authorRaimo Niskanen <[email protected]>2018-04-24 09:34:51 +0200
committerRaimo Niskanen <[email protected]>2018-04-24 09:34:51 +0200
commitb5ec77bf908877d7471997527959e3d98d45bd96 (patch)
treeb9f626e0ecfcd0b05c7d0975f4e45090753fb3d5
parent4c4d861792d79ac7773548c089b7a93bc2c72a51 (diff)
downloadotp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.gz
otp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.bz2
otp-b5ec77bf908877d7471997527959e3d98d45bd96.zip
Parse cert primarily for host names
-rw-r--r--lib/ssl/src/inet_tls_dist.erl65
-rw-r--r--lib/ssl/test/ssl_dist_bench_SUITE.erl29
2 files changed, 54 insertions, 40 deletions
diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl
index d4215c8f83..3fab89fa97 100644
--- a/lib/ssl/src/inet_tls_dist.erl
+++ b/lib/ssl/src/inet_tls_dist.erl
@@ -585,7 +585,10 @@ get_ifs(#sslsocket{fd = {gen_tcp, Socket, _}}) ->
%% Look in Extensions, in all subjectAltName:s
-%% to find node names in this certificate
+%% to find node names in this certificate.
+%% Host names are picked up as a subjectAltName containing
+%% a dNSName, and the first subjectAltName containing
+%% a commonName is the node name.
%%
cert_nodes(
#'OTPCertificate'{
@@ -594,48 +597,52 @@ cert_nodes(
parse_extensions(Extensions) when is_list(Extensions) ->
- parse_extensions(Extensions, []);
+ parse_extensions(Extensions, [], none);
parse_extensions(asn1_NOVALUE) ->
[].
%%
-parse_extensions([], CertNodes) ->
- CertNodes;
-%%
-%% XXX Why are all extnValue:s sequences?
-%% Should we parse all members?
-%%
-parse_extensions(
- [#'Extension'{
- extnID = ?'id-ce-subjectAltName',
- extnValue = [{dNSName,OtherNode}|_]}
- |Extensions],
- CertNodes) ->
- parse_extensions(Extensions, [OtherNode|CertNodes]);
-parse_extensions(
- [#'Extension'{
- extnID = ?'id-ce-subjectAltName',
- extnValue = [{rfc822Name,OtherNode}|_]}
- |Extensions],
- CertNodes) ->
- parse_extensions(Extensions, [OtherNode|CertNodes]);
+parse_extensions([], Hosts, none) ->
+ lists:reverse(Hosts);
+parse_extensions([], Hosts, Name) ->
+ [Name ++ "@" ++ Host || Host <- lists:reverse(Hosts)];
parse_extensions(
[#'Extension'{
extnID = ?'id-ce-subjectAltName',
- extnValue = [{directoryName,{rdnSequence,[Rdn|_]}}|_]}
+ extnValue = AltNames}
|Extensions],
- CertNodes) ->
+ Hosts, Name) ->
+ case parse_subject_altname(AltNames) of
+ none ->
+ parse_extensions(Extensions, Hosts, Name);
+ {host,Host} ->
+ parse_extensions(Extensions, [Host|Hosts], Name);
+ {name,NewName} when Name =:= none ->
+ parse_extensions(Extensions, Hosts, NewName);
+ {Name,_} ->
+ parse_extensions(Extensions, Hosts, Name)
+ end;
+parse_extensions([_|Extensions], Hosts, Name) ->
+ parse_extensions(Extensions, Hosts, Name).
+
+parse_subject_altname([]) ->
+ none;
+parse_subject_altname([{dNSName,Host}|_AltNames]) ->
+ {host,Host};
+parse_subject_altname(
+ [{directoryName,{rdnSequence,[Rdn|_]}}|AltNames]) ->
%%
%% XXX Why is rdnSequence a sequence?
%% Should we parse all members?
%%
case parse_rdn(Rdn) of
none ->
- parse_extensions(Extensions, CertNodes);
- OtherNode ->
- parse_extensions(Extensions, [OtherNode|CertNodes])
+ parse_subject_altname(AltNames);
+ Name ->
+ {name,Name}
end;
-parse_extensions([_|Extensions], CertNodes) ->
- parse_extensions(Extensions, CertNodes).
+parse_subject_altname([_|AltNames]) ->
+ parse_subject_altname(AltNames).
+
parse_rdn([]) ->
none;
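Review bot: The last clause of the `case` in parse_extensions/3, `{Name,_} ->`, matches on the already-bound variable Name, so once a node name has been picked up it only matches a tuple whose tag is that string; a second subjectAltName with a commonName makes parse_subject_altname return `{name,_}`, no clause matches, and cert_nodes exits with case_clause. Since the certificate being parsed here is presumably the remote node's, this turns a merely unusual peer certificate into a crash of the connection setup instead of the "first commonName wins" behaviour the header comment announces. The fix is the atom tag: `{name,_} -> parse_extensions(Extensions, Hosts, Name)`. Note also that parse_subject_altname returns on the first dNSName of an extnValue, so only one host name per subjectAltName extension is ever collected; if that is intended, the dropped `XXX Should we parse all members?` question is worth carrying over as a comment on parse_subject_altname/1. parse_rdn at the end of the hunk continues outside it.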
diff --git a/lib/ssl/test/ssl_dist_bench_SUITE.erl b/lib/ssl/test/ssl_dist_bench_SUITE.erl
index 8852b6f3c6..31de0936f9 100644
--- a/lib/ssl/test/ssl_dist_bench_SUITE.erl
+++ b/lib/ssl/test/ssl_dist_bench_SUITE.erl
@@ -181,6 +181,7 @@ end_per_testcase(_Func, _Conf) ->
write_node_conf(
ConfFile, Node, ServerConf, ClientConf, CertOptions, RootCert) ->
+ [_Name,Host] = string:split(atom_to_list(Node), "@"),
Conf =
public_key:pkix_test_data(
#{root => RootCert,
@@ -188,17 +189,23 @@ write_node_conf(
[{extensions,
[#'Extension'{
extnID = ?'id-ce-subjectAltName',
- %% extnValue = [{dNSName, atom_to_list(Node)}],
- %% extnValue = [{rfc822Name, atom_to_list(Node)}],
- extnValue =
- [{directoryName,
- {rdnSequence,
- [[#'AttributeTypeAndValue'{
- type = ?'id-at-commonName',
- value =
- {utf8String,
- atom_to_binary(Node, utf8)}}]]}}],
- critical = true}]} | CertOptions]}),
+ extnValue = [{dNSName, Host}],
+ critical = true}%,
+ %% #'Extension'{
+ %% extnID = ?'id-ce-subjectAltName',
+ %% extnValue =
+ %% [{directoryName,
+ %% {rdnSequence,
+ %% [[#'AttributeTypeAndValue'{
+ %% type = ?'id-at-commonName',
+ %% value =
+ %% {utf8String,
+ %% unicode:characters_to_binary(
+ %% Name, utf8)
+ %% }
+ %% }]]}}],
+ %% critical = true}
+ ]} | CertOptions]}),
NodeConf =
[{server, ServerConf ++ Conf}, {client, ClientConf ++ Conf}],
{ok, Fd} = file:open(ConfFile, [write]),
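Review bot: The commented-out second #'Extension' block after `critical = true}%,` is dead code that is already out of step with the live code: it uses `Name`, but the binding added earlier in write_node_conf is `_Name`, so uncommenting it as-is would not compile. Prefer dropping the block and keeping a one-line comment such as `%% Only a dNSName is set here; inet_tls_dist:cert_nodes/1 also accepts a commonName as the node name.`, or, if it must stay as a template, state in it that `_Name` has to be renamed first. The `}%,` construction that attaches a comment to a closing brace is hard to read; a plain `critical = true}]} | CertOptions]}),` with the comment placed above the list is clearer. write_node_conf continues outside the hunk.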