All basic test cases pass

author: Ingela Anderton Andin <[email protected]> 2010-10-07 17:04:25 +0200
committer: Ingela Anderton Andin <[email protected]> 2013-01-11 15:05:33 +0100
commit: 1d054d8055435f6c9df687881f1f6425eb29c754 (patch)
tree: 2f5d9c2d393446ff5631552f96d166bfa763594b /lib/public_key/src
parent: 1897e315ee2d8417a6e32f5fae00e9a124a45d83 (diff)
download: otp-1d054d8055435f6c9df687881f1f6425eb29c754.tar.gz
otp-1d054d8055435f6c9df687881f1f6425eb29c754.tar.bz2
otp-1d054d8055435f6c9df687881f1f6425eb29c754.zip
6 files changed, 981 insertions, 131 deletions
diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
index d5cd13d81a..d24122221a 100644
--- a/lib/public_key/src/Makefile
+++ b/lib/public_key/src/Makefile
@@ -44,7 +44,8 @@ MODULES = \
 	pubkey_ssh \
 	pubkey_pbe \
 	pubkey_cert \
-	pubkey_cert_records 
+        pubkey_cert_records \
+	pubkey_crl
 
 HRL_FILES = $(INCLUDE)/public_key.hrl 
 
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index f9e2025479..f53c94b334 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -26,10 +26,11 @@
 -export([init_validation_state/3, prepare_for_next_cert/2,
  	 validate_time/3, validate_signature/6,
  	 validate_issuer/4, validate_names/6,
-	 validate_revoked_status/3, validate_extensions/4,
+	 validate_extensions/4,
 	 normalize_general_name/1, digest_type/1, is_self_signed/1,
 	 is_issuer/2, issuer_id/2, is_fixed_dh_cert/1,
-	 verify_data/1, verify_fun/4]).
+	 verify_data/1, verify_fun/4, select_extension/2, match_name/3,
+	 extensions_list/1, cert_auth_key_id/1, time_str_2_gregorian_sec/1]).
 
 -define(NULL, 0).
  
@@ -204,17 +205,6 @@ validate_names(OtpCert, Permit, Exclude, Last, UserState, VerifyFun) ->
     end.
 
 %%--------------------------------------------------------------------
--spec validate_revoked_status(#'OTPCertificate'{}, term(), fun()) ->
-				      term().
-%%
-%% Description: Check if certificate has been revoked.
-%%--------------------------------------------------------------------	
-validate_revoked_status(_OtpCert, UserState, _VerifyFun) ->
-    %% TODO: Implement or leave for application?!
-    %% valid |
-    %% throw({bad_cert, cert_revoked})
-    UserState.
-%%--------------------------------------------------------------------
 -spec validate_extensions(#'OTPCertificate'{}, #path_validation_state{},
 			  term(), fun())->
 				 {#path_validation_state{}, UserState :: term()}.
@@ -256,8 +246,10 @@ is_self_signed(#'OTPCertificate'{tbsCertificate=
 %%
 %% Description:  Checks if <Issuer> issued <Candidate>.
 %%--------------------------------------------------------------------	
-is_issuer({rdnSequence, Issuer}, {rdnSequence, Candidate}) ->
-    is_dir_name(Issuer, Candidate, true).
+is_issuer({rdnSequence, _} = Issuer, {rdnSequence, _} = Candidate) ->
+    {rdnSequence, IssuerDirName} = normalize_general_name(Issuer),
+    {rdnSequence, CandidateDirName} = normalize_general_name(Candidate),
+    is_dir_name(IssuerDirName, CandidateDirName, true).
 %%--------------------------------------------------------------------
 -spec issuer_id(#'OTPCertificate'{}, self | other) -> 
 		       {ok, {integer(), term()}}  | {error, issuer_not_found}.
@@ -307,9 +299,9 @@ verify_fun(Otpcert, Result, UserState0, VerifyFun) ->
 	{valid,UserState} ->
 	    UserState;
 	{fail, Reason} ->
-	    case Result of
+	    case Reason of
 		{bad_cert, _} ->
-		    throw(Result);
+		    throw(Reason);
 		_ ->
 		    throw({bad_cert, Reason})
 	    end;
@@ -321,6 +313,91 @@ verify_fun(Otpcert, Result, UserState0, VerifyFun) ->
 		    UserState
 	    end
     end.
+%%--------------------------------------------------------------------
+-spec select_extension(Oid ::tuple(),[#'Extension'{}]) ->
+			      #'Extension'{} | undefined.
+%%
+%% Description: Extracts a specific extension from a list of extensions.
+%%--------------------------------------------------------------------
+select_extension(_, []) ->
+    undefined;
+select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
+    Extension;
+select_extension(Id, [_ | Extensions]) ->
+    select_extension(Id, Extensions).
+
+%%--------------------------------------------------------------------
+%% TODO:
+%%
+%% Description:
+%%--------------------------------------------------------------------
+match_name(rfc822Name, Name, [PermittedName | Rest]) ->
+    match_name(fun is_valid_host_or_domain/2, Name, PermittedName, Rest);
+
+match_name(directoryName, DirName,  [PermittedName | Rest]) ->
+    match_name(fun is_rdnSeq/2, DirName, PermittedName, Rest);
+
+match_name(uniformResourceIdentifier, URI,  [PermittedName | Rest]) ->
+    case split_uri(URI) of
+	incomplete ->
+	    false;
+	{_, _, Host, _, _} ->
+	    match_name(fun is_valid_host_or_domain/2, Host,
+		       PermittedName, Rest)
+    end;
+
+match_name(emailAddress, Name, [PermittedName | Rest]) ->
+    Fun = fun(Email, PermittedEmail) ->
+		  is_valid_email_address(Email, PermittedEmail,
+				   string:tokens(PermittedEmail,"@"))
+	  end,
+     match_name(Fun, Name, PermittedName, Rest);
+
+match_name(dNSName, Name, [PermittedName | Rest]) ->
+    Fun = fun(Domain, [$.|Domain]) -> true;
+	     (Name1,Name2) ->
+		  lists:suffix(string:to_lower(Name2),
+			       string:to_lower(Name1))
+	  end,
+    match_name(Fun, Name, [$.|PermittedName], Rest);
+
+match_name(x400Address, OrAddress, [PermittedAddr | Rest]) ->
+    match_name(fun is_or_address/2, OrAddress, PermittedAddr, Rest);
+
+match_name(ipAdress, IP, [PermittedIP | Rest]) ->
+    Fun = fun([IP1, IP2, IP3, IP4],
+	      [IP5, IP6, IP7, IP8, M1, M2, M3, M4]) ->
+		  is_permitted_ip([IP1, IP2, IP3, IP4],
+				  [IP5, IP6, IP7, IP8],
+				  [M1, M2, M3, M4]);
+	     ([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
+	       IP9, IP10, IP11, IP12, IP13, IP14, IP15, IP16],
+	      [IP17, IP18, IP19, IP20, IP21, IP22, IP23, IP24,
+	       IP25, IP26, IP27, IP28, IP29, IP30, IP31, IP32,
+	       M1, M2, M3, M4, M5, M6, M7, M8,
+	       M9, M10, M11, M12, M13, M14, M15, M16]) ->
+		  is_permitted_ip([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
+				   IP9, IP10, IP11, IP12, IP13,
+				   IP14, IP15, IP16],
+				  [IP17, IP18, IP19, IP20, IP21, IP22, IP23,
+				   IP24,IP25, IP26, IP27, IP28, IP29, IP30,
+				   IP31, IP32],
+				    [M1, M2, M3, M4, M5, M6, M7, M8, M9, M10,
+				     M11, M12, M13, M14, M15, M16]);
+	     (_,_) ->
+		  false
+	  end,
+    match_name(Fun, IP, PermittedIP, Rest).
+
+match_name(Fun, Name, PermittedName, []) ->
+    Fun(Name, PermittedName);
+match_name(Fun, Name, PermittedName, [Head | Tail]) ->
+    case Fun(Name, PermittedName) of
+	true ->
+	    true;
+	false ->
+	    match_name(Fun, Name, Head, Tail)
+    end.
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -332,7 +409,7 @@ do_normalize_general_name(Issuer) ->
 		   (Atter)  ->
 			Atter
 		end,
-    lists:sort(lists:map(Normalize, Issuer)).
+    lists:map(Normalize, Issuer).
 
