Add a CA.Pool() method to ./internal/certauthority.

This is convenient for at least one test and is simple enough to write and test. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 14:33:07 -06:00 · 2020-12-02 14:33:07 -06:00 · 22953cdb78
commit 22953cdb78
parent fe0481c304
2 changed files with 17 additions and 0 deletions
--- a/internal/certauthority/certauthority.go
+++ b/internal/certauthority/certauthority.go
@ -136,6 +136,13 @@ func (c *CA) Bundle() []byte {
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.caCertBytes})
 }

+// Pool returns the current CA signing bundle as a *x509.CertPool.
+func (c *CA) Pool() *x509.CertPool {
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(c.Bundle())
+	return pool
+}
+
 // Issue a new server certificate for the given identity and duration.
 func (c *CA) Issue(subject pkix.Name, dnsNames []string, ips []net.IP, ttl time.Duration) (*tls.Certificate, error) {
 	// Choose a random 128 bit serial number.
--- a/internal/certauthority/certauthority_test.go
+++ b/internal/certauthority/certauthority_test.go
@ -182,6 +182,16 @@ func TestBundle(t *testing.T) {
 	})
 }

+func TestPool(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		ca, err := New(pkix.Name{CommonName: "test"}, 1*time.Hour)
+		require.NoError(t, err)
+
+		got := ca.Pool()
+		require.Len(t, got.Subjects(), 1)
+	})
+}
+
 type errSigner struct {
 	pubkey crypto.PublicKey
 	err    error