tlsconfig: certPool: pass options as argument

thaJeztah · thaJeztah · commit 4fed89b13ab5 · 2026-03-24T20:48:00.000+01:00
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
@@ -75,26 +75,29 @@ func defaultConfig(ops ...func(*tls.Config)) *tls.Config {
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
-func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
+func certPool(opts Options) (*x509.CertPool, error) {
 	// If we should verify the server, we need to load a trusted ca
 	var (
 		pool *x509.CertPool
 		err  error
 	)
-	if exclusivePool {
+	if opts.ExclusiveRootPools {
 		pool = x509.NewCertPool()
 	} else {
 		pool, err = x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pemData, err := os.ReadFile(caFile)
+	if opts.CAFile == "" {
+		return pool, nil
+	}
+	pemData, err := os.ReadFile(opts.CAFile)
 	if err != nil {
-		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
+		return nil, fmt.Errorf("could not read CA certificate %q: %v", opts.CAFile, err)
 	}
 	if !pool.AppendCertsFromPEM(pemData) {
-		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
+		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", opts.CAFile)
 	}
 	return pool, nil
 }
@@ -197,7 +200,7 @@ func Client(options Options) (*tls.Config, error) {
 	tlsConfig := defaultConfig()
 	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
 	if !options.InsecureSkipVerify && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}
@@ -230,7 +233,7 @@ func Server(options Options) (*tls.Config, error) {
 	}
 	tlsConfig.Certificates = []tls.Certificate{tlsCert}
 	if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}

Original file line number	Diff line number	Diff line change
`@@ -75,26 +75,29 @@ func defaultConfig(ops ...func(tls.Config)) tls.Config {`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	// certPool returns an X.509 certificate pool from `caFile`, the certificate file.
`78`		`-func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {`
	`78`	`+func certPool(opts Options) (*x509.CertPool, error) {`
`79`	`79`	`// If we should verify the server, we need to load a trusted ca`
`80`	`80`	`var (`
`81`	`81`	`pool *x509.CertPool`
`82`	`82`	`err error`
`83`	`83`	`)`
`84`		`- if exclusivePool {`
	`84`	`+ if opts.ExclusiveRootPools {`
`85`	`85`	`pool = x509.NewCertPool()`
`86`	`86`	`} else {`
`87`	`87`	`pool, err = x509.SystemCertPool()`
`88`	`88`	`if err != nil {`
`89`	`89`	`return nil, fmt.Errorf("failed to read system certificates: %v", err)`
`90`	`90`	`}`
`91`	`91`	`}`
`92`		`- pemData, err := os.ReadFile(caFile)`
	`92`	`+ if opts.CAFile == "" {`
	`93`	`+ return pool, nil`
	`94`	`+ }`
	`95`	`+ pemData, err := os.ReadFile(opts.CAFile)`
`93`	`96`	`if err != nil {`
`94`		`- return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)`
	`97`	`+ return nil, fmt.Errorf("could not read CA certificate %q: %v", opts.CAFile, err)`
`95`	`98`	`}`
`96`	`99`	`if !pool.AppendCertsFromPEM(pemData) {`
`97`		`- return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)`
	`100`	`+ return nil, fmt.Errorf("failed to append certificates from PEM file: %q", opts.CAFile)`
`98`	`101`	`}`
`99`	`102`	`return pool, nil`
`100`	`103`	`}`
`@@ -197,7 +200,7 @@ func Client(options Options) (*tls.Config, error) {`
`197`	`200`	`tlsConfig := defaultConfig()`
`198`	`201`	`tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify`
`199`	`202`	`if !options.InsecureSkipVerify && options.CAFile != "" {`
`200`		`- CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)`
	`203`	`+ CAs, err := certPool(options)`
`201`	`204`	`if err != nil {`
`202`	`205`	`return nil, err`
`203`	`206`	`}`
`@@ -230,7 +233,7 @@ func Server(options Options) (*tls.Config, error) {`
`230`	`233`	`}`
`231`	`234`	`tlsConfig.Certificates = []tls.Certificate{tlsCert}`
`232`	`235`	`if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {`
`233`		`- CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)`
	`236`	`+ CAs, err := certPool(options)`
`234`	`237`	`if err != nil {`
`235`	`238`	`return nil, err`
`236`	`239`	`}`