public_key: Improve CRL handling support

author: Ingela Anderton Andin <[email protected]> 2014-11-04 15:41:16 +0100
committer: Ingela Anderton Andin <[email protected]> 2015-03-09 10:15:41 +0100
commit: 601246b87b7df5247fc5ab1cf39e665935e335ae (patch)
tree: deeb800cc72710e981ce9b53b275e70eff95e926 /lib/public_key/src/public_key.erl
parent: 9e3299ca1b5d70562372a8eb51abf1cd96a284db (diff)
download: otp-601246b87b7df5247fc5ab1cf39e665935e335ae.tar.gz
otp-601246b87b7df5247fc5ab1cf39e665935e335ae.tar.bz2
otp-601246b87b7df5247fc5ab1cf39e665935e335ae.zip
1 files changed, 93 insertions, 10 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 1bbf4ef416..a0a87e5351 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -46,7 +46,11 @@
 	 pkix_normalize_name/1,
 	 pkix_path_validation/3,
 	 ssh_decode/2, ssh_encode/2,
-	 pkix_crls_validate/3
+	 pkix_crls_validate/3,
+	 pkix_dist_point/1,
+	 pkix_dist_points/1,
+	 pkix_crl_verify/2,
+	 pkix_crl_issuer/1
 	]).
 
 -export_type([public_key/0, private_key/0, pem_entry/0,
@@ -470,6 +474,45 @@ verify(DigestOrPlainText, sha = DigestType, Signature, {Key,  #'Dss-Parms'{p = P
     crypto:verify(dss, DigestType, DigestOrPlainText, Signature, [P, Q, G, Key]).
 
 %%--------------------------------------------------------------------
+-spec pkix_dist_point(der_encoded() | #'OTPCertificate'{}) -> 
+			      #'DistributionPoint'{}.  
+%% Description:  Creates a distribution point for CRLs issued by the same issuer as <c>Cert</c>.
+%%--------------------------------------------------------------------
+pkix_dist_point(OtpCert) when is_binary(OtpCert) ->
+    pkix_dist_point(pkix_decode_cert(OtpCert, otp));
+pkix_dist_point(OtpCert) ->
+    Issuer = public_key:pkix_normalize_name(
+	       pubkey_cert_records:transform(
+		 OtpCert#'OTPCertificate'.tbsCertificate#'OTPTBSCertificate'.issuer, encode)),
+    
+    TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+    Extensions = pubkey_cert:extensions_list(TBSCert#'OTPTBSCertificate'.extensions),
+    AltNames = case pubkey_cert:select_extension(?'id-ce-issuerAltName', Extensions) of 
+		   undefined ->
+		       [];
+		   #'Extension'{extnValue = Value} ->
+		       Value
+	       end,
+    Point = {fullName, [{directoryName, Issuer} | AltNames]},
+    #'DistributionPoint'{cRLIssuer = asn1_NOVALUE,
+			 reasons = asn1_NOVALUE,
+			 distributionPoint =  Point}.	
+%%--------------------------------------------------------------------
+-spec pkix_dist_points(der_encoded() | #'OTPCertificate'{}) -> 
+			      [#'DistributionPoint'{}].  
+%% Description:  Extracts distributionpoints specified in the certificates extensions.
+%%--------------------------------------------------------------------
+pkix_dist_points(OtpCert) when is_binary(OtpCert) ->
+    pkix_dist_points(pkix_decode_cert(OtpCert, otp));
+pkix_dist_points(OtpCert) ->
+    Value = pubkey_cert:distribution_points(OtpCert),
+    lists:foldl(fun(Point, Acc0) ->
+			DistPoint = pubkey_cert_records:transform(Point, decode),
+			[DistPoint | Acc0]
+		end, 
+		[], Value).
+
+%%--------------------------------------------------------------------
 -spec pkix_sign(#'OTPTBSCertificate'{},
 		rsa_private_key() | dsa_private_key()) -> Der::binary().
 %%
@@ -511,6 +554,25 @@ pkix_verify(DerCert, Key = {#'ECPoint'{}, _})
     verify(PlainText, DigestType, Signature,  Key).
 
