adds get chain with root CA for spiffe ID searching

openziti · Jul 1, 2024 · b5d20b1 · b5d20b1
1 parent 60b7f39
commit b5d20b1
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/ca_pool.go b/ca_pool.go
@@ -35,6 +35,7 @@ func (self *CaPool) isSelfSignedCA(cert *x509.Certificate) bool {
 	return cert.IsCA && cert.CheckSignatureFrom(cert) == nil
 }
 
+// GetChainMinusRoot returns a chain from `cert` up to, but not including, the root CA if possible
 func (self *CaPool) GetChainMinusRoot(cert *x509.Certificate, extraCerts ...*x509.Certificate) []*x509.Certificate {
 	var result []*x509.Certificate
 	result = append(result, cert)
@@ -53,6 +54,30 @@ func (self *CaPool) GetChainMinusRoot(cert *x509.Certificate, extraCerts ...*x50
 	}
 }
 
+// GetChain returns a chain from `cert` up and including the root CA if possible
+func (self *CaPool) GetChain(cert *x509.Certificate, extraCerts ...*x509.Certificate) []*x509.Certificate {
+	var result []*x509.Certificate
+	result = append(result, cert)
+
+	certs := map[*x509.Certificate]struct{}{}
+
+	for _, curCert := range self.certs {
+		certs[curCert] = struct{}{}
+	}
+	for _, curCert := range extraCerts {
+		certs[curCert] = struct{}{}
+	}
+
+	for {
+		if parent := self.getParent(cert, certs); parent != nil {
+			result = append(result, parent)
+			cert = parent
+		} else {
+			return result
+		}
+	}
+}
+
 func (self *CaPool) addNonSelfSignedCasToCertsMap(certMap map[*x509.Certificate]struct{}, certs []*x509.Certificate) {
 	for _, cert := range certs {
 		if cert.IsCA && !self.isSelfSignedCA(cert) {