Implement cert chain validation.

NOTE: Presence of and constraints on names are not being validated.
author: Linus Nordberg <linus@nordberg.se> 2014-10-15 16:03:25 +0200
committer: Linus Nordberg <linus@nordberg.se> 2014-10-22 22:08:24 +0200
commit: 62376e9dc1596160982a5eafbfb4cda7884613ab (patch)
tree: 618c98926d570087b825e96abc850a15de877651 /src/v1.erl
parent: 92d8435250a9d8d498e129f91e64045bfd30e7b9 (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/src/v1.erl b/src/v1.erl
index ba5c456..46b5235 100644
--- a/src/v1.erl
+++ b/src/v1.erl
@@ -22,7 +22,13 @@
                         html("add-chain: invalid base64-encoded chain: ",
                              [ChainBase64]);
                     [LeafCert | CertChain] ->
-                        catlfish:add_chain(LeafCert, CertChain);
+                        Roots = catlfish:known_roots(),
+                        case x509:normalise_chain(Roots, [LeafCert|CertChain]) of
+                            {ok, [Leaf | Chain]} ->
+                                catlfish:add_chain(Leaf, Chain);
+                            {Err, Msg} ->
+                                html("add-chain: ", [Msg, Err])
+                        end;
                     Invalid ->
                         html("add-chain: chain is not a list: ", [Invalid])
                 end;
@@ -125,7 +131,9 @@
     deliver(SessionID, R).
 
 'get-roots'(SessionID, _Env, _Input) ->
-    R = [{certificates, []}],                   % NIY.
+    R = [{certificates,
+          [base64:encode(Der) ||
+              Der <- catlfish:update_known_roots()]}],
     deliver(SessionID, binary_to_list(jiffy:encode({R}))).
 
 %% Private functions.
author	Linus Nordberg <linus@nordberg.se>	2014-10-15 16:03:25 +0200
committer	Linus Nordberg <linus@nordberg.se>	2014-10-22 22:08:24 +0200
commit	62376e9dc1596160982a5eafbfb4cda7884613ab (patch)
tree	618c98926d570087b825e96abc850a15de877651 /src/v1.erl
parent	92d8435250a9d8d498e129f91e64045bfd30e7b9 (diff)