From f103b39a94c748c8fc9fa429b4f9741b00857b33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Hurtado?=
Date: Fri, 24 Jan 2020 11:54:06 +0100
Subject: [PATCH] If CA certificate file is incorrect return an error instead of use default syustem CA store

---
 internal/server/user/server.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/internal/server/user/server.go b/internal/server/user/server.go
index ca3a7ca..c30d60c 100644
--- a/internal/server/user/server.go
+++ b/internal/server/user/server.go
@@ -19,6 +19,7 @@ package user
 import (
 "crypto/tls"
 "crypto/x509"
+ "fmt"
 "io/ioutil"
 "log"
 "net/http"
@@ -47,7 +48,7 @@ func Run(bindAddr, certFile, keyFile, cliCaFile string, cliAuth bool) {
 var err error
 Server.TLSConfig.ClientCAs, err = loadCertificatesFromFile(cliCaFile)
 if err != nil {
- log.Printf("UserServer failed to load CA certs: %s\nDefault to system CA store.", err)
+ log.Fatalf("UserServer failed to load CA certs: %s\n", err)
 } else {
 CAStore := "System store"
 if Server.TLSConfig.ClientCAs != nil {
@@ -70,10 +71,13 @@ func Run(bindAddr, certFile, keyFile, cliCaFile string, cliAuth bool) {
 func loadCertificatesFromFile(certFile string) (pool *x509.CertPool, err error) {
 if certFile != "" {
- caCerts, err := ioutil.ReadFile(certFile)
+ var caCerts []byte
+ caCerts, err = ioutil.ReadFile(certFile)
 if err == nil {
 pool = x509.NewCertPool()
- pool.AppendCertsFromPEM(caCerts)
+ if !pool.AppendCertsFromPEM(caCerts) {
+ err = fmt.Errorf("Invalid certificate file %s", certFile)
+ }
 }
 }
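Review bot: Once `log.Fatalf` terminates the process on a CA load error in the second hunk, the `} else {` that follows it is dead structure; the `CAStore := "System store"` block can be dedented onto the happy path, since a terminating `if` makes the `else` redundant. `log` already appends a newline to each entry, so the `\n` in the new format string produces a blank line: `log.Fatalf("UserServer failed to load CA certs: %s", err)`. The fall-back the commit message removes still occurs on another path: when `cliCaFile` is empty the context line `CAStore := "System store"` shows the server proceeding with `ClientCAs` nil, which presumably means client certificates (when `cliAuth` is set, handled outside this hunk) are verified against the system roots, so if the intent is to never trust the system store for client authentication that case should fail as well. The rest of Run, including how `cliAuth` is applied, lies outside the hunk.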