Allow to append to system CA

Fixes #1 Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
2025-09-16 23:00:53 +00:00 · 2022-05-12 11:59:24 +02:00
parent a7b15ad1f8
commit 5842702dd4
3 changed files with 57 additions and 0 deletions
--- a/config.go
+++ b/config.go
@@ -13,6 +13,8 @@ type config struct {

 	cacerts []byte
 	header  http.Header
+
+	systemfallback bool
 }

 // Option is a generic option for TPM configuration
@@ -26,6 +28,13 @@ var Emulated Option = func(c *config) error {
 	return nil
 }

+// AppendCustomCAToSystemCA uses the system CA pool as a fallback, appending the custom CA
+// to it.
+var AppendCustomCAToSystemCA Option = func(c *config) error {
+	c.systemfallback = true
+	return nil
+}
+
 // WithCAs sets the root CAs for the request
 func WithCAs(ca []byte) Option {
 	return func(c *config) error {
--- a/get.go
+++ b/get.go
@@ -30,6 +30,14 @@ func Get(url string, opts ...Option) ([]byte, error) {
 	dialer := websocket.DefaultDialer
 	if len(c.cacerts) > 0 {
 		pool := x509.NewCertPool()
+		if c.systemfallback {
+			systemPool, err := x509.SystemCertPool()
+			if err != nil {
+				return nil, err
+			}
+			pool = systemPool
+		}
+
 		pool.AppendCertsFromPEM(c.cacerts)
 		dialer = &websocket.Dialer{
 			Proxy:            http.ProxyFromEnvironment,
--- a/get_test.go
+++ b/get_test.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"os"
 	"time"

 	"github.com/gorilla/websocket"
@@ -108,5 +109,44 @@ var _ = Describe("GET", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(result).To(Equal(map[string]interface{}{"foo": "bar"}))
 		})
+
+	})
+})
+
+// This test is meant to be running manually against a
+// reg. server with a valid cert.
+var _ = Describe("GET", func() {
+	Context("challenges with a remote endpoint", func() {
+		regUrl := os.Getenv("REG_URL")
+
+		expectedMatches := ContainElement("ros-node-{{ trunc 4 .MachineID }}")
+		BeforeEach(func() {
+			if regUrl == "" {
+				Skip("No remote url passed, skipping suite")
+			}
+		})
+
+		It("gets pubhash from remote with a public signed CA", func() {
+			msg, err := Get(regUrl, Emulated, WithSeed(1))
+			result := map[string]interface{}{}
+			json.Unmarshal(msg, &result)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(result).To(expectedMatches)
+		})
+
+		It("it fails if we specify a custom CA (invalid)", func() {
+			msg, err := Get(regUrl, Emulated, WithSeed(1), WithCAs([]byte(`dddd`)))
+			result := map[string]interface{}{}
+			json.Unmarshal(msg, &result)
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("it pass if appends to system CA", func() {
+			msg, err := Get(regUrl, Emulated, WithSeed(1), AppendCustomCAToSystemCA, WithCAs([]byte(`dddd`)))
+			result := map[string]interface{}{}
+			json.Unmarshal(msg, &result)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(result).To(expectedMatches)
+		})
 	})
 })