aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public_key/src
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2010-08-24 08:57:57 +0200
committerIngela Anderton Andin <[email protected]>2010-08-24 08:57:57 +0200
commit574a68e84c92a8a44ea2e5d18a1cd2025892d496 (patch)
tree7ab50c40c457d500cdc2432ca3cc974d8f0959b1 /lib/public_key/src
parent7ed6bbd4e8bb88958bd45f85e3ef8af39c9f894f (diff)
parent12dfe961aeaf1a826d851361a24519e54d8ef119 (diff)
downloadotp-574a68e84c92a8a44ea2e5d18a1cd2025892d496.tar.gz
otp-574a68e84c92a8a44ea2e5d18a1cd2025892d496.tar.bz2
otp-574a68e84c92a8a44ea2e5d18a1cd2025892d496.zip
Merge branch 'ia/public_key_api/OTP-8722' into dev
* ia/public_key_api/OTP-8722: Revise the public_key API Resolved, version is now 0.8. Conflicts: lib/public_key/vsn.mk
Diffstat (limited to 'lib/public_key/src')
-rw-r--r--lib/public_key/src/Makefile3
-rw-r--r--lib/public_key/src/pubkey_cert.erl201
-rw-r--r--lib/public_key/src/pubkey_cert_records.erl86
-rw-r--r--lib/public_key/src/pubkey_crypto.erl171
-rw-r--r--lib/public_key/src/pubkey_pem.erl250
-rw-r--r--lib/public_key/src/public_key.app.src1
-rw-r--r--lib/public_key/src/public_key.appup.src18
-rw-r--r--lib/public_key/src/public_key.erl649
8 files changed, 749 insertions, 630 deletions
diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
index c30399f33a..51f405361b 100644
--- a/lib/public_key/src/Makefile
+++ b/lib/public_key/src/Makefile
@@ -42,8 +42,7 @@ MODULES = \
public_key \
pubkey_pem \
pubkey_cert \
- pubkey_cert_records \
- pubkey_crypto
+ pubkey_cert_records
HRL_FILES = $(INCLUDE)/public_key.hrl
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 0651dcec29..64fc8ab5bc 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -23,14 +23,14 @@
-include("public_key.hrl").
--export([verify_signature/3,
- init_validation_state/3, prepare_for_next_cert/2,
+-export([init_validation_state/3, prepare_for_next_cert/2,
validate_time/3, validate_signature/6,
validate_issuer/4, validate_names/6,
validate_revoked_status/3, validate_extensions/4,
validate_unknown_extensions/3,
normalize_general_name/1, digest_type/1, is_self_signed/1,
- is_issuer/2, issuer_id/2, is_fixed_dh_cert/1]).
+ is_issuer/2, issuer_id/2, is_fixed_dh_cert/1,
+ verify_data/1]).
-define(NULL, 0).
@@ -38,10 +38,22 @@
%% Internal application API
%%====================================================================
-verify_signature(DerCert, Key, KeyParams) ->
- {ok, OtpCert} = pubkey_cert_records:decode_cert(DerCert, otp),
- verify_signature(OtpCert, DerCert, Key, KeyParams).
+%%--------------------------------------------------------------------
+-spec verify_data(der_encoded()) -> {md5 | sha, binary(), binary()}.
+%%
+%% Description: Extracts data from DerCert needed to call public_key:verify/4.
+%%--------------------------------------------------------------------
+verify_data(DerCert) ->
+ {ok, OtpCert} = pubkey_cert_records:decode_cert(DerCert),
+ extract_verify_data(OtpCert, DerCert).
+%%--------------------------------------------------------------------
+-spec init_validation_state(#'OTPCertificate'{}, integer(), list()) ->
+ #path_validation_state{}.
+%%
+%% Description: Creates inital version of path_validation_state for
+%% basic path validation of x509 certificates.
+%%--------------------------------------------------------------------
init_validation_state(#'OTPCertificate'{} = OtpCert, DefaultPathLen,
Options) ->
PolicyTree = #policy_tree_node{valid_policy = ?anyPolicy,
@@ -66,6 +78,12 @@ init_validation_state(#'OTPCertificate'{} = OtpCert, DefaultPathLen,
cert_num = 0},
prepare_for_next_cert(OtpCert, State).
+%%--------------------------------------------------------------------
+-spec prepare_for_next_cert(#'OTPCertificate'{}, #path_validation_state{}) ->
+ #path_validation_state{}.
+%%
+%% Description: Update path_validation_state for next iteration.
+%%--------------------------------------------------------------------
prepare_for_next_cert(OtpCert, ValidationState = #path_validation_state{
working_public_key_algorithm = PrevAlgo,
working_public_key_parameters =
@@ -92,7 +110,13 @@ prepare_for_next_cert(OtpCert, ValidationState = #path_validation_state{
working_issuer_name = Issuer,
cert_num = ValidationState#path_validation_state.cert_num + 1
}.
-
+
+ %%--------------------------------------------------------------------
+-spec validate_time(#'OTPCertificate'{}, list(), boolean()) -> list().
+%%
+%% Description: Check that the certificate validity period includes the
+%% current time.
+%%--------------------------------------------------------------------
validate_time(OtpCert, AccErr, Verify) ->
TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
{'Validity', NotBeforeStr, NotAfterStr}
@@ -107,7 +131,12 @@ validate_time(OtpCert, AccErr, Verify) ->
false ->
not_valid({bad_cert, cert_expired}, Verify, AccErr)
end.
-
+%%--------------------------------------------------------------------
+-spec validate_issuer(#'OTPCertificate'{}, term(), list(), boolean()) -> list().
+%%
+%% Description: Check that the certificate issuer name is the working_issuer_name
+%% in path_validation_state.
+%%--------------------------------------------------------------------
validate_issuer(OtpCert, Issuer, AccErr, Verify) ->
TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
case is_issuer(Issuer, TBSCert#'OTPTBSCertificate'.issuer) of
@@ -116,7 +145,15 @@ validate_issuer(OtpCert, Issuer, AccErr, Verify) ->
_ ->
not_valid({bad_cert, invalid_issuer}, Verify, AccErr)
end.
-
+%%--------------------------------------------------------------------
+-spec validate_signature(#'OTPCertificate'{}, der_encoded(),
+ term(),term(), list(), boolean()) -> list().
+
+%%
+%% Description: Check that the signature on the certificate can be verified using
+%% working_public_key_algorithm, the working_public_key, and
+%% the working_public_key_parameters in path_validation_state.
+%%--------------------------------------------------------------------
validate_signature(OtpCert, DerCert, Key, KeyParams,
AccErr, Verify) ->
@@ -126,7 +163,12 @@ validate_signature(OtpCert, DerCert, Key, KeyParams,
false ->
not_valid({bad_cert, invalid_signature}, Verify, AccErr)
end.
-
+%%--------------------------------------------------------------------
+-spec validate_names(#'OTPCertificate'{}, list(), list(),
+ term(), list(), boolean())-> list().
+%%
+%% Description: Validate Subject Alternative Name.
+%%--------------------------------------------------------------------
validate_names(OtpCert, Permit, Exclude, Last, AccErr, Verify) ->
case is_self_signed(OtpCert) andalso (not Last) of
true ->
@@ -143,8 +185,10 @@ validate_names(OtpCert, Permit, Exclude, Last, AccErr, Verify) ->
Name = [{directoryName, Subject}|EmailAddress],
AltNames = case AltSubject of
- undefined -> [];
- _ -> AltSubject#'Extension'.extnValue
+ undefined ->
+ [];
+ _ ->
+ AltSubject#'Extension'.extnValue
end,
case (is_permitted(Name, Permit) andalso
@@ -159,28 +203,36 @@ validate_names(OtpCert, Permit, Exclude, Last, AccErr, Verify) ->
end
end.
-
-%% See rfc3280 4.1.2.6 Subject: regarding emails.
-extract_email({rdnSequence, List}) ->
- extract_email2(List).
-extract_email2([[#'AttributeTypeAndValue'{type=?'id-emailAddress',
- value=Mail}]|_]) ->
- [{rfc822Name, Mail}];
-extract_email2([_|Rest]) ->
- extract_email2(Rest);
-extract_email2([]) -> [].
-
+%%--------------------------------------------------------------------
+-spec validate_revoked_status(#'OTPCertificate'{}, boolean(), list()) ->
+ list().
