Fix: correctly use chained certificates for AWS credential exchange

strideynet · strideynet · commit d729c47339e8 · 2025-02-05T17:26:28.000Z
Signed-off-by: Noah Stride &lt;noah.stride@goteleport.com&gt;
diff --git a/signer.go b/signer.go
@@ -110,7 +110,7 @@ func (s *X509SVIDSigner) Certificate() (*x509.Certificate, error) {
 // the trust anchor.
 // Implements the aws_signing_helper.Signer interface.
 func (s *X509SVIDSigner) CertificateChain() ([]*x509.Certificate, error) {
-	if len(s.SVID.Certificates) < 1 {
+	if len(s.SVID.Certificates) > 1 {
 		return s.SVID.Certificates[1:], nil
 	}
 	return nil, nil

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (s X509SVIDSigner) Certificate() (x509.Certificate, error) {`
`110`	`110`	`// the trust anchor.`
`111`	`111`	`// Implements the aws_signing_helper.Signer interface.`
`112`	`112`	`func (s X509SVIDSigner) CertificateChain() ([]x509.Certificate, error) {`
`113`		`- if len(s.SVID.Certificates) < 1 {`
	`113`	`+ if len(s.SVID.Certificates) > 1 {`
`114`	`114`	`return s.SVID.Certificates[1:], nil`
`115`	`115`	`}`
`116`	`116`	`return nil, nil`