diff options
author | Raimo Niskanen <[email protected]> | 2018-04-24 09:34:51 +0200 |
---|---|---|
committer | Raimo Niskanen <[email protected]> | 2018-04-24 09:34:51 +0200 |
commit | b5ec77bf908877d7471997527959e3d98d45bd96 (patch) | |
tree | b9f626e0ecfcd0b05c7d0975f4e45090753fb3d5 | |
parent | 4c4d861792d79ac7773548c089b7a93bc2c72a51 (diff) | |
download | otp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.gz otp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.bz2 otp-b5ec77bf908877d7471997527959e3d98d45bd96.zip |
Parse cert primarily for host names
-rw-r--r-- | lib/ssl/src/inet_tls_dist.erl | 65 | ||||
-rw-r--r-- | lib/ssl/test/ssl_dist_bench_SUITE.erl | 29 |
2 files changed, 54 insertions, 40 deletions
diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl index d4215c8f83..3fab89fa97 100644 --- a/lib/ssl/src/inet_tls_dist.erl +++ b/lib/ssl/src/inet_tls_dist.erl @@ -585,7 +585,10 @@ get_ifs(#sslsocket{fd = {gen_tcp, Socket, _}}) -> %% Look in Extensions, in all subjectAltName:s -%% to find node names in this certificate +%% to find node names in this certificate. +%% Host names are picked up as a subjectAltName containing +%% a dNSName, and the first subjectAltName containing +%% a commonName is the node name. %% cert_nodes( #'OTPCertificate'{ @@ -594,48 +597,52 @@ cert_nodes( parse_extensions(Extensions) when is_list(Extensions) -> - parse_extensions(Extensions, []); + parse_extensions(Extensions, [], none); parse_extensions(asn1_NOVALUE) -> []. %% -parse_extensions([], CertNodes) -> - CertNodes; -%% -%% XXX Why are all extnValue:s sequences? -%% Should we parse all members? -%% -parse_extensions( - [#'Extension'{ - extnID = ?'id-ce-subjectAltName', - extnValue = [{dNSName,OtherNode}|_]} - |Extensions], - CertNodes) -> - parse_extensions(Extensions, [OtherNode|CertNodes]); -parse_extensions( - [#'Extension'{ - extnID = ?'id-ce-subjectAltName', - extnValue = [{rfc822Name,OtherNode}|_]} - |Extensions], - CertNodes) -> - parse_extensions(Extensions, [OtherNode|CertNodes]); +parse_extensions([], Hosts, none) -> + lists:reverse(Hosts); +parse_extensions([], Hosts, Name) -> + [Name ++ "@" ++ Host || Host <- lists:reverse(Hosts)]; parse_extensions( [#'Extension'{ extnID = ?'id-ce-subjectAltName', - extnValue = [{directoryName,{rdnSequence,[Rdn|_]}}|_]} + extnValue = AltNames} |Extensions], - CertNodes) -> + Hosts, Name) -> + case parse_subject_altname(AltNames) of + none -> + parse_extensions(Extensions, Hosts, Name); + {host,Host} -> + parse_extensions(Extensions, [Host|Hosts], Name); + {name,NewName} when Name =:= none -> + parse_extensions(Extensions, Hosts, NewName); + {Name,_} -> + parse_extensions(Extensions, Hosts, Name) + end; +parse_extensions([_|Extensions], Hosts, Name) -> + parse_extensions(Extensions, Hosts, Name). + +parse_subject_altname([]) -> + none; +parse_subject_altname([{dNSName,Host}|_AltNames]) -> + {host,Host}; +parse_subject_altname( + [{directoryName,{rdnSequence,[Rdn|_]}}|AltNames]) -> %% %% XXX Why is rdnSequence a sequence? %% Should we parse all members? %% case parse_rdn(Rdn) of none -> - parse_extensions(Extensions, CertNodes); - OtherNode -> - parse_extensions(Extensions, [OtherNode|CertNodes]) + parse_subject_altname(AltNames); + Name -> + {name,Name} end; -parse_extensions([_|Extensions], CertNodes) -> - parse_extensions(Extensions, CertNodes). +parse_subject_altname([_|AltNames]) -> + parse_subject_altname(AltNames). + parse_rdn([]) -> none; diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl index 8852b6f3c6..31de0936f9 100644 --- a/lib/ssl/test/ssl_dist_bench_SUITE.erl +++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl @@ -181,6 +181,7 @@ end_per_testcase(_Func, _Conf) -> write_node_conf( ConfFile, Node, ServerConf, ClientConf, CertOptions, RootCert) -> + [_Name,Host] = string:split(atom_to_list(Node), "@"), Conf = public_key:pkix_test_data( #{root => RootCert, @@ -188,17 +189,23 @@ write_node_conf( [{extensions, [#'Extension'{ extnID = ?'id-ce-subjectAltName', - %% extnValue = [{dNSName, atom_to_list(Node)}], - %% extnValue = [{rfc822Name, atom_to_list(Node)}], - extnValue = - [{directoryName, - {rdnSequence, - [[#'AttributeTypeAndValue'{ - type = ?'id-at-commonName', - value = - {utf8String, - atom_to_binary(Node, utf8)}}]]}}], - critical = true}]} | CertOptions]}), + extnValue = [{dNSName, Host}], + critical = true}%, + %% #'Extension'{ + %% extnID = ?'id-ce-subjectAltName', + %% extnValue = + %% [{directoryName, + %% {rdnSequence, + %% [[#'AttributeTypeAndValue'{ + %% type = ?'id-at-commonName', + %% value = + %% {utf8String, + %% unicode:characters_to_binary( + %% Name, utf8) + %% } + %% }]]}}], + %% critical = true} + ]} | CertOptions]}), NodeConf = [{server, ServerConf ++ Conf}, {client, ClientConf ++ Conf}], {ok, Fd} = file:open(ConfFile, [write]), |