+%%
+%% Description: Check if certificate has been revoked.
+%%--------------------------------------------------------------------
validate_revoked_status(_OtpCert, _Verify, AccErr) ->
+ %% TODO: Implement or leave for application?!
%% true |
%% throw({bad_cert, cert_revoked})
AccErr.
-
+%%--------------------------------------------------------------------
+-spec validate_extensions(#'OTPCertificate'{}, #path_validation_state{},
+ boolean(), list())->
+ {#path_validation_state{},
+ UnknownExtensions :: list(), AccErrors :: list()}.
+%%
+%% Description: Check extensions included in basic path validation.
+%%--------------------------------------------------------------------
validate_extensions(OtpCert, ValidationState, Verify, AccErr) ->
TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
Extensions = TBSCert#'OTPTBSCertificate'.extensions,
validate_extensions(Extensions, ValidationState, no_basic_constraint,
is_self_signed(OtpCert), [], Verify, AccErr).
+%--------------------------------------------------------------------
+ -spec validate_unknown_extensions(list(), list(), boolean())-> list().
+%%
+%% Description: Check that all critical extensions has been handled.
+%%--------------------------------------------------------------------
validate_unknown_extensions([], AccErr, _Verify) ->
AccErr;
validate_unknown_extensions([#'Extension'{critical = true} | _],
@@ -190,27 +242,38 @@ validate_unknown_extensions([#'Extension'{critical = false} | Rest],
AccErr, Verify) ->
validate_unknown_extensions(Rest, AccErr, Verify).
+%%--------------------------------------------------------------------
+-spec normalize_general_name({rdnSequence, term()}) -> {rdnSequence, term()}.
+%%
+%% Description: Normalizes a general name so that it can be easily
+%% compared to another genral name.
+%%--------------------------------------------------------------------
normalize_general_name({rdnSequence, Issuer}) ->
- NormIssuer = normalize_general_name(Issuer),
- {rdnSequence, NormIssuer};
-
-normalize_general_name(Issuer) ->
- Normalize = fun([{Description, Type, {printableString, Value}}]) ->
- NewValue = string:to_lower(strip_spaces(Value)),
- [{Description, Type, {printableString, NewValue}}];
- (Atter) ->
- Atter
- end,
- lists:sort(lists:map(Normalize, Issuer)).
+ NormIssuer = do_normalize_general_name(Issuer),
+ {rdnSequence, NormIssuer}.
+%%--------------------------------------------------------------------
+-spec is_self_signed(#'OTPCertificate'{}) -> boolean().
+%%
+%% Description: Checks if the certificate is self signed.
+%%--------------------------------------------------------------------
is_self_signed(#'OTPCertificate'{tbsCertificate=
#'OTPTBSCertificate'{issuer = Issuer,
subject = Subject}}) ->
is_issuer(Issuer, Subject).
-
+%%--------------------------------------------------------------------
+-spec is_issuer({rdnSequence, term()}, {rdnSequence, term()}) -> boolean().
+%%
+%% Description: Checks if <Issuer> issued <Candidate>.
+%%--------------------------------------------------------------------
is_issuer({rdnSequence, Issuer}, {rdnSequence, Candidate}) ->
is_dir_name(Issuer, Candidate, true).
-
+%%--------------------------------------------------------------------
+-spec issuer_id(#'OTPCertificate'{}, self | other) ->
+ {ok, {integer(), term()}} | {error, issuer_not_found}.
+%%
+%% Description: Extracts the issuer id from a certificate if possible.
+%%--------------------------------------------------------------------
issuer_id(Otpcert, other) ->
TBSCert = Otpcert#'OTPCertificate'.tbsCertificate,
Extensions = extensions_list(TBSCert#'OTPTBSCertificate'.extensions),
@@ -227,7 +290,12 @@ issuer_id(Otpcert, self) ->
SerialNr = TBSCert#'OTPTBSCertificate'.serialNumber,
{ok, {SerialNr, normalize_general_name(Issuer)}}.
-
+%%--------------------------------------------------------------------
+-spec is_fixed_dh_cert(#'OTPCertificate'{}) -> boolean().
+%%
+%% Description: Checks if the certificate can be be used
+%% for DH key agreement.
+%%--------------------------------------------------------------------
is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
#'OTPTBSCertificate'{subjectPublicKeyInfo =
SubjectPublicKeyInfo,
@@ -238,6 +306,24 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
+do_normalize_general_name(Issuer) ->
+ Normalize = fun([{Description, Type, {printableString, Value}}]) ->
+ NewValue = string:to_lower(strip_spaces(Value)),
+ [{Description, Type, {printableString, NewValue}}];
+ (Atter) ->
+ Atter
+ end,
+ lists:sort(lists:map(Normalize, Issuer)).
+
+%% See rfc3280 4.1.2.6 Subject: regarding emails.
+extract_email({rdnSequence, List}) ->
+ extract_email2(List).
+extract_email2([[#'AttributeTypeAndValue'{type=?'id-emailAddress',
+ value=Mail}]|_]) ->
+ [{rfc822Name, Mail}];
+extract_email2([_|Rest]) ->
+ extract_email2(Rest);
+extract_email2([]) -> [].
extensions_list(asn1_NOVALUE) ->
[];
@@ -249,17 +335,22 @@ not_valid(Error, true, _) ->
not_valid(Error, false, AccErrors) ->
[Error | AccErrors].
-verify_signature(OtpCert, DerCert, Key, KeyParams) ->
- %% Signature is an ASN1 compact bit string
+extract_verify_data(OtpCert, DerCert) ->
{0, Signature} = OtpCert#'OTPCertificate'.signature,
SigAlgRec = OtpCert#'OTPCertificate'.signatureAlgorithm,
SigAlg = SigAlgRec#'SignatureAlgorithm'.algorithm,
- EncTBSCert = encoded_tbs_cert(DerCert),
- verify(SigAlg, EncTBSCert, Signature, Key, KeyParams).
+ PlainText = encoded_tbs_cert(DerCert),
+ DigestType = digest_type(SigAlg),
+ {DigestType, PlainText, Signature}.
-verify(Alg, PlainText, Signature, Key, KeyParams) ->
- public_key:verify_signature(PlainText, digest_type(Alg),
- Signature, Key, KeyParams).
+verify_signature(OtpCert, DerCert, Key, KeyParams) ->
+ {DigestType, PlainText, Signature} = extract_verify_data(OtpCert, DerCert),
+ case Key of
+ #'RSAPublicKey'{} ->
+ public_key:verify(PlainText, DigestType, Signature, Key);
+ _ ->
+ public_key:verify(PlainText, DigestType, Signature, {Key, KeyParams})
+ end.
encoded_tbs_cert(Cert) ->
{ok, PKIXCert} =
@@ -411,8 +502,8 @@ validate_extensions([#'Extension'{extnID = ?'id-ce-basicConstraints',
ValidationState =
#path_validation_state{max_path_length = Len}, _,
SelfSigned, UnknownExtensions, Verify, AccErr) ->
- Length = if SelfSigned -> min(N, Len);
- true -> min(N, Len-1)
+ Length = if SelfSigned -> erlang:min(N, Len);
+ true -> erlang:min(N, Len-1)
end,
validate_extensions(Rest,
ValidationState#path_validation_state{max_path_length =
@@ -603,11 +694,6 @@ is_valid_subject_alt_name({_, [_|_]}) ->
is_valid_subject_alt_name({_, _}) ->
false.
-min(N, M) when N =< M ->
- N;
-min(_, M) ->
- M.
-
is_ip_address(Address) ->
case inet_parse:address(Address) of
{ok, _} ->
@@ -670,10 +756,11 @@ split_auth_path(URIPart) ->
end.
split_uri(UriPart, SplitChar, NoMatchResult, SkipLeft, SkipRight) ->
- case regexp:first_match(UriPart, SplitChar) of
- {match, Match, _} ->
- {string:substr(UriPart, 1, Match - SkipLeft),
- string:substr(UriPart, Match + SkipRight, length(UriPart))};
+ case re:run(UriPart, SplitChar) of
+ {match,[{Start, _}]} ->
+ StrPos = Start + 1,
+ {string:substr(UriPart, 1, StrPos - SkipLeft),
+ string:substr(UriPart, StrPos + SkipRight, length(UriPart))};
nomatch ->
NoMatchResult
end.
