author | Erlang/OTP <[email protected]> | 2010-01-19 09:16:47 +0000 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2010-01-19 09:16:47 +0000 |
commit | ce6ca6867f86c8ba876765d25c52cb80a1c10ad4 (patch) | |
tree | 8ac2bd7e5417314ffd1dbfb8878a9f73731e5e37 | |
parent | e6de285d99aefc1a9de11e6eca187a12fdaf7378 (diff) | |
parent | fe93630eaef3c403edda47e0531dbd5c11c2aa4a (diff) | |
Merge branch 'dgud/ssl-patches-from-Wil' into ccase/r13b04_dev
* dgud/ssl-patches-from-Wil:
Added a public_key:pkix_transform/2 instead and used it from ssl.
Minor code cleanup
new_ssl fix session reuse
Code cleanup
Send CA list during Certificate Request in new_ssl
OTP-8372 Fixed session reuse (in new_ssl), thanks Wil Tan.
Send CA list during Certificate Request (in new_ssl), thanks Wil Tan.
-rw-r--r-- | lib/public_key/src/pubkey_cert_records.erl | 12 | ||||
-rw-r--r-- | lib/public_key/src/public_key.erl | 26 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 23 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 38 |
4 files changed, 67 insertions, 32 deletions
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 36b7c47a9c..c7d4080adb 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%%
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%%
+%%
 %% %CopyrightEnd%
 %%
@@ -23,7 +23,7 @@
 -include("public_key.hrl").
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
 -export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index b0b0b7a832..52c695523f 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%%
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%%
+%%
 %% %CopyrightEnd%
 %%
@@ -30,7 +30,7 @@
 sign/2, sign/3, verify_signature/3, verify_signature/4, verify_signature/5, pem_to_der/1, pem_to_der/2,
- pkix_decode_cert/2, pkix_encode_cert/1,
+ pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2,
 pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1, pkix_issuer_id/2, pkix_is_issuer/2, pkix_normalize_general_name/1,
@@ -162,6 +162,20 @@ pkix_encode_cert(Cert) ->
 pubkey_cert_records:encode_cert(Cert).
 %%--------------------------------------------------------------------
+%% Function: pkix_transform(CertPart, Op) -> TransformedCertPart
+%%
+%% CertPart = pkix part data
+%% Op = encode | decode
+%%
+%% Description: Transform parts of a pkix certificate between 'plain' format
+%% and the internal 'otp' format, see pkix_decode_cert/2.
+%% Decode transforms from 'plain' to 'otp' and encode from 'otp' to 'plain'
+%% format.
+%%--------------------------------------------------------------------
+pkix_transform(CertPart, Op) ->
+ pubkey_cert_records:transform(CertPart, Op).
+
+%%--------------------------------------------------------------------
 %% Function: pkix_path_validation(TrustedCert, CertChain, Options) ->
 %% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
 %% {error, Reason}
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 178c055cdf..d9377fe3d6 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%%
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%%
+%%
 %% %CopyrightEnd%
 %%
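Review bot: `%% CertPart = pkix part data` does not tell a caller which structures `pkix_transform/2` accepts or in which representation; the only use in this merge (ssl_handshake.erl) passes a subject `Name` with `encode`, so the comment should at least say `%% CertPart = a decoded certificate component, e.g. a subject/issuer Name, in 'plain' form for decode or 'otp' form for encode`. As a newly exported function it also lacks a `-spec`; `-spec pkix_transform(term(), encode | decode) -> term().` would at least pin `Op` for Dialyzer. The wrapped `pubkey_cert_records:transform/2` is exported in the first file of this diff, but its body is not shown, so I cannot confirm what it does with an `Op` other than `encode` or `decode`.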
@@ -1115,13 +1115,12 @@ do_server_hello(Type, #state{negotiated_version = Version,
 case ssl_handshake:master_secret(Version, Session, ConnectionStates0, server) of
 {_, ConnectionStates1} ->
- {ConnectionStates, Hashes} =
- finished(State#state{connection_states =
- ConnectionStates1}),
- {next_state, abbreviated,
- next_record(State#state{connection_states =
- ConnectionStates,
- tls_handshake_hashes = Hashes})};
+ State1 = State#state{connection_states=ConnectionStates1,
+ session = Session},
+ {ConnectionStates, Hashes} = finalize_server_handshake(State1),
+ Resumed = State1#state{connection_states = ConnectionStates,
+ tls_handshake_hashes = Hashes},
+ {next_state, abbreviated, next_record(Resumed)};
 #alert{} = Alert ->
 handle_own_alert(Alert, Version, hello, State),
 {stop, normal, State}
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 829e0c2ba6..8c598135ca 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%%
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%%
+%%
 %% %CopyrightEnd%
 %%
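Review bot: Nothing in the new code says why `State1` now carries `session = Session` before `finalize_server_handshake/1` runs and into the `abbreviated` state; a reader has to diff against the removed lines, which finalized against `State` without the session, to see that this is the session-reuse fix named in the commit message. I would put `%% the resumed Session must be in the state before the handshake is finalized and before entering 'abbreviated'` above `State1 = State#state{...}`. `finalize_server_handshake/1` is not defined in this hunk (the old code called `finished/1`), so I cannot confirm from here that it exists or returns `{ConnectionStates, Hashes}`. The `#alert{}` branch still reports and stops with the pre-fix `State`, which looks intentional since no session was established. `do_server_hello` starts outside the hunk.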
@@ -860,9 +860,31 @@ certificate_types(_) ->
 %% a RSA_FIXED_DH or DSS_FIXED_DH
 <<?BYTE(?RSA_SIGN)>>.
-certificate_authorities(_) ->
- %%TODO Make list of know CA:s
- <<>>.
+certificate_authorities(CertDbRef) ->
+ Authorities = certificate_authorities_from_db(CertDbRef),
+ Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
+ OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
+ Subj = public_key:pkix_transform(OTPSubj, encode),
+ {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+ DNEncodedBin = iolist_to_binary(DNEncoded),
+ DNEncodedLen = byte_size(DNEncodedBin),
+ <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+ end,
+ list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
+
+certificate_authorities_from_db(CertDbRef) ->
+ certificate_authorities_from_db(CertDbRef, no_candidate, []).
+
+certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
+ case ssl_certificate_db:issuer_candidate(PrevKey) of
+ no_more_candidates ->
+ lists:reverse(Acc);
+ {{CertDbRef, _, _} = Key, Cert} ->
+ certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+ {Key, _Cert} ->
+ %% skip certs not from this ssl connection
+ certificate_authorities_from_db(CertDbRef, Key, Acc)
+ end.
 digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) ->
 public_key:encrypt_private(Hashes, Key, |
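Review bot: The DN list built by `certificate_authorities/1` is not bounded, yet the CertificateRequest `certificate_authorities` vector carries a 16-bit length (RFC 2246/5246 §7.4.4, `<0..2^16-1>`), so with a large trust store the binary the caller has to length-prefix can exceed 65535 bytes; the caller is outside this hunk, so I cannot tell whether it rejects or silently truncates, but a size check or at least a comment naming the limit belongs next to `list_to_binary([Enc(Cert) || {_, Cert} <- Authorities])`. The clause `{{CertDbRef, _, _} = Key, Cert} ->` is the security-relevant line here — it is what keeps CA names registered for other connections' trust stores out of the list sent to this peer — so I would move the existing `%% skip certs not from this ssl connection` up onto it as `%% only advertise CAs stored under this connection's CertDbRef`. Note also that every CertificateRequest walks the whole certificate DB through `ssl_certificate_db:issuer_candidate/1` rather than querying by `CertDbRef`; that is fine for small stores but worth a comment. Minor style: the comprehension already yields binaries, so `iolist_to_binary/1` reads more naturally than `list_to_binary/1`. `digitally_signed/2` continues outside the hunk.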