aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public_key/src/public_key.erl
diff options
context:
space:
mode:
authorMagnus Henoch <[email protected]>2015-12-08 18:16:36 +0000
committerMagnus Henoch <[email protected]>2016-04-05 15:21:01 +0100
commitee2178b073e936760b405b338e473236a5df94ca (patch)
treee3891e31d17f5066efffb5ea24df31242e6712b7 /lib/public_key/src/public_key.erl
parente5776f33e6aa8ea99b14d3fd0525e9117bbe698a (diff)
downloadotp-ee2178b073e936760b405b338e473236a5df94ca.tar.gz
otp-ee2178b073e936760b405b338e473236a5df94ca.tar.bz2
otp-ee2178b073e936760b405b338e473236a5df94ca.zip
Function for generating OpenSSL-style name hashes
OpenSSL has functions to generate short (eight hex digits) hashes of issuers of certificates and CRLs. These hashes are used by the "c_rehash" script to populate directories of CA certificates and CRLs, e.g. in the Apache web server. Adding this function lets an Erlang program find the right CRL for a given certificate in such a directory.
Diffstat (limited to 'lib/public_key/src/public_key.erl')
-rw-r--r--lib/public_key/src/public_key.erl85
1 files changed, 84 insertions, 1 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 27bf2093a1..d23abfe256 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -55,7 +55,8 @@
pkix_dist_points/1,
pkix_match_dist_point/2,
pkix_crl_verify/2,
- pkix_crl_issuer/1
+ pkix_crl_issuer/1,
+ short_name_hash/1
]).
-export_type([public_key/0, private_key/0, pem_entry/0,
@@ -818,6 +819,17 @@ oid2ssh_curvename(?'secp384r1') -> <<"nistp384">>;
oid2ssh_curvename(?'secp521r1') -> <<"nistp521">>.
%%--------------------------------------------------------------------
+-spec short_name_hash({rdnSequence, [#'AttributeTypeAndValue'{}]}) ->
+ string().
+
+%% Description: Generates OpenSSL-style hash of a name.
+%%--------------------------------------------------------------------
+short_name_hash({rdnSequence, _Attributes} = Name) ->
+ HashThis = encode_name_for_short_hash(Name),
+ <<HashValue:32/little, _/binary>> = crypto:hash(sha, HashThis),
+ string:to_lower(string:right(integer_to_list(HashValue, 16), 8, $0)).
+
+%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
do_verify(DigestOrPlainText, DigestType, Signature,
@@ -1080,3 +1092,74 @@ ec_key({PubKey, PrivateKey}, Params) ->
parameters = Params,
publicKey = PubKey}.
+encode_name_for_short_hash({rdnSequence, Attributes0}) ->
+ Attributes = lists:map(fun normalise_attribute/1, Attributes0),
+ {Encoded, _} = 'OTP-PUB-KEY':'enc_RDNSequence'(Attributes, []),
+ Encoded.
+
+%% Normalise attribute for "short hash". If the attribute value
+%% hasn't been decoded yet, decode it so we can normalise it.
+normalise_attribute([#'AttributeTypeAndValue'{
+ type = _Type,
+ value = Binary} = ATV]) when is_binary(Binary) ->
+ case pubkey_cert_records:transform(ATV, decode) of
+ #'AttributeTypeAndValue'{value = Binary} ->
+ %% Cannot decode attribute; return original.
+ [ATV];
+ DecodedATV = #'AttributeTypeAndValue'{} ->
+ %% The new value will either be String or {Encoding,String}.
+ normalise_attribute([DecodedATV])
+ end;
+normalise_attribute([#'AttributeTypeAndValue'{
+ type = _Type,
+ value = {Encoding, String}} = ATV])
+ when
+ Encoding =:= utf8String;
+ Encoding =:= printableString;
+ Encoding =:= teletexString;
+ Encoding =:= ia5String ->
+ %% These string types all give us something that the unicode
+ %% module understands.
+ NewValue = normalise_attribute_value(String),
+ [ATV#'AttributeTypeAndValue'{value = NewValue}];
+normalise_attribute([#'AttributeTypeAndValue'{
+ type = _Type,
+ value = String} = ATV]) when is_list(String) ->
+ %% A string returned by pubkey_cert_records:transform/2, for
+ %% certain attributes that commonly have incorrect value types.
+ NewValue = normalise_attribute_value(String),
+ [ATV#'AttributeTypeAndValue'{value = NewValue}].
+
+normalise_attribute_value(String) ->
+ Converted = unicode:characters_to_binary(String),
+ NormalisedString = normalise_string(Converted),
+ %% We can't use the encoding function for the actual type of the
+ %% attribute, since some of them don't allow utf8Strings, which is
+ %% the required encoding when creating the hash.
+ {NewBinary, _} = 'OTP-PUB-KEY':'enc_X520CommonName'({utf8String, NormalisedString}, []),
+ NewBinary.
+
+normalise_string(String) ->
+ %% Normalise attribute values as required for "short hashes", as
+ %% implemented by OpenSSL.
+
+ %% Remove ASCII whitespace from beginning and end.
+ TrimmedLeft = re:replace(String, "^[\s\f\n\r\t\v]+", "", [unicode, global]),
+ TrimmedRight = re:replace(TrimmedLeft, "[\s\f\n\r\t\v]+$", "", [unicode, global]),
+ %% Convert multiple whitespace characters to a single space.
+ Collapsed = re:replace(TrimmedRight, "[\s\f\n\r\t\v]+", "\s", [unicode, global]),
+ %% Convert ASCII characters to lowercase
+ Lower = ascii_to_lower(Collapsed),
+ %% And we're done!
+ Lower.
+
+ascii_to_lower(String) ->
+ %% Can't use string:to_lower/1, because that changes Latin-1
+ %% characters as well.
+ << <<(if $A =< C, C =< $Z ->
+ C + ($a - $A);
+ true ->
+ C
+ end)>>
+ ||
+ <<C>> <= iolist_to_binary(String) >>.