 %% See rfc3280 4.1.2.6 Subject: regarding emails.
 extract_email({rdnSequence, List}) ->
@@ -477,13 +554,6 @@ strip_spaces(String) ->
 		    string:tokens(String, " ")),
     string:strip(NewString).
 
-select_extension(_, []) ->
-    undefined;
-select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
-    Extension;
-select_extension(Id, [_ | Extensions]) ->
-    select_extension(Id, Extensions).
-
 %% No extensions present
 validate_extensions(OtpCert, asn1_NOVALUE, ValidationState, ExistBasicCon,
 		    SelfSigned, UserState, VerifyFun) ->
@@ -503,18 +573,16 @@ validate_extensions(OtpCert, [], ValidationState =
 	true  ->
 	    {ValidationState#path_validation_state{max_path_length = Len - 1},
 	     UserState0};
-	%% basic_constraint must appear in certs used for digital sign
-	%% see 4.2.1.10 in rfc 3280
 	false ->
-	    UserState = verify_fun(OtpCert, {bad_cert, missing_basic_constraint},
-				   UserState0, VerifyFun),
-	    case SelfSigned of
+	    %% basic_constraint must appear in certs used for digital sign
+	    %% see 4.2.1.10 in rfc 3280
+	    case is_digitally_sign_cert(OtpCert) of
 		true ->
-		    {ValidationState, UserState};
-		false ->
-		    {ValidationState#path_validation_state{max_path_length = 
-							       Len - 1},
-		     UserState}
+		    missing_basic_constraints(OtpCert, SelfSigned,
+					      ValidationState, VerifyFun,
+					      UserState0, Len);
+		false -> %% Example CRL signer only
+		    {ValidationState, UserState0}
 	    end
     end;
 
@@ -861,74 +929,6 @@ type_subtree_names(Type, SubTrees) ->
     [Name || #'GeneralSubtree'{base = {TreeType, Name}} <- SubTrees,
 	     TreeType =:= Type].
 
