aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Thompson <[email protected]>2014-02-08 00:58:11 -0500
committerHans Nilsson <[email protected]>2014-03-26 10:13:55 +0100
commit9756dcd97cd819c9b2d64c35dd36550f99600e92 (patch)
tree1f7a8f1eabe71993442963c4530e8c96579ccb06
parent8991663e33313233fed9cb7b0149baec1aa32b3f (diff)
downloadotp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.gz
otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.bz2
otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.zip
Rework IDP validation according to the RFC, fix public_key tests
-rw-r--r--lib/public_key/src/pubkey_cert.erl4
-rw-r--r--lib/public_key/src/pubkey_crl.erl14
-rw-r--r--lib/ssl/test/make_certs.erl4
-rw-r--r--lib/ssl/test/ssl_crl_SUITE.erl31
4 files changed, 27 insertions, 26 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 07469e342f..6272fae91b 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -343,8 +343,8 @@ match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
case split_uri(URI) of
incomplete ->
false;
- {_, _, _Host, _, _} ->
- match_name(fun is_valid_host_or_domain/2, URI,
+ {_, _, Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, Host,
PermittedName, Rest)
end;
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
ok;
verify_dp_name(IDPNames, DPorIssuerNames) ->
- case match_one(DPorIssuerNames, IDPNames) of
- true ->
- ok;
- false ->
- throw({bad_crl, scope_error})
+ %% RFC 5280 section 5.2.5
+ %% Check that at least one IssuingDistributionPointName in the CRL lines up
+ %% with a DistributionPointName in the certificate.
+ Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+ case Matches of
+ [] ->
+ throw({bad_crl, scope_error});
+ _ ->
+ ok
end.
match_one([], _) ->
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 2b4eaaef53..c438ae2b87 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -410,7 +410,6 @@ ca_cnf(C) ->
"[idpsec]\n"
"fullname=URI:http://localhost:8000/",C#config.commonName,"/crl.pem\n"
- %"fullname=URI:file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
"[user_cert]\n"
"basicConstraints = CA:false\n"
@@ -422,7 +421,8 @@ ca_cnf(C) ->
"crlDistributionPoints=@crl_section\n"
"[crl_section]\n"
- "URI.1=file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
+ %% intentionally invalid
+ "URI.1=http://localhost/",C#config.commonName,"/crl.pem\n"
"URI.2=http://localhost:8000/",C#config.commonName,"/crl.pem\n"
"\n"
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 8afd926ee6..7cf09aa419 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -69,6 +69,7 @@ init_per_suite(Config0) ->
false ->
{skip, "Openssl not found"};
_ ->
+ inets:start(),
catch crypto:stop(),
try crypto:start() of
ok ->
@@ -81,6 +82,7 @@ init_per_suite(Config0) ->
end_per_suite(_Config) ->
ssl:stop(),
+ inets:stop(),
application:stop(crypto).
init_per_group(v1_crl, Config) ->
@@ -91,7 +93,12 @@ init_per_group(v1_crl, Config) ->
CertDir,
[{v2_crls, false}])),
ct:log("Make certs ~p~n", [Result]),
- [{make_cert_result, Result}, {cert_dir, CertDir} | Config];
+ %% start a HTTP server to serve the CRLs
+ {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+ {server_root, "/tmp"},
+ {document_root, CertDir},
+ {modules, [mod_get]}]),
+ [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config];
init_per_group(idp_crl, Config) ->
ssl:start(),
CertDir = filename:join(?config(priv_dir, Config), "idp_crl"),
@@ -113,7 +120,12 @@ init_per_group(_GroupName, Config) ->
(catch make_certs:all(?config(data_dir, Config),
CertDir)),
ct:log("Make certs ~p~n", [Result]),
- [{make_cert_result, Result}, {cert_dir, CertDir} | Config].
+ %% start a HTTP server to serve the CRLs
+ {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+ {server_root, "/tmp"},
+ {document_root, CertDir},
+ {modules, [mod_get]}]),
+ [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config].
end_per_group(_GroupName, Config) ->
case ?config(httpd, Config) of
@@ -185,8 +197,6 @@ crl_verify_revoked(Config) when is_list(Config) ->
{cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])}],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Data = "From openssl to erlang",
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
@@ -462,19 +472,6 @@ fetch_point(#'DistributionPoint'{distributionPoint={fullName, Names}}) ->
%%
fetch([]) ->
not_available;
-fetch([{uniformResourceIdentifier, "file://"++File}|Rest]) ->
- io:format("getting CRL from ~p~n", [File]),
- try file:read_file(File) of
- {ok, Bin} ->
- %% assume PEM
- [{'CertificateList', DER, _}=CertList] = public_key:pem_decode(Bin),
- {DER, public_key:pem_entry_decode(CertList)};
- _ ->
- fetch(Rest)
- catch
- _:_ ->
- fetch(Rest)
- end;
fetch([{uniformResourceIdentifier, "http"++_=URL}|Rest]) ->
io:format("getting CRL from ~p~n", [URL]),
_ = inets:start(),