@@ -926,7 +1013,7 @@ add_policy_constraints(ExpPolicy, MapPolicy,
policy_constraint(Current, asn1_NOVALUE, _) ->
Current;
policy_constraint(Current, New, CertNum) ->
- min(Current, New + CertNum).
+ erlang:min(Current, New + CertNum).
process_policy_tree(_,_, ?NULL) ->
?NULL;
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index ac04e1c2cb..20b322b4a4 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -23,30 +23,61 @@
-include("public_key.hrl").
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
+-export([decode_cert/1, transform/2]).
%%====================================================================
%% Internal application API
%%====================================================================
-decode_cert(DerCert, plain) ->
- 'OTP-PUB-KEY':decode('Certificate', DerCert);
-decode_cert(DerCert, otp) ->
+%%--------------------------------------------------------------------
+-spec decode_cert(der_encoded()) -> {ok, #'OTPCertificate'{}}.
+%%
+%% Description: Recursively decodes a Certificate.
+%%--------------------------------------------------------------------
+decode_cert(DerCert) ->
{ok, Cert} = 'OTP-PUB-KEY':decode('OTPCertificate', DerCert),
#'OTPCertificate'{tbsCertificate = TBS} = Cert,
{ok, Cert#'OTPCertificate'{tbsCertificate = decode_tbs(TBS)}}.
-encode_cert(Cert = #'Certificate'{}) ->
- {ok, EncCert} = 'OTP-PUB-KEY':encode('Certificate', Cert),
- list_to_binary(EncCert);
-encode_cert(C = #'OTPCertificate'{tbsCertificate = TBS}) ->
- Cert = C#'OTPCertificate'{tbsCertificate=encode_tbs(TBS)},
- {ok, EncCert} = 'OTP-PUB-KEY':encode('OTPCertificate', Cert),
- list_to_binary(EncCert).
-
-encode_tbs_cert(TBS) ->
- {ok, EncTBSCert} = 'OTP-PUB-KEY':encode('OTPTBSCertificate', encode_tbs(TBS)),
- list_to_binary(EncTBSCert).
+%%--------------------------------------------------------------------
+-spec transform(term(), encode | decode) ->term().
+%%
+%% Description: Transforms between encoded and decode otp formated
+%% certificate parts.
+%%--------------------------------------------------------------------
+
+transform(#'OTPCertificate'{tbsCertificate = TBS} = Cert, encode) ->
+ Cert#'OTPCertificate'{tbsCertificate=encode_tbs(TBS)};
+transform(#'OTPCertificate'{tbsCertificate = TBS} = Cert, decode) ->
+ Cert#'OTPCertificate'{tbsCertificate=decode_tbs(TBS)};
+transform(#'OTPTBSCertificate'{}= TBS, encode) ->
+ encode_tbs(TBS);
+transform(#'OTPTBSCertificate'{}= TBS, decode) ->
+ decode_tbs(TBS);
+transform(#'AttributeTypeAndValue'{type=Id,value=Value0} = ATAV, Func) ->
+ {ok, Value} =
+ case attribute_type(Id) of
+ Type when is_atom(Type) -> 'OTP-PUB-KEY':Func(Type, Value0);
+ _UnknownType -> {ok, Value0}
+ end,
+ ATAV#'AttributeTypeAndValue'{value=Value};
+transform(AKI = #'AuthorityKeyIdentifier'{authorityCertIssuer=ACI},Func) ->
+ AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=transform(ACI,Func)};
+transform(List = [{directoryName, _}],Func) ->
+ [{directoryName, transform(Value,Func)} || {directoryName, Value} <- List];
+transform({directoryName, Value},Func) ->
+ {directoryName, transform(Value,Func)};
+transform({rdnSequence, SeqList},Func) when is_list(SeqList) ->
+ {rdnSequence,
+ lists:map(fun(Seq) ->
+ lists:map(fun(Element) -> transform(Element,Func) end, Seq)
+ end, SeqList)};
+transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}, Func) ->
+ #'NameConstraints'{permittedSubtrees=transform_sub_tree(Permitted,Func),
+ excludedSubtrees=transform_sub_tree(Excluded,Func)};
+
+transform(Other,_) ->
+ Other.
%%--------------------------------------------------------------------
%%% Internal functions
@@ -132,31 +163,6 @@ encode_extensions(Exts) ->
end
end, Exts).
-transform(#'AttributeTypeAndValue'{type=Id,value=Value0} = ATAV, Func) ->
- {ok, Value} =
- case attribute_type(Id) of
- Type when is_atom(Type) -> 'OTP-PUB-KEY':Func(Type, Value0);
- _UnknownType -> {ok, Value0}
- end,
- ATAV#'AttributeTypeAndValue'{value=Value};
-transform(AKI = #'AuthorityKeyIdentifier'{authorityCertIssuer=ACI},Func) ->
- AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=transform(ACI,Func)};
-transform(List = [{directoryName, _}],Func) ->
- [{directoryName, transform(Value,Func)} || {directoryName, Value} <- List];
-transform({directoryName, Value},Func) ->
- {directoryName, transform(Value,Func)};
-transform({rdnSequence, SeqList},Func) when is_list(SeqList) ->
- {rdnSequence,
- lists:map(fun(Seq) ->
- lists:map(fun(Element) -> transform(Element,Func) end, Seq)
- end, SeqList)};
-transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}, Func) ->
- #'NameConstraints'{permittedSubtrees=transform_sub_tree(Permitted,Func),
- excludedSubtrees=transform_sub_tree(Excluded,Func)};
-
-transform(Other,_) ->
- Other.
-
encode_tbs(TBS=#'OTPTBSCertificate'{issuer=Issuer0,
subject=Subject0,
subjectPublicKeyInfo=Spki0,
diff --git a/lib/public_key/src/pubkey_crypto.erl b/lib/public_key/src/pubkey_crypto.erl
deleted file mode 100644
index 7b7abb1c56..0000000000
--- a/lib/public_key/src/pubkey_crypto.erl
+++ /dev/null
@@ -1,171 +0,0 @@
-%%
-%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
-%%
-%% The contents of this file are subject to the Erlang Public License,
-%% Version 1.1, (the "License"); you may not use this file except in
-%% compliance with the License. You should have received a copy of the
-%% Erlang Public License along with this software. If not, it can be
-%% retrieved online at http://www.erlang.org/.
-%%
-%% Software distributed under the License is distributed on an "AS IS"
-%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%% the License for the specific language governing rights and limitations
-%% under the License.
-%%
-%% %CopyrightEnd%
-%%
-
-%%
-%% Description: Functions that call the crypto driver.
-
--module(pubkey_crypto).
-
--include("public_key.hrl").
-
--export([encrypt_public/3, decrypt_private/3,
- encrypt_private/3, decrypt_public/3,
- sign/2, sign/3, verify/5, gen_key/2]).
-
--define(UINT32(X), X:32/unsigned-big-integer).
-
-%%====================================================================
-%% Internal application API
-%%====================================================================
-
-%%--------------------------------------------------------------------
-%% Function: encrypt(PlainText, Key, Padding) -> Encrypted
-%%
-%% PlainText = binary()
-%% Key = rsa_public_key() | rsa_private_key()
-%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
-%% Encrypted = binary()
-%%
-%% Description: Public key encrypts PlainText.
-%%--------------------------------------------------------------------
-encrypt_public(PlainText, #'RSAPublicKey'{modulus=N,publicExponent=E},
- Padding) ->
- crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],
- Padding);
-encrypt_public(PlainText, #'RSAPrivateKey'{modulus=N,publicExponent=E},
- Padding) ->
- crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],
- Padding).
-
-encrypt_private(PlainText, #'RSAPrivateKey'{modulus = N,
- publicExponent = E,
- privateExponent = D}, Padding) ->
- crypto:rsa_private_encrypt(PlainText, [crypto:mpint(E),
- crypto:mpint(N),
- crypto:mpint(D)], Padding).
-
-%%--------------------------------------------------------------------
-%% Function: decrypt(CipherText, Key) -> PlainText
-%%
-%% ChipherText = binary()
-%% Key = rsa_private_key()
-%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
-%% PlainText = binary()
-%%
-%% Description: Uses private key to decrypt public key encrypted data.