-match_name(rfc822Name, Name, [PermittedName | Rest]) ->
-    match_name(fun is_valid_host_or_domain/2, Name, PermittedName, Rest);
-	
-match_name(directoryName, DirName,  [PermittedName | Rest]) ->
-    match_name(fun is_rdnSeq/2, DirName, PermittedName, Rest);
-
-match_name(uniformResourceIdentifier, URI,  [PermittedName | Rest]) ->
-    case split_uri(URI) of
-	incomplete ->
-	    false;
-	{_, _, Host, _, _} ->
-	    match_name(fun is_valid_host_or_domain/2, Host, 
-		       PermittedName, Rest)
-    end;
-
-match_name(emailAddress, Name, [PermittedName | Rest]) ->
-    Fun = fun(Email, PermittedEmail) -> 
-		  is_valid_email_address(Email, PermittedEmail,
-				   string:tokens(PermittedEmail,"@"))
-	  end,
-     match_name(Fun, Name, PermittedName, Rest);
-
-match_name(dNSName, Name, [PermittedName | Rest]) ->
-    Fun = fun(Domain, [$.|Domain]) -> true;
-	     (Name1,Name2) ->
-		  lists:suffix(string:to_lower(Name2), 
-			       string:to_lower(Name1))
-	  end,
-    match_name(Fun, Name, [$.|PermittedName], Rest);	  
-	     
-match_name(x400Address, OrAddress, [PermittedAddr | Rest]) ->
-    match_name(fun is_or_address/2, OrAddress, PermittedAddr, Rest);
-
-match_name(ipAdress, IP, [PermittedIP | Rest]) ->
-    Fun = fun([IP1, IP2, IP3, IP4],
-	      [IP5, IP6, IP7, IP8, M1, M2, M3, M4]) ->
-		  is_permitted_ip([IP1, IP2, IP3, IP4],
-				  [IP5, IP6, IP7, IP8],
-				  [M1, M2, M3, M4]);
-	     ([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
-	       IP9, IP10, IP11, IP12, IP13, IP14, IP15, IP16],
-	      [IP17, IP18, IP19, IP20, IP21, IP22, IP23, IP24,
-	       IP25, IP26, IP27, IP28, IP29, IP30, IP31, IP32,
-	       M1, M2, M3, M4, M5, M6, M7, M8,
-	       M9, M10, M11, M12, M13, M14, M15, M16]) ->
-		  is_permitted_ip([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8,
-				   IP9, IP10, IP11, IP12, IP13,
-				   IP14, IP15, IP16],
-				  [IP17, IP18, IP19, IP20, IP21, IP22, IP23, 
-				   IP24,IP25, IP26, IP27, IP28, IP29, IP30, 
-				   IP31, IP32],
-				    [M1, M2, M3, M4, M5, M6, M7, M8, M9, M10, 
-				     M11, M12, M13, M14, M15, M16]);
-	     (_,_) ->
-		  false
-	  end,
-    match_name(Fun, IP, PermittedIP, Rest).
-    
-match_name(Fun, Name, PermittedName, []) ->
-    Fun(Name, PermittedName);
-match_name(Fun, Name, PermittedName, [Head | Tail]) ->
-    case Fun(Name, PermittedName) of
-	true ->
-	    true;
-	false ->
-	    match_name(Fun, Name, Head, Tail)
-    end.
-
 is_permitted_ip([], [], []) ->
     true;
 is_permitted_ip([CandidatIp | CandidatIpRest], 
@@ -1037,3 +1037,25 @@ is_dh(?'dhpublicnumber')->
     true;
 is_dh(_) ->
     false.
+
+is_digitally_sign_cert(OtpCert) ->
+    TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+    Extensions = extensions_list(TBSCert#'OTPTBSCertificate'.extensions),
+    case pubkey_cert:select_extension(?'id-ce-keyUsage', Extensions) of
+	undefined ->
+	     false;
+	#'Extension'{extnValue = KeyUse} ->
+	    lists:member(keyCertSign, KeyUse)
+    end.
+
+missing_basic_constraints(OtpCert, SelfSigned, ValidationState, VerifyFun, UserState0,Len) ->
+    UserState = verify_fun(OtpCert, {bad_cert, missing_basic_constraint},
+			   UserState0, VerifyFun),
+    case SelfSigned of
+	true ->
+	    {ValidationState, UserState};
+	false ->
+	    {ValidationState#path_validation_state{max_path_length =
+						       Len - 1},
+	     UserState}
+    end.
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
new file mode 100644
index 0000000000..9d50288974
--- /dev/null
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -0,0 +1,691 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2010-2012. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+-module(pubkey_crl).
+
+-include("public_key.hrl").
+
+-export([validate/7, init_revokation_state/0, fresh_crl/3, verify_crl_signature/4,
+	 is_delta_crl/1, combines/2]).
+
+-record(userstate, {dpcrls
+	  }).
+
+validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
+	     Options, RevokedState0) ->
+    RevokedState =
+	case verify_crl(OtpCert, DP, CRL, DerCRL, DeltaCRL,
+			DerDeltaCRL, OtherDPCRLs, Options, RevokedState0) of
+	    {valid, Revoked, DeltaRevoked, RevokedState1, IDP} ->
+		TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
+		SerialNumber = TBSCert#'OTPTBSCertificate'.serialNumber,
+		CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
+		TBSCRL = CRL#'CertificateList'.tbsCertList,
+		CRLIssuer =  TBSCRL#'TBSCertList'.issuer,
+		AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
+		revoked_status(DP, IDP, {directoryName, CRLIssuer},
+			       [ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
+			       DeltaRevoked, RevokedState1);
+	    {invalid, Revoked} ->
+		Revoked
+	end,
+    crl_status(RevokedState).
+
+init_revokation_state() ->
+    #revoke_state{reasons_mask = sets:new(),
+		  interim_reasons_mask = sets:new(),
+		  cert_status = unrevoked}.
+
+fresh_crl(_, {undefined, undefined}, _) ->
+    %% Typically happens when there is no delta CRL that covers a CRL
+    no_fresh_crl;
+
+fresh_crl(DP, {_, #'CertificateList'{tbsCertList = TBSCRL}} = CRL, CallBack) ->
+    Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()),
+    UpdateTime =
+	pubkey_cert:time_str_2_gregorian_sec(TBSCRL#'TBSCertList'.nextUpdate),
+    case Now >= UpdateTime of
+	true ->
+	    case CallBack(DP, CRL) of
+		CRL ->
+		    no_fresh_crl;
+	       NewCRL ->
+		    fresh_crl(DP, NewCRL, CallBack)
+	    end;
+	false ->
+	    {fresh, CRL}
+    end.
+
+is_delta_crl(#'CertificateList'{tbsCertList = TBSCRL}) ->
+    Extensions = TBSCRL#'TBSCertList'.crlExtensions,
+    case pubkey_cert:select_extension(?'id-ce-deltaCRLIndicator',
+				      Extensions) of
+	undefined ->
+	    false;
+	_ ->
+	    true
+    end.
+
+combines(CRL, DeltaCRL) ->
+    check_crl_num(CRL, DeltaCRL) andalso
+	check_delta_issuer_and_scope(CRL, DeltaCRL).
+
+crl_status(State)->
+    %% Fun argument is to enable future implementation of CRL checking
+    %% that does not care about all possible reasons.
+    crl_status(State, fun all_reasons/0).
+
+crl_status({skip, #revoke_state{cert_status = Status} = RevokedState}, _) ->
+    {undetermined, status(Status), RevokedState};
+
+crl_status(#revoke_state{cert_status = unrevoked = Status,
+			 valid_ext = false} = RevokedState, _) ->
+    {undetermined, Status, RevokedState};
+
+crl_status(#revoke_state{cert_status = Status,
+			 valid_ext = false}, _) ->
+    {finished, status(Status)};
+
+crl_status(#revoke_state{reasons_mask = Mask,
+			 cert_status = Status,
+			 valid_ext = true} = RevokedState, Fun) ->
+    case is_all_reasons(Mask, Fun) of
+	true ->
+	    {finished, status(Status)};
+	false when (Status == unrevoked) ->
+	    {undetermined, Status, RevokedState};
+	_ ->
+	    {finished ,status(Status)}
+    end.
+
+verify_crl(OtpCert, DP, CRL, DerCRL, DeltaCRL, DerDeltaCRL, OtherDPCRLs,
+	   Options, State0) ->
+    #'CertificateList'{tbsCertList =
+			   #'TBSCertList'{crlExtensions = Extensions,
+					  revokedCertificates = TmpRevoked}
+		      } = CRL,
+    Revoked = revoked(TmpRevoked),
+    IDP = issuing_distribution_point(Extensions),
+
+    DeltaRevoked = delta_revoked(DeltaCRL),
+
+    ValidExt = verify_extensions(Extensions) and
+	verify_extensions(Revoked),
+
+    IntMask = compute_interim_reasons_mask(DP, IDP),
+
+    RevokedState =
+	State0#revoke_state{interim_reasons_mask = IntMask,
+			    valid_ext = ValidExt},
+
+    {Fun, AdditionalArgs} =  IssuerFun = proplists:get_value(issuer_fun, Options),
+
+    try verify_issuer_and_scope(OtpCert, DP, IDP, CRL) of
+	{ok, Issuer} ->
+	    case Fun(DP, CRL, Issuer, AdditionalArgs) of
+		{ok, TrustedOtpCert, Path} ->
+		    verify_mask_and_signatures(Revoked, DeltaRevoked,
+					       RevokedState,
+					       CRL, DerCRL, DeltaCRL, DerDeltaCRL,
+					       IssuerFun, TrustedOtpCert, Path, OtherDPCRLs, IDP);
+		_ ->
+		    {invalid, State0#revoke_state{valid_ext = ValidExt}}
+	    end;
+	{error, issuer_not_found} ->
+	    case Fun(DP, CRL, issuer_not_found, AdditionalArgs) of
+		{ok, TrustedOtpCert, Path} ->
+		    verify_mask_and_signatures(Revoked, DeltaRevoked,
+					       RevokedState, CRL, DerCRL, DeltaCRL,
+					       DerDeltaCRL, IssuerFun,
+					       TrustedOtpCert, Path, OtherDPCRLs, IDP);
+		_ ->
+		    {invalid, {skip, State0}}
+	    end
+    catch
+	throw:{bad_crl, invalid_issuer} ->
+	    {invalid, {skip, State0}};
+	throw:_ ->
+	    {invalid, State0#revoke_state{valid_ext = ValidExt}}
+    end.
+
+verify_mask_and_signatures(Revoked, DeltaRevoked, RevokedState, CRL, DerCRL, DeltaCRL, DerDeltaCRL,
+			   IssuerFun, TrustedOtpCert, Path, OtherDPCRLs, IDP) ->
+
+    ReasonsMask = sets:union(RevokedState#revoke_state.reasons_mask,
+			     RevokedState#revoke_state.interim_reasons_mask),
+    try
+	verify_interim_reasons_mask(RevokedState),
+	true = verify_crl_signatures(CRL, DerCRL, DeltaCRL, DerDeltaCRL,
+				     TrustedOtpCert, Path, IssuerFun, OtherDPCRLs),
+	{valid, Revoked, DeltaRevoked, RevokedState#revoke_state{reasons_mask = ReasonsMask}, IDP}
+    catch
+	throw:_ ->
