Various improvements to CRL handling

* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames

Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.

1 files changed, 11 insertions, 2 deletions

diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index eaba5bfa1b..503d0205a6 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
 		CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
 		TBSCRL = CRL#'CertificateList'.tbsCertList,
 		CRLIssuer =  TBSCRL#'TBSCertList'.issuer,
-		AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
+		AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
+							     TBSCert#'OTPTBSCertificate'.extensions) of
+			     undefined ->
+				[];
+			     Ext ->
+				Ext#'Extension'.extnValue
+			   end,
 		revoked_status(DP, IDP, {directoryName, CRLIssuer},
 			       [ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
 			       DeltaRevoked, RevokedState1);
@@ -401,7 +407,8 @@ match_one([{Type, Name} | Names], CandidateNames) ->
     case Candidates of
 	[] ->
 	    false;
-	[_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
+	[_|_] ->
+	case pubkey_cert:match_name(Type, Name, Candidates) of
 		     true ->
 			 true;
 		 false ->
@@ -664,6 +671,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
     verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
 verify_extensions([]) ->
     true;
+verify_extensions(asn1_NOVALUE) ->
+    true;
 verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
     case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
 			   ?'id-ce-issuerAltName',