Implement cert chain validation.

NOTE: Presence of and constraints on names are not being validated.
author: Linus Nordberg <linus@nordberg.se> 2014-10-15 16:03:25 +0200
committer: Linus Nordberg <linus@nordberg.se> 2014-10-22 16:20:21 +0200
commit: 0aeb7d1de8e50dd0fa92e763ce4c8dd3c172dac8 (patch)
tree: d9a0087c57415c4dcb95bf472c124bcf4526d1e6 /src/v1.erl
parent: f3f35b9a4140830e97b5382bc22fc2e78be7124b (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/src/v1.erl b/src/v1.erl
index ba5c456..46b5235 100644
--- a/src/v1.erl
+++ b/src/v1.erl
@@ -22,7 +22,13 @@
                         html("add-chain: invalid base64-encoded chain: ",
                              [ChainBase64]);
                     [LeafCert | CertChain] ->
-                        catlfish:add_chain(LeafCert, CertChain);
+                        Roots = catlfish:known_roots(),
+                        case x509:normalise_chain(Roots, [LeafCert|CertChain]) of
+                            {ok, [Leaf | Chain]} ->
+                                catlfish:add_chain(Leaf, Chain);
+                            {Err, Msg} ->
+                                html("add-chain: ", [Msg, Err])
+                        end;
                     Invalid ->
                         html("add-chain: chain is not a list: ", [Invalid])
                 end;
@@ -125,7 +131,9 @@
     deliver(SessionID, R).
 
 'get-roots'(SessionID, _Env, _Input) ->
-    R = [{certificates, []}],                   % NIY.
+    R = [{certificates,
+          [base64:encode(Der) ||
+              Der <- catlfish:update_known_roots()]}],
     deliver(SessionID, binary_to_list(jiffy:encode({R}))).
 
 %% Private functions.
author	Linus Nordberg <linus@nordberg.se>	2014-10-15 16:03:25 +0200
committer	Linus Nordberg <linus@nordberg.se>	2014-10-22 16:20:21 +0200
commit	0aeb7d1de8e50dd0fa92e763ce4c8dd3c172dac8 (patch)
tree	d9a0087c57415c4dcb95bf472c124bcf4526d1e6 /src/v1.erl
parent	f3f35b9a4140830e97b5382bc22fc2e78be7124b (diff)