+	    {invalid, RevokedState};
+	error:{badmatch, _} ->
+	    {invalid, RevokedState}
+    end.
+
+
+verify_crl_signatures(CRL, DerCRL, DeltaCRL, DerDeltaCRL, TrustedOtpCert, Path,
+		      IssuerFun, OtherDPCRLs) ->
+    try
+	VerifyFunAndState =
+	    {fun(_, {bad_cert, _} = Reason, _UserState) ->
+		    {fail, Reason};
+		(_,{extension, _}, UserState) ->
+		     {unknown, UserState};
+		(_Cert, valid, UserState) ->
+		     {valid, UserState};
+		(Cert, valid_peer, UserState) ->
+		     case verify_crl_keybit(Cert, cRLSign) of
+			 true ->
+			     handle_signer(Cert, IssuerFun, UserState);
+			 false ->
+			     {fail, crl_sign_bit_not_set}
+		     end
+	     end, #userstate{dpcrls = OtherDPCRLs}},
+
+	{ok, {{_,Key, KeyParams},_}} =
+	    public_key:pkix_path_validation(TrustedOtpCert, Path,
+					    [{verify_fun, VerifyFunAndState}]),
+	true = verify_crl_signature(CRL, DerCRL, Key, KeyParams),
+	true = verify_crl_signature(DeltaCRL, DerDeltaCRL, Key, KeyParams)
+    catch
+	error:{badmatch, _} ->
+	    false
+    end.
+
+handle_signer(OtpCert, IssuerFun, UserState) ->
+    case verify_crl_keybit(OtpCert, keyCertSign) of
+	true ->
+	    {valid, UserState};
+	false ->
+	    handle_crlsigner(OtpCert, IssuerFun, UserState)
+    end.
+
+handle_crlsigner(_, _,#userstate{dpcrls = []} = UserState) ->
+    {valid, UserState};
+handle_crlsigner(OtpCert, IssuerFun, #userstate{dpcrls = CRLInfo} = UserState) ->
+    case public_key:pkix_crls_validate(OtpCert, CRLInfo, [{issuer_fun, IssuerFun}]) of
+	valid ->
+	    {valid, UserState};
+	Reason ->
+	    {fail, Reason}
+    end.
+
+delta_revoked(undefined)->
+    [];
+delta_revoked(#'CertificateList'{tbsCertList =
+				     #'TBSCertList'{revokedCertificates
+						    = DeltaRevoked}}) ->
+    revoked(DeltaRevoked).
+
+revoked(asn1_NOVALUE) ->
+    [];
+revoked(Revoked) ->
+   Revoked.
+
+revoked_status(DP, IDP, CRLIssuer, Names, SerialNumber, Revoked, DeltaRevoked, RevokedState0) ->
+    DefaultIssuer0 = default_issuer(CRLIssuer, DeltaRevoked),
+    RevokedState1 = check_revoked(DP, IDP, DefaultIssuer0, Names, SerialNumber, DeltaRevoked, RevokedState0),
+    RevokedState = case RevokedState1#revoke_state.cert_status of
+		       unrevoked when RevokedState1#revoke_state.cert_status =/= removeFromCRL ->
+			   DefaultIssuer = default_issuer(CRLIssuer, Revoked),
+			   check_revoked(DP, IDP, DefaultIssuer, Names, SerialNumber,
+					 Revoked, RevokedState1);
+		       _ ->
+			   RevokedState1
+		   end,
+    case RevokedState#revoke_state.cert_status of
+	removeFromCRL ->
+	    RevokedState#revoke_state{cert_status = unrevoked};
+	_ ->
+	    RevokedState
+    end.
+
+default_issuer(_, []) ->
+    undefined;
+default_issuer(Default, [#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions = Extensions}| _]) ->
+    case extension_value(?'id-ce-certificateIssuer', 'GeneralNames', Extensions) of
+	undefined ->
+	    [pubkey_cert_records:transform(Default, decode)];
+	GeneralNames ->
+	    gen_names(GeneralNames)
+    end.
+
+is_all_reasons(Mask, AllReasonsFun) ->
+    AllReasons = AllReasonsFun(),
+    case sets:is_subset(AllReasons, Mask) of
+	true ->
+	    true;
+	false ->
+	    %% As the "uspecified" reason should not
+	    %% be explicitly used according to RFC 3280
+	    %% and the conformance tests have test cases
+	    %% that should succed, and that does not specify
+	    %% "unspecified", we tolorate that it is not included.
+	    sets:is_subset(sets:del_element(unspecified, AllReasons), Mask)
+    end.
+
+all_reasons() ->
+    sets:from_list([unspecified, keyCompromise,
+		    cACompromise, affiliationChanged, superseded,
+		    cessationOfOperation, certificateHold,
+		    privilegeWithdrawn, aACompromise]).
+
+verify_issuer_and_scope(#'OTPCertificate'{tbsCertificate = TBSCert} = Cert,
+			#'DistributionPoint'{cRLIssuer = DPIssuer} = DP, IDP,
+			#'CertificateList'{tbsCertList = TBSCRL} = CRL)
+  when DPIssuer =/= asn1_NOVALUE ->
+    CRLIssuer = pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode),
+    Issuer = dp_crlissuer_to_issuer(DPIssuer),
+    case pubkey_cert:is_issuer(Issuer, CRLIssuer) and is_indirect_crl(IDP) of
+	true ->
+	    verify_scope(Cert, DP, IDP),
+	    issuer_id(Cert, CRL);
+	false ->
+	    %% otherwise verify that the CRL issuer matches the certificate issuer
+	    verify_issuer_and_scope(Cert, DP#'DistributionPoint'{distributionPoint =
+								     [TBSCert#'OTPTBSCertificate'.issuer],
+								 cRLIssuer = asn1_NOVALUE},
+				    IDP, CRL)
+    end;
+verify_issuer_and_scope(#'OTPCertificate'{tbsCertificate = TBSCert}= Cert,
+			DP, IDP,
+			#'CertificateList'{tbsCertList = TBSCRL}) ->
+    CRLIssuer = pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode),
+    CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
+    case pubkey_cert:is_issuer(CertIssuer, CRLIssuer) of
+	true ->
+	    verify_scope(Cert, DP, IDP),
+	    issuer_id(Cert);
+	false ->
+	    throw({bad_crl, invalid_issuer})
+    end.
+
+dp_crlissuer_to_issuer(DPCRLIssuer) ->
+     [{directoryName, Issuer}] = pubkey_cert_records:transform(DPCRLIssuer, decode),
+     Issuer.
+
+is_indirect_crl(#'IssuingDistributionPoint'{indirectCRL = Value})->
+    Value;
+is_indirect_crl(_) ->
+    false.
+
+verify_scope(_,_, undefined) ->
+    ok;
+verify_scope(#'OTPCertificate'{tbsCertificate = TBSCert}, #'DistributionPoint'{cRLIssuer = DPIssuer} = DP, IDP) ->
+    CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
+    Names = gen_names(DPIssuer),
+    DPName =  dp_names(DP#'DistributionPoint'.distributionPoint, Names, CertIssuer),
+    IDPName = dp_names(IDP#'IssuingDistributionPoint'.distributionPoint, Names, CertIssuer),
+    verify_scope(DPName, IDPName, Names, TBSCert, IDP).
+
+verify_scope(asn1_NOVALUE, _, asn1_NOVALUE, _, _) ->
+    throw({bad_crl, scope_error});
+verify_scope(asn1_NOVALUE, IDPName, DPIssuerNames, TBSCert, IDP) ->
+    verify_dp_name(IDPName, DPIssuerNames),
+    verify_dp_bools(TBSCert, IDP);
+
+verify_scope(DPName, IDPName, _, TBSCert, IDP) ->
+    verify_dp_name(IDPName, DPName),
+    verify_dp_bools(TBSCert, IDP).
+
+dp_names(asn1_NOVALUE, _, _) ->
+    asn1_NOVALUE;
+dp_names({fullName, Name}, _, _) ->
+    {fullName, gen_names(Name)};
+dp_names({nameRelativeToCRLIssuer, Fragment}, asn1_NOVALUE, {rdnSequence, RelativeDestinguistNames}) ->
+    {nameRelativeToCRLIssuer, [{directoryName, {rdnSequence, RelativeDestinguistNames ++
+						    lists:map(fun(AttrAndValue) ->
+								      pubkey_cert_records:transform(AttrAndValue, decode)
+							      end, Fragment)}}]};
+dp_names({nameRelativeToCRLIssuer, Fragment},{rdnSequence, RelativeDestinguistNames}, _) ->
+    {nameRelativeToCRLIssuer, [{directoryName, {rdnSequence, RelativeDestinguistNames ++
+						    lists:map(fun(AttrAndValue) ->
+								      pubkey_cert_records:transform(AttrAndValue, decode)
+							      end, Fragment)}}]};
+dp_names([{rdnSequence, _}] = Name0, _,_) ->
+    [Name] = pubkey_cert_records:transform(Name0, decode),
+    {fullName, [{directoryName, Name}]}.
+
+gen_names(asn1_NOVALUE) ->
+    asn1_NOVALUE;
+gen_names([]) ->
+    [];
+gen_names([{NameType, Name} | Rest]) ->
+    [{NameType,  pubkey_cert_records:transform(Name, decode)} | gen_names(Rest)].
+
+verify_dp_name(asn1_NOVALUE, _) ->
+    ok;
+verify_dp_name({Type, IDPNames}, {Type, DPorIssuerNames}) ->
+    case match_one(IDPNames, DPorIssuerNames) of
+	true ->
+	    ok;
+	false ->
+	    throw({bad_crl, scope_error})
+    end;
+verify_dp_name(_,_) ->
+    throw({bad_crl, scope_error}).
+
+match_one([], _) ->
+    false;
+match_one([{Type, Name} | RestIDP], DPorIssuerNames) ->
+    Candidates = [NameName || {NameType, NameName} <- DPorIssuerNames, NameType == Type],
+    case Candidates of
+	[] ->
+	    false;
+	[_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
+		     true ->
+			 true;
+		 false ->
+			 match_one(RestIDP, DPorIssuerNames)
+		 end
+    end.
+
+verify_dp_bools(TBSCert, IDP) ->
+    BasicConstraints =
+	pubkey_cert:select_extension(?'id-ce-basicConstraints',
+				     TBSCert#'OTPTBSCertificate'.extensions),
+
+    case verify_onlyContainsUserCerts(BasicConstraints, IDP) andalso
+	verify_onlyContainsCACerts(BasicConstraints, IDP) andalso
+	verify_onlyContainsAttributeCerts(IDP) of
+	true ->
+	    ok;
+	_  ->
+	    throw({bad_crl, scope_error})
+    end.
+
+verify_onlyContainsUserCerts(
+  #'Extension'{extnValue = #'BasicConstraints'{cA = true}},
+  #'IssuingDistributionPoint'{onlyContainsUserCerts = true}) ->
+    false;
+verify_onlyContainsUserCerts(_,_) ->
+    true.
+
+verify_onlyContainsCACerts(
+  #'Extension'{extnValue = #'BasicConstraints'{cA = true}},
+  #'IssuingDistributionPoint'{onlyContainsCACerts = true}) ->
+    true;
+verify_onlyContainsCACerts(_,#'IssuingDistributionPoint'{onlyContainsCACerts = true}) ->
+    false;
+verify_onlyContainsCACerts(_,_) ->
+    true.
+
+verify_onlyContainsAttributeCerts(
+  #'IssuingDistributionPoint'{onlyContainsAttributeCerts = Bool}) ->
+    not Bool.
+
+check_crl_num(#'CertificateList'{tbsCertList = TBSCRL},
+	      #'CertificateList'{tbsCertList = TBSDeltaCRL})->
