From 0aeb7d1de8e50dd0fa92e763ce4c8dd3c172dac8 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Wed, 15 Oct 2014 16:03:25 +0200
Subject: Implement cert chain validation.

NOTE: Presence of and constraints on names are not being validated.
---
 src/v1.erl | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'src/v1.erl')
diff --git a/src/v1.erl b/src/v1.erl
index ba5c456..46b5235 100644
--- a/src/v1.erl
+++ b/src/v1.erl
@@ -22,7 +22,13 @@
 html("add-chain: invalid base64-encoded chain: ", [ChainBase64]);
 [LeafCert | CertChain] ->
- catlfish:add_chain(LeafCert, CertChain);
+ Roots = catlfish:known_roots(),
+ case x509:normalise_chain(Roots, [LeafCert|CertChain]) of
+ {ok, [Leaf | Chain]} ->
+ catlfish:add_chain(Leaf, Chain);
+ {Err, Msg} ->
+ html("add-chain: ", [Msg, Err])
+ end;
 Invalid ->
 html("add-chain: chain is not a list: ", [Invalid])
 end;
@@ -125,7 +131,9 @@
 deliver(SessionID, R).
 'get-roots'(SessionID, _Env, _Input) ->
- R = [{certificates, []}], % NIY.
+ R = [{certificates,
+ [base64:encode(Der) ||
+ Der <- catlfish:update_known_roots()]}],
 deliver(SessionID, binary_to_list(jiffy:encode({R}))).
 %% Private functions.
-- 
cgit v1.1
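Review bot: The failure clause `{Err, Msg} ->` in the new `case` matches any 2-tuple, not just a validation error, so a result such as `{ok, []}` would be reported through `html/2` as if it were an error reason instead of being handled or crashing visibly. Since this branch decides whether a submitted chain is rejected, match the failure shape explicitly, for example `{error, Reason} -> html("add-chain: invalid chain: ", [Reason])`, assuming `x509:normalise_chain/2` returns `{error, _}` on failure (its definition is not in this patch). The values echoed back derive from a client-supplied certificate, so it is worth confirming that `html/2` escapes or length-bounds them. A one-line comment above `Roots = catlfish:known_roots(),` noting that name presence and constraints are not checked here would keep the commit message's caveat next to the code. The enclosing handler starts and ends outside this hunk.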
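Review bot: `'get-roots'` builds its response from `catlfish:update_known_roots()`, while the add-chain path in the first hunk validates against `catlfish:known_roots()`. If `update_known_roots/0` re-reads or replaces the trusted root set, as its name suggests (its body is not shown), then every client request to this read-only handler triggers a refresh of the trust store, which is both a resource-exhaustion risk and an unexpected place for trust state to change. Consider serving the cached set with `Der <- catlfish:known_roots()]}],` and refreshing roots from a controlled path such as startup or an operator action. If the refresh is intentional, a comment on the comprehension saying why would help the next reader.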