Diffstat (limited to 'src/x509.erl')
-rw-r--r--src/x509.erl24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/x509.erl b/src/x509.erl
index a784354..5a96a29 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -2,7 +2,7 @@
%%% See LICENSE for licensing information.
-module(x509).
--export([normalise_chain/2, cert_string/1]).
+-export([normalise_chain/2, cert_string/1, valid_cert_p/1]).
-include_lib("public_key/include/public_key.hrl").
@@ -73,8 +73,9 @@ signed_by_p(Cert, IssuerCert) ->
%% FIXME: Validate presence and contents (against constraints) of
%% names (subject, subjectAltName, emailAddress) too?
case (catch public_key:pkix_is_issuer(Cert, IssuerCert)) of
- {'EXIT', _Reason} ->
- %% Invalid ASN.1.
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Cert)), Reason]),
{false, encoding_invalid};
true ->
%% Cert.issuer does match IssuerCert.subject. Now verify
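Review bot: The fingerprint on the new log line re-derives what cert_string/1 later in this file already computes from the same SHA-1 of the DER, so `[cert_string(Cert), Reason]` would keep one fingerprint format across the module and avoid a second hashing path. crypto:hash/2 only accepts iodata, and pkix_is_issuer/2 accepts both DER and an already-decoded #'OTPCertificate'{}; if any caller of signed_by_p passes the decoded form, the log call itself raises badarg inside the error branch and turns a handled decode failure into a crash, which is worth confirming against the callers since signed_by_p's head is outside this hunk. The Reason bound from the old-style `catch` is the full `{Error, Stacktrace}` term, so if this path is reached for externally submitted certificates, logging it at info with `~p` can be noisy; logging just the error class at debug level may be enough here.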
@@ -101,6 +102,23 @@ cert_string(Der) ->
lists:flatten([io_lib:format("~2.16.0B", [X]) ||
X <- binary_to_list(crypto:hash(sha, Der))]).
+valid_cert_p(Der) ->
+ %% Use the customized ASN.1 specification "OTP-PKIX.asn1" since
+ %% that's what's required for public_key functions we're using
+ %% (pkix_verify, public_key:pkix_is_issuer).
+ case (catch public_key:pkix_decode_cert(Der, otp)) of
+ #'OTPCertificate'{} ->
+ true;
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Reason]),
+ false;
+ Unknown ->
+ lager:info("unknown error decoding cert: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Unknown]),
+ false
+ end.
+
%%%%%%%%%%%%%%%%%%%%
%% Precertificates according to draft-ietf-trans-rfc6962-bis-04.
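Review bot: valid_cert_p/1 only establishes that Der decodes into an #'OTPCertificate'{}; no signature, validity-period, key-usage or chain checks happen here, and the name and export make it easy for a caller to read `true` as "the certificate is valid". A comment stating the contract would prevent that: `%% True iff Der parses as a DER certificate under the OTP-PKIX ASN.1 spec. This is a decodability check only; signature, validity and chain constraints are not verified here.` The fingerprint also duplicates cert_string/1 two lines above, so `[cert_string(Der), Reason]` would keep one fingerprint format and drop the mochihex call from this path. As with the signed_by_p change, the `{'EXIT', Reason}` term from `catch` carries a stacktrace, so if this is called on externally submitted certificates consider debug level or logging only the error class. The hunk's trailing context may extend one line past what is shown.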