+    Extensions = TBSCRL#'TBSCertList'.crlExtensions,
+    DeltaExtensions = TBSDeltaCRL#'TBSCertList'.crlExtensions,
+
+    try
+	CRLNum = assert_extension_value(?'id-ce-cRLNumber', 'CRLNumber', Extensions),
+	DeltaBaseNum = assert_extension_value(?'id-ce-deltaCRLIndicator',
+					      'CRLNumber', DeltaExtensions),
+	DeltaCRLNum = assert_extension_value(?'id-ce-cRLNumber', 'CRLNumber', DeltaExtensions),
+	(CRLNum >= DeltaBaseNum) andalso (CRLNum < DeltaCRLNum)
+    catch
+	throw:no_extension_present ->
+	    false
+    end;
+check_crl_num(_,_) ->
+    false.
+
+
+extension_value(Extension, ExtType, Extensions) ->
+    case pubkey_cert:select_extension(Extension, Extensions) of
+	#'Extension'{extnValue = Value} ->
+	    public_key:der_decode(ExtType, list_to_binary(Value));
+	_ ->
+	    undefined
+    end.
+
+
+assert_extension_value(Extension, ExtType, Extensions) ->
+    case extension_value(Extension, ExtType, Extensions) of
+	undefined ->
+	    throw(no_extension_present);
+	Value ->
+	    Value
+    end.
+
+check_delta_issuer_and_scope(_, undefined) ->
+    true;
+check_delta_issuer_and_scope(#'CertificateList'{tbsCertList = TBSCRL},
+			     #'CertificateList'{tbsCertList = TBSDeltaCRL}) ->
+    case pubkey_cert:is_issuer(TBSCRL#'TBSCertList'.issuer,
+			       TBSDeltaCRL#'TBSCertList'.issuer) of
+	true ->
+	    check_delta_scope(TBSCRL, TBSDeltaCRL);
+	false ->
+	    false
+    end.
+
+check_delta_scope(#'TBSCertList'{crlExtensions = Extensions},
+		   #'TBSCertList'{crlExtensions = DeltaExtensions})->
+    IDP = issuing_distribution_point(Extensions),
+    DeltaIDP = issuing_distribution_point(DeltaExtensions),
+
+    AuthKey = authority_key_identifier(Extensions),
+    DeltaAuthKey = authority_key_identifier(DeltaExtensions),
+    is_match(IDP, DeltaIDP) andalso is_match(AuthKey, DeltaAuthKey).
+
+is_match(X, X) ->
+    true;
+is_match(_,_) ->
+    false.
+
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = asn1_NOVALUE},
+			     #'IssuingDistributionPoint'{onlySomeReasons =
+							     asn1_NOVALUE}) ->
+    all_reasons();
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = asn1_NOVALUE},
+			     undefined) ->
+    all_reasons();
+
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = asn1_NOVALUE},
+			     #'IssuingDistributionPoint'{onlySomeReasons =
+							     IDPReasons}) ->
+    sets:from_list(IDPReasons);
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = DPReasons},
+			     #'IssuingDistributionPoint'{onlySomeReasons =
+							     asn1_NOVALUE}) ->
+    sets:from_list(DPReasons);
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = DPReasons},
+			     undefined) ->
+    sets:from_list(DPReasons);
+compute_interim_reasons_mask(#'DistributionPoint'{reasons = DPReasons},
+			     #'IssuingDistributionPoint'{onlySomeReasons =
+							     IDPReasons}) ->
+    sets:intersection(sets:from_list(DPReasons), sets:from_list(IDPReasons)).
+
+verify_interim_reasons_mask(#revoke_state{reasons_mask = Mask,
+					  interim_reasons_mask = IntMask}) ->
+    case sets:fold(fun(Element, Acc) ->
+			   case sets:is_element(Element, Mask) of
+			       true ->
+				   Acc;
+			   false ->
+				   true
+			   end
+		   end, false, IntMask) of
+	true ->
+	    ok;
+	false ->
+	    throw({bad_crl, mask_error})
+    end.
+
+verify_crl_signature(undefined, undefined, _,_) ->
+    true;
+verify_crl_signature(CRL, DerCRL, Key, KeyParams) ->
+    {DigestType, PlainText, Signature} = extract_crl_verify_data(CRL, DerCRL),
+    case Key of
+	#'RSAPublicKey'{} ->
+	    public_key:verify(PlainText, DigestType, Signature, Key);
+	_ ->
+	    public_key:verify(PlainText, DigestType, Signature,
+			      {Key, KeyParams})
+    end.
+extract_crl_verify_data(CRL, DerCRL) ->
+    {0, Signature} = CRL#'CertificateList'.signature,
+    #'AlgorithmIdentifier'{algorithm = SigAlg} =
+	CRL#'CertificateList'.signatureAlgorithm,
+    PlainText = encoded_tbs_crl(DerCRL),
+    DigestType = pubkey_cert:digest_type(SigAlg),
+    {DigestType, PlainText, Signature}.
+
+encoded_tbs_crl(CRL) ->
+    {ok, PKIXCRL} =
+	'OTP-PUB-KEY':decode_TBSCertList_exclusive(CRL),
+    {'CertificateList',
+     {'CertificateList_tbsCertList', EncodedTBSCertList}, _, _} = PKIXCRL,
+    EncodedTBSCertList.
+
+check_revoked(_,_,_,_,_,[], State) ->
+    State;
+check_revoked(#'DistributionPoint'{cRLIssuer = DPIssuer} = DP, IDP, DefaultIssuer0, Names, SerialNr,
+	      [#'TBSCertList_revokedCertificates_SEQOF'{userCertificate =
+							    SerialNr,
+							crlEntryExtensions =
+							    Extensions}| Rest],
+	      State) ->
+    Reason = revoked_reason(Extensions),
+    case (DPIssuer =/= asn1_NOVALUE) and is_indirect_crl(IDP) of
+	true ->
+	    handle_indirect_crl_check(DP, IDP, DefaultIssuer0, Names, SerialNr, Extensions, Reason, Rest, State);
+	false ->
+	    State#revoke_state{cert_status = Reason}
+    end;
+
+check_revoked(DP, IDP, DefaultIssuer0, Names, SerialNr,
+	      [#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
+							    Extensions}| Rest], State) ->
+    DefaultIssuer = case extension_value(?'id-ce-certificateIssuer', 'GeneralNames', Extensions) of
+			undefined ->
+			    DefaultIssuer0;
+			GeneralNames ->
+			    gen_names(GeneralNames)
+		    end,
+    check_revoked(DP, IDP, DefaultIssuer, Names, SerialNr, Rest, State).
+
+handle_indirect_crl_check(DP, IDP, DefaultIssuer0, Names, SerialNr, Extensions, Reason, Rest, State) ->
+    case check_crl_issuer_extension(Names, Extensions, DefaultIssuer0) of
+	{true, _} ->
+	    State#revoke_state{cert_status = Reason};
+	{false, DefaultIssuer} ->
+	    check_revoked(DP, IDP, DefaultIssuer, Names, SerialNr, Rest, State)
+    end.
+
+check_crl_issuer_extension(Names, Extensions, Default0) ->
+    case extension_value(?'id-ce-certificateIssuer', 'GeneralNames', Extensions) of
+	undefined ->
+	    {match_one(Default0, Names), Default0};
+	GeneralNames ->
+	    Default = gen_names(GeneralNames),
+	    {match_one(Default, Names), Default}
+    end.
+
+revoked_reason(Extensions) ->
+    case extension_value(?'id-ce-cRLReasons', 'CRLReason', Extensions) of
+	undefined ->
+	    unspecified;
+	Value ->
+	    Value
+    end.
+
+verify_crl_keybit(#'OTPCertificate'{tbsCertificate = TBS}, Bit) ->
+    case pubkey_cert:select_extension( ?'id-ce-keyUsage',
+				       TBS#'OTPTBSCertificate'.extensions) of
+	#'Extension'{extnID = ?'id-ce-keyUsage',
+		     extnValue = KeyUse} ->
+	    lists:member(Bit, KeyUse);
+	_ ->
+	    true
+    end.
+
+issuer_id(Cert, #'CertificateList'{tbsCertList = TBSCRL}) ->
+    Extensions =
+	pubkey_cert:extensions_list(TBSCRL#'TBSCertList'.crlExtensions),
+    case authority_key_identifier(Extensions) of
+	undefined ->
+	    issuer_id(Cert);
+	#'AuthorityKeyIdentifier'{authorityCertIssuer = asn1_NOVALUE,
+				  authorityCertSerialNumber = asn1_NOVALUE} ->
+	    issuer_id(Cert);
+	#'AuthorityKeyIdentifier'{authorityCertIssuer = Issuer,
+				  authorityCertSerialNumber = Nr}  ->
+	    {ok, {Nr, Issuer}}
+    end.
+
+issuer_id(#'OTPCertificate'{} = Cert) ->
+    case public_key:pkix_is_self_signed(Cert) of
+	true ->
+	    public_key:pkix_issuer_id(Cert, self);
+	false ->
+	    public_key:pkix_issuer_id(Cert, other)
+    end.
+
+status(unrevoked) ->
+    unrevoked;
+status(Reason) ->
+    {revoked, Reason}.
+
+verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions = Ext} | Rest]) ->
+    verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
+verify_extensions([]) ->
+    true;
+verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
+    case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
+			   ?'id-ce-issuerAltName',
+			   ?'id-ce-cRLNumber',
+			   ?'id-ce-certificateIssuer',
+			   ?'id-ce-deltaCRLIndicator',
+			   ?'id-ce-issuingDistributionPoint',
+			   ?'id-ce-freshestCRL']) of
+	true ->
+	    verify_extensions(Rest);
+	false ->
+	    false
+    end;
+verify_extensions([_Ext | Rest]) ->
+    verify_extensions(Rest).
+
+issuing_distribution_point(Extensions) ->
+    Enc = extension_value(?'id-ce-issuingDistributionPoint',
+			  'IssuingDistributionPoint', Extensions),
+    pubkey_cert_records:transform(Enc, decode).
+
+authority_key_identifier(Extensions) ->
+    Enc = extension_value(?'id-ce-authorityKeyIdentifier',
+			  'AuthorityKeyIdentifier', Extensions),
+    pubkey_cert_records:transform(Enc, decode).
+
+subject_alt_names(Extensions) ->
+    Enc = extension_value(?'id-ce-subjectAltName',
+			  'GeneralNames', Extensions),
+    case Enc of
+	undefined ->
+	    [];
+	_ ->
+	    pubkey_cert_records:transform(Enc, decode)
+    end.
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 4012825f20..6bdc35fb79 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -167,6 +167,8 @@ split_lines(Bin) ->
 %% Ignore white space at end of line
 join_entry([<<"-----END ", _/binary>>| Lines], Entry) ->
     {lists:reverse(Entry), Lines};
+join_entry([<<"-----END X509 CRL-----", _/binary>>| Lines], Entry) ->
+    {lists:reverse(Entry), Lines};
 join_entry([Line | Lines], Entry) ->
     join_entry(Lines, [Line | Entry]).
 
