diff options
author | Andrew Thompson <[email protected]> | 2013-10-10 02:23:02 -0400 |
---|---|---|
committer | Hans Nilsson <[email protected]> | 2014-03-26 10:13:55 +0100 |
commit | 8991663e33313233fed9cb7b0149baec1aa32b3f (patch) | |
tree | adc2a51668c9dbd9634bd99e2b7a62a48f3441ee /lib/public_key/src/pubkey_crl.erl | |
parent | dbb4cdad43a980e65546fdb572bf0f5cf007fd5a (diff) | |
download | otp-8991663e33313233fed9cb7b0149baec1aa32b3f.tar.gz otp-8991663e33313233fed9cb7b0149baec1aa32b3f.tar.bz2 otp-8991663e33313233fed9cb7b0149baec1aa32b3f.zip |
Various improvements to CRL handling
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
Diffstat (limited to 'lib/public_key/src/pubkey_crl.erl')
-rw-r--r-- | lib/public_key/src/pubkey_crl.erl | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl index eaba5bfa1b..503d0205a6 100644 --- a/lib/public_key/src/pubkey_crl.erl +++ b/lib/public_key/src/pubkey_crl.erl @@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL}, CertIssuer = TBSCert#'OTPTBSCertificate'.issuer, TBSCRL = CRL#'CertificateList'.tbsCertList, CRLIssuer = TBSCRL#'TBSCertList'.issuer, - AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions), + AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName', + TBSCert#'OTPTBSCertificate'.extensions) of + undefined -> + []; + Ext -> + Ext#'Extension'.extnValue + end, revoked_status(DP, IDP, {directoryName, CRLIssuer}, [ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked, DeltaRevoked, RevokedState1); @@ -401,7 +407,8 @@ match_one([{Type, Name} | Names], CandidateNames) -> case Candidates of [] -> false; - [_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of + [_|_] -> + case pubkey_cert:match_name(Type, Name, Candidates) of true -> true; false -> @@ -664,6 +671,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions = verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest); verify_extensions([]) -> true; +verify_extensions(asn1_NOVALUE) -> + true; verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) -> case lists:member(Id, [?'id-ce-authorityKeyIdentifier', ?'id-ce-issuerAltName', |