diff options
author | Ingela Anderton Andin <[email protected]> | 2010-09-13 08:52:54 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2010-09-13 08:52:54 +0200 |
commit | 3f336f1b6f2854618146e882b04e8cbc50d1111e (patch) | |
tree | f275ef9c49054004e3504d7f9548474a78dcefa1 /lib/public_key/src/pubkey_cert.erl | |
parent | f86c89a90a228eed9a58632cc0fb3372b210ec1a (diff) | |
parent | 6cced538abd4f8053c009b163efa8c6d568b9580 (diff) | |
download | otp-3f336f1b6f2854618146e882b04e8cbc50d1111e.tar.gz otp-3f336f1b6f2854618146e882b04e8cbc50d1111e.tar.bz2 otp-3f336f1b6f2854618146e882b04e8cbc50d1111e.zip |
Merge branch 'ia/public_key-subject-alternative-name/OTP-8825' into dev
* ia/public_key-subject-alternative-name/OTP-8825:
Improved certificate extension handling
Add handling of SubjectAltName of type otherName
Diffstat (limited to 'lib/public_key/src/pubkey_cert.erl')
-rw-r--r-- | lib/public_key/src/pubkey_cert.erl | 90 |
1 files changed, 40 insertions, 50 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl index b3c230df25..e704c168f1 100644 --- a/lib/public_key/src/pubkey_cert.erl +++ b/lib/public_key/src/pubkey_cert.erl @@ -29,7 +29,7 @@ validate_revoked_status/3, validate_extensions/4, normalize_general_name/1, digest_type/1, is_self_signed/1, is_issuer/2, issuer_id/2, is_fixed_dh_cert/1, - verify_data/1]). + verify_data/1, verify_fun/4]). -define(NULL, 0). @@ -288,6 +288,35 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate = Extensions}}) -> is_fixed_dh_cert(SubjectPublicKeyInfo, extensions_list(Extensions)). + +%%-------------------------------------------------------------------- +-spec verify_fun(#'OTPTBSCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}| + valid, term(), fun()) -> term(). +%% +%% Description: Gives the user application the opportunity handle path +%% validation errors and unknown extensions and optional do other +%% things with a validated certificate. +%% -------------------------------------------------------------------- +verify_fun(Otpcert, Result, UserState0, VerifyFun) -> + case VerifyFun(Otpcert, Result, UserState0) of + {valid,UserState} -> + UserState; + {fail, Reason} -> + case Result of + {bad_cert, _} -> + throw(Result); + _ -> + throw({bad_cert, Reason}) + end; + {unknown, UserState} -> + case Result of + {extension, #'Extension'{critical = true}} -> + throw({bad_cert, unknown_critical_extension}); + _ -> + UserState + end + end. + %%-------------------------------------------------------------------- %%% Internal functions %%-------------------------------------------------------------------- @@ -315,25 +344,6 @@ extensions_list(asn1_NOVALUE) -> extensions_list(Extensions) -> Extensions. -verify_fun(Otpcert, Result, UserState0, VerifyFun) -> - case VerifyFun(Otpcert, Result, UserState0) of - {valid,UserState} -> - UserState; - {fail, Reason} -> - case Result of - {bad_cert, _} -> - throw(Result); - _ -> - throw({bad_cert, Reason}) - end; - {unknown, UserState} -> - case Result of - {extension, #'Extension'{critical = true}} -> - throw({bad_cert, unknown_critical_extension}); - _ -> - UserState - end - end. extract_verify_data(OtpCert, DerCert) -> {0, Signature} = OtpCert#'OTPCertificate'.signature, @@ -538,42 +548,21 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-keyUsage', end; validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-subjectAltName', - extnValue = Names} | Rest], + extnValue = Names, + critical = true} = Ext | Rest], ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> case validate_subject_alt_names(Names) of - true when Names =/= [] -> + true -> validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun); - _ -> - UserState = verify_fun(OtpCert, {bad_cert, invalid_subject_altname}, + false -> + UserState = verify_fun(OtpCert, {extension, Ext}, UserState0, VerifyFun), validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, UserState, VerifyFun) end; -%% This extension SHOULD NOT be marked critical. Its value -%% does not have to be further validated at this point. -validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-issuerAltName', - extnValue = _} | Rest], - ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun) -> - validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun); - -%% This extension MUST NOT be marked critical.Its value -%% does not have to be further validated at this point. -validate_extensions(OtpCert, [#'Extension'{extnID = Id, - extnValue = _, - critical = false} | Rest], - ValidationState, - ExistBasicCon, SelfSigned, - UserState, VerifyFun) - when Id == ?'id-ce-subjectKeyIdentifier'; - Id == ?'id-ce-authorityKeyIdentifier'-> - validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun); - validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-nameConstraints', extnValue = NameConst} | Rest], ValidationState, @@ -587,7 +576,6 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-nameConstraints', validate_extensions(OtpCert, Rest, NewValidationState, ExistBasicCon, SelfSigned, UserState, VerifyFun); - validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-certificatePolicies', critical = true} = Ext| Rest], ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> @@ -648,13 +636,13 @@ is_valid_key_usage(KeyUse, Use) -> lists:member(Use, KeyUse). validate_subject_alt_names([]) -> - true; + false; validate_subject_alt_names([AltName | Rest]) -> case is_valid_subject_alt_name(AltName) of true -> - validate_subject_alt_names(Rest); + true; false -> - false + validate_subject_alt_names(Rest) end. is_valid_subject_alt_name({Name, Value}) when Name == rfc822Name; @@ -682,6 +670,8 @@ is_valid_subject_alt_name({directoryName, _}) -> true; is_valid_subject_alt_name({_, [_|_]}) -> true; +is_valid_subject_alt_name({otherName, #'AnotherName'{}}) -> + false; is_valid_subject_alt_name({_, _}) -> false. |