Handle client certificate chain

[Klaus-Tockloth]

The client should send the full certificate chain to the server (best practice) and not only the (single) client certificate. This use case is currently not handled. The defect is here:

func GetClientCertificate(clientCertPath string, clientKeyPath string) (*tls.Certificate, error) {
	fmt.Printf("Server requested certificate\n")
	if clientCertPath == "" || clientKeyPath == "" {
		return nil, errors.New("client certificate and key are required")
	}
	clientBytes, err := os.ReadFile(clientCertPath)
	if err != nil {
		return nil, fmt.Errorf("error reading client certificate: %w", err)
	}
	var cert *x509.Certificate
	for block, rest := pem.Decode(clientBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			cert, err = x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("error parsing client certificate: %v", err)
			}
		}
	}

	certificate := tls.Certificate{
		Certificate: [][]byte{cert.Raw},
		PrivateKey: &CustomSigner{
			x509Cert:       cert,
			clientCertPath: clientCertPath,
			clientKeyPath:  clientKeyPath,
		},
	}
	return &certificate, nil
}

In case of a chain: cert contains the last certificate in the chain.

[getvictor]

I agree. I will plan to fix this once I come back to refresh this codebase and articles.