Add support for chained certificates

lib/trento/infrastructure/software_updates/adapter/suma_http_executor.ex

@@ -80,6 +80,16 @@ defmodule Trento.Infrastructure.SoftwareUpdates.Suma.HttpExecutor do
     )
   end
 
+  def get_cert_der(ca_cert) do
+    ca_cert
+    |> :public_key.pem_decode()
+    |> Enum.map(&:public_key.pem_entry_decode/1)
+    |> Enum.map(&split_type_and_entry/1)
+    |> Enum.map(fn {ans1_type, ans1_entry} ->
+      :public_key.der_encode(ans1_type, ans1_entry)
+    end)
+  end
+
   defp request_options(auth, ca_cert),
     do: [hackney: [cookie: [auth]]] ++ ssl_options(ca_cert) ++ timeout_options()
 
@@ -88,20 +98,9 @@ defmodule Trento.Infrastructure.SoftwareUpdates.Suma.HttpExecutor do
   defp ssl_options(nil), do: []
 
   defp ssl_options(ca_cert),
-    do: [ssl: [verify: :verify_peer, cacerts: [get_cert_der(ca_cert)]]]
-
-  def get_cert_der(ca_cert) do
-    {cert_type, cert_entry} =
-      ca_cert
-      |> :public_key.pem_decode()
-      |> hd()
-      |> :public_key.pem_entry_decode()
-      |> split_type_and_entry()
-
-    :public_key.der_encode(cert_type, cert_entry)
-  end
+    do: [ssl: [verify: :verify_peer, cacerts: get_cert_der(ca_cert)]]
 
-  def split_type_and_entry(ans1_entry) do
+  defp split_type_and_entry(ans1_entry) do
     ans1_type = elem(ans1_entry, 0)
     {ans1_type, ans1_entry}
   end

test/fixtures/cert/one_entry_chain.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICYjCCAcugAwIBAgIJAIwkDNqe2UDmMA0GCSqGSIb3DQEBCwUAMD8xHzAdBgNV
+BAoMFkVsaXhpci5YNTA5LlRlc3QuU3VpdGUxHDAaBgNVBAMME0FsdGVybmF0aXZl
+IFJvb3QgQ0EwHhcNMjQxMTA3MTU0MDAxWhcNNDkxMTA3MTU0NTAxWjA/MR8wHQYD
+VQQKDBZFbGl4aXIuWDUwOS5UZXN0LlN1aXRlMRwwGgYDVQQDDBNBbHRlcm5hdGl2
+ZSBSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzUGvVZbiIJQLE
+7PFhyNfsLYtxPouyijxx3MoAWjmDbdSdrBVNk2OaFC3hZLrR6Q9a+vUSVNaQqDVK
+3FdmsAsHr1Qv7aPH/5beVnLiIOcZ44Er6bDQnE2m9zd9JWjF0K6/11AIQj7bNlic
+IUejsCohFhMFyoAS3Fxs5tkhsnQW8wIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAYYw
+HQYDVR0OBBYEFPTCoPvRToC6zHTW4NddG+a/Ow24MB8GA1UdIwQYMBaAFPTCoPvR
+ToC6zHTW4NddG+a/Ow24MBIGA1UdEwEB/wQIMAYBAf8CAQIwDQYJKoZIhvcNAQEL
+BQADgYEAOtFdLegvhFqoeVNHvPjOkB6Wlf9XYjAZDB4SssFiIDkGCx2OI/TlICur
+Mw3C0yysBWSSSOB7xonpJadf5wbumARAir4xG0YtTi9prFkatdtMtQ0nIEyVXh0G
+WD00Yp7OS6SdEbcQ6bCzuc0wmburb+KOPQJ4/h67sCG9lXprc7s=
+-----END CERTIFICATE-----
+

