jv: add -cacert option

cmd/jv/loader.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"os"
@@ -13,11 +14,21 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-func newLoader(insecure bool) jsonschema.URLLoader {
+func newLoader(insecure bool, cacert string) (jsonschema.URLLoader, error) {
 	httpLoader := HTTPLoader(http.Client{
 		Timeout: 15 * time.Second,
 	})
-	if insecure {
+	if cacert != "" {
+		pem, err := os.ReadFile(cacert)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(pem)
+		httpLoader.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: caCertPool},
+		}
+	} else if insecure {
 		httpLoader.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
@@ -26,7 +37,7 @@ func newLoader(insecure bool) jsonschema.URLLoader {
 		"file":  FileLoader{},
 		"http":  &httpLoader,
 		"https": &httpLoader,
-	}
+	}, nil
 }
 
 type FileLoader struct{}

cmd/jv/main.go

@@ -26,6 +26,7 @@ func main() {
 	assertFormat := flag.Bool("f", false, "Enable format assertions with draft >= 2019")
 	assertContent := flag.Bool("c", false, "Enable content assertions with draft >= 7")
 	insecure := flag.Bool("k", false, "Use insecure TLS connection")
+	cacert := flag.String("cacert", "", "Use the specified `PEM-certificate-file` to verify the peer. The file may contain multiple CA certificates")
 	flag.Parse()
 
 	// help --
@@ -85,7 +86,12 @@ func main() {
 	if *assertContent {
 		c.AssertContent()
 	}
-	c.UseLoader(newLoader(*insecure))
+	loader, err := newLoader(*insecure, *cacert)
+	if err != nil {
+		eprintln("%v", err)
+		os.Exit(2)
+	}
+	c.UseLoader(loader)
 
 	// compile
 	sch, err := func() (*jsonschema.Schema, error) {