authorWil Tan <[email protected]>2010-01-06 04:10:10 +1100
committerDan Gudmundsson <[email protected]>2010-01-12 12:40:49 +0100
commitfbe15664033aecd247aa3ee7446562639c10a0f4 (patch)
tree56c34d1a9c6d2813aa084b8a3dd6b9fb23079d0f
parente447b437a74b1ba58567026923104b6b2922dafc (diff)
Send CA list during Certificate Request in new_ssl
When requesting a client certificate, an SSL/TLS server may send a list of the distinguished names of acceptable certificate authorities. OpenSSL does this by default.
-rw-r--r--lib/public_key/src/pubkey_cert_records.erl2
-rw-r--r--lib/ssl/src/ssl_handshake.erl28
2 files changed, 26 insertions, 4 deletions
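--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -23,7 +23,7 @@
 -include("public_key.hrl").
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
 -export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code.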
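--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -860,9 +860,31 @@ certificate_types(_) ->
 %% a RSA_FIXED_DH or DSS_FIXED_DH
 <<?BYTE(?RSA_SIGN)>>.
-certificate_authorities(_) ->
- %%TODO Make list of know CA:s
- <<>>.
+certificate_authorities(CertDbRef) ->
+ Authorities = certificate_authorities_from_db(CertDbRef),
+ Enc = fun(Cert) ->
+ TBSCert = Cert#'OTPCertificate'.tbsCertificate,
+ Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode),
+ {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+ DNEncodedBin = iolist_to_binary(DNEncoded),
+ DNEncodedLen = byte_size(DNEncodedBin),
+ <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+ end,
+ list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])).
+
+certificate_authorities_from_db(CertDbRef) ->
+ certificate_authorities_from_db(CertDbRef, no_candidate, []).
+
+certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
+ case ssl_certificate_db:issuer_candidate(PrevKey) of
+ no_more_candidates ->
+ lists:reverse(Acc);
+ {{CertDbRef, _, _} = Key, Cert} ->
+ certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+ {Key, _Cert} ->
+ % skip certs not from this ssl connection
+ certificate_authorities_from_db(CertDbRef, Key, Acc)
+ end.
 digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) ->
 public_key:encrypt_private(Hashes, Key,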
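Review bot: The concatenated DN list returned by certificate_authorities/1 is unbounded, while the CertificateRequest carries certificate_authorities as a vector with a 16-bit length, so a large CA store would yield a body the length prefix cannot frame; the framing is written outside this hunk, so I cannot see whether it is checked there. Failing explicitly at this point is preferable to emitting a malformed message, e.g. `Bin = iolist_to_binary([Enc(Cert) || {_, Cert} <- Authorities]), true = byte_size(Bin) =< 16#FFFF, Bin` in place of the final `list_to_binary(lists:map(...))`. Separately, certificate_authorities_from_db/3 walks every entry ssl_certificate_db:issuer_candidate/1 yields and discards those whose key does not carry this CertDbRef, so the per-handshake cost grows with all loaded certificates, not just this connection's; a comment such as `%% Full walk of the cert db: entries of other connections are skipped, so cost is O(all certs)` on the function head would make that visible, and the new functions would benefit from a -spec. The single-% comment on the skip branch should be `%%` to match the file's other in-body comments.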