From 352818ea48438383216a783ef9448570b343c29b Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 29 Jan 2020 21:01:48 +0100
Subject: global-functions: $CertificateAvailable: check whole chain

The root certificate is a self-signed certificate. Check for the issue certificate until we find the self-signed one.
---
 global-functions | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/global-functions b/global-functions
index 9c58450..5f80c0b 100644
--- a/global-functions
+++ b/global-functions
@@ -116,6 +116,7 @@
 :local CommonName [ :tostr $1 ];

 :global CertificateDownload;
+ :global ParseKeyValueStore;

 :if ([ / system resource get free-hdd-space ] < 8388608 && \
 [ / certificate settings get crl-download ] = true && \
@@ -127,6 +128,17 @@
 :log info ("Certificate with CommonName \"" . $CommonName . "\" not available.");
 $CertificateDownload $CommonName;
 }
+
+ :local CertVal [ / certificate get [ find where common-name=$CommonName ] ];
+ :local Issuer ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
+ :while ($Issuer != $CertVal->"common-name") do={
+ :if ([ / certificate print count-only where common-name=$Issuer ] = 0) do={
+ :log info ("Certificate chain for \"" . $CommonName . "\" is incomplete, missing \"" . $Issuer . "\".");
+ $CertificateDownload $CommonName;
+ }
+ :set CertVal [ / certificate get [ find where common-name=$Issuer ] ];
+ :set Issuer ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
+ }
 }

 # send notification via e-mail
--
cgit v1.2.3-54-g00ecf
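Review bot: In the second hunk the loop assumes `$CertificateDownload $CommonName` succeeded, because `/ certificate get [ find where common-name=$Issuer ]` runs unconditionally right after it. If the issuer is still absent from the store, `find` returns nothing and, as far as I know, `get` then raises an error that aborts the calling script without any hint about the chain. Re-check after the download and stop explicitly, e.g. `:if ([ / certificate print count-only where common-name=$Issuer ] = 0) do={ :error ("Issuer \"" . $Issuer . "\" still missing."); }`. The walk also links and terminates on the CN alone, so an issuer without a CN, two store entries sharing a CN, or an intermediate whose CN equals its issuer's CN will either break the lookup or end the walk before the real root; matching on key identifiers instead of names (if the RouterOS version exposes them) and capping the number of iterations would make it robust. The enclosing function starts outside the hunk, so its return contract is not visible here.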