summaryrefslogtreecommitdiff
path: root/src/catlfish.erl
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2015-02-27 01:51:12 +0100
committerLinus Nordberg <linus@nordberg.se>2015-02-27 01:51:12 +0100
commit85615c8e621aa16026faf07f01bf0ba0776c191f (patch)
tree32d07b604b17ad4a89471bfeb6c0a13cf28a3abc /src/catlfish.erl
parentbdfde9547c151588917fd932ecf74377d3c378c3 (diff)
Verify that known roots are indeed signing themselves.
This filters out certificates with signing algorithms that we can't handle. Also, make unit tests better.
Diffstat (limited to 'src/catlfish.erl')
-rw-r--r--src/catlfish.erl16
1 files changed, 12 insertions, 4 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 765a8a6..3956eec 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -200,9 +200,17 @@ known_roots(Directory, CacheUsage) ->
end.
read_files_and_update_table(Directory) ->
- L = x509:read_pemfiles_from_dir(Directory),
- true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, L}),
- L.
+ Certs = x509:read_pemfiles_from_dir(Directory),
+ Proper = x509:self_signed(Certs),
+ case length(Certs) - length(Proper) of
+ 0 -> ok;
+ N -> lager:warning(
+ "Ignoring ~p root certificates not signing themselves properly",
+ [N])
+ end,
+ true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, Proper}),
+ lager:info("Known roots imported: ~p", [length(Proper)]),
+ Proper.
%%%%%%%%%%%%%%%%%%%%
%% Testing internal functions.
@@ -218,7 +226,7 @@ read_pemfiles_test_() ->
end,
fun(_) -> ets:delete(?CACHE_TABLE, ?ROOTS_CACHE_KEY) end,
fun({L, LCached}) ->
- [?_assertMatch(7, length(L)),
+ [?_assertMatch(4, length(L)),
?_assertEqual(L, LCached)]
end}.