wisq/cert_checker.ex

## cert_checker.ex
defmodule CertChecker do
  alias X509.Certificate, as: Cert

  def check_file(file) do
    [cert | chain] = read_pem_file(file)
    check_certs(cert, chain)
  end

  def check_certs(cert, chain) do
    cert_map = chain |> map_by_subject()
    ca_map = cacerts() |> map_by_subject()

    with {:ok, path} <- path_to_ca(cert, cert_map, ca_map) do
      [root_der | _] = path_der = [cert | path] |> Enum.reverse() |> Enum.map(&Cert.to_der/1)

      :public_key.pkix_path_validation(root_der, path_der, verify_fun: {&verify/3, nil})
    end
  end

  defp read_pem_file(file) do
    file
    |> File.read!()
    |> :public_key.pem_decode()
    |> Enum.map(fn {:Certificate, der, :not_encrypted} -> Cert.from_der!(der) end)
  end

  defp cacerts do
    :certifi.cacerts()
    |> Enum.map(&X509.Certificate.from_der!/1)
  end

  defp map_by_subject(certs) do
    Map.new(certs, &{Cert.subject(&1), &1})
  end

  defp path_to_ca(cert, cert_map, ca_map) do
    issuer = Cert.issuer(cert)

    cond do
      ca = Map.get(ca_map, issuer) ->
        {:ok, [ca]}

      next_cert = Map.get(cert_map, issuer) ->
        with {:ok, path} <- path_to_ca(next_cert, cert_map, ca_map) do
          {:ok, [next_cert | path]}
        end

      true ->
        {:error, :no_path_to_ca}
    end
  end

  def verify_debug(cert, msg, state) do
    {common_name(cert), msg} |> IO.inspect()
    verify(cert, msg, state)
  end

  def verify(_, {:bad_cert, _} = reason, _), do: {:fail, reason}
  def verify(_, {:extension, _}, state), do: {:unknown, state}
  def verify(_, :valid, state), do: {:valid, state}
  def verify(_, :valid_peer, state), do: {:valid, state}

  defp common_name(cert) do
    cert
    |> X509.Certificate.subject()
    |> X509.RDNSequence.get_attr("commonName")
  end
end
	defmodule CertChecker do
	alias X509.Certificate, as: Cert

	def check_file(file) do
	[cert \| chain] = read_pem_file(file)
	check_certs(cert, chain)
	end

	def check_certs(cert, chain) do
	cert_map = chain \|> map_by_subject()
	ca_map = cacerts() \|> map_by_subject()

	with {:ok, path} <- path_to_ca(cert, cert_map, ca_map) do
	[root_der \| _] = path_der = [cert \| path] \|> Enum.reverse() \|> Enum.map(&Cert.to_der/1)

	:public_key.pkix_path_validation(root_der, path_der, verify_fun: {&verify/3, nil})
	end
	end

	defp read_pem_file(file) do
	file
	\|> File.read!()
	\|> :public_key.pem_decode()
	\|> Enum.map(fn {:Certificate, der, :not_encrypted} -> Cert.from_der!(der) end)
	end

	defp cacerts do
	:certifi.cacerts()
	\|> Enum.map(&X509.Certificate.from_der!/1)
	end

	defp map_by_subject(certs) do
	Map.new(certs, &{Cert.subject(&1), &1})
	end

	defp path_to_ca(cert, cert_map, ca_map) do
	issuer = Cert.issuer(cert)

	cond do
	ca = Map.get(ca_map, issuer) ->
	{:ok, [ca]}

	next_cert = Map.get(cert_map, issuer) ->
	with {:ok, path} <- path_to_ca(next_cert, cert_map, ca_map) do
	{:ok, [next_cert \| path]}
	end

	true ->
	{:error, :no_path_to_ca}
	end
	end

	def verify_debug(cert, msg, state) do
	{common_name(cert), msg} \|> IO.inspect()
	verify(cert, msg, state)
	end

	def verify(_, {:bad_cert, _} = reason, _), do: {:fail, reason}
	def verify(_, {:extension, _}, state), do: {:unknown, state}
	def verify(_, :valid, state), do: {:valid, state}
	def verify(_, :valid_peer, state), do: {:valid, state}

	defp common_name(cert) do
	cert
	\|> X509.Certificate.subject()
	\|> X509.RDNSequence.get_attr("commonName")
	end
	end