From d3b5c1eebb57b492e1b52b5a1111a1fd9bb8b3c6 Mon Sep 17 00:00:00 2001
From: joe
Date: Tue, 20 May 2014 20:47:28 -0400
Subject: export certOrKey
---
 TLSA.hs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'TLSA.hs')
diff --git a/TLSA.hs b/TLSA.hs
index 8bc4203..3224397 100644
--- a/TLSA.hs
+++ b/TLSA.hs
@@ -7,6 +7,7 @@ module TLSA
 , fromByteString
 , toByteString
 , match
+ , certOrKey
 , IssuanceTest(..)
 , validate
 ) where
@@ -40,7 +41,7 @@ toWord8 = toEnum . fromEnum

 -- | The Certificate Usage Field as described in RFC 6698, section 2.1.1.
 --
--- It is used by the 'validate' function in making a 'Validation' decision.
+-- It is used by the 'validate' function in making a validation decision.
 data CertUsage

 -- | This is usage value 0 in RFC 6698. Any CA certificate that 'match'es
@@ -233,7 +234,8 @@ data IssuanceTest = IssuanceTest
 -- ^ This is used to validate a single link in a certificate chain.
 , isSignedBy :: SignedCertificate -> PubKey -> Bool
 -- ^ This is used to check signatures for trust anchor keys that are
- -- supplied via a 'TLSA' record but not otherwise present in the input.
+ -- obtained from a 'TLSA' using 'certOrKey' but are not otherwise present
+ -- in the input.
 }

 -- | Use the the given set of 'TLSA' records to validate or paritally validate
@@ -314,6 +316,8 @@ pairings op = loop
 [] -> (m,[]):loop ms cs
 (as,b:bs):_ -> (m,[b]):loop ms (as++bs)

+-- | If a 'SignedCertificate' or a 'PubKey' is embedded in the 'TLSA' record
+-- (i.e. 'matchingType' = 'Match_Exact'), then extract it.
 certOrKey :: TLSA -> Maybe (Either PubKey SignedCertificate)
 certOrKey tlsa@(matchingType->Match_Exact) =
 case selector tlsa of
--
cgit v1.2.3
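Review bot: The new Haddock on `certOrKey` in the last hunk does not say how far the returned key or certificate can be trusted, and the first hunk makes the function part of the public API. The value is taken directly from the record's own data, so it is only as authentic as the DNS answer that carried it; RFC 6698 only permits acting on TLSA records whose DNSSEC validation state is secure. I would add a line such as `-- The result is only as trustworthy as the record: use it as a trust anchor only if the 'TLSA' came from a DNSSEC-validated response.` The comment should also state which selector yields `Left` and which `Right`, and when `Nothing` is returned (a non-exact matching type, and presumably data that fails to decode). The body of `certOrKey` continues past the end of the hunk, so those cases cannot be confirmed from here.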