From 85615c8e621aa16026faf07f01bf0ba0776c191f Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 27 Feb 2015 01:51:12 +0100
Subject: Verify that known roots are indeed signing themselves. This filters out certificates with signing algorithms that we can't handle. Also, make unit tests better.
---
 src/catlfish.erl | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'src/catlfish.erl')
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 765a8a6..3956eec 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -200,9 +200,17 @@ known_roots(Directory, CacheUsage) ->
 end.
 
 read_files_and_update_table(Directory) ->
- L = x509:read_pemfiles_from_dir(Directory),
- true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, L}),
- L.
+ Certs = x509:read_pemfiles_from_dir(Directory),
+ Proper = x509:self_signed(Certs),
+ case length(Certs) - length(Proper) of
+ 0 -> ok;
+ N -> lager:warning(
+ "Ignoring ~p root certificates not signing themselves properly",
+ [N])
+ end,
+ true = ets:insert(?CACHE_TABLE, {?ROOTS_CACHE_KEY, Proper}),
+ lager:info("Known roots imported: ~p", [length(Proper)]),
+ Proper.
 
 %%%%%%%%%%%%%%%%%%%%
 %% Testing internal functions.
@@ -218,7 +226,7 @@ read_pemfiles_test_() ->
 end,
 fun(_) -> ets:delete(?CACHE_TABLE, ?ROOTS_CACHE_KEY) end,
 fun({L, LCached}) ->
- [?_assertMatch(7, length(L)),
+ [?_assertMatch(4, length(L)),
 ?_assertEqual(L, LCached)]
 end}.
 
-- 
cgit v1.1
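Review bot: The warning in read_files_and_update_table reports only how many roots were dropped, so an operator cannot tell which trust anchor was ignored, or whether the cause was an unsupported signature algorithm, a corrupted file or a non-root certificate placed in the directory. Because the filtered list is what gets cached as the accepted root set, I would log one line per rejected certificate, taken from `Certs -- Proper`, with an identifier such as `crypto:hash(sha256, Cert)` (assuming the list elements are DER binaries, which the hunk does not show). An empty `Proper` deserves more than the `lager:info` line, since an empty cached root set presumably makes every chain validation fail. A short comment above `Proper = x509:self_signed(Certs),` saying that the check is a sanity and algorithm-support filter, and that trust still comes from the operator-controlled directory, would keep the next reader from treating self-signature as a trust decision.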
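Review bot: The updated expectation `?_assertMatch(4, length(L))` pins only the number of surviving roots, so the test would still pass if `x509:self_signed/1` kept the wrong four certificates. Unless the x509 module's own tests cover this (this page is limited to src/catlfish.erl), add an assertion that names which fixture certificates are rejected. For a plain integer comparison `?_assertEqual(4, length(L))` also gives a clearer failure message than a match on a literal. The body of read_pemfiles_test_ and its fixture setup start outside the hunk, so the exact form depends on what the setup returns.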