authorErlang/OTP <[email protected]>2010-01-19 09:16:47 +0000
committerErlang/OTP <[email protected]>2010-01-19 09:16:47 +0000
commitce6ca6867f86c8ba876765d25c52cb80a1c10ad4 (patch)
tree8ac2bd7e5417314ffd1dbfb8878a9f73731e5e37
parente6de285d99aefc1a9de11e6eca187a12fdaf7378 (diff)
parentfe93630eaef3c403edda47e0531dbd5c11c2aa4a (diff)
Merge branch 'dgud/ssl-patches-from-Wil' into ccase/r13b04_dev
* dgud/ssl-patches-from-Wil: Added a public_key:pkix_transform/2 instead and used it from ssl. Minor code cleanup new_ssl fix session reuse Code cleanup Send CA list during Certificate Request in new_ssl OTP-8372 Fixed session reuse (in new_ssl), thanks Wil Tan. Send CA list during Certificate Request (in new_ssl) , thanks Wil Tan.
-rw-r--r--lib/public_key/src/pubkey_cert_records.erl12
-rw-r--r--lib/public_key/src/public_key.erl26
-rw-r--r--lib/ssl/src/ssl_connection.erl23
-rw-r--r--lib/ssl/src/ssl_handshake.erl38
4 files changed, 67 insertions, 32 deletions
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 36b7c47a9c..c7d4080adb 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -23,7 +23,7 @@
-include("public_key.hrl").
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
-export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index b0b0b7a832..52c695523f 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -30,7 +30,7 @@
sign/2, sign/3,
verify_signature/3, verify_signature/4, verify_signature/5,
pem_to_der/1, pem_to_der/2,
- pkix_decode_cert/2, pkix_encode_cert/1,
+ pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2,
pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
pkix_issuer_id/2,
pkix_is_issuer/2, pkix_normalize_general_name/1,
@@ -162,6 +162,20 @@ pkix_encode_cert(Cert) ->
pubkey_cert_records:encode_cert(Cert).
%%--------------------------------------------------------------------
+%% Function: pkix_transform(CertPart, Op) -> TransformedCertPart
+%%
+%% CertPart = pkix part data
+%% Op = encode | decode
+%%
+%% Description: Transform parts of a pkix certificate between 'plain' format
+%% and the internal 'otp' format, see pkix_decode_cert/2.
+%% Decode transforms from 'plain' to 'otp' and encode from 'otp' to 'plain'
+%% format.
+%%--------------------------------------------------------------------
+pkix_transform(CertPart, Op) ->
+ pubkey_cert_records:transform(CertPart, Op).
+
+%%--------------------------------------------------------------------
%% Function: pkix_path_validation(TrustedCert, CertChain, Options) ->
%% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
%% {error, Reason}
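Review bot: pkix_transform/2 is added to the public API without a -spec, and the header comment is the only place its contract (Op = encode | decode) is stated; the clause forwards any Op straight to pubkey_cert_records:transform/2, so a wrong argument surfaces as an error raised inside the internal module rather than at the public_key boundary. I would add `-spec pkix_transform(term(), encode | decode) -> term().` above the clause, or restrict it in the head with `pkix_transform(CertPart, Op) when Op =:= encode; Op =:= decode ->` so callers get a function_clause from public_key itself. If the rest of the module does not yet carry -specs (not visible in this hunk), the guard alone is the consistent choice.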
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 178c055cdf..d9377fe3d6 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -1115,13 +1115,12 @@ do_server_hello(Type, #state{negotiated_version = Version,
case ssl_handshake:master_secret(Version, Session,
ConnectionStates0, server) of
{_, ConnectionStates1} ->
- {ConnectionStates, Hashes} =
- finished(State#state{connection_states =
- ConnectionStates1}),
- {next_state, abbreviated,
- next_record(State#state{connection_states =
- ConnectionStates,
- tls_handshake_hashes = Hashes})};
+ State1 = State#state{connection_states=ConnectionStates1,
+ session = Session},
+ {ConnectionStates, Hashes} = finalize_server_handshake(State1),
+ Resumed = State1#state{connection_states = ConnectionStates,
+ tls_handshake_hashes = Hashes},
+ {next_state, abbreviated, next_record(Resumed)};
#alert{} = Alert ->
handle_own_alert(Alert, Version, hello, State),
{stop, normal, State}
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 829e0c2ba6..8c598135ca 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -860,9 +860,31 @@ certificate_types(_) ->
%% a RSA_FIXED_DH or DSS_FIXED_DH
<<?BYTE(?RSA_SIGN)>>.
-certificate_authorities(_) ->
- %%TODO Make list of know CA:s
- <<>>.
+certificate_authorities(CertDbRef) ->
+ Authorities = certificate_authorities_from_db(CertDbRef),
+ Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
+ OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
+ Subj = public_key:pkix_transform(OTPSubj, encode),
+ {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+ DNEncodedBin = iolist_to_binary(DNEncoded),
+ DNEncodedLen = byte_size(DNEncodedBin),
+ <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+ end,
+ list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
+
+certificate_authorities_from_db(CertDbRef) ->
+ certificate_authorities_from_db(CertDbRef, no_candidate, []).
+
+certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
+ case ssl_certificate_db:issuer_candidate(PrevKey) of
+ no_more_candidates ->
+ lists:reverse(Acc);
+ {{CertDbRef, _, _} = Key, Cert} ->
+ certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+ {Key, _Cert} ->
+ %% skip certs not from this ssl connection
+ certificate_authorities_from_db(CertDbRef, Key, Acc)
+ end.
digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) ->
public_key:encrypt_private(Hashes, Key,
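Review bot: certificate_authorities/1 builds the CertificateRequest certificate_authorities vector with no upper bound, but RFC 5246 §7.4.4 defines it as `DistinguishedName certificate_authorities<0..2^16-1>`, so a trust store with many CAs (a full system bundle can exceed 64 KiB of encoded DNs) produces a list whose 16-bit length prefix — presumably written by the caller, outside this hunk — cannot represent it and the message goes out malformed. The per-entry `?UINT16(DNEncodedLen)` likewise truncates silently for a DN over 65535 bytes, though that is far less likely in practice. I would bind the result and assert the bound so the failure is an explicit crash in this connection process rather than a corrupt handshake message: `CAs = list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]),` then `true = byte_size(CAs) =< 16#FFFF, %% RFC 5246 7.4.4: certificate_authorities<0..2^16-1>` then `CAs.`. Separately, certificate_authorities_from_db/3 walks every entry ssl_certificate_db:issuer_candidate/1 yields on each CertificateRequest and filters on CertDbRef afterwards, which is linear in the whole shared table rather than this connection's store; acceptable, but worth a comment such as `%% Walks the entire shared cert DB; only entries keyed by this connection's CertDbRef are CAs we announce.`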