-%%--------------------------------------------------------------------
-decrypt_private(CipherText,
- #'RSAPrivateKey'{modulus = N,publicExponent = E,
- privateExponent = D},
- Padding) ->
- crypto:rsa_private_decrypt(CipherText,
- [crypto:mpint(E), crypto:mpint(N),
- crypto:mpint(D)], Padding).
-decrypt_public(CipherText, #'RSAPublicKey'{modulus = N, publicExponent = E},
- Padding) ->
- crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)],
- Padding);
-decrypt_public(CipherText, #'RSAPrivateKey'{modulus = N, publicExponent = E},
- Padding) ->
- crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)],
- Padding).
-
-%%--------------------------------------------------------------------
-%% Function: sign(PlainText, Key) ->
-%% sign(DigestType, PlainText, Key) -> Signature
-%%
-%% DigestType = sha | md5
-%% PlainText = binary()
-%% Key = rsa_private_key() | dsa_private_key()
-%% Signature = binary()
-%%
-%% Description: Signs PlainText using Key.
-%%--------------------------------------------------------------------
-sign(PlainText, Digest) ->
- sign(sha, PlainText, Digest).
-
-sign(DigestType, PlainText, #'RSAPrivateKey'{modulus = N, publicExponent = E,
- privateExponent = D}) ->
- crypto:rsa_sign(DigestType, sized_binary(PlainText), [crypto:mpint(E),
- crypto:mpint(N),
- crypto:mpint(D)]);
-
-sign(none, Hash, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X}) ->
- crypto:dss_sign(none, Hash,
- [crypto:mpint(P), crypto:mpint(Q),
- crypto:mpint(G), crypto:mpint(X)]);
-
-sign(sha, PlainText, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X}) ->
- crypto:dss_sign(sized_binary(PlainText),
- [crypto:mpint(P), crypto:mpint(Q),
- crypto:mpint(G), crypto:mpint(X)]).
-
-%%--------------------------------------------------------------------
-%% Function: verify(DigestType, PlainText, Signature, Key) -> true | false
-%%
-%% DigestType = sha | md5
-%% PlainText = binary()
-%% Signature = binary()
-%% Key = rsa_public_key() | dsa_public_key()
-%%
-%% Description: Verifies the signature <Signature>.
-%%--------------------------------------------------------------------
-verify(DigestType, PlainText, Signature,
- #'RSAPublicKey'{modulus = Mod, publicExponent = Exp}, _) ->
- crypto:rsa_verify(DigestType,
- sized_binary(PlainText),
- sized_binary(Signature),
- [crypto:mpint(Exp), crypto:mpint(Mod)]);
-
-verify(none, Hash, Signature, Key, #'Dss-Parms'{p = P, q = Q, g = G}) ->
- crypto:dss_verify(none, Hash,
- sized_binary(Signature),
- [crypto:mpint(P), crypto:mpint(Q),
- crypto:mpint(G), crypto:mpint(Key)]);
-
-verify(sha, PlainText, Signature, Key, #'Dss-Parms'{p = P, q = Q, g = G}) ->
- crypto:dss_verify(sized_binary(PlainText),
- sized_binary(Signature),
- [crypto:mpint(P), crypto:mpint(Q),
- crypto:mpint(G), crypto:mpint(Key)]).
-
-
-%%--------------------------------------------------------------------
-%% Function: gen_key(Type, Params) ->
-%% Type = diffie_hellman
-%% Params = [P,G] | [Y, P, G]
-%% Description: Generates keys.
-%% -----------------------------------------------------------------
-gen_key(diffie_hellman, [Y, P, G]) ->
- crypto:dh_generate_key(crypto:mpint(Y), [crypto:mpint(P),
- crypto:mpint(G)]);
-gen_key(diffie_hellman, [P, G]) ->
- crypto:dh_generate_key([crypto:mpint(P), crypto:mpint(G)]).
-
-%%% TODO: Support rsa, dss key_gen
-
-%%--------------------------------------------------------------------
-%%% Internal functions
-%%--------------------------------------------------------------------
-sized_binary(Binary) when is_binary(Binary) ->
- Size = size(Binary),
- <<?UINT32(Size), Binary/binary>>;
-sized_binary(List) ->
- sized_binary(list_to_binary(List)).
-
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 65879f1bbe..31d881973a 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -40,7 +40,10 @@
-module(pubkey_pem).
--export([read_file/1, read_file/2, write_file/2, decode/2]).
+-include("public_key.hrl").
+
+-export([encode/1, decode/1, decipher/2, cipher/3]).
+%% Backwards compatibility
-export([decode_key/2]).
-define(ENCODED_LINE_LENGTH, 64).
@@ -48,28 +51,82 @@
%%====================================================================
%% Internal application API
%%====================================================================
-read_file(File) ->
- read_file(File, no_passwd).
-read_file(File, Passwd) ->
- {ok, Bin} = file:read_file(File),
- decode(Bin, Passwd).
+%%--------------------------------------------------------------------
+-spec decode(binary()) -> [pem_entry()].
+%%
+%% Description: Decodes a PEM binary.
+%%--------------------------------------------------------------------
+decode(Bin) ->
+ decode_pem_entries(split_bin(Bin), []).
-write_file(File, Ds) ->
- file:write_file(File, encode_file(Ds)).
+%%--------------------------------------------------------------------
+-spec encode([pem_entry()]) -> iolist().
+%%
+%% Description: Encodes a list of PEM entries.
+%%--------------------------------------------------------------------
+encode(PemEntries) ->
+ encode_pem_entries(PemEntries).
-decode_key({_Type, Bin, not_encrypted}, _) ->
- Bin;
-decode_key({_Type, Bin, {Chipher,Salt}}, Password) ->
- decode_key(Bin, Password, Chipher, Salt).
+%%--------------------------------------------------------------------
+-spec decipher({pki_asn1_type(), decrypt_der(),{Cipher :: string(), Salt :: binary()}}, string()) ->
+ der_encoded().
+%%
+%% Description: Deciphers a decrypted pem entry.
+%%--------------------------------------------------------------------
+decipher({_, DecryptDer, {Cipher,Salt}}, Password) ->
+ decode_key(DecryptDer, Password, Cipher, Salt).
-decode(Bin, Passwd) ->
- decode_file(split_bin(Bin), Passwd).
+%%--------------------------------------------------------------------
+-spec cipher(der_encoded(),{Cipher :: string(), Salt :: binary()} , string()) -> binary().
+%%
+%% Description: Ciphers a PEM entry
+%%--------------------------------------------------------------------
+cipher(Der, {Cipher,Salt}, Password)->
+ encode_key(Der, Password, Cipher, Salt).
%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
+encode_pem_entries(Entries) ->
+ [encode_pem_entry(Entry) || Entry <- Entries].
+
+encode_pem_entry({Asn1Type, Der, not_encrypted}) ->
+ StartStr = pem_start(Asn1Type),
+ [StartStr, "\n", b64encode_and_split(Der), pem_end(StartStr) ,"\n\n"];
+encode_pem_entry({Asn1Type, Der, {Cipher, Salt}}) ->
+ StartStr = pem_start(Asn1Type),
+ [StartStr,"\n", pem_decrypt(),"\n", pem_decrypt_info(Cipher, Salt),"\n",
+ b64encode_and_split(Der), pem_end(StartStr) ,"\n\n"].
+
+decode_pem_entries([], Entries) ->
+ lists:reverse(Entries);
+decode_pem_entries([<<>>], Entries) ->
+ lists:reverse(Entries);
+decode_pem_entries([<<>> | Lines], Entries) ->
+ decode_pem_entries(Lines, Entries);
+decode_pem_entries([Start| Lines], Entries) ->
+ case pem_end(Start) of
+ undefined ->
+ decode_pem_entries(Lines, Entries);
+ _End ->
+ {Entry, RestLines} = join_entry(Lines, []),
+ decode_pem_entries(RestLines, [decode_pem_entry(Start, Entry) | Entries])
+ end.
+decode_pem_entry(Start, [<<"Proc-Type: 4,ENCRYPTED", _/binary>>, Line | Lines]) ->
+ Asn1Type = asn1_type(Start),
+ Cs = erlang:iolist_to_binary(Lines),
+ Decoded = base64:mime_decode(Cs),
+ [_, DekInfo0] = string:tokens(binary_to_list(Line), ": "),
+ [Cipher, Salt] = string:tokens(DekInfo0, ","),
+ {Asn1Type, Decoded, {Cipher, unhex(Salt)}};
+decode_pem_entry(Start, Lines) ->
+ Asn1Type = asn1_type(Start),
+ Cs = erlang:iolist_to_binary(Lines),
+ Der = base64:mime_decode(Cs),
+ {Asn1Type, Der, not_encrypted}.
