author | Linus Nordberg <linus@nordberg.se> | 2015-02-27 01:51:12 +0100 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2015-02-27 01:51:12 +0100 |
commit | 85615c8e621aa16026faf07f01bf0ba0776c191f (patch) | |
tree | 32d07b604b17ad4a89471bfeb6c0a13cf28a3abc /src/catlfish.erl | |
parent | bdfde9547c151588917fd932ecf74377d3c378c3 (diff) |
Verify that known roots are indeed signing themselves.
This filters out certificates with signing algorithms that we can't
handle.
Also, make unit tests better.
Diffstat (limited to 'src/catlfish.erl')
-rw-r--r-- | src/catlfish.erl | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 765a8a6..3956eec 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -200,9 +200,17 @@ known_roots(Directory, CacheUsage) ->
 end.
 read_files_and_update_table(Directory) ->
- L = x509:read_pemfiles_from_dir(Directory),
- true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, L}),
- L.
+ Certs = x509:read_pemfiles_from_dir(Directory),
+ Proper = x509:self_signed(Certs),
+ case length(Certs) - length(Proper) of
+ 0 -> ok;
+ N -> lager:warning(
+ "Ignoring ~p root certificates not signing themselves properly",
+ [N])
+ end,
+ true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, Proper}),
+ lager:info("Known roots imported: ~p", [length(Proper)]),
+ Proper.
 %%%%%%%%%%%%%%%%%%%%
 %% Testing internal functions.
@@ -218,7 +226,7 @@ read_pemfiles_test_() ->
 end,
 fun(_) -> ets:delete(?CACHE_TABLE, ?ROOTS_CACHE_KEY) end,
 fun({L, LCached}) ->
- [?_assertMatch(7, length(L)),
+ [?_assertMatch(4, length(L)),
 ?_assertEqual(L, LCached)]
 end}. |
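Review bot: The warning in read_files_and_update_table reports only how many roots were dropped, so an operator cannot tell which trust anchor left the accepted set, or whether it failed the signature check or merely uses an algorithm that x509:self_signed cannot handle (the commit message says both cases are filtered). I would compute `Rejected = Certs -- Proper` and log one line per rejected certificate with an identifier such as a hash of its encoding, assuming the list elements are the encoded certificates. A short comment above the call, e.g. `%% Sanity filter only: a valid self-signature does not make a root trusted; trust comes from what is placed in Directory.`, would keep later readers from treating this check as authentication. It may also be worth logging above info level when `Proper` ends up empty, since the cache then holds no roots at all.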
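Review bot: The new expectation `?_assertMatch(4, length(L))` pins only the number of accepted roots, so the test would still pass if the filter kept the wrong four of the fixtures that previously counted seven. A comment naming which fixture files are expected to be rejected, and why, would document the magic number, and `?_assertEqual(4, length(L))` states the intent more directly than a pattern match against a literal. The test generator's body starts above the hunk, and tests elsewhere in the commit may already cover the per-certificate cases.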