test/fixtures/cert/three_entries_chain.pem

@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIICczCCAdygAwIBAgIJALR2PyifzHdYMA0GCSqGSIb3DQEBCwUAMDMxHzAdBgNV
+BAoMFkVsaXhpci5YNTA5LlRlc3QuU3VpdGUxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MjQxMTA3MTU0MDAxWhcNMzQxMTA3MTU0NTAxWjA7MR8wHQYDVQQKDBZFbGl4aXIu
+WDUwOS5UZXN0LlN1aXRlMRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALf/GcAKFCZvd3a7BAvPsT2hPYfCFfj33tWt
+6J/tw1mMpZL6v0JySEvv7TgKlgCskV6TnYTKwFfrTaeeimrjdNtoRSjsbwJzeGTS
+1zmwq+I7d6yZRh3bqaVELdufmB56kj15f2OXAuoTI3gBw63IWu4d5+7aUIYXsH5/
+h5TZ55ThAgMBAAGjgYYwgYMwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRd
+7IOGY9dvei7xBJTUDjKhcvJ5zzAfBgNVHSMEGDAWgBQtUjdaTs6vVmmbR9NpeTdg
+WzcAFDANBgkqhkiG9w0BAQsFAAOBgQC/XwlIJUVbx0P7ZxEkXRIHfOp9TBvFmDLz
+vqddCAv8Sat4bSaUAYEdqzLpa9GUGJOR4teXasoyKMt9NKBgbX8Q4GiVlJp2fHXt
+FmB0lThaSNXM0RdPdQCyLnFY4h3nxTP3rnyviCFRvz+wGPBvR8m+8qeRq4txTEBm
+J2Ag8E66CA==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICdjCCAd+gAwIBAgIIGs3fLTuZTtIwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UE
+CgwWRWxpeGlyLlg1MDkuVGVzdC5TdWl0ZTEcMBoGA1UEAwwTQWx0ZXJuYXRpdmUg
+Um9vdCBDQTAeFw0yNDExMDcxNTQwMDFaFw0zNDExMDcxNTQ1MDFaMDMxHzAdBgNV
+BAoMFkVsaXhpci5YNTA5LlRlc3QuU3VpdGUxEDAOBgNVBAMMB1Jvb3QgQ0EwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRlfoVELK6E9eZ7GI0D+45BfQjEixG1
+cmPX1xqeFmR4Mr+yeNSdmpW0tcZO8mx/Vd0RaQiVszkmwr+FUSkzIouunsxPU8Hn
+nTc6dUM+7EjY86MppZBE5NEL/9pGunsBIlSx7PZjvK5FuYcsDtVK87hOJjCASRUa
+9YaodaIUmZzbAgMBAAGjgYYwgYMwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQULVI3Wk7Or1Zpm0fTaXk3YFs3
+ABQwHwYDVR0jBBgwFoAU9MKg+9FOgLrMdNbg110b5r87DbgwEgYDVR0TAQH/BAgw
+BgEB/wIBATANBgkqhkiG9w0BAQsFAAOBgQBF4is4DqvGpVQhwfa53tRkk0WHPoCX
+Laslw7qFRKxop9/0tGOCz6gBvra2os5VqJhYCf+0rsFLmOX05Lm107PZwIfjkLwI
+zi3WVU+mVIBFPBI/EwwHZ/yOtF/w5x8+sxXpGz5Zj1idBHZpbwiKK+2a2Jebmy8b
+5N0Dl4AYIXqYhA==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICYjCCAcugAwIBAgIJAIwkDNqe2UDmMA0GCSqGSIb3DQEBCwUAMD8xHzAdBgNV
+BAoMFkVsaXhpci5YNTA5LlRlc3QuU3VpdGUxHDAaBgNVBAMME0FsdGVybmF0aXZl
+IFJvb3QgQ0EwHhcNMjQxMTA3MTU0MDAxWhcNNDkxMTA3MTU0NTAxWjA/MR8wHQYD
+VQQKDBZFbGl4aXIuWDUwOS5UZXN0LlN1aXRlMRwwGgYDVQQDDBNBbHRlcm5hdGl2
+ZSBSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzUGvVZbiIJQLE
+7PFhyNfsLYtxPouyijxx3MoAWjmDbdSdrBVNk2OaFC3hZLrR6Q9a+vUSVNaQqDVK
+3FdmsAsHr1Qv7aPH/5beVnLiIOcZ44Er6bDQnE2m9zd9JWjF0K6/11AIQj7bNlic
+IUejsCohFhMFyoAS3Fxs5tkhsnQW8wIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAYYw
+HQYDVR0OBBYEFPTCoPvRToC6zHTW4NddG+a/Ow24MB8GA1UdIwQYMBaAFPTCoPvR
+ToC6zHTW4NddG+a/Ow24MBIGA1UdEwEB/wQIMAYBAf8CAQIwDQYJKoZIhvcNAQEL
+BQADgYEAOtFdLegvhFqoeVNHvPjOkB6Wlf9XYjAZDB4SssFiIDkGCx2OI/TlICur
+Mw3C0yysBWSSSOB7xonpJadf5wbumARAir4xG0YtTi9prFkatdtMtQ0nIEyVXh0G
+WD00Yp7OS6SdEbcQ6bCzuc0wmburb+KOPQJ4/h67sCG9lXprc7s=
+-----END CERTIFICATE-----

