49 changes: 33 additions & 16 deletions certloader/certstore_enabled.go
Expand Up @@ -40,6 +40,9 @@ type certstoreCertificate struct {
requireToken bool
// Added logger, useful for certstore logging
logger *log.Logger
// openStore allows injecting a custom store opener for testing.
// If nil, defaults to certstore.Open.
openStore func(*log.Logger) (certstore.Store, error)
}

// SupportsKeychain returns true or false, depending on whether the
Expand Down Expand Up @@ -69,7 +72,12 @@ func CertificateFromKeychainIdentity(

// Reload transparently reloads the certificate.
func (c *certstoreCertificate) Reload() error {
store, err := certstore.Open(c.logger)
opener := c.openStore
if opener == nil {
opener = certstore.Open
}

store, err := opener(c.logger)
if err != nil {
return err
}
Expand All @@ -93,21 +101,30 @@ func (c *certstoreCertificate) Reload() error {
continue
}

bothFiltersPresent := c.commonNameOrSerial != "" && c.issuerName != ""
issuerNameMatches := chain[0].Issuer.CommonName == c.issuerName

commonNameOrSerialMatches :=
chain[0].SerialNumber.String() == c.commonNameOrSerial ||
chain[0].Subject.CommonName == c.commonNameOrSerial

if (bothFiltersPresent && commonNameOrSerialMatches && issuerNameMatches) ||
(!bothFiltersPresent && (commonNameOrSerialMatches || issuerNameMatches)) {
// If both a serial/name and an issuer was specified, we want to
// filter on both of them to support e.g. a case where there's two
// certs with the same name but from different issuers. If only one
// of serial/name or issuer was specified we'll take the certs that
// match whatever we have.
candidates = append(candidates, identity)
hasIdentityFilter := c.commonNameOrSerial != ""
hasIssuerFilter := c.issuerName != ""

commonNameOrSerialMatches := hasIdentityFilter &&
(chain[0].SerialNumber.String() == c.commonNameOrSerial ||
chain[0].Subject.CommonName == c.commonNameOrSerial)

issuerNameMatches := hasIssuerFilter &&
chain[0].Issuer.CommonName == c.issuerName

if hasIdentityFilter && hasIssuerFilter {
// Both filters specified: require both to match, to support
// e.g. two certs with the same name but from different issuers.
if commonNameOrSerialMatches && issuerNameMatches {
candidates = append(candidates, identity)
}
} else if hasIdentityFilter {
if commonNameOrSerialMatches {
candidates = append(candidates, identity)
}
} else if hasIssuerFilter {
if issuerNameMatches {
candidates = append(candidates, identity)
}
}
}

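Review bot: When neither `commonNameOrSerial` nor `issuerName` is set, the new `if`/`else if` chain at the end of the hunk appends nothing, so the loop silently yields an empty candidate list instead of surfacing the misconfiguration; the old expression would at least have matched certificates whose Subject or Issuer CN was empty, which is unlikely to have been relied on, but the empty case now deserves an explicit check rather than an implicit no-op. I would validate once before the store is opened, e.g. at the top of Reload: `if c.commonNameOrSerial == "" && c.issuerName == "" { return errors.New("certloader: keychain identity requires a common name/serial or an issuer name") }` (adding `errors` to the import block if it is not already there). The two `has*Filter` flags are loop-invariant, so they could be hoisted above the `for` and the per-identity body reduced to the match test itself. It is also worth a comment that Issuer CN equality is a selection hint, not a trust decision — distinct issuers can share a CN and nothing in this loop verifies the chain. Reload begins in the previous hunk and its body continues past the end of this one.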