diff options
| author | Linus Nordberg <linus@nordu.net> | 2017-02-25 00:51:52 +0100 |
|---|---|---|
| committer | Linus Nordberg <linus@nordu.net> | 2017-02-25 00:51:52 +0100 |
| commit | 50478caf119584d4152a6e17c6790d10d97599f0 (patch) | |
| tree | 735de02c74cf970ba7ee51d52f3ba30ecf096bd0 /src/x509.erl | |
| parent | a0332b7116aa1c5abf16e7e3ff7a0630beb806d2 (diff) | |
Don't store root cert twice when included in submission.
Closes CATLFISH-96.
Diffstat (limited to 'src/x509.erl')
| -rw-r--r-- | src/x509.erl | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/x509.erl b/src/x509.erl index 4eb9755..0b32c4e 100644 --- a/src/x509.erl +++ b/src/x509.erl @@ -25,7 +25,12 @@ normalise_chain(AcceptableRootCerts, CertChain) -> {false, Reason} -> {error, Reason}; {true, Root} -> - {ok, CertChain ++ Root} + case lists:member(Root, CertChain) of + true -> + {ok, CertChain}; + false -> + {ok, CertChain ++ [Root]} + end end. -spec cert_string(binary()) -> string(). @@ -70,10 +75,8 @@ detox(LeafDer, ChainDer) -> %% argument is: leaf cert in head, chain in tail. Order of certs in first %% argument is irrelevant. %% -%% Return {false, Reason} or {true, ListWithRoot}. Note that -%% ListWithRoot allways contain exactly one element -- a CA cert from -%% first argument (AcceptableRootCerts) signing the root of the -%% chain. FIXME: Any point in returning this as a list? +%% Return {false, Reason} or {true, Root} where Root is a CA cert from +%% AcceptableRootCerts signing the root of the chain. normalise_chain(_, _, MaxChainLength) when MaxChainLength =< 0 -> %% Chain too long. {false, chain_too_long}; @@ -82,7 +85,7 @@ normalise_chain(AcceptableRootCerts, [TopCert], MaxChainLength) -> case lists:member(TopCert, AcceptableRootCerts) of true -> %% Top cert is part of chain. - {true, [TopCert]}; + {true, TopCert}; false when MaxChainLength =< 1 -> %% Chain too long. {false, chain_too_long}; @@ -90,11 +93,11 @@ normalise_chain(AcceptableRootCerts, [TopCert], MaxChainLength) -> %% Top cert _might_ be signed by a cert in truststore. case signer(TopCert, AcceptableRootCerts) of notfound -> {false, root_unknown}; - Root -> {true, [Root]} + Root -> {true, Root} end end; -normalise_chain(AcceptableRootCerts, [BottomCert|Rest], MaxChainLength) -> - case signed_by_p(BottomCert, hd(Rest)) of +normalise_chain(AcceptableRootCerts, [Cert|Rest], MaxChainLength) -> + case signed_by_p(Cert, hd(Rest)) of true -> normalise_chain(AcceptableRootCerts, Rest, MaxChainLength - 1); false -> {false, signature_mismatch} end. |