diff options
author | Linus Nordberg <linus@nordu.net> | 2015-08-03 16:46:53 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2015-08-03 16:46:53 +0200 |
commit | 88c9e77bd30d723a02e4cc43ee39be9259f08033 (patch) | |
tree | cae89f052a180ffc1cb3a6cb7ad43efa8cd98b88 /src/x509.erl | |
parent | ebca07015570694e55c18ff323075d8d5a809a35 (diff) |
Always store and return root certificate (closes CATLFISH-55).
Diffstat (limited to 'src/x509.erl')
-rw-r--r-- | src/x509.erl | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/src/x509.erl b/src/x509.erl index 7bbfb8e..279d9b9 100644 --- a/src/x509.erl +++ b/src/x509.erl @@ -71,10 +71,9 @@ detox(LeafDer, ChainDer) -> %% argument is irrelevant. %% %% Return {false, Reason} or {true, ListWithRoot}. Note that -%% ListWithRoot is the empty list when the root of the chain is found -%% amongst the acceptable root certs. Otherwise it contains exactly -%% one element, a CA cert from the acceptable root certs signing the -%% root of the chain. +%% ListWithRoot allways contain exactly one element -- a CA cert from +%% first argument (AcceptableRootCerts) signing the root of the +%% chain. FIXME: Any point in returning this as a list? normalise_chain(_, _, MaxChainLength) when MaxChainLength =< 0 -> %% Chain too long. {false, chain_too_long}; @@ -83,7 +82,7 @@ normalise_chain(AcceptableRootCerts, [TopCert], MaxChainLength) -> case lists:member(TopCert, AcceptableRootCerts) of true -> %% Top cert is part of chain. - {true, []}; + {true, [TopCert]}; false when MaxChainLength =< 1 -> %% Chain too long. {false, chain_too_long}; @@ -485,14 +484,14 @@ chain_test(C0, C1) -> %% Chain too long. ?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0], 1)), %% Root in chain and in trust store. - ?_assertEqual({true, []}, normalise_chain([C1], [C0, C1], 2)), + ?_assertEqual({true, [C1]}, normalise_chain([C1], [C0, C1], 2)), %% Chain too long. ?_assertMatch({false, chain_too_long}, normalise_chain([C1], [C0, C1], 1)), %% Root not in trust store. ?_assertMatch({false, root_unknown}, normalise_chain([], [C0, C1], 10)), %% Selfsigned. Actually OK. - ?_assertMatch({true, []}, normalise_chain([C0], [C0], 10)), - ?_assertMatch({true, []}, normalise_chain([C0], [C0], 1)), + ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 10)), + ?_assertMatch({true, [C0]}, normalise_chain([C0], [C0], 1)), %% Max chain length 0 is not OK. ?_assertMatch({false, chain_too_long}, normalise_chain([C0], [C0], 0)) ]. |