Test x509 intermediates correctly

plugin/pkg/auth/authenticator/request/x509/x509.go

@@ -52,28 +52,34 @@ func New(opts x509.VerifyOptions, user UserConversion) *Authenticator {
 
 // AuthenticateRequest authenticates the request using presented client certificates
 func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	if req.TLS == nil {
+	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
 		return nil, false, nil
 	}
 
+	// Use intermediates, if provided
+	optsCopy := a.opts
+	if optsCopy.Intermediates == nil && len(req.TLS.PeerCertificates) > 1 {
+		optsCopy.Intermediates = x509.NewCertPool()
+		for _, intermediate := range req.TLS.PeerCertificates[1:] {
+			optsCopy.Intermediates.AddCert(intermediate)
+		}
+	}
+
+	chains, err := req.TLS.PeerCertificates[0].Verify(optsCopy)
+	if err != nil {
+		return nil, false, err
+	}
+
 	var errlist []error
-	for _, cert := range req.TLS.PeerCertificates {
-		chains, err := cert.Verify(a.opts)
+	for _, chain := range chains {
+		user, ok, err := a.user.User(chain)
 		if err != nil {
 			errlist = append(errlist, err)
 			continue
 		}
 
-		for _, chain := range chains {
-			user, ok, err := a.user.User(chain)
-			if err != nil {
-				errlist = append(errlist, err)
-				continue
-			}
-
-			if ok {
-				return user, ok, err
-			}
+		if ok {
+			return user, ok, err
 		}
 	}
 	return nil, false, utilerrors.NewAggregate(errlist)