DecodeChain assumes the certificate chain order is from the leaf to root #54

@magodo

I'm new to the cryptography area, and I'd like to post a stupid question here.

I'm using this package to decode a pfx exported from Azure Key Vault, where the PEM blocks after decoding are in the order of: private key -> root cert -> intermediary cert -> leaf cert. The DecodeChain returns the root cert as the certificate.

The document of this function clearly states that:

> The first certificate is assumed to be the leaf certificate, and subsequent certificates, if any, are assumed to comprise the CA certificate chain.

It is obvious that I can manually tweak the returned certificate and caCerts, as I already know my pfx is in the reverse of the order expected by this API. Still, I'd like to see if there is an idiomatic way to achieve this. Even better, is there a way I can tell which order the current pfx is in, and conditionally apply the order reversing? Does it make sense to embed the above ordering logic into this API so that it can handle both orders?
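
One way to detect the order and reverse it only when needed, as an added example that is not part of the original issue or of the package: signatures decide the orientation, since `a.CheckSignatureFrom(b)` succeeds only when `b` issued `a`. The names `leafFirst` and `newCert` are hypothetical, the test certificates are constructed, and the input is assumed to be the returned certificate followed by caCerts, contiguous in one of the two orders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// leafFirst returns a copy of certs in leaf-to-root order. It accepts leaf-first or
// root-first input and rejects anything that is not a chain in either order.
func leafFirst(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	out := append([]*x509.Certificate(nil), certs...) // do not mutate the caller's slice
	if len(out) > 1 && out[0].CheckSignatureFrom(out[1]) != nil { // not leaf-first: try root-first
		for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
			out[i], out[j] = out[j], out[i]
		}
	}
	for i := 1; i < len(out); i++ { // every cert must be signed by the one after it
		if err := out[i-1].CheckSignatureFrom(out[i]); err != nil {
			return nil, fmt.Errorf("cert %d is not issued by cert %d: %w", i-1, i, err)
		}
	}
	return out, nil
}

// newCert makes a constructed test certificate (errors ignored); nil parent means self-signed.
func newCert(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rk := newCert("root", true, nil, nil)
	mid, mk := newCert("intermediate", true, root, rk)
	leaf, _ := newCert("leaf", false, mid, mk)
	chain, err := leafFirst([]*x509.Certificate{root, mid, leaf}) // root-first, as in the issue
	fmt.Println(chain[0].Subject.CommonName, err)
}
```

After reordering, element 0 is the leaf that pairs with the private key and the rest is the CA chain.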
