diff options
| author | Ingela Anderton Andin <[email protected]> | 2017-01-11 14:35:58 +0100 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2017-01-24 17:41:24 +0100 |
| commit | 306badbd13a70fa232091ca3f7ea4fe92c9cfe24 (patch) | |
| tree | 5a89e0a7e4db848309c23075d608c28bd01bdd96 | |
| parent | 5a97f05aa92b4a68083390c9eb5e33193213086f (diff) | |
| download | otp-306badbd13a70fa232091ca3f7ea4fe92c9cfe24.tar.gz otp-306badbd13a70fa232091ca3f7ea4fe92c9cfe24.tar.bz2 otp-306badbd13a70fa232091ca3f7ea4fe92c9cfe24.zip | |
ssl: Correct ssl_certificate:validate/3
Changes made to ssl_certificate:validate appear to be preventing CRL
validation from happening when an id-ce-extKeyUsage extension is
present in the cert before the DistributionPoint extension.
https://github.com/erlang/otp/blob/448e8aca77dd29ed5b37d56f0700d24ac26a7243/lib/ssl/src/ssl_certificate.erl#L131
See also ERL-338 and PR-1302
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index f359655d85..8aa2aa4081 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -125,21 +125,21 @@ file_to_crls(File, DbHandle) -> %% Description: Validates ssl/tls specific extensions %%-------------------------------------------------------------------- validate(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', - extnValue = KeyUse}}, {Role, _,_, _, _}) -> + extnValue = KeyUse}}, UserState = {Role, _,_, _, _}) -> case is_valid_extkey_usage(KeyUse, Role) of true -> - {valid, Role}; + {valid, UserState}; false -> {fail, {bad_cert, invalid_ext_key_usage}} end; -validate(_, {extension, _}, Role) -> - {unknown, Role}; +validate(_, {extension, _}, UserState) -> + {unknown, UserState}; validate(_, {bad_cert, _} = Reason, _) -> {fail, Reason}; -validate(_, valid, Role) -> - {valid, Role}; -validate(_, valid_peer, Role) -> - {valid, Role}. +validate(_, valid, UserState) -> + {valid, UserState}; +validate(_, valid_peer, UserState) -> + {valid, UserState}. %%-------------------------------------------------------------------- -spec is_valid_key_usage(list(), term()) -> boolean(). |