Rework IDP validation according to the RFC, fix public_key tests

author: Andrew Thompson <[email protected]> 2014-02-08 00:58:11 -0500
committer: Hans Nilsson <[email protected]> 2014-03-26 10:13:55 +0100
commit: 9756dcd97cd819c9b2d64c35dd36550f99600e92 (patch)
tree: 1f7a8f1eabe71993442963c4530e8c96579ccb06 /lib/public_key/src/pubkey_crl.erl
parent: 8991663e33313233fed9cb7b0149baec1aa32b3f (diff)
download: otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.gz
otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.bz2
otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.zip
1 files changed, 9 insertions, 5 deletions
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
     ok;
 
 verify_dp_name(IDPNames, DPorIssuerNames) ->
-    case match_one(DPorIssuerNames, IDPNames) of
-	true ->
-	    ok;
-	false ->
-	    throw({bad_crl, scope_error})
+    %% RFC 5280 section 5.2.5
+    %% Check that at least one IssuingDistributionPointName in the CRL lines up
+    %% with a DistributionPointName in the certificate.
+    Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+    case Matches of
+	[] ->
+	    throw({bad_crl, scope_error});
+	_ ->
+	    ok
     end.
 
 match_one([], _) ->
author	Andrew Thompson <[email protected]>	2014-02-08 00:58:11 -0500
committer	Hans Nilsson <[email protected]>	2014-03-26 10:13:55 +0100
commit	9756dcd97cd819c9b2d64c35dd36550f99600e92 (patch)
tree	1f7a8f1eabe71993442963c4530e8c96579ccb06 /lib/public_key/src/pubkey_crl.erl
parent	8991663e33313233fed9cb7b0149baec1aa32b3f (diff)
download	otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.gz otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.tar.bz2 otp-9756dcd97cd819c9b2d64c35dd36550f99600e92.zip