Verify that known roots are indeed signing themselves.

This filters out certificates with signing algorithms that we can't handle. Also, make unit tests better.
author: Linus Nordberg <linus@nordberg.se> 2015-02-27 01:51:12 +0100
committer: Linus Nordberg <linus@nordberg.se> 2015-02-27 01:51:12 +0100
commit: 85615c8e621aa16026faf07f01bf0ba0776c191f (patch)
tree: 32d07b604b17ad4a89471bfeb6c0a13cf28a3abc /src/catlfish.erl
parent: bdfde9547c151588917fd932ecf74377d3c378c3 (diff)
1 files changed, 12 insertions, 4 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 765a8a6..3956eec 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -200,9 +200,17 @@ known_roots(Directory, CacheUsage) ->
     end.
 
 read_files_and_update_table(Directory) ->
-    L = x509:read_pemfiles_from_dir(Directory),
-    true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, L}),
-    L.
+    Certs = x509:read_pemfiles_from_dir(Directory),
+    Proper = x509:self_signed(Certs),
+    case length(Certs) - length(Proper) of
+        0 -> ok;
+        N -> lager:warning(
+               "Ignoring ~p root certificates not signing themselves properly",
+               [N])
+    end,
+    true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, Proper}),
+    lager:info("Known roots imported: ~p", [length(Proper)]),
+    Proper.
 
 %%%%%%%%%%%%%%%%%%%%
 %% Testing internal functions.
@@ -218,7 +226,7 @@ read_pemfiles_test_() ->
      end,
      fun(_) -> ets:delete(?CACHE_TABLE, ?ROOTS_CACHE_KEY) end,
      fun({L, LCached}) ->
-             [?_assertMatch(7, length(L)),
+             [?_assertMatch(4, length(L)),
               ?_assertEqual(L, LCached)]
      end}.
author	Linus Nordberg <linus@nordberg.se>	2015-02-27 01:51:12 +0100
committer	Linus Nordberg <linus@nordberg.se>	2015-02-27 01:51:12 +0100
commit	85615c8e621aa16026faf07f01bf0ba0776c191f (patch)
tree	32d07b604b17ad4a89471bfeb6c0a13cf28a3abc /src/catlfish.erl
parent	bdfde9547c151588917fd932ecf74377d3c378c3 (diff)