tlsconfig: certPool: pass options as argument

thaJeztah · thaJeztah · commit 0819711a9938 · 2026-03-25T13:21:41.000+01:00
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
@@ -77,26 +77,29 @@ func defaultConfig(ops ...func(*tls.Config)) *tls.Config {
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
-func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
+func certPool(opts Options) (*x509.CertPool, error) {
 	// If we should verify the server, we need to load a trusted ca
 	var (
 		pool *x509.CertPool
 		err  error
 	)
-	if exclusivePool {
+	if opts.ExclusiveRootPools {
 		pool = x509.NewCertPool()
 	} else {
 		pool, err = x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pemData, err := os.ReadFile(caFile)
+	if opts.CAFile == "" {
+		return pool, nil
+	}
+	pemData, err := os.ReadFile(opts.CAFile)
 	if err != nil {
-		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
+		return nil, fmt.Errorf("could not read CA certificate %q: %v", opts.CAFile, err)
 	}
 	if !pool.AppendCertsFromPEM(pemData) {
-		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
+		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", opts.CAFile)
 	}
 	return pool, nil
 }
@@ -199,7 +202,7 @@ func Client(options Options) (*tls.Config, error) {
 	tlsConfig := defaultConfig()
 	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
 	if !options.InsecureSkipVerify && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}
@@ -232,7 +235,7 @@ func Server(options Options) (*tls.Config, error) {
 	}
 	tlsConfig.Certificates = []tls.Certificate{tlsCert}
 	if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}

Original file line number	Diff line number	Diff line change
`@@ -77,26 +77,29 @@ func defaultConfig(ops ...func(tls.Config)) tls.Config {`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	// certPool returns an X.509 certificate pool from `caFile`, the certificate file.
`80`		`-func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {`
	`80`	`+func certPool(opts Options) (*x509.CertPool, error) {`
`81`	`81`	`// If we should verify the server, we need to load a trusted ca`
`82`	`82`	`var (`
`83`	`83`	`pool *x509.CertPool`
`84`	`84`	`err error`
`85`	`85`	`)`
`86`		`- if exclusivePool {`
	`86`	`+ if opts.ExclusiveRootPools {`
`87`	`87`	`pool = x509.NewCertPool()`
`88`	`88`	`} else {`
`89`	`89`	`pool, err = x509.SystemCertPool()`
`90`	`90`	`if err != nil {`
`91`	`91`	`return nil, fmt.Errorf("failed to read system certificates: %v", err)`
`92`	`92`	`}`
`93`	`93`	`}`
`94`		`- pemData, err := os.ReadFile(caFile)`
	`94`	`+ if opts.CAFile == "" {`
	`95`	`+ return pool, nil`
	`96`	`+ }`
	`97`	`+ pemData, err := os.ReadFile(opts.CAFile)`
`95`	`98`	`if err != nil {`
`96`		`- return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)`
	`99`	`+ return nil, fmt.Errorf("could not read CA certificate %q: %v", opts.CAFile, err)`
`97`	`100`	`}`
`98`	`101`	`if !pool.AppendCertsFromPEM(pemData) {`
`99`		`- return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)`
	`102`	`+ return nil, fmt.Errorf("failed to append certificates from PEM file: %q", opts.CAFile)`
`100`	`103`	`}`
`101`	`104`	`return pool, nil`
`102`	`105`	`}`
`@@ -199,7 +202,7 @@ func Client(options Options) (*tls.Config, error) {`
`199`	`202`	`tlsConfig := defaultConfig()`
`200`	`203`	`tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify`
`201`	`204`	`if !options.InsecureSkipVerify && options.CAFile != "" {`
`202`		`- CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)`
	`205`	`+ CAs, err := certPool(options)`
`203`	`206`	`if err != nil {`
`204`	`207`	`return nil, err`
`205`	`208`	`}`
`@@ -232,7 +235,7 @@ func Server(options Options) (*tls.Config, error) {`
`232`	`235`	`}`
`233`	`236`	`tlsConfig.Certificates = []tls.Certificate{tlsCert}`
`234`	`237`	`if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {`
`235`		`- CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)`
	`238`	`+ CAs, err := certPool(options)`
`236`	`239`	`if err != nil {`
`237`	`240`	`return nil, err`
`238`	`241`	`}`