@@ -198,7 +200,9 @@ pem_start('DHParameter') ->
 pem_start('CertificationRequest') ->
     <<"-----BEGIN CERTIFICATE REQUEST-----">>;
 pem_start('ContentInfo') ->
-    <<"-----BEGIN PKCS7-----">>.
+    <<"-----BEGIN PKCS7-----">>;
+pem_start('CertificateList') ->
+     <<"-----BEGIN X509 CRL-----">>.
 
 pem_end(<<"-----BEGIN CERTIFICATE-----">>) ->
     <<"-----END CERTIFICATE-----">>;
@@ -220,6 +224,8 @@ pem_end(<<"-----BEGIN CERTIFICATE REQUEST-----">>) ->
     <<"-----END CERTIFICATE REQUEST-----">>;
 pem_end(<<"-----BEGIN PKCS7-----">>) ->
     <<"-----END PKCS7-----">>;
+pem_end(<<"-----BEGIN X509 CRL-----">>) ->
+    <<"-----END X509 CRL-----">>;
 pem_end(_) ->
     undefined.
 
@@ -242,7 +248,9 @@ asn1_type(<<"-----BEGIN ENCRYPTED PRIVATE KEY-----">>) ->
 asn1_type(<<"-----BEGIN CERTIFICATE REQUEST-----">>) ->
     'CertificationRequest';
 asn1_type(<<"-----BEGIN PKCS7-----">>) ->
-    'ContentInfo'.
+    'ContentInfo';
+asn1_type(<<"-----BEGIN X509 CRL-----">>) ->
+    'CertificateList'.
 
