From 88c9e77bd30d723a02e4cc43ee39be9259f08033 Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordu.net>
Date: Mon, 3 Aug 2015 16:46:53 +0200
Subject: Always store and return root certificate (closes CATLFISH-55).

---
 src/x509.erl | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/x509.erl b/src/x509.erl
index 7bbfb8e..279d9b9 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -71,10 +71,9 @@ detox(LeafDer, ChainDer) ->
 %% argument is irrelevant.
 %%
 %% Return {false, Reason} or {true, ListWithRoot}. Note that
-%% ListWithRoot is the empty list when the root of the chain is found
-%% amongst the acceptable root certs. Otherwise it contains exactly
-%% one element, a CA cert from the acceptable root certs signing the
-%% root of the chain.
+%% ListWithRoot allways contain exactly one element -- a CA cert from
+%% first argument (AcceptableRootCerts) signing the root of the
+%% chain. FIXME: Any point in returning this as a list?
 normalise_chain(_, _, MaxChainLength) when MaxChainLength =< 0 ->
     %% Chain too long.
     {false, chain_too_long};
@@ -83,7 +82,7 @@ normalise_chain(AcceptableRootCerts, [TopCert], MaxChainLength) ->
     case lists:member(TopCert, AcceptableRootCerts) of
         true ->
             %% Top cert is part of chain.
-            {true, []};
+            {true, [TopCert]};
         false when MaxChainLength =< 1 ->
             %% Chain too long.
             {false, chain_too_long};
@@ -485,14 +484,14 @@ chain_test(C0, C1) ->
      %% Chain too long.
      ?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0], 1)),
      %% Root in chain and in trust store.
-     ?_assertEqual({true, []}, normalise_chain([C1], [C0, C1], 2)),
+     ?_assertEqual({true, [C1]}, normalise_chain([C1], [C0, C1], 2)),
      %% Chain too long.
      ?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0, C1], 1)),
      %% Root not in trust store.
      ?_assertMatch({false, root_unknown}, normalise_chain([], [C0, C1], 10)),
      %% Selfsigned. Actually OK.
-     ?_assertMatch({true, []}, normalise_chain([C0], [C0], 10)),
-     ?_assertMatch({true, []}, normalise_chain([C0], [C0], 1)),
+     ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 10)),
+     ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 1)),
      %% Max chain length 0 is not OK.
      ?_assertMatch({false, chain_too_long}, normalise_chain([C0], [C0], 0))
     ].
-- 
cgit v1.1