documentaiton tweeks

1 files changed, 8 insertions, 7 deletions

diff --git a/TLSA.hs b/TLSA.hs
index 7fb66dc..01c9a09 100644
--- a/TLSA.hs
+++ b/TLSA.hs
@@ -237,13 +237,13 @@ data IssuanceTest = IssuanceTest
     -- supplied via a 'TLSA' record but not otherwise present in the chain.
     }
 
--- | Use the the given set of 'TLSA' records to validate, or paritally validate
--- a certificate, given a list of other probably relevent certificates. Results
+-- | Use the the given set of 'TLSA' records to validate or paritally validate
+-- a certificate given a list of other probably relevent certificates. Results
 -- are interpreted as follows:
 --
---   [@ Nothing   @] The certificate passed validation.
+--   [@ Nothing   @] The certificate PASSED validation.
 --
---   [@ Just \[\] @] Failed validation.
+--   [@ Just \[\] @] The certificate FAILED validation.
 --
 --   [@ Just xss  @] A set of certificate issued-by chains.  If you trust any
 --                   certificate in any of these chains, you may consider the
@@ -252,11 +252,12 @@ data IssuanceTest = IssuanceTest
 validate :: IssuanceTest -> [TLSA] -> SignedCertificate -> [SignedCertificate]
          -> Maybe [[SignedCertificate]]
 validate (IssuanceTest isIssuedBy isSignedBy) rs cert chain
-    | not (null domainIssued) = Nothing
-    | any hasAnchor chains    = Nothing
+    | domainIssued         = Nothing
+    | any hasAnchor chains = Nothing
+    | null rs              = Just $ (certv !) .: chains
     | otherwise = Just $ (certv !) .: filter satisfiesConstraints chains
  where
-    domainIssued = filter (`match` cert) daneEEs
+    domainIssued = any (`match` cert) daneEEs
 
     threshold = length chain