aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHans Nilsson <[email protected]>2017-10-11 12:35:38 +0200
committerHans Nilsson <[email protected]>2017-10-12 15:01:01 +0200
commit93534057710cef4a88f18f441fea20e733ebc253 (patch)
treee44c3879afff4567c3c975ee4f95d83698b3608a
parentf37f9eac178836e6bcdf575fa4c72642f146de35 (diff)
downloadotp-93534057710cef4a88f18f441fea20e733ebc253.tar.gz
otp-93534057710cef4a88f18f441fea20e733ebc253.tar.bz2
otp-93534057710cef4a88f18f441fea20e733ebc253.zip
public_key: Fix bug in pkix_verify_hostname with IP addresses
An IP address could in some circomstances be converted to a list and then to_lower was applied to it. So {$A,1,1,1} was changed to {$a,1,1,1} which of course didn't match....
-rw-r--r--lib/public_key/src/public_key.erl2
-rw-r--r--lib/public_key/test/public_key_SUITE.erl14
-rw-r--r--lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem22
-rw-r--r--lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf3
4 files changed, 22 insertions, 19 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index c3f2d791a3..453f34de64 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1529,6 +1529,8 @@ verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
Refs).
+to_lower_ascii({ip,_}=X) -> X;
+to_lower_ascii({iPAddress,_}=X) -> X;
to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 0077c7908c..0100f0a912 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -991,7 +991,7 @@ pkix_verify_hostname_options(Config) ->
%% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config public_key_SUITE_data/verify_hostname_ip.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
%%
%% Subject: C=SE, CN=example.com
-%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:5.6.7.8, URI:https://10.11.12.13
+%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:10.67.16.75, URI:https://10.11.12.13
pkix_verify_hostname_subjAltName_IP(Config) ->
DataDir = proplists:get_value(data_dir, Config),
@@ -1000,7 +1000,7 @@ pkix_verify_hostname_subjAltName_IP(Config) ->
%% Print the tests that a matchfun has to handle
catch public_key:pkix_verify_hostname(Cert, [{some_tag,"some.domain"},
- {ip, {5,6,7,8}}
+ {ip, {10,67,16,75}}
],
[{match_fun,
fun(Ref,Pres) ->
@@ -1012,12 +1012,14 @@ pkix_verify_hostname_subjAltName_IP(Config) ->
true = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.13"}]),
true = public_key:pkix_verify_hostname(Cert, [{dns_id,"1.2.3.4"}]),
true = public_key:pkix_verify_hostname(Cert, [{dns_id,<<"1.2.3.4">>}]),
- false = public_key:pkix_verify_hostname(Cert, [{dns_id,"5.6.7.8"}]),
+ false = public_key:pkix_verify_hostname(Cert, [{dns_id,"10.67.16.75"}]),
true = public_key:pkix_verify_hostname(Cert, [{ip, "aBcD:ef:0::0:1"}]),
true = public_key:pkix_verify_hostname(Cert, [{ip, {16#abcd,16#ef,0,0,0,0,0,1}}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, "5.6.7.8"}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, <<"5.6.7.8">>}]),
- true = public_key:pkix_verify_hostname(Cert, [{ip, {5,6,7,8}}]).
+ true = public_key:pkix_verify_hostname(Cert, [{ip, "10.67.16.75"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, <<"10.67.16.75">>}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, {10,67,16,75}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {1,2,3,4}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {10,11,12,13}}]).
%%--------------------------------------------------------------------
diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
index f9ffb257b5..97d12cdadf 100644
--- a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
+++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
@@ -1,13 +1,13 @@
-----BEGIN CERTIFICATE-----
-MIIB/zCCAWigAwIBAgIJAMoSejmTjwAGMA0GCSqGSIb3DQEBCwUAMB8xCzAJBgNV
-BAYTAlNFMRAwDgYDVQQDEwc1LjYuNy44MB4XDTE3MDkyODE0MDAxNVoXDTE3MTAy
-ODE0MDAxNVowHzELMAkGA1UEBhMCU0UxEDAOBgNVBAMTBzUuNi43LjgwgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAMUPU89KwVbTCDkyxQSz3wprMbZTLe35K6jm
-Q7oY1rJyVXjsFHwZrFqqNMScEyX40rJhczQ2Z9etEX6qYLbdb/DZeFcKo14fR583
-QMFZC+qqpLWHdvjaQN0KwD99VFeZIGpRgywG8SR+BXZjDHUkGsMrikAEJtf0Tgih
-IPyiFtiJAgMBAAGjQzBBMD8GA1UdEQQ4MDaCBzEuMi4zLjSHBAUGBwiHEKvNAO8A
-AAAAAAAAAAAAAAGGE2h0dHBzOi8vMTAuMTEuMTIuMTMwDQYJKoZIhvcNAQELBQAD
-gYEAtWVeQaRFZ0kH/pzSWMSsOCUrjbwlWRwDNbagNKoM6nCRv0QQ59fG6XrVZwR3
-c0s5arlMh3U2+bjKE+Iq9+b/lN1lGzf8iaAqBNa7KptwTSUEY3TiNG5X0zlSXKTI
-3z7AaUEtghL9ImCPj5V3tVksqWd7U0zLmeeLZnM+wGAL9Hc=
+MIICBzCCAXCgAwIBAgIJAJgbo5FL73LuMA0GCSqGSIb3DQEBCwUAMCMxCzAJBgNV
+BAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNvbTAeFw0xNzEwMTExMDM0NDJaFw0x
+NzExMTAxMDM0NDJaMCMxCzAJBgNVBAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5muN8NIRHuqXgtAFpaJ4EPnd
+SD+hnzMiiWQ9qAsS8P4xFsl5aNH74BTgst6Rcq33qAw+4BtKFXMt7JbWMuZklFV3
+fzRSx099MVJSH3f2LDMNLfyDiSJnhBEv1rLPaosi91ZLvI5LiGTxzRLi3qftZBft
+Ryw1OempB4chLcBy2rsCAwEAAaNDMEEwPwYDVR0RBDgwNoIHMS4yLjMuNIcECkMQ
+S4cQq80A7wAAAAAAAAAAAAAAAYYTaHR0cHM6Ly8xMC4xMS4xMi4xMzANBgkqhkiG
+9w0BAQsFAAOBgQDMn8aqs/5FkkWhspvN2n+D2l87M+33a5My54ZVZhayZ/KRmhCN
+Gix/BiVYJ3UlmWmGcnQXb3MLt/LQHaD3S2whDaLN3xJ8BbnX7A4ZTybitdyeFhDw
+K3iDVUM3bSsBJ4EcBPWIMnow3ALP5HlGRMlH/87Qt+uVPXuwNh9pmyIhRQ==
-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
index 0a738f2586..798592e4f6 100644
--- a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
+++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
@@ -5,14 +5,13 @@ distinguished_name = DN
[DN]
C=SE
CN=example.com
-CN=5.6.7.8
[SAN]
subjectAltName = @alt_names
[alt_names]
DNS = 1.2.3.4
-IP.1 = 5.6.7.8
+IP.1 = 10.67.16.75
IP.2 = abcd:ef::1
URI = https://10.11.12.13