From cce15445c979cc74f26007dddcd4a0fbfe42ed0b Mon Sep 17 00:00:00 2001
From: Armon Dadgar <armon.dadgar@gmail.com>
Date: Mon, 18 May 2015 16:11:09 -0700
Subject: [PATCH] auth/cert: Guard against empty certs. Fixes #214

---
 builtin/credential/cert/path_login.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index 3be1895d50..bb5b2358cc 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -154,9 +154,14 @@ func validateConnState(roots *x509.CertPool, cs *tls.ConnectionState) ([][]*x509
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	}
 	certs := cs.PeerCertificates
+	if len(certs) == 0 {
+		return nil, nil
+	}
 
-	for _, cert := range certs[1:] {
-		opts.Intermediates.AddCert(cert)
+	if len(certs) > 1 {
+		for _, cert := range certs[1:] {
+			opts.Intermediates.AddCert(cert)
+		}
 	}
 
 	chains, err := certs[0].Verify(opts)