Merge branch 'release/1.9.0'

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
       matrix:
         otp_vsn: [22.0, 22.1, 22.2, 22.3,
                   23.0, 23.1, 23.2, 23.3,
-                  24]
+                  24.0]
         os: [ubuntu-latest]
     steps:
       - uses: actions/checkout@v2

.github/workflows/hardcoded-authorities-updater.sh

@@ -28,12 +28,12 @@ if git branch -a | grep "${BRANCH}" >/dev/null; then
     exit
 fi
 
-ORIGIN=origin
+REMOTE=origin
 PR_TITLE="Update bundled CAs to latest as of $DATE"
 git checkout -b "$BRANCH"
 git add .
 git commit -a -m "${PR_TITLE}"
-git push "$ORIGIN" "$BRANCH"
+git push "$REMOTE" "$BRANCH"
 
 PR_LABEL="hardcoded authorities update"
 if ! gh pr list --state open --label "$PR_LABEL" | grep "${PR_TITLE}" >/dev/null; then

.gitignore

@@ -17,3 +17,4 @@ _build
 .idea
 *.iml
 rebar3.crashdump
+/doc/

CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [1.9.0] - 2021-09-03
+
+### Added
+
+- test coverage of certificates yet-to-be valid
+- test coverage of misordered certificate chains
+
+### Changed
+
+- **partial chain validation to prepare for
+[DST Root CA X3 expiration](https://blog.voltone.net/post/30)**
+- documentation from edoc to ExDoc
+
+### Removed
+
+- dependency on badssl.com for important test cases
+
 ## [1.8.0] - 2021-08-31
 
 ### Added

Makefile

@@ -62,16 +62,7 @@ shell:
 	@$(REBAR3) as development shell
 
 doc: $(REBAR3)
-	@$(REBAR3) edoc
-
-README.md: doc
-	# non-portable dirty hack follows (pandoc 2.11.0.4 used)
-	# gfm: "github-flavoured markdown"
-	@pandoc --from html --to gfm doc/overview-summary.html -o README.md
-	@tail -n +11 <"README.md"   >"README.md_"
-	@head -n -12 <"README.md_"  >"README.md"
-	@tail -n  2  <"README.md_" >>"README.md"
-	@rm "README.md_"
+	./support/scripts/generate_docs.sh
 
 publish: $(REBAR3)
 	@$(REBAR3) hex publish

README.md

@@ -31,7 +31,7 @@ rebar.config
 ``` erlang
 {deps,
  [% [...]
-  {tls_certificate_check, "~> 1.7"}
+  {tls_certificate_check, "~> 1.9"}
   ]}.
 ```
 
@@ -64,7 +64,7 @@ mix.exs
   defp deps do
     [
       # [...]
-      {:tls_certificate_check, "~> 1.7"}
+      {:tls_certificate_check, "~> 1.9"}
     ]
   end
 ```
@@ -111,7 +111,3 @@ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
------
-
-*Generated by EDoc*

rebar.config

@@ -8,7 +8,11 @@
   warn_unused_import,
   warnings_as_errors,
   {platform_define, "^2[3-9]", 'HARDCODED_AUTHORITIES_UPDATER_SUPPORTED'},
-  {platform_define, "^[3-9]",  'HARDCODED_AUTHORITIES_UPDATER_SUPPORTED'}
+  {platform_define, "^[3-9]",  'HARDCODED_AUTHORITIES_UPDATER_SUPPORTED'},
+  {platform_define, "^22\\.",            'EXPIRED_CAs_ARE_CONSIDERED_VALID'},
+  {platform_define, "^23\\.[0-2][^0-9]", 'EXPIRED_CAs_ARE_CONSIDERED_VALID'},
+  {platform_define, "^22\\.",            'FLAKY_CROSS_SIGNING_VALIDATION'},
+  {platform_define, "^23\\.[0-1][^0-9]", 'FLAKY_CROSS_SIGNING_VALIDATION'}
  ]}.
 
 {minimum_otp_vsn, "22.0"}.
@@ -72,7 +76,14 @@
      ]},
     {escript_name, "tls_certificate_check_hardcoded_authorities_updater"},
     {escript_emu_args, "%%! -noinput\n"}
-   ]}
+   ]},
+
+   {docs,
+    [{edoc_opts, [{preprocess, true},
+                  {doclet, edoc_doclet_chunks},
+                  {layout, edoc_layout_chunks},
+                  {dir, "_build/default/lib/tls_certificate_check/doc"}]}
+    ]}
  ]}.
 
 {edoc_opts,

src/tls_certificate_check.erl

@@ -18,6 +18,7 @@
 %% FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 %% DEALINGS IN THE SOFTWARE.
 
+%% @doc Main API
 -module(tls_certificate_check).
 
 -ifdef(TEST).
@@ -83,9 +84,8 @@ options(Target) ->
             [{verify, verify_peer},
              {depth, ?DEFAULT_MAX_CERTIFICATE_CHAIN_DEPTH},
              {cacerts, CAs},
-             {partial_chain,
-                fun tls_certificate_check_shared_state:find_trusted_authority/1},
-             {verify_fun, CertificateVerificationFun}
+             {verify_fun, CertificateVerificationFun},
+             {partial_chain, fun tls_certificate_check_shared_state:find_trusted_authority/1}
              | HostnameCheckOptions]
     catch
         http_target ->
@@ -129,4 +129,22 @@ trusted_authorities_is_exported_test() ->
     {ok, _} = application:ensure_all_started(tls_certificate_check),
     ?assertMatch([_|_], ?MODULE:trusted_authorities()).
 
+http_target_test() ->
+    {ok, _} = application:ensure_all_started(tls_certificate_check),
+    ?assertEqual([], ?MODULE:options("http://example.com/")).
+
+https_target_test() ->
+    {ok, _} = application:ensure_all_started(tls_certificate_check),
+    ?assertMatch([_|_], ?MODULE:options("https://example.com/")).
+
+generic_tls_target_test() ->
+    {ok, _} = application:ensure_all_started(tls_certificate_check),
+    ?assertMatch([_|_], ?MODULE:options("example.com")).
+
+https_and_generic_tls_targets_equivalence_test() ->
+    ?assertEqual(
+       ?MODULE:options("example.com"),
+       ?MODULE:options("https://example.com/")
+      ).
+
 -endif. % -ifdef(TEST).