authorAndrew Thompson <[email protected]>2013-10-10 02:23:02 -0400
committerHans Nilsson <[email protected]>2014-03-26 10:13:55 +0100
commit8991663e33313233fed9cb7b0149baec1aa32b3f (patch)
treeadc2a51668c9dbd9634bd99e2b7a62a48f3441ee /lib/public_key/src/pubkey_crl.erl
parentdbb4cdad43a980e65546fdb572bf0f5cf007fd5a (diff)
Various improvements to CRL handling
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames

Tests are also included, and the make_certs testing tool in the SSL application has been greatly extended.
Diffstat (limited to 'lib/public_key/src/pubkey_crl.erl')
-rw-r--r--lib/public_key/src/pubkey_crl.erl13
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index eaba5bfa1b..503d0205a6 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
TBSCRL = CRL#'CertificateList'.tbsCertList,
CRLIssuer = TBSCRL#'TBSCertList'.issuer,
- AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
+ AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
+ TBSCert#'OTPTBSCertificate'.extensions) of
+ undefined ->
+ [];
+ Ext ->
+ Ext#'Extension'.extnValue
+ end,
revoked_status(DP, IDP, {directoryName, CRLIssuer},
[ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
DeltaRevoked, RevokedState1);
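Review bot: `Ext#'Extension'.extnValue` is consed straight onto `{directoryName, CertIssuer}` without a comment explaining why no decode happens, so the code silently relies on the value already being a list of general names. That presumably holds for an `OtpCert` decoded in OTP form, but it is not visible in this hunk; a still-encoded value would produce an improper list and the names handed to `revoked_status` would not be matched as intended. I would add above the case `%% extnValue of an 'OTPCertificate' is already a decoded GeneralNames list; do not decode again`. If `subject_alt_names/1` has no remaining callers it should be removed with this change. The body of `validate` starts before and continues after this hunk.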
@@ -401,7 +407,8 @@ match_one([{Type, Name} | Names], CandidateNames) ->
case Candidates of
[] ->
false;
- [_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
+ [_|_] ->
+ case pubkey_cert:match_name(Type, Name, Candidates) of
true ->
true;
false ->
@@ -664,6 +671,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
verify_extensions([]) ->
true;
+verify_extensions(asn1_NOVALUE) ->
+ true;
verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
?'id-ce-issuerAltName',
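Review bot: The added `verify_extensions(asn1_NOVALUE) -> true` clause returns success for an absent value in a function whose job is to reject unrecognised critical extensions, and nothing records which field it is meant to cover. I would document it in place, `%% asn1_NOVALUE: OPTIONAL field absent (e.g. v1 CRL without extensions), nothing critical to reject`, so a later reader does not take it for a general fail-open path. The entry-extension clause above already normalises its input through `pubkey_cert:extensions_list/1`; doing the same at the call site that passes the raw field (not visible here) would let this function accept lists only. The clause list continues beyond the hunk.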