 %%--------------------------------------------------------------------
+-spec pkix_crl_verify(CRL::binary() | #'CertificateList'{}, Cert::binary() | #'OTPCertificate'{}) -> boolean().
+%%
+%% Description: Verify that Cert is the CRL signer.
+%%--------------------------------------------------------------------
+pkix_crl_verify(CRL, Cert) when is_binary(CRL) ->
+    pkix_crl_verify(der_decode('CertificateList', CRL), Cert);
+pkix_crl_verify(CRL, Cert) when is_binary(Cert) ->
+    pkix_crl_verify(CRL, pkix_decode_cert(Cert, otp));
+pkix_crl_verify(#'CertificateList'{} = CRL, #'OTPCertificate'{} = Cert) ->
+    TBSCert = Cert#'OTPCertificate'.tbsCertificate, 
+    PublicKeyInfo = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
+    PublicKey = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey,
+    AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm,
+    PublicKeyParams = AlgInfo#'PublicKeyAlgorithm'.parameters,
+    pubkey_crl:verify_crl_signature(CRL, 
+				    der_encode('CertificateList', CRL), 
+				    PublicKey, PublicKeyParams).
+
+%%--------------------------------------------------------------------
 -spec pkix_is_issuer(Cert :: der_encoded()| #'OTPCertificate'{} | #'CertificateList'{},
 		     IssuerCert :: der_encoded()|
 				   #'OTPCertificate'{}) -> boolean().
@@ -564,15 +626,21 @@ pkix_is_fixed_dh_cert(Cert) when is_binary(Cert) ->
 %
 %% Description: Returns the issuer id.
 %%--------------------------------------------------------------------
-pkix_issuer_id(#'OTPCertificate'{} = OtpCert, self) ->
-    pubkey_cert:issuer_id(OtpCert, self);
-
-pkix_issuer_id(#'OTPCertificate'{} = OtpCert, other) ->
-    pubkey_cert:issuer_id(OtpCert, other);
+pkix_issuer_id(Cert, Signed)->
+    pkix_issuer_id(Cert, Signed, decode).
 
-pkix_issuer_id(Cert, Signed) when is_binary(Cert) ->
-    OtpCert = pkix_decode_cert(Cert, otp),
-    pkix_issuer_id(OtpCert, Signed).
+%%--------------------------------------------------------------------
+-spec pkix_crl_issuer(CRL::binary()| #'CertificateList'{}) -> 
+			     {rdnSequence,
+			      [#'AttributeTypeAndValue'{}]}.
+%
+%% Description: Returns the issuer.
+%%--------------------------------------------------------------------
+pkix_crl_issuer(CRL) when is_binary(CRL) ->
+    pkix_crl_issuer(der_decode('CertificateList', CRL));
+pkix_crl_issuer(#'CertificateList'{} = CRL) ->
+    pubkey_cert_records:transform(
+      CRL#'CertificateList'.tbsCertList#'TBSCertList'.issuer, decode).
 
 %%--------------------------------------------------------------------
 -spec pkix_normalize_name({rdnSequence,
@@ -921,3 +989,18 @@ ec_key({PubKey, PrivateKey}, Params) ->
 		    privateKey = binary_to_list(PrivateKey),
 		    parameters = Params,
 		    publicKey = {0, PubKey}}.
+
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, Signed, decode) when (Signed == self) or 
+								   (Signed == other) ->
+    pubkey_cert:issuer_id(OtpCert, Signed);
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, Signed, encode) when (Signed == self) or 
+								   (Signed == other) ->
+    case pubkey_cert:issuer_id(OtpCert, Signed) of
+	{ok, {Serial, Issuer}} ->
+	    {ok, {Serial, pubkey_cert_records:transform(Issuer, encode)}};
+	Error ->
+	    Error
+    end;
+pkix_issuer_id(Cert, Signed, Decode) when is_binary(Cert) -> 
+    OtpCert = pkix_decode_cert(Cert, otp),
+    pkix_issuer_id(OtpCert, Signed, Decode).
author	Ingela Anderton Andin <[email protected]>	2014-11-04 15:41:16 +0100
committer	Ingela Anderton Andin <[email protected]>	2015-03-09 10:15:41 +0100
commit	601246b87b7df5247fc5ab1cf39e665935e335ae (patch)
tree	deeb800cc72710e981ce9b53b275e70eff95e926 /lib/public_key/src/public_key.erl
parent	9e3299ca1b5d70562372a8eb51abf1cd96a284db (diff)
download	otp-601246b87b7df5247fc5ab1cf39e665935e335ae.tar.gz otp-601246b87b7df5247fc5ab1cf39e665935e335ae.tar.bz2 otp-601246b87b7df5247fc5ab1cf39e665935e335ae.zip