summaryrefslogtreecommitdiff
path: root/src/x509.erl
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordu.net>2015-08-03 16:46:53 +0200
committerLinus Nordberg <linus@nordu.net>2015-08-03 16:46:53 +0200
commit88c9e77bd30d723a02e4cc43ee39be9259f08033 (patch)
treecae89f052a180ffc1cb3a6cb7ad43efa8cd98b88 /src/x509.erl
parentebca07015570694e55c18ff323075d8d5a809a35 (diff)
Always store and return root certificate (closes CATLFISH-55).
Diffstat (limited to 'src/x509.erl')
-rw-r--r--src/x509.erl15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/x509.erl b/src/x509.erl
index 7bbfb8e..279d9b9 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -71,10 +71,9 @@ detox(LeafDer, ChainDer) ->
%% argument is irrelevant.
%%
%% Return {false, Reason} or {true, ListWithRoot}. Note that
-%% ListWithRoot is the empty list when the root of the chain is found
-%% amongst the acceptable root certs. Otherwise it contains exactly
-%% one element, a CA cert from the acceptable root certs signing the
-%% root of the chain.
+%% ListWithRoot allways contain exactly one element -- a CA cert from
+%% first argument (AcceptableRootCerts) signing the root of the
+%% chain. FIXME: Any point in returning this as a list?
normalise_chain(_, _, MaxChainLength) when MaxChainLength =< 0 ->
%% Chain too long.
{false, chain_too_long};
@@ -83,7 +82,7 @@ normalise_chain(AcceptableRootCerts, [TopCert], MaxChainLength) ->
case lists:member(TopCert, AcceptableRootCerts) of
true ->
%% Top cert is part of chain.
- {true, []};
+ {true, [TopCert]};
false when MaxChainLength =< 1 ->
%% Chain too long.
{false, chain_too_long};
@@ -485,14 +484,14 @@ chain_test(C0, C1) ->
%% Chain too long.
?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0], 1)),
%% Root in chain and in trust store.
- ?_assertEqual({true, []}, normalise_chain([C1], [C0, C1], 2)),
+ ?_assertEqual({true, [C1]}, normalise_chain([C1], [C0, C1], 2)),
%% Chain too long.
?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0, C1], 1)),
%% Root not in trust store.
?_assertMatch({false, root_unknown}, normalise_chain([], [C0, C1], 10)),
%% Selfsigned. Actually OK.
- ?_assertMatch({true, []}, normalise_chain([C0], [C0], 10)),
- ?_assertMatch({true, []}, normalise_chain([C0], [C0], 1)),
+ ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 10)),
+ ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 1)),
%% Max chain length 0 is not OK.
?_assertMatch({false, chain_too_long}, normalise_chain([C0], [C0], 0))
].