 pem_decrypt() ->
     <<"Proc-Type: 4,ENCRYPTED">>.
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
index 4cc81ea573..9f0677606d 100644
--- a/lib/public_key/src/public_key.app.src
+++ b/lib/public_key/src/public_key.app.src
@@ -7,6 +7,7 @@
 		  pubkey_ssh,
 		  pubkey_cert,
 		  pubkey_cert_records,
+		  pubkey_crl,
 		  'OTP-PUB-KEY',
 		  'PKCS-FRAME'
             ]},
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index d5df53e848..fa999c5ab9 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -42,7 +42,8 @@
 	 pkix_issuer_id/2,
 	 pkix_normalize_name/1,
 	 pkix_path_validation/3,
-	 ssh_decode/2, ssh_encode/2
+	 ssh_decode/2, ssh_encode/2,
+	 pkix_crls_validate/3
 	]).
 
 -type rsa_padding()          :: 'rsa_pkcs1_padding' | 'rsa_pkcs1_oaep_padding' 
@@ -428,9 +429,9 @@ pkix_verify(DerCert,  #'RSAPublicKey'{} = RSAKey)
     verify(PlainText, DigestType, Signature, RSAKey).
 
 %%--------------------------------------------------------------------
--spec pkix_is_issuer(Cert::binary()| #'OTPCertificate'{},
-		     IssuerCert::binary()|
-				 #'OTPCertificate'{}) -> boolean().
+-spec pkix_is_issuer(Cert :: der_encoded()| #'OTPCertificate'{} | #'CertificateList'{},
+		     IssuerCert :: der_encoded()|
+				   #'OTPCertificate'{}) -> boolean().
 %%
 %% Description: Checks if <IssuerCert> issued <Cert>.
 %%--------------------------------------------------------------------
@@ -443,7 +444,11 @@ pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
 pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert}, 
 	       #'OTPCertificate'{tbsCertificate = Candidate}) ->
     pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
-			  Candidate#'OTPTBSCertificate'.subject).
+			  Candidate#'OTPTBSCertificate'.subject);
+pkix_is_issuer(#'CertificateList'{tbsCertList = TBSCRL},
+	       #'OTPCertificate'{tbsCertificate = Candidate}) ->
+    pubkey_cert:is_issuer(Candidate#'OTPTBSCertificate'.subject,
+			  pubkey_cert_records:transform(TBSCRL#'TBSCertList'.issuer, decode)).
 
 %%--------------------------------------------------------------------
 -spec pkix_is_self_signed(Cert::binary()| #'OTPCertificate'{}) -> boolean().
@@ -511,7 +516,7 @@ pkix_normalize_name(Issuer) ->
 pkix_path_validation(PathErr, [Cert | Chain], Options0) when is_atom(PathErr)->
     {VerifyFun, Userstat0} =
 	proplists:get_value(verify_fun, Options0, ?DEFAULT_VERIFYFUN),
-    Otpcert = pkix_decode_cert(Cert, otp),
+    Otpcert = otp_cert(Cert),
     Reason = {bad_cert, PathErr},
     try VerifyFun(Otpcert, Reason, Userstat0) of
 	{valid, Userstate} ->
@@ -537,6 +542,20 @@ pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
 							Options),
     path_validation(CertChain, ValidationState).
 
+
+pkix_crls_validate(OtpCert, [{_,_,_} |_] = DPAndCRLs, Options) ->
+    pkix_crls_validate(OtpCert, DPAndCRLs, DPAndCRLs,
+		       Options, pubkey_crl:init_revokation_state());
+
+pkix_crls_validate(OtpCert, DPAndCRLs0, Options) ->
+    CallBack = proplists:get_value(update_crl, Options, fun(_, CurrCRL) ->
+							       CurrCRL
+						       end),
+    DPAndCRLs = sort_dp_crls(DPAndCRLs0, CallBack),
+    pkix_crls_validate(OtpCert, DPAndCRLs, DPAndCRLs,
+		       Options, pubkey_crl:init_revokation_state()).
+
+
 %%--------------------------------------------------------------------
 -spec ssh_decode(binary(), public_key | ssh_file()) -> [{public_key(), Attributes::list()}].
 %%
@@ -611,12 +630,13 @@ path_validation([DerCert | Rest], ValidationState = #path_validation_state{
 	    {error, Reason}
     end;
 
-path_validation([DerCert | _] = Path,
+path_validation([Cert | _] = Path,
 		#path_validation_state{user_state = UserState0,
 				       verify_fun = VerifyFun} =
 		    ValidationState) ->
     Reason = {bad_cert, max_path_length_reached},
-    OtpCert = pkix_decode_cert(DerCert, otp),
+    OtpCert = otp_cert(Cert),
+
     try VerifyFun(OtpCert,  Reason, UserState0) of
 	{valid, UserState} ->
 	    path_validation(Path,
@@ -630,7 +650,7 @@ path_validation([DerCert | _] = Path,
 	    {error, Reason}
     end.
 
-validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
+validate(Cert, #path_validation_state{working_issuer_name = Issuer,
 					 working_public_key = Key,
 					 working_public_key_parameters = 
 					 KeyParams, 
@@ -641,31 +661,31 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 					 verify_fun = VerifyFun} =
 	     ValidationState0) ->
 
-    OtpCert = pkix_decode_cert(DerCert, otp),
+    OtpCert = otp_cert(Cert),
 
-    UserState1 = pubkey_cert:validate_time(OtpCert, UserState0, VerifyFun),
+    {ValidationState1, UserState1} =
+	pubkey_cert:validate_extensions(OtpCert, ValidationState0, UserState0,
+					VerifyFun),
 
-    UserState2 = pubkey_cert:validate_issuer(OtpCert, Issuer, UserState1, VerifyFun),
+    %% We want the key_usage extension to be checked before we validate
+    %% other things so that CRL validation errors will comply to standard
+    %% test suite description
 
-    UserState3 = pubkey_cert:validate_names(OtpCert, Permit, Exclude, Last,
-					    UserState2,VerifyFun),
+    UserState2 = pubkey_cert:validate_time(OtpCert, UserState1, VerifyFun),
 
