author | Wil Tan <[email protected]> | 2010-01-06 04:10:10 +1100 |
---|---|---|
committer | Dan Gudmundsson <[email protected]> | 2010-01-12 12:40:49 +0100 |
commit | fbe15664033aecd247aa3ee7446562639c10a0f4 (patch) | |
tree | 56c34d1a9c6d2813aa084b8a3dd6b9fb23079d0f | |
parent | e447b437a74b1ba58567026923104b6b2922dafc (diff) | |
download | otp-fbe15664033aecd247aa3ee7446562639c10a0f4.tar.gz otp-fbe15664033aecd247aa3ee7446562639c10a0f4.tar.bz2 otp-fbe15664033aecd247aa3ee7446562639c10a0f4.zip |
Send CA list during Certificate Request in new_ssl
When requesting a client certificate, an SSL/TLS server may send a
list of the distinguished names of acceptable certificate authorities.
OpenSSL does this by default.
-rw-r--r-- | lib/public_key/src/pubkey_cert_records.erl | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 28 |
2 files changed, 26 insertions, 4 deletions
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 36b7c47a9c..7f9f3c84f4 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -23,7 +23,7 @@
 
 -include("public_key.hrl").
 
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
 
 -export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code.
 
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 829e0c2ba6..85dc61d3aa 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -860,9 +860,31 @@ certificate_types(_) ->
     %% a RSA_FIXED_DH or DSS_FIXED_DH
     <<?BYTE(?RSA_SIGN)>>.
 
-certificate_authorities(_) ->
-    %%TODO Make list of know CA:s
-    <<>>.
+certificate_authorities(CertDbRef) ->
+    Authorities = certificate_authorities_from_db(CertDbRef),
+    Enc = fun(Cert) ->
+                  TBSCert = Cert#'OTPCertificate'.tbsCertificate,
+                  Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode),
+                  {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+                  DNEncodedBin = iolist_to_binary(DNEncoded),
+                  DNEncodedLen = byte_size(DNEncodedBin),
+                  <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+          end,
+    list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])).
+
+certificate_authorities_from_db(CertDbRef) ->
+    certificate_authorities_from_db(CertDbRef, no_candidate, []).
+
+certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
+    case ssl_certificate_db:issuer_candidate(PrevKey) of
+        no_more_candidates ->
+            lists:reverse(Acc);
+        {{CertDbRef, _, _} = Key, Cert} ->
+            certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+        {Key, _Cert} ->
+            % skip certs not from this ssl connection
+            certificate_authorities_from_db(CertDbRef, Key, Acc)
+    end.
 
 digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) ->
     public_key:encrypt_private(Hashes, Key,
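Review bot: The binary built by `list_to_binary(lists:map(Enc, ...))` in `certificate_authorities/1` is never checked against the 16-bit length limit of the CertificateRequest certificate_authorities vector, so a cert db holding many or large subject names would presumably yield a message the peer cannot parse; the caller that prefixes the outer length is outside this hunk, so either assert `byte_size(CAs) =< 16#ffff` there or state the assumed bound in a comment here. Every certificate that `ssl_certificate_db:issuer_candidate/1` returns for this `CertDbRef` is advertised as an acceptable CA without any check that it is a CA certificate; if that is intended because the db only ever holds trusted CAs, a one-line comment such as `%% Every cert in the connection's db is a configured trust anchor` would make the contract explicit. The `{ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj)` match means one non-re-encodable subject in the db crashes every client-auth handshake rather than just that entry, which is worth documenting as deliberate. A style nit: the line comment in `certificate_authorities_from_db/3` uses a single `%`, while the rest of the file uses `%%` for statement-level comments.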