Diffstat (limited to 'internal')
-rw-r--r--internal/manager/manager.go2
-rw-r--r--internal/x509util/x509util.go44
2 files changed, 45 insertions, 1 deletions
diff --git a/internal/manager/manager.go b/internal/manager/manager.go
index 2210c9b..33207e9 100644
--- a/internal/manager/manager.go
+++ b/internal/manager/manager.go
@@ -70,7 +70,7 @@ func (mgr *Manager) Run(ctx context.Context,
case ev := <-monitorCh:
fmt.Printf("DEBUG: received event from monitor with %d matches\n", len(ev.Matches))
case ev := <-serverCh:
- fmt.Printf("DEBUG: received event from server\n: %v", ev)
+ fmt.Printf("DEBUG: received event from server: %v\n", ev)
case err := <-errorCh:
fmt.Printf("DEBUG: received error: %v\n", err)
}
diff --git a/internal/x509util/x509util.go b/internal/x509util/x509util.go
new file mode 100644
index 0000000..912d1b4
--- /dev/null
+++ b/internal/x509util/x509util.go
@@ -0,0 +1,44 @@
+package x509util
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+)
+
+// ParseChain parses a certificate chain in PEM format. At least one
+// certificate must be in the chain. The first certificate must be a leaf,
+// whereas all other certificates must CA certificates (intermdiates/roots).
+//
+// Note: it is not checked if the certificate chain's root is trusted or not.
+func ParseChain(b []byte) ([]x509.Certificate, error) {
+ var chain []x509.Certificate
+
+ for {
+ block, rest := pem.Decode(b)
+ if block == nil {
+ break
+ }
+ crt, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("parse certificate: %v", err)
+ }
+
+ chain = append(chain, *crt)
+ b = rest
+ }
+
+ if len(chain) == 0 {
+ return nil, fmt.Errorf("no certificates in the provided chain")
+ }
+ if chain[0].IsCA {
+ return nil, fmt.Errorf("leaf certificate has the CA bit set")
+ }
+ for _, crt := range chain[1:] {
+ if !crt.IsCA {
+ return nil, fmt.Errorf("non-leaf certificate without the CA bit set")
+ }
+ }
+
+ return chain, nil
+}
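Review bot: The checks at the end of ParseChain only look at each certificate's IsCA bit and never verify that the chain actually links, so a leaf followed by an unrelated CA certificate is accepted even though the doc comment only disclaims the trust check, which lets a caller assume the returned slice is internally consistent. Either extend the note to say ordering and issuer/signature relationships are not verified, or add linkage validation in the `chain[1:]` loop, for example `if err := chain[i].CheckSignatureFrom(&chain[i+1]); err != nil { return nil, fmt.Errorf("certificate %d not signed by certificate %d: %w", i, i+1, err) }` with the loop written over indices. The decode loop also feeds every PEM block to x509.ParseCertificate regardless of its type and silently stops at the first non-PEM bytes, so a stray non-certificate block fails with a confusing parse error while trailing garbage is ignored; a `block.Type != "CERTIFICATE"` check before parsing would make the failure explicit. The errors in this hunk wrap with `%v`, so callers cannot use errors.As on the underlying x509 error; `%w` is the idiomatic form. In the doc comment, "must CA certificates (intermdiates/roots)" should read "must be CA certificates (intermediates/roots)".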