author | Linus Nordberg <linus@nordberg.se> | 2014-10-24 11:07:19 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2014-10-24 11:07:19 +0200 |
commit | 53d252b808a62b2470a28c24a94266c67cae1ecc (patch) | |
tree | 2977175038b0d3f31e7aa029e0137b411eb8f064 /src/v1.erl | |
parent | 5aa3ec1345e15c74efc2f08a146eeb412550d428 (diff) | |
parent | f0b40ee24cb2e95f3ce1a7d06473459f3de2b7d5 (diff) |
Merge branch 'validate-certchain' into staging1
Conflicts:
src/catlfish.erl
Diffstat (limited to 'src/v1.erl')
-rw-r--r-- | src/v1.erl | 16 |
1 files changed, 14 insertions, 2 deletions
@@ -20,7 +20,17 @@ html("add-chain: invalid base64-encoded chain: ", [ChainBase64]); [LeafCert | CertChain] -> - catlfish:add_chain(LeafCert, CertChain); + Roots = catlfish:known_roots(), + case x509:normalise_chain(Roots, [LeafCert|CertChain]) of + {ok, [Leaf | Chain]} -> + io:format("[info] adding ~p~n", + [x509:cert_string(LeafCert)]), + catlfish:add_chain(Leaf, Chain); + {Err, Msg} -> + io:format("[info] rejecting ~p: ~p~n", + [x509:cert_string(LeafCert), Err]), + html("add-chain: ", [Msg, Err]) + end; Invalid -> html("add-chain: chain is not a list: ", [Invalid]) end; @@ -122,7 +132,9 @@ deliver(SessionID, R). 'get-roots'(SessionID, _Env, _Input) -> - R = [{certificates, []}], % NIY. + R = [{certificates, + [base64:encode(Der) || + Der <- catlfish:update_known_roots()]}], deliver(SessionID, binary_to_list(jiffy:encode({R}))). %% Private functions. |
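Review bot: The failure clause `{Err, Msg} ->` in the add-chain hunk matches any two-element tuple, so a result such as `{ok, []}` from `x509:normalise_chain/2` would miss the first clause and be reported as a rejection with `Err` bound to `ok`. The failure shapes of `normalise_chain` are not visible on this page, so this is an inference; if failures are tagged, a guard such as `{Err, Msg} when Err =/= ok ->` keeps the accept/reject decision unambiguous and lets an unexpected result crash with `case_clause` instead of being mislabelled. The response also echoes `Err` and `Msg` to the submitter through `html("add-chain: ", [Msg, Err])`, which deserves a one-line comment confirming those terms carry nothing internal. The enclosing function starts and ends outside the hunk.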
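Review bot: `'get-roots'` calls `catlfish:update_known_roots()` on every request, while the add-chain hunk validates against `catlfish:known_roots()`, so the root list shown to clients and the list chains are checked against come from different calls. Judging by the name only, `update_known_roots` refreshes the root set as a side effect; if so, a read-only endpoint triggers that work per request and the two views can differ between refreshes. Unless the refresh is intended here, `Der <- catlfish:known_roots()]}],` would keep both endpoints on the same set (assuming it returns the same DER list, which this page does not show); otherwise a comment such as `%% get-roots refreshes the root set so clients see the current roots` would record the intent.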