Improved certificate extension handling

Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.

Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.

Try to verify subject-AltName, if unable to verify it let
application try.

1 files changed, 4 insertions, 1 deletions

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 68bf04eeff..9c7817fa8e 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -539,6 +539,7 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 					 user_state = UserState0,
 					 verify_fun = VerifyFun} =
 	     ValidationState0) ->
+
     OtpCert = pkix_decode_cert(DerCert, otp),
 
     UserState1 = pubkey_cert:validate_time(OtpCert, UserState0, VerifyFun),
@@ -556,10 +557,12 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 
     %% We want the key_usage extension to be checked before we validate
     %% the signature. 
-    UserState = pubkey_cert:validate_signature(OtpCert, DerCert,
+    UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert,
 						Key, KeyParams, UserState5, VerifyFun),
+    UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun),
     ValidationState  = 
 	ValidationState1#path_validation_state{user_state = UserState},
+
     pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState).
 
 sized_binary(Binary) when is_binary(Binary) ->