-    UserState4 = pubkey_cert:validate_revoked_status(OtpCert, UserState3, VerifyFun),
-    
-    {ValidationState1, UserState5} =
-	pubkey_cert:validate_extensions(OtpCert, ValidationState0, UserState4,
-					VerifyFun),
+    UserState3 = pubkey_cert:validate_issuer(OtpCert, Issuer, UserState2, VerifyFun),
 
-    %% We want the key_usage extension to be checked before we validate
-    %% the signature. 
-    UserState6 = pubkey_cert:validate_signature(OtpCert, DerCert,
-						Key, KeyParams, UserState5, VerifyFun),
+    UserState4 = pubkey_cert:validate_names(OtpCert, Permit, Exclude, Last,
+					    UserState3, VerifyFun),
+
+    UserState5 = pubkey_cert:validate_signature(OtpCert, der_cert(Cert),
+						Key, KeyParams, UserState4, VerifyFun),
     UserState = case Last of
 		    false ->
-			pubkey_cert:verify_fun(OtpCert, valid, UserState6, VerifyFun);
+			pubkey_cert:verify_fun(OtpCert, valid, UserState5, VerifyFun);
 		    true ->
 			pubkey_cert:verify_fun(OtpCert, valid_peer,
-					       UserState6, VerifyFun)
+					       UserState5, VerifyFun)
 		end,
 
     ValidationState  = 
@@ -676,3 +696,110 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 sized_binary(Binary) ->
     Size = size(Binary),
     <<?UINT32(Size), Binary/binary>>.
+
+otp_cert(Der) when is_binary(Der) ->
+    pkix_decode_cert(Der, otp);
+otp_cert(#'OTPCertificate'{} =Cert) ->
+    Cert.
+
+der_cert(#'OTPCertificate'{} = Cert) ->
+    pkix_encode('OTPCertificate', Cert, otp);
+der_cert(Der) when is_binary(Der) ->
+    Der.
+
+pkix_crls_validate(_, [],_, _, _) ->
+    {bad_cert, revocation_status_undetermined};
+pkix_crls_validate(OtpCert, [{DP, CRL, DeltaCRL} | Rest],  All, Options, RevokedState0) ->
+    CallBack = proplists:get_value(update_crl, Options, fun(_, CurrCRL) ->
+							       CurrCRL
+						       end),
+    case pubkey_crl:fresh_crl(DP, CRL, CallBack) of
+	{fresh, CRL} ->
+	    do_pkix_crls_validate(OtpCert, [{DP, CRL, DeltaCRL} | Rest],
+				  All, Options, RevokedState0);
+	{fresh, NewCRL} ->
+	    NewAll = [{DP, NewCRL, DeltaCRL} | All -- [{DP, CRL, DeltaCRL}]],
+	    do_pkix_crls_validate(OtpCert, [{DP, NewCRL, DeltaCRL} | Rest],
+				  NewAll, Options, RevokedState0);
+	no_fresh_crl ->
+	    pkix_crls_validate(OtpCert, Rest, All, Options, RevokedState0)
+    end.
+
+do_pkix_crls_validate(OtpCert, [{DP, CRL, DeltaCRL} | Rest],  All, Options, RevokedState0) ->
+    OtherDPCRLs = All -- [{DP, CRL, DeltaCRL}],
+    case pubkey_crl:validate(OtpCert, OtherDPCRLs, DP, CRL, DeltaCRL, Options, RevokedState0) of
+	{undetermined, _, _} when Rest == []->
+	    {bad_cert, revocation_status_undetermined};
+	{undetermined, _, RevokedState} when Rest =/= []->
+	    pkix_crls_validate(OtpCert, Rest, All, Options, RevokedState);
+	{finished, unrevoked} ->
+	    valid;
+	{finished, Status} ->
+	    {bad_cert, Status}
+    end.
+
+sort_dp_crls(DpsAndCrls, FreshCB) ->
+    Sorted = do_sort_dp_crls(DpsAndCrls, dict:new()),
+    sort_crls(Sorted, FreshCB, []).
+
+do_sort_dp_crls([], Dict) ->
+    dict:to_list(Dict);
+do_sort_dp_crls([{DP, CRL} | Rest], Dict0) ->
+    Dict = try dict:fetch(DP, Dict0) of
+	       _ ->
+		   dict:append(DP, CRL, Dict0)
+	   catch _:_ ->
+		   dict:store(DP, [CRL], Dict0)
+	   end,
+    do_sort_dp_crls(Rest, Dict).
+
+sort_crls([], _, Acc) ->
+    Acc;
+
+sort_crls([{DP, AllCRLs} | Rest], FreshCB, Acc)->
+    {DeltaCRLs, CRLs} = do_sort_crls(AllCRLs),
+    DpsAndCRLs = combine(CRLs, DeltaCRLs, DP, FreshCB, []),
+    sort_crls(Rest, FreshCB, DpsAndCRLs ++ Acc).
+
+do_sort_crls(CRLs) ->
+    lists:partition(fun({_, CRL}) ->
+			    pubkey_crl:is_delta_crl(CRL)
+		    end, CRLs).
+
+combine([], _,_,_,Acc) ->
+    Acc;
+combine([{_, CRL} = Entry | CRLs], DeltaCRLs, DP, FreshCB, Acc) ->
+    DeltaCRL = combine(CRL, DeltaCRLs),
+    case pubkey_crl:fresh_crl(DP, DeltaCRL, FreshCB) of
+	no_fresh_crl ->
+	    combine(CRLs, DeltaCRLs, DP, FreshCB, [{DP, Entry, {undefined, undefined}} | Acc]);
+	{fresh, NewDeltaCRL} ->
+	    combine(CRLs, DeltaCRLs, DP, FreshCB, [{DP, Entry, NewDeltaCRL} | Acc])
+    end.
+
+combine(CRL, DeltaCRLs) ->
+    Deltas = lists:filter(fun({_,DeltaCRL}) ->
+				  pubkey_crl:combines(CRL, DeltaCRL)
+			  end, DeltaCRLs),
+    case Deltas of
+	[] ->
+	    {undefined, undefined};
+	[Delta] ->
+	    Delta;
+	[_,_|_] ->
+	    Fun =
+		fun({_, #'CertificateList'{tbsCertList = FirstTBSCRL}} = CRL1,
+		    {_, #'CertificateList'{tbsCertList = SecondTBSCRL}} = CRL2) ->
+			Time1 = pubkey_cert:time_str_2_gregorian_sec(
+				  FirstTBSCRL#'TBSCertList'.thisUpdate),
+			Time2 = pubkey_cert:time_str_2_gregorian_sec(
+				  SecondTBSCRL#'TBSCertList'.thisUpdate),
+			case Time1 > Time2 of
+			      true ->
+				CRL1;
+			    false ->
+				CRL2
+			end
+		end,
+	    lists:foldl(Fun,  hd(Deltas), tl(Deltas))
+    end.
author	Ingela Anderton Andin <[email protected]>	2010-10-07 17:04:25 +0200
committer	Ingela Anderton Andin <[email protected]>	2013-01-11 15:05:33 +0100
commit	1d054d8055435f6c9df687881f1f6425eb29c754 (patch)
tree	2f5d9c2d393446ff5631552f96d166bfa763594b /lib/public_key/src
parent	1897e315ee2d8417a6e32f5fae00e9a124a45d83 (diff)
download	otp-1d054d8055435f6c9df687881f1f6425eb29c754.tar.gz otp-1d054d8055435f6c9df687881f1f6425eb29c754.tar.bz2 otp-1d054d8055435f6c9df687881f1f6425eb29c754.zip