From 6cc9a670e1b6a7f55bf12c6fb1e28db314b55559 Mon Sep 17 00:00:00 2001
From: Jonas Wagner <knoppiks@users.noreply.github.com>
Date: Fri, 14 Jul 2023 08:19:03 +0200
Subject: [PATCH] Prevent Panic for empty Arrays on Error

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>
---
 factory/ca.go            | 11 ++++++++++-
 storage/kubernetes/ca.go |  3 +++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/factory/ca.go b/factory/ca.go
index b2c92f6..fb1c537 100644
--- a/factory/ca.go
+++ b/factory/ca.go
@@ -28,6 +28,9 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 // Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
 	chain, signer, err := LoadOrGenCAChain()
+	if err != nil {
+		return nil, nil, err
+	}
 	return chain[0], signer, err
 }
 
@@ -69,7 +72,10 @@ func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
 
 func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
 	chain, signer, err := LoadCAChain(caPem, caKey)
-	return chain[0], signer, err
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, nil
 }
 
 func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
@@ -93,6 +99,9 @@ func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error
 // Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
 func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
 	chain, signer, err := LoadCertsChain(certFile, keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
 	return chain[0], signer, err
 }
 
diff --git a/storage/kubernetes/ca.go b/storage/kubernetes/ca.go
index 6c203e1..18a07e0 100644
--- a/storage/kubernetes/ca.go
+++ b/storage/kubernetes/ca.go
@@ -14,6 +14,9 @@ import (
 // Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x509.Certificate, crypto.Signer, error) {
 	chain, signer, err := LoadOrGenCAChain(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
 	return chain[0], signer, err
 }