From 6b17044f8e7bd8f3936c9e529c4de34db2cfc959 Mon Sep 17 00:00:00 2001 From: alankrit Date: Wed, 11 Jan 2023 07:59:51 +0000 Subject: [PATCH] fs:Added multiple ca certificate support. --- docs/content/docs.md | 4 ++-- fs/config.go | 6 +++--- fs/config/configflags/configflags.go | 2 +- fs/fshttp/http.go | 22 +++++++++++++--------- 4 files changed, 19 insertions(+), 15 deletions(-) diff --git a/docs/content/docs.md b/docs/content/docs.md index 535ed2486..c899b44c1 100644 --- a/docs/content/docs.md +++ b/docs/content/docs.md @@ -2099,9 +2099,9 @@ these options. For example this can be very useful with the HTTP or WebDAV backends. Rclone HTTP servers have their own set of configuration for SSL/TLS which you can find in their documentation. -### --ca-cert string +### --ca-cert stringArray -This loads the PEM encoded certificate authority certificate and uses +This loads the PEM encoded certificate authority certificates and uses it to verify the certificates of the servers rclone connects to. If you have generated certificates signed with a local CA then you diff --git a/fs/config.go b/fs/config.go index d496b4d88..8fc8e45d9 100644 --- a/fs/config.go +++ b/fs/config.go @@ -120,9 +120,9 @@ type ConfigInfo struct { ProgressTerminalTitle bool Cookie bool UseMmap bool - CaCert string // Client Side CA - ClientCert string // Client Side Cert - ClientKey string // Client Side Key + CaCert []string // Client Side CA + ClientCert string // Client Side Cert + ClientKey string // Client Side Key MultiThreadCutoff SizeSuffix MultiThreadStreams int MultiThreadSet bool // whether MultiThreadStreams was set (set in fs/config/configflags) diff --git a/fs/config/configflags/configflags.go b/fs/config/configflags/configflags.go index abd5209d7..2ecf9e8c7 100644 --- a/fs/config/configflags/configflags.go +++ b/fs/config/configflags/configflags.go 
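Review bot: In the fs/config.go hunk the comment on the retyped field still reads `// Client Side CA`, which no longer tells a reader that `CaCert` is now a list of files rather than a single path; change it to `CaCert []string // Client Side CA certificate files (PEM), one per --ca-cert`. The configflags hunk in this commit binds it with StringArrayVarP, so "one per --ca-cert" is accurate. The ConfigInfo struct starts and ends outside the hunk.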
@@ -120,7 +120,7 @@ func AddFlags(ci *fs.ConfigInfo, flagSet *pflag.FlagSet) {
 flags.BoolVarP(flagSet, &ci.ProgressTerminalTitle, "progress-terminal-title", "", ci.ProgressTerminalTitle, "Show progress on the terminal title (requires -P/--progress)")
 flags.BoolVarP(flagSet, &ci.Cookie, "use-cookies", "", ci.Cookie, "Enable session cookiejar")
 flags.BoolVarP(flagSet, &ci.UseMmap, "use-mmap", "", ci.UseMmap, "Use mmap allocator (see docs)")
- flags.StringVarP(flagSet, &ci.CaCert, "ca-cert", "", ci.CaCert, "CA certificate used to verify servers")
+ flags.StringArrayVarP(flagSet, &ci.CaCert, "ca-cert", "", ci.CaCert, "CA certificate used to verify servers")
 flags.StringVarP(flagSet, &ci.ClientCert, "client-cert", "", ci.ClientCert, "Client SSL certificate (PEM) for mutual TLS auth")
 flags.StringVarP(flagSet, &ci.ClientKey, "client-key", "", ci.ClientKey, "Client SSL private key (PEM) for mutual TLS auth")
 flags.FVarP(flagSet, &ci.MultiThreadCutoff, "multi-thread-cutoff", "", "Use multi-thread downloads for files above this size")
diff --git a/fs/fshttp/http.go b/fs/fshttp/http.go
index b37fd460c..f17c8298e 100644
--- a/fs/fshttp/http.go
+++ b/fs/fshttp/http.go
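Review bot: The help string on the new `flags.StringArrayVarP` line is unchanged from the single-value flag, so `--help` still says `CA certificate used to verify servers` and gives no hint that the flag may now be repeated; make it `"CA certificate used to verify servers (can be repeated)"`. The docs.md hunk in this commit already switched to the plural and to `stringArray`, so the flag help should say the same. AddFlags starts and ends outside the hunk.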
@@ -72,16 +72,20 @@ func NewTransportCustom(ctx context.Context, customize func(*http.Transport)) ht t.TLSClientConfig.Certificates = []tls.Certificate{cert} } - // Load CA cert - if ci.CaCert != "" { - caCert, err := os.ReadFile(ci.CaCert) - if err != nil { - log.Fatalf("Failed to read --ca-cert: %v", err) - } + // Load CA certs + if len(ci.CaCert) != 0 { + caCertPool := x509.NewCertPool() - ok := caCertPool.AppendCertsFromPEM(caCert) - if !ok { - log.Fatalf("Failed to add certificates from --ca-cert") + + for _, cert := range ci.CaCert { + caCert, err := os.ReadFile(cert) + if err != nil { + log.Fatalf("Failed to read --ca-cert file %q : %v", cert, err) + } + ok := caCertPool.AppendCertsFromPEM(caCert) + if !ok { + log.Fatalf("Failed to add certificates from --ca-cert file %q", cert) + } } t.TLSClientConfig.RootCAs = caCertPool }
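Review bot: The new loop names its variable `cert` although it holds a file path, and the same name is used a few lines above this hunk for the `tls.Certificate` placed into `t.TLSClientConfig.Certificates`, so `caCert, err := os.ReadFile(cert)` reads as if a certificate were being opened; rename it, e.g. `for _, caFile := range ci.CaCert {`, and use that name in the two `log.Fatalf` calls. The new read error also has a stray space before the colon: `log.Fatalf("Failed to read --ca-cert file %q: %v", caFile, err)`. Since `x509.NewCertPool()` starts empty and is assigned to `RootCAs`, supplying any `--ca-cert` means only the listed CAs are trusted for every server, not the system roots; that is pre-existing behaviour but now easier to trip over with several files, so a comment on the pool line such as `// Note: this pool replaces the system roots; only the listed CAs are trusted` would help. NewTransportCustom starts and ends outside the hunk.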