| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Not storing the full chain, which would be even more useful.
No rate limiting, which would be good.
Also, reorganise some in x509.erl and add tests.
|
|
|
|
| |
Also some cosmetic changes.
|
|
|
|
| |
NOTE: We're not dialyzer clean yet.
|
| |
|
| |
|
|
|
|
|
| |
Also, have valid_chain_p return boolean, add some debug logging and
detect invalid signature types instead of crashing.
|
|
|
|
|
|
|
| |
This filters out certificates with signing algorithms that we can't
handle.
Also, make unit tests better.
|
| |
|
|
|
|
| |
Trying to figure out why public_key:verify isn't found in docker images.
|
|
|
|
|
|
|
|
|
|
| |
Even canoncalized versions of this data mismatch in otherwise proper
chains. Since we're not here to validate chains for any other reasons
than attribution and spam control, let's stop validate
cert.issuer==candidate.subject. We still verify the cryptographic
chain with signatures of tbsCertificates of course.
Resolves CATLFISH-19.
|
|
|
|
| |
Makefile target 'check' runs them.
|
|
|
|
|
|
|
| |
OTP cert validation is too strict. Let's see if this is forgiving
enough for our needs.
Also, move all cert reading from disk to x509.erl.
|
|
|
|
| |
Also move x509 specific code to the x509 module.
|
|
|
|
|
|
| |
Now not crashing badly encoded certs in the list of known roots, which
is good. They're simply ignored. Next step is to figure out if we
should accept some anomalies, due to reality.
|
|
|
|
| |
Writing to stdout for now, until we've decided on logging framework.
|
|
|
|
| |
This way, Chain is always a list.
|
|
|
|
|
| |
The type definition seem to have disappeared from public_key.hrl in
R17 and I don't know how to conditionally define a type.
|
|
NOTE: Presence of and constraints on names are not being validated.
|