GODRIVER-1524 Improve error checking for loading CA certificate (#329)

Author: Divjot Arora

mongo/options/clientoptions.go

@@ -780,9 +780,9 @@ func addCACertFromFile(cfg *tls.Config, file string) error {
 		return err
 	}
 
-	certBytes, err := loadCert(data)
+	certBytes, err := loadCACert(data)
 	if err != nil {
-		return err
+		return fmt.Errorf("error loading CA cert: %v", err)
 	}
 
 	cert, err := x509.ParseCertificate(certBytes)
@@ -799,12 +799,12 @@ func addCACertFromFile(cfg *tls.Config, file string) error {
 	return nil
 }
 
-func loadCert(data []byte) ([]byte, error) {
+func loadCACert(data []byte) ([]byte, error) {
 	var certBlock *pem.Block
 
 	for certBlock == nil {
 		if data == nil || len(data) == 0 {
-			return nil, errors.New(".pem file must have both a CERTIFICATE and an RSA PRIVATE KEY section")
+			return nil, errors.New("no CERTIFICATE section found")
 		}
 
 		block, rest := pem.Decode(data)
@@ -814,10 +814,6 @@ func loadCert(data []byte) ([]byte, error) {
 
 		switch block.Type {
 		case "CERTIFICATE":
-			if certBlock != nil {
-				return nil, errors.New("multiple CERTIFICATE sections in .pem file")
-			}
-
 			certBlock = block
 		}
 

mongo/options/clientoptions_test.go

@@ -6,9 +6,11 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"os"
 	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -17,6 +19,7 @@ import (
 	"go.mongodb.org/mongo-driver/bson/bsoncodec"
 	"go.mongodb.org/mongo-driver/event"
 	"go.mongodb.org/mongo-driver/internal"
+	"go.mongodb.org/mongo-driver/internal/testutil/assert"
 	"go.mongodb.org/mongo-driver/mongo/readconcern"
 	"go.mongodb.org/mongo-driver/mongo/readpref"
 	"go.mongodb.org/mongo-driver/mongo/writeconcern"
@@ -459,6 +462,42 @@ func TestClientOptions(t *testing.T) {
 			})
 		}
 	})
+	t.Run("loadCACert", func(t *testing.T) {
+		caData := readFile(t, "testdata/ca.pem")
+		keyData := readFile(t, "testdata/ca-key.pem")
+		noCertErr := errors.New("no CERTIFICATE section found")
+		malformedErr := errors.New("invalid .pem file")
+
+		testCases := []struct {
+			name string
+			data []byte
+			err  error
+		}{
+			{"file with certificate succeeds", caData, nil},
+			{"empty file errors", []byte{}, noCertErr},
+			{"file with no certificate errors", keyData, noCertErr},
+			{"file with malformed data errors", []byte{1, 2, 3}, malformedErr},
+		}
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				_, err := loadCACert(tc.data)
+				if tc.err == nil {
+					assert.Nil(t, err, "loadCACert error: %v", err)
+					return
+				}
+
+				assert.NotNil(t, err, "expected error %v, got nil", tc.err)
+				containsMsg := strings.Contains(err.Error(), tc.err.Error())
+				assert.True(t, containsMsg, "expected error %v, got %v", tc.err, err)
+			})
+		}
+	})
+}
+
+func readFile(t *testing.T, path string) []byte {
+	data, err := ioutil.ReadFile(path)
+	assert.Nil(t, err, "ReadFile error for %s: %v", path, err)
+	return data
 }
 
 type testDialer struct {