test/fixtures/cert/two_entries_chain.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIICSTCCAbKgAwIBAgIIaNZzHCfEcPQwDQYJKoZIhvcNAQELBQAwMzEfMB0GA1UE
+CgwWRWxpeGlyLlg1MDkuVGVzdC5TdWl0ZTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0y
+NDExMDcxNTQwMDFaFw00OTExMDcxNTQ1MDFaMDMxHzAdBgNVBAoMFkVsaXhpci5Y
+NTA5LlRlc3QuU3VpdGUxEDAOBgNVBAMMB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANRlfoVELK6E9eZ7GI0D+45BfQjEixG1cmPX1xqeFmR4Mr+y
+eNSdmpW0tcZO8mx/Vd0RaQiVszkmwr+FUSkzIouunsxPU8HnnTc6dUM+7EjY86Mp
+pZBE5NEL/9pGunsBIlSx7PZjvK5FuYcsDtVK87hOJjCASRUa9YaodaIUmZzbAgMB
+AAGjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgGGMB0GA1Ud
+DgQWBBQtUjdaTs6vVmmbR9NpeTdgWzcAFDAfBgNVHSMEGDAWgBQtUjdaTs6vVmmb
+R9NpeTdgWzcAFDANBgkqhkiG9w0BAQsFAAOBgQCudruo0hLXFayy3vJKJkzSMmqr
+2QpfbK2belUu34l9xUfU/m3ueQdcTJysueDXQHz4bsEw2cOEAoCeeXHv04j+k9rX
+Qqy3DMN01Z1L2XhBRK4G5vYXdDhOSatAfTWzH9mQeks12SNxjivVi/gZ9ucuFLfT
+HtqiiVqmOiFSs7Du6A==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIICczCCAdygAwIBAgIJALR2PyifzHdYMA0GCSqGSIb3DQEBCwUAMDMxHzAdBgNV
+BAoMFkVsaXhpci5YNTA5LlRlc3QuU3VpdGUxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MjQxMTA3MTU0MDAxWhcNMzQxMTA3MTU0NTAxWjA7MR8wHQYDVQQKDBZFbGl4aXIu
+WDUwOS5UZXN0LlN1aXRlMRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUgQ0EwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBALf/GcAKFCZvd3a7BAvPsT2hPYfCFfj33tWt
+6J/tw1mMpZL6v0JySEvv7TgKlgCskV6TnYTKwFfrTaeeimrjdNtoRSjsbwJzeGTS
+1zmwq+I7d6yZRh3bqaVELdufmB56kj15f2OXAuoTI3gBw63IWu4d5+7aUIYXsH5/
+h5TZ55ThAgMBAAGjgYYwgYMwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRd
+7IOGY9dvei7xBJTUDjKhcvJ5zzAfBgNVHSMEGDAWgBQtUjdaTs6vVmmbR9NpeTdg
+WzcAFDANBgkqhkiG9w0BAQsFAAOBgQC/XwlIJUVbx0P7ZxEkXRIHfOp9TBvFmDLz
+vqddCAv8Sat4bSaUAYEdqzLpa9GUGJOR4teXasoyKMt9NKBgbX8Q4GiVlJp2fHXt
+FmB0lThaSNXM0RdPdQCyLnFY4h3nxTP3rnyviCFRvz+wGPBvR8m+8qeRq4txTEBm
+J2Ag8E66CA==
+-----END CERTIFICATE-----
+

test/trento/infrastructure/software_updates/adapter/suma_http_executor_test.exs

@@ -0,0 +1,30 @@
+defmodule Trento.Infrastructure.SoftwareUpdates.Adapter.SumaHttpExecutorTest do
+  @moduledoc false
+
+  use ExUnit.Case
+
+  alias Trento.Infrastructure.SoftwareUpdates.Suma.HttpExecutor
+
+  def load_certificate_content(name) do
+    File.cwd!()
+    |> Path.join("/test/fixtures/cert")
+    |> Path.join(name)
+    |> File.read!()
+  end
+
+  describe "Http executor certificate handling" do
+    test "should support chained certificates" do
+      scenarios = [
+        %{cert: "one_entry_chain.pem", expected_entries: 1},
+        %{cert: "two_entries_chain.pem", expected_entries: 2},
+        %{cert: "three_entries_chain.pem", expected_entries: 3}
+      ]
+
+      for %{cert: cert, expected_entries: expected_entries} <- scenarios do
+        cert_content = load_certificate_content(cert)
+        cert_der = HttpExecutor.get_cert_der(cert_content)
+        assert length(cert_der) == expected_entries
+      end
+    end
+  end
+end