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = pem.Encode(file, keyBlock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = file.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	realm := "https://auth.example.com/token/"
+	issuer := "test-issuer.example.com"
+	service := "test-service.example.com"
+
+	options := map[string]interface{}{
+		"realm":          realm,
+		"issuer":         issuer,
+		"service":        service,
+		"rootcertbundle": rootCertBundleFilename,
+	}
+
+	ac, err := newAccessController(options)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(ac.(*accessController).rootCerts.Subjects()) != 2 {
+		t.Fatal("accessController has the wrong number of certificates")
+	}
+}