+
split_bin(Bin) ->
split_bin(0, Bin).
@@ -85,88 +142,26 @@ split_bin(N, Bin) ->
split_bin(N+1, Bin)
end.
-decode_file(Bin, Passwd) ->
- decode_file(Bin, [], [Passwd]).
-
-decode_file([<<"-----BEGIN CERTIFICATE REQUEST-----", _/binary>>|Rest], Ens, Info) ->
- decode_file2(Rest, [], Ens, cert_req, Info);
-decode_file([<<"-----BEGIN CERTIFICATE-----", _/binary>>|Rest], Ens, Info) ->
- decode_file2(Rest, [], Ens, cert, Info);
-decode_file([<<"-----BEGIN RSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
- decode_file2(Rest, [], Ens, rsa_private_key, Info);
-decode_file([<<"-----BEGIN DSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
- decode_file2(Rest, [], Ens, dsa_private_key, Info);
-decode_file([<<"-----BEGIN DH PARAMETERS-----", _/binary>>|Rest], Ens, Info) ->
- decode_file2(Rest, [], Ens, dh_params, Info);
-decode_file([_|Rest], Ens, Info) ->
- decode_file(Rest, Ens, Info);
-decode_file([], Ens, _Info) ->
- {ok, lists:reverse(Ens)}.
-
-decode_file2([<<"Proc-Type: 4,ENCRYPTED", _/binary>>| Rest0], RLs, Ens, Tag, Info0) ->
- [InfoLine|Rest] = Rest0,
- Info = dek_info(InfoLine, Info0),
- decode_file2(Rest, RLs, Ens, Tag, Info);
-decode_file2([<<"-----END", _/binary>>| Rest], RLs, Ens, Tag, Info0) ->
- Cs = erlang:iolist_to_binary(lists:reverse(RLs)),
- Bin = base64:mime_decode(Cs),
- case Info0 of
- [Password, Cipher, SaltHex | Info1] ->
- Salt = unhex(SaltHex),
- Enc = {Cipher, Salt},
- Decoded = decode_key(Bin, Password, Cipher, Salt),
- decode_file(Rest, [{Tag, Decoded, Enc}| Ens], Info1);
- _ ->
- decode_file(Rest, [{Tag, Bin, not_encrypted}| Ens], Info0)
- end;
-decode_file2([L|Rest], RLs, Ens, Tag, Info0) ->
- decode_file2(Rest, [L|RLs], Ens, Tag, Info0);
-decode_file2([], _, Ens, _, _) ->
- {ok, lists:reverse(Ens)}.
-
-%% Support same as decode_file
-encode_file(Ds) ->
- lists:map(
- fun({cert, Bin, not_encrypted}) ->
- %% PKIX (X.509)
- ["-----BEGIN CERTIFICATE-----\n",
- b64encode_and_split(Bin),
- "-----END CERTIFICATE-----\n\n"];
- ({cert_req, Bin, not_encrypted}) ->
- %% PKCS#10
- ["-----BEGIN CERTIFICATE REQUEST-----\n",
- b64encode_and_split(Bin),
- "-----END CERTIFICATE REQUEST-----\n\n"];
- ({rsa_private_key, Bin, not_encrypted}) ->
- %% PKCS#?
- ["XXX Following key assumed not encrypted\n",
- "-----BEGIN RSA PRIVATE KEY-----\n",
- b64encode_and_split(Bin),
- "-----END RSA PRIVATE KEY-----\n\n"];
- ({dsa_private_key, Bin, not_encrypted}) ->
- %% PKCS#?
- ["XXX Following key assumed not encrypted\n",
- "-----BEGIN DSA PRIVATE KEY-----\n",
- b64encode_and_split(Bin),
- "-----END DSA PRIVATE KEY-----\n\n"]
- end, Ds).
-
-dek_info(Line0, Info) ->
- Line = binary_to_list(Line0),
- [_, DekInfo0] = string:tokens(Line, ": "),
- DekInfo1 = string:tokens(DekInfo0, ",\n"),
- Info ++ DekInfo1.
+b64encode_and_split(Bin) ->
+ split_lines(base64:encode(Bin)).
-unhex(S) ->
- unhex(S, []).
+split_lines(<<Text:?ENCODED_LINE_LENGTH/binary, Rest/binary>>) ->
+ [Text, $\n | split_lines(Rest)];
+split_lines(Bin) ->
+ [Bin, $\n].
-unhex("", Acc) ->
- list_to_binary(lists:reverse(Acc));
-unhex([D1, D2 | Rest], Acc) ->
- unhex(Rest, [erlang:list_to_integer([D1, D2], 16) | Acc]).
+%% Ignore white space at end of line
+join_entry([<<"-----END CERTIFICATE-----", _/binary>>| Lines], Entry) ->
+ {lists:reverse(Entry), Lines};
+join_entry([<<"-----END RSA PRIVATE KEY-----", _/binary>>| Lines], Entry) ->
+ {lists:reverse(Entry), Lines};
+join_entry([<<"-----END DSA PRIVATE KEY-----", _/binary>>| Lines], Entry) ->
+ {lists:reverse(Entry), Lines};
+join_entry([<<"-----END DH PARAMETERS-----", _/binary>>| Lines], Entry) ->
+ {lists:reverse(Entry), Lines};
+join_entry([Line | Lines], Entry) ->
+ join_entry(Lines, [Line | Entry]).
-decode_key(Data, no_passwd, _Alg, _Salt) ->
- Data;
decode_key(Data, Password, "DES-CBC", Salt) ->
Key = password_to_key(Password, Salt, 8),
IV = Salt,
@@ -177,6 +172,16 @@ decode_key(Data, Password, "DES-EDE3-CBC", Salt) ->
<<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
crypto:des_ede3_cbc_decrypt(Key1, Key2, Key3, IV, Data).
+encode_key(Data, Password, "DES-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 8),
+ IV = Salt,
+ crypto:des_cbc_encrypt(Key, IV, Data);
+encode_key(Data, Password, "DES-EDE3-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 24),
+ IV = Salt,
+ <<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
+ crypto:des_ede3_cbc_encrypt(Key1, Key2, Key3, IV, Data).
+
password_to_key(Data, Salt, KeyLen) ->
<<Key:KeyLen/binary, _/binary>> =
password_to_key(<<>>, Data, Salt, KeyLen, <<>>),
@@ -188,11 +193,58 @@ password_to_key(Prev, Data, Salt, Len, Acc) ->
M = crypto:md5([Prev, Data, Salt]),
password_to_key(M, Data, Salt, Len - size(M), <<Acc/binary, M/binary>>).
-b64encode_and_split(Bin) ->
- split_lines(base64:encode(Bin)).
+unhex(S) ->
+ unhex(S, []).
-split_lines(<<Text:?ENCODED_LINE_LENGTH/binary, Rest/binary>>) ->
- [Text, $\n | split_lines(Rest)];
-split_lines(Bin) ->
- [Bin, $\n].
+unhex("", Acc) ->
+ list_to_binary(lists:reverse(Acc));
+unhex([D1, D2 | Rest], Acc) ->
+ unhex(Rest, [erlang:list_to_integer([D1, D2], 16) | Acc]).
+
+hexify(L) -> [[hex_byte(B)] || B <- binary_to_list(L)].
+
+hex_byte(B) when B < 16#10 -> ["0", erlang:integer_to_list(B, 16)];
+hex_byte(B) -> erlang:integer_to_list(B, 16).
+
+pem_start('Certificate') ->
+ <<"-----BEGIN CERTIFICATE-----">>;
+pem_start('RSAPrivateKey') ->
+ <<"-----BEGIN RSA PRIVATE KEY-----">>;
+pem_start('DSAPrivateKey') ->
+ <<"-----BEGIN DSA PRIVATE KEY-----">>;
+pem_start('DHParameter') ->
+ <<"-----BEGIN DH PARAMETERS-----">>.
