Make unit testable cert parsing functions. (#3863)

2025-11-09 21:49:46 -05:00 · 2017-03-09 08:50:01 +05:30
parent 47ac410ab0
commit 8a9852220d
9 changed files with 420 additions and 245 deletions
--- a/cmd/certs.go
+++ b/cmd/certs.go
@@ -1,5 +1,5 @@
 /*
- * Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
+ * Minio Cloud Storage, (C) 2015, 2016, 2017 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -19,120 +19,90 @@ package cmd
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
+	"fmt"
 	"io/ioutil"
 	"path/filepath"
 )

-// getCertsPath get certs path.
-func getCertsPath() string {
-	return filepath.Join(getConfigDir(), globalMinioCertsDir)
-}
-
-// getCertFile must get cert file.
-func getCertFile() string {
-	return filepath.Join(getCertsPath(), globalMinioCertFile)
-}
-
-// getKeyFile must get key file.
-func getKeyFile() string {
-	return filepath.Join(getCertsPath(), globalMinioKeyFile)
-}
-
-// createCertsPath create certs path.
-func createCertsPath() error {
-	rootCAsPath := filepath.Join(getCertsPath(), globalMinioCertsCADir)
-	return mkdirAll(rootCAsPath, 0700)
-}
-
-// getCAFiles must get the list of the CA certificates stored in minio config dir
-func getCAFiles() (caCerts []string) {
-	CAsDir := filepath.Join(getCertsPath(), globalMinioCertsCADir)
-	if caFiles, err := ioutil.ReadDir(CAsDir); err == nil {
-		// Ignore any error.
-		for _, cert := range caFiles {
-			caCerts = append(caCerts, filepath.Join(CAsDir, cert.Name()))
-		}
-	}
-	return caCerts
-}
-
-// getSystemCertPool returns empty cert pool in case of error (windows)
-func getSystemCertPool() *x509.CertPool {
-	pool, err := x509.SystemCertPool()
-	if err != nil {
-		pool = x509.NewCertPool()
-	}
-
-	return pool
-}
-
-// isCertFileExists verifies if cert file exists, returns true if
-// found, false otherwise.
-func isCertFileExists() bool {
-	return isFile(getCertFile())
-}
-
-// isKeyFileExists verifies if key file exists, returns true if found,
-// false otherwise.
-func isKeyFileExists() bool {
-	return isFile(getKeyFile())
-}
-
 // isSSL - returns true with both cert and key exists.
 func isSSL() bool {
-	return isCertFileExists() && isKeyFileExists()
+	return isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())
 }

-// Reads certificated file and returns a list of parsed certificates.
+func parsePublicCertFile(certFile string) (certs []*x509.Certificate, err error) {
+	var bytes []byte
+
+	if bytes, err = ioutil.ReadFile(certFile); err != nil {
+		return certs, err
+	}
+
+	// Parse all certs in the chain.
+	var block *pem.Block
+	var cert *x509.Certificate
+	current := bytes
+	for len(current) > 0 {
+		if block, current = pem.Decode(current); block == nil {
+			err = fmt.Errorf("Could not read PEM block from file %s", certFile)
+			return certs, err
+		}
+
+		if cert, err = x509.ParseCertificate(block.Bytes); err != nil {
+			return certs, err
+		}
+
+		certs = append(certs, cert)
+	}
+
+	if len(certs) == 0 {
+		err = fmt.Errorf("Empty public certificate file %s", certFile)
+	}
+
+	return certs, err
+}
+
+// Reads certificate file and returns a list of parsed certificates.
 func readCertificateChain() ([]*x509.Certificate, error) {
-	bytes, err := ioutil.ReadFile(getCertFile())
+	return parsePublicCertFile(getPublicCertFile())
+}
+
+func getRootCAs(certsCAsDir string) (*x509.CertPool, error) {
+	// Get all CA file names.
+	var caFiles []string
+	fis, err := ioutil.ReadDir(certsCAsDir)
 	if err != nil {
 		return nil, err
 	}
-
-	// Proceed to parse the certificates.
-	return parseCertificateChain(bytes)
-}
-
-// Parses certificate chain, returns a list of parsed certificates.
-func parseCertificateChain(bytes []byte) ([]*x509.Certificate, error) {
-	var certs []*x509.Certificate
-	var block *pem.Block
-	current := bytes
-
-	// Parse all certs in the chain.
-	for len(current) > 0 {
-		block, current = pem.Decode(current)
-		if block == nil {
-			return nil, errors.New("Could not PEM block")
-		}
-		// Parse the decoded certificate.
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, err
-		}
-		certs = append(certs, cert)
-
+	for _, fi := range fis {
+		caFiles = append(caFiles, filepath.Join(certsCAsDir, fi.Name()))
 	}
-	return certs, nil
-}

-// loadRootCAs fetches CA files provided in minio config and adds them to globalRootCAs
-// Currently under Windows, there is no way to load system + user CAs at the same time
-func loadRootCAs() {
-	caFiles := getCAFiles()
 	if len(caFiles) == 0 {
-		return
+		return nil, nil
 	}
-	// Get system cert pool, and empty cert pool under Windows because it is not supported
-	globalRootCAs = getSystemCertPool()
+
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		// In some systems like Windows, system cert pool is not supported.
+		// Hence we create a new cert pool.
+		rootCAs = x509.NewCertPool()
+	}
+
 	// Load custom root CAs for client requests
 	for _, caFile := range caFiles {
 		caCert, err := ioutil.ReadFile(caFile)
 		if err != nil {
-			fatalIf(err, "Unable to load a CA file")
+			return rootCAs, err
 		}
-		globalRootCAs.AppendCertsFromPEM(caCert)
+
+		rootCAs.AppendCertsFromPEM(caCert)
 	}
+
+	return rootCAs, nil
+}
+
+// loadRootCAs fetches CA files provided in minio config and adds them to globalRootCAs
+// Currently under Windows, there is no way to load system + user CAs at the same time
+func loadRootCAs() (err error) {
+	globalRootCAs, err = getRootCAs(getCADir())
+	return err
 }