+
+pem_end(<<"-----BEGIN CERTIFICATE-----">>) ->
+ <<"-----END CERTIFICATE-----">>;
+pem_end(<<"-----BEGIN RSA PRIVATE KEY-----">>) ->
+ <<"-----END RSA PRIVATE KEY-----">>;
+pem_end(<<"-----BEGIN DSA PRIVATE KEY-----">>) ->
+ <<"-----END DSA PRIVATE KEY-----">>;
+pem_end(<<"-----BEGIN DH PARAMETERS-----">>) ->
+ <<"-----END DH PARAMETERS-----">>;
+pem_end(_) ->
+ undefined.
+
+asn1_type(<<"-----BEGIN CERTIFICATE-----">>) ->
+ 'Certificate';
+asn1_type(<<"-----BEGIN RSA PRIVATE KEY-----">>) ->
+ 'RSAPrivateKey';
+asn1_type(<<"-----BEGIN DSA PRIVATE KEY-----">>) ->
+ 'DSAPrivateKey';
+asn1_type(<<"-----BEGIN DH PARAMETERS-----">>) ->
+ 'DHParameter'.
+
+pem_decrypt() ->
+ <<"Proc-Type: 4,ENCRYPTED">>.
+
+pem_decrypt_info(Cipher, Salt) ->
+ io_lib:format("DEK-Info: ~s,~s", [Cipher, lists:flatten(hexify(Salt))]).
+%%--------------------------------------------------------------------
+%%% Deprecated
+%%--------------------------------------------------------------------
+decode_key({_Type, Bin, not_encrypted}, _) ->
+ Bin;
+decode_key({_Type, Bin, {Chipher,Salt}}, Password) ->
+ decode_key(Bin, Password, Chipher, Salt).
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
index d5e1705827..60487946fa 100644
--- a/lib/public_key/src/public_key.app.src
+++ b/lib/public_key/src/public_key.app.src
@@ -4,7 +4,6 @@
{modules, [
public_key,
pubkey_pem,
- pubkey_crypto,
pubkey_cert,
pubkey_cert_records,
'OTP-PUB-KEY'
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
index 2eb5750923..c9d15b8747 100644
--- a/lib/public_key/src/public_key.appup.src
+++ b/lib/public_key/src/public_key.appup.src
@@ -1,6 +1,15 @@
%% -*- erlang -*-
{"%VSN%",
[
+ {"0.7",
+ [
+ {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
+ {update, public_key, soft, soft_purge, soft_purge, []},
+ {update, pubkey_pem, soft, soft_purge, soft_purge, []},
+ {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+ {update, pubkey_cert, soft, soft_purge, soft_purge, []}
+ ]
+ },
{"0.6",
[
{update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
@@ -22,6 +31,15 @@
}
],
[
+ {"0.7",
+ [
+ {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
+ {update, public_key, soft, soft_purge, soft_purge, []},
+ {update, pubkey_pem, soft, soft_purge, soft_purge, []},
+ {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+ {update, pubkey_cert, soft, soft_purge, soft_purge, []}
+ ]
+ },
{"0.6",
[
{update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 12354eee5d..95c3d714d3 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -23,239 +23,396 @@
-include("public_key.hrl").
--export([decode_private_key/1, decode_private_key/2, decode_dhparams/1,
- decrypt_private/2, decrypt_private/3, encrypt_public/2,
- encrypt_public/3, decrypt_public/2, decrypt_public/3,
- encrypt_private/2, encrypt_private/3, gen_key/1, sign/2, sign/3,
- verify_signature/3, verify_signature/4, verify_signature/5,
- pem_to_der/1, pem_to_der/2, der_to_pem/2,
- pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2,
- pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
+-export([pem_decode/1, pem_encode/1,
+ der_decode/2, der_encode/2,
+ pem_entry_decode/1,
+ pem_entry_decode/2,
+ pem_entry_encode/2,
+ pem_entry_encode/3,
+ pkix_decode_cert/2, pkix_encode/3,
+ encrypt_private/2, encrypt_private/3,
+ decrypt_private/2, decrypt_private/3,
+ encrypt_public/2, encrypt_public/3,
+ decrypt_public/2, decrypt_public/3,
+ sign/3, verify/4,
+ pkix_sign/2, pkix_verify/2,
+ pkix_is_self_signed/1,
+ pkix_is_fixed_dh_cert/1,
+ pkix_is_issuer/2,
pkix_issuer_id/2,
- pkix_is_issuer/2, pkix_normalize_general_name/1,
+ pkix_normalize_name/1,
pkix_path_validation/3
]).
+%% Deprecated
+-export([decode_private_key/1, decode_private_key/2, pem_to_der/1]).
+
+-deprecated({pem_to_der, 1, next_major_release}).
+-deprecated({decode_private_key, 1, next_major_release}).
+-deprecated({decode_private_key, 2, next_major_release}).
+
+-type rsa_public_key() :: #'RSAPublicKey'{}.
+-type rsa_private_key() :: #'RSAPrivateKey'{}.
+-type dsa_private_key() :: #'DSAPrivateKey'{}.
+-type dsa_public_key() :: {integer(), #'Dss-Parms'{}}.
+-type rsa_padding() :: 'rsa_pkcs1_padding' | 'rsa_pkcs1_oaep_padding'
+ | 'rsa_no_padding'.
+-type public_crypt_options() :: [{rsa_pad, rsa_padding()}].
+-type rsa_digest_type() :: 'md5' | 'sha'.
+-type dss_digest_type() :: 'none' | 'sha'.
+
+-define(UINT32(X), X:32/unsigned-big-integer).
+
%%====================================================================
%% API
%%====================================================================
%%--------------------------------------------------------------------
-%% Function: decode_private_key(KeyInfo [,Password]) ->
-%% {ok, PrivateKey} | {error, Reason}
-%%
-%% KeyInfo = {Type, der_bin(), ChipherInfo} - as returned from
-%% pem_to_der/[1,2] for private keys
-%% Type = rsa_private_key | dsa_private_key
-%% ChipherInfo = opaque() | no_encryption
+-spec pem_decode(binary()) -> [pem_entry()].
+%%
+%% Description: Decode PEM binary data and return
+%% entries as asn1 der encoded entities.
+%%--------------------------------------------------------------------
+pem_decode(PemBin) when is_binary(PemBin) ->
+ pubkey_pem:decode(PemBin).
+
+%%--------------------------------------------------------------------
+-spec pem_encode([pem_entry()]) -> binary().
%%
-%% Description: Decodes an asn1 der encoded private key.
+%% Description: Creates a PEM binary.
%%--------------------------------------------------------------------
-decode_private_key(KeyInfo) ->
- decode_private_key(KeyInfo, no_passwd).
+pem_encode(PemEntries) when is_list(PemEntries) ->
+ iolist_to_binary(pubkey_pem:encode(PemEntries)).
-decode_private_key(KeyInfo = {rsa_private_key, _, _}, Password) ->
- DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
- 'OTP-PUB-KEY':decode('RSAPrivateKey', DerEncoded);
-decode_private_key(KeyInfo = {dsa_private_key, _, _}, Password) ->
- DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
- 'OTP-PUB-KEY':decode('DSAPrivateKey', DerEncoded).
+%%--------------------------------------------------------------------
+-spec pem_entry_decode(pem_entry(), [string()]) -> term().
+%
+%% Description: Decodes a pem entry. pem_decode/1 returns a list of
+%% pem entries.
+%%--------------------------------------------------------------------
+pem_entry_decode({Asn1Type, Der, not_encrypted}) when is_atom(Asn1Type),
+ is_binary(Der) ->
+ der_decode(Asn1Type, Der).
+pem_entry_decode({Asn1Type, Der, not_encrypted}, _) when is_atom(Asn1Type),
+ is_binary(Der) ->
+ der_decode(Asn1Type, Der);
+pem_entry_decode({Asn1Type, CryptDer, {Cipher, Salt}} = PemEntry,
+ Password) when is_atom(Asn1Type),
+ is_binary(CryptDer),
+ is_list(Cipher),
+ is_binary(Salt),
+ erlang:byte_size(Salt) == 8
+ ->
+ Der = pubkey_pem:decipher(PemEntry, Password),
+ der_decode(Asn1Type, Der).
+%%--------------------------------------------------------------------
+-spec pem_entry_encode(pki_asn1_type(), term()) -> pem_entry().
+-spec pem_entry_encode(pki_asn1_type(), term(),
+ {{Cipher :: string(), Salt :: binary()}, string()}) -> pem_entry().
+%
+%% Description: Creates a pem entry that can be feed to pem_encode/1.
+%%--------------------------------------------------------------------
+pem_entry_encode(Asn1Type, Entity) when is_atom(Asn1Type) ->
+ Der = der_encode(Asn1Type, Entity),
+ {Asn1Type, Der, not_encrypted}.
+pem_entry_encode(Asn1Type, Entity,
+ {{Cipher, Salt}= CipherInfo, Password}) when is_atom(Asn1Type),
+ is_list(Cipher),
+ is_binary(Salt),
+ erlang:byte_size(Salt) == 8,
+ is_list(Password)->
+ Der = der_encode(Asn1Type, Entity),
+ DecryptDer = pubkey_pem:cipher(Der, CipherInfo, Password),
+ {Asn1Type, DecryptDer, CipherInfo}.
%%--------------------------------------------------------------------
-%% Function: decode_dhparams(DhParamInfo) ->
-%% {ok, DhParams} | {error, Reason}
-%%
-%% DhParamsInfo = {Type, der_bin(), ChipherInfo} - as returned from
-%% pem_to_der/[1,2] for DH parameters.
-%% Type = dh_params
-%% ChipherInfo = opaque() | no_encryption
+-spec der_decode(asn1_type(), der_encoded()) -> term().
%%
-%% Description: Decodes an asn1 der encoded DH parameters.
+%% Description: Decodes a public key asn1 der encoded entity.
%%--------------------------------------------------------------------
-decode_dhparams({dh_params, DerEncoded, not_encrypted}) ->
- 'OTP-PUB-KEY':decode('DHParameter', DerEncoded).
+der_decode(Asn1Type, Der) when is_atom(Asn1Type), is_binary(Der) ->
+ try
+ {ok, Decoded} = 'OTP-PUB-KEY':decode(Asn1Type, Der),
+ Decoded
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end.
%%--------------------------------------------------------------------
-%% Function: decrypt_private(CipherText, Key) ->
-%% decrypt_private(CipherText, Key, Options) -> PlainTex
-%% decrypt_public(CipherText, Key) ->
-%% decrypt_public(CipherText, Key, Options) -> PlainTex
+-spec der_encode(asn1_type(), term()) -> der_encoded().
%%
-%% CipherText = binary()
-%% Key = rsa_key()
-%% PlainText = binary()
+%% Description: Encodes a public key entity with asn1 DER encoding.
+%%--------------------------------------------------------------------
+der_encode(Asn1Type, Entity) when is_atom(Asn1Type) ->
+ try
+ {ok, Encoded} = 'OTP-PUB-KEY':encode(Asn1Type, Entity),
+ iolist_to_binary(Encoded)
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end.
+
+%%--------------------------------------------------------------------
+-spec pkix_decode_cert(der_encoded(), plain | otp) ->
+ #'Certificate'{} | #'OTPCertificate'{}.
%%
-%% Description: Decrypts <CipherText>.
+%% Description: Decodes an asn1 der encoded pkix certificate. The otp
+%% option will use the customized asn1 specification OTP-PKIX.asn1 for
+%% decoding and also recursively decode most of the standard
+%% extensions.
+%% --------------------------------------------------------------------
+pkix_decode_cert(DerCert, plain) when is_binary(DerCert) ->
+ der_decode('Certificate', DerCert);
+pkix_decode_cert(DerCert, otp) when is_binary(DerCert) ->
+ try
+ {ok, #'OTPCertificate'{}= Cert} =
+ pubkey_cert_records:decode_cert(DerCert),
+ Cert
+ catch
+ error:{badmatch, {error, _}} = Error ->
+ erlang:error(Error)
+ end.
+
+%%--------------------------------------------------------------------
+-spec pkix_encode(asn1_type(), term(), otp | plain) -> der_encoded().
+%%
+%% Description: Der encodes a certificate or part of a certificate.
+%% This function must be used for encoding certificates or parts of certificates
+%% that are decoded with the otp format, whereas for the plain format this
+%% function will only call der_encode/2.
+%%--------------------------------------------------------------------
+pkix_encode(Asn1Type, Term, plain) when is_atom(Asn1Type) ->
+ der_encode(Asn1Type, Term);
+
+pkix_encode(Asn1Type, Term0, otp) when is_atom(Asn1Type) ->
+ Term = pubkey_cert_records:transform(Term0, encode),
+ der_encode(Asn1Type, Term).
+
+%%--------------------------------------------------------------------
+-spec decrypt_private(CipherText :: binary(), rsa_private_key()) ->
+ PlainText :: binary().
+-spec decrypt_private(CipherText :: binary(), rsa_private_key(),
+ public_crypt_options()) -> PlainText :: binary().
+%%
+%% Description: Public key decryption using the private key.
%%--------------------------------------------------------------------
decrypt_private(CipherText, Key) ->
decrypt_private(CipherText, Key, []).
-decrypt_private(CipherText, Key, Options) ->
- Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
- pubkey_crypto:decrypt_private(CipherText, Key, Padding).
-decrypt_public(CipherText, Key) ->
- decrypt_public(CipherText, Key, []).
-decrypt_public(CipherText, Key, Options) ->
+decrypt_private(CipherText,
+ #'RSAPrivateKey'{modulus = N,publicExponent = E,
+ privateExponent = D},
+ Options) when is_binary(CipherText),
+ is_list(Options) ->
Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
- pubkey_crypto:decrypt_public(CipherText, Key, Padding).
+ crypto:rsa_private_decrypt(CipherText,
+ [crypto:mpint(E), crypto:mpint(N),
+ crypto:mpint(D)], Padding).
%%--------------------------------------------------------------------
-%% Function: encrypt_public(PlainText, Key, Options) -> CipherText
-%% encrypt_private(PlainText, Key, Options) -> CipherText
-%%
-%% PlainText = iolist()
-%% Key = rsa_private_key()
-%% CipherText = binary()
+-spec decrypt_public(CipherText :: binary(), rsa_public_key()) ->
+ PlainText :: binary().
+-spec decrypt_public(CipherText :: binary(), rsa_public_key(),
+ public_crypt_options()) -> PlainText :: binary().
%%
-%% Description: Encrypts <Plain>
+%% Description: Public key decryption using the public key.
%%--------------------------------------------------------------------
-encrypt_public(PlainText, Key) ->
- encrypt_public(PlainText, Key, []).
-encrypt_public(PlainText, Key, Options) ->
- Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
- pubkey_crypto:encrypt_public(PlainText, Key, Padding).
+decrypt_public(CipherText, Key) ->
+ decrypt_public(CipherText, Key, []).
-encrypt_private(PlainText, Key) ->
- encrypt_private(PlainText, Key, []).
-encrypt_private(PlainText, Key, Options) ->
- Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
- pubkey_crypto:encrypt_private(PlainText, Key, Padding).
+decrypt_public(CipherText, #'RSAPublicKey'{modulus = N, publicExponent = E},
+ Options) when is_binary(CipherText), is_list(Options) ->
+ decrypt_public(CipherText, N,E, Options);
-%%--------------------------------------------------------------------
-%% Function: gen_key(Params) -> Keys
-%%
-%% Params = #'DomainParameters'{} - Currently only supported option
-%% Keys = {PublicDHKey = integer(), PrivateDHKey = integer()}
-%%
-%% Description: Generates keys. Currently supports Diffie-Hellman keys.
-%%--------------------------------------------------------------------
-gen_key(#'DHParameter'{prime = P, base = G}) when is_integer(P),
- is_integer(G) ->
- pubkey_crypto:gen_key(diffie_hellman, [P, G]).
+decrypt_public(CipherText,#'RSAPrivateKey'{modulus = N, publicExponent = E},
+ Options) when is_binary(CipherText), is_list(Options) ->
+ decrypt_public(CipherText, N,E, Options).
%%--------------------------------------------------------------------
-%% Function: pem_to_der(CertSource) ->
-%% pem_to_der(CertSource, Password) -> {ok, [Entry]} |
-%% {error, Reason}
-%%
-%% CertSource = File | CertData
-%% CertData = binary()
-%% File = path()
-%% Entry = {entry_type(), der_bin(), ChipherInfo}
-%% ChipherInfo = opague() | no_encryption
-%% der_bin() = binary()
-%% entry_type() = cert | cert_req | rsa_private_key | dsa_private_key
-%% dh_params
+-spec encrypt_public(PlainText :: binary(), rsa_public_key()) ->
+ CipherText :: binary().
+-spec encrypt_public(PlainText :: binary(), rsa_public_key(),
+ public_crypt_options()) -> CipherText :: binary().
%%
-%% Description: decode PEM binary data or a PEM file and return
-%% entries as asn1 der encoded entities. Currently supported entry
-%% types are certificates, certificate requests, rsa private keys and
-%% dsa private keys. In the case of a key entry ChipherInfo will be
-%% private keys and Diffie Hellam parameters .In the case of a key
-%% entry ChipherInfo will be used by decode_private_key/2 if the key
-%% is protected by a password.
+%% Description: Public key encryption using the public key.
%%--------------------------------------------------------------------
-pem_to_der(CertSource) ->
- pem_to_der(CertSource, no_passwd).
+encrypt_public(PlainText, Key) ->
+ encrypt_public(PlainText, Key, []).
-pem_to_der(File, Password) when is_list(File) ->
- pubkey_pem:read_file(File, Password);
-pem_to_der(PemBin, Password) when is_binary(PemBin) ->
- pubkey_pem:decode(PemBin, Password).
+encrypt_public(PlainText, #'RSAPublicKey'{modulus=N,publicExponent=E},
+ Options) when is_binary(PlainText), is_list(Options) ->
+ encrypt_public(PlainText, N,E, Options);
-der_to_pem(File, TypeDerList) ->
- pubkey_pem:write_file(File, TypeDerList).
+encrypt_public(PlainText, #'RSAPrivateKey'{modulus=N,publicExponent=E},
+ Options) when is_binary(PlainText), is_list(Options) ->
+ encrypt_public(PlainText, N,E, Options).
%%--------------------------------------------------------------------
-%% Function: pkix_decode_cert(BerCert, Type) -> {ok, Cert} | {error, Reason}
-%%
-%% BerCert = binary()
-%% Type = plain | otp
-%% Cert = certificate()
+-spec encrypt_private(PlainText :: binary(), rsa_private_key()) ->
+ CipherText :: binary().
+-spec encrypt_private(PlainText :: binary(), rsa_private_key(),
+ public_crypt_options()) -> CipherText :: binary().
%%
-%% Description: Decodes an asn1 ber encoded pkix certificate.
-%% otp - Uses OTP-PKIX.asn1 to decode known extensions and
-%% enhance the signature field in #'Certificate'{} and '#TBSCertificate'{}.
+%% Description: Public key encryption using the private key.
%%--------------------------------------------------------------------
-pkix_decode_cert(BinCert, Type) ->
- pubkey_cert_records:decode_cert(BinCert, Type).
+encrypt_private(PlainText, Key) ->
+ encrypt_private(PlainText, Key, []).
+
+encrypt_private(PlainText, #'RSAPrivateKey'{modulus = N,
+ publicExponent = E,
+ privateExponent = D},
+ Options) when is_binary(PlainText), is_list(Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ crypto:rsa_private_encrypt(PlainText, [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)], Padding).
%%--------------------------------------------------------------------
-%% Function: pkix_encode_cert(Cert) -> {ok, binary()} | {error, Reason}
-%%
-%% Cert = #'Certificate'{}
+-spec sign(PlainTextOrDigest :: binary(), rsa_digest_type() | dss_digest_type(),
+ rsa_private_key() |
+ dsa_private_key()) -> Signature :: binary().
%%
-%% Description: Encodes a certificate record using asn1.
+%% Description: Create digital signature.
%%--------------------------------------------------------------------
-pkix_encode_cert(Cert) ->
- pubkey_cert_records:encode_cert(Cert).
+sign(PlainText, DigestType, #'RSAPrivateKey'{modulus = N, publicExponent = E,
+ privateExponent = D})
+ when is_binary(PlainText),
+ DigestType == md5;
+ DigestType == sha ->
+
+ crypto:rsa_sign(DigestType, sized_binary(PlainText), [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)]);
+
+sign(Digest, none, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X})
+ when is_binary(Digest)->
+ crypto:dss_sign(none, Digest,
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(X)]);
+
+sign(PlainText, sha, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X})
+ when is_binary(PlainText) ->
+ crypto:dss_sign(sized_binary(PlainText),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(X)]).
+
+%%--------------------------------------------------------------------
+-spec verify(PlainTextOrDigest :: binary(), rsa_digest_type() | dss_digest_type(),
+ Signature :: binary(), rsa_public_key()
+ | dsa_public_key()) -> boolean().
+%%
+%% Description: Verifies a digital signature.
+%%--------------------------------------------------------------------
+verify(PlainText, DigestType, Signature,
+ #'RSAPublicKey'{modulus = Mod, publicExponent = Exp})
+ when is_binary (PlainText), DigestType == sha; DigestType == md5 ->
+ crypto:rsa_verify(DigestType,
+ sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(Exp), crypto:mpint(Mod)]);
+
+verify(Digest, none, Signature, {Key, #'Dss-Parms'{p = P, q = Q, g = G}})
+ when is_integer(Key), is_binary(Digest), is_binary(Signature) ->
+ crypto:dss_verify(none,
+ Digest,
+ sized_binary(Signature),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(Key)]);
+verify(PlainText, sha, Signature, {Key, #'Dss-Parms'{p = P, q = Q, g = G}})
+ when is_integer(Key), is_binary(PlainText), is_binary(Signature) ->
+ crypto:dss_verify(sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(Key)]).
%%--------------------------------------------------------------------
-%% Function: pkix_transform(CertPart, Op) -> TransformedCertPart
+-spec pkix_sign(#'OTPTBSCertificate'{},
+ rsa_private_key() | dsa_private_key()) -> der_encoded().
%%
-%% CertPart = pkix part data
-%% Op = encode | decode
-%%
-%% Description: Transform parts of a pkix certificate between 'plain' format
-%% and the internal 'otp' format, see pkix_decode_cert/2.
-%% Decode transforms from 'plain' to 'otp' and encode from 'otp' to 'plain'
-%% format.
+%% Description: Sign a pkix x.509 certificate. Returns the corresponding
+%% der encoded 'Certificate'{}
%%--------------------------------------------------------------------
-pkix_transform(CertPart, Op) ->
- pubkey_cert_records:transform(CertPart, Op).
+pkix_sign(#'OTPTBSCertificate'{signature =
+ #'SignatureAlgorithm'{algorithm = Alg}
+ = SigAlg} = TBSCert, Key) ->
+
+ Msg = pkix_encode('OTPTBSCertificate', TBSCert, otp),
+ DigestType = pubkey_cert:digest_type(Alg),
+ Signature = sign(Msg, DigestType, Key),
+ Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
+ signatureAlgorithm = SigAlg,
+ signature = {0, Signature}
+ },
+ pkix_encode('OTPCertificate', Cert, otp).
%%--------------------------------------------------------------------
-%% Function: pkix_path_validation(TrustedCert, CertChain, Options) ->
-%% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
-%% {error, Reason}
+-spec pkix_verify(der_encoded(), rsa_public_key()|
+ dsa_public_key()) -> boolean().
%%
-%% Description: Performs a bacis path validation according to RFC 3280.
+%% Description: Verify pkix x.509 certificate signature.
%%--------------------------------------------------------------------
-pkix_path_validation(TrustedCert, CertChain, Options)
- when is_binary(TrustedCert) ->
- {ok, OtpCert} = pkix_decode_cert(TrustedCert, otp),
- pkix_path_validation(OtpCert, CertChain, Options);
+pkix_verify(DerCert, {Key, #'Dss-Parms'{}} = DSAKey)
+ when is_binary(DerCert), is_integer(Key) ->
+ {DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
+ verify(PlainText, DigestType, Signature, DSAKey);
+
+pkix_verify(DerCert, #'RSAPublicKey'{} = RSAKey)
+ when is_binary(DerCert) ->
+ {DigestType, PlainText, Signature} = pubkey_cert:verify_data(DerCert),
+ verify(PlainText, DigestType, Signature, RSAKey).
-pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
- when is_list(CertChain), is_list(Options) ->
- MaxPathDefault = length(CertChain),
- ValidationState = pubkey_cert:init_validation_state(TrustedCert,
- MaxPathDefault,
- Options),
- Fun = proplists:get_value(validate_extensions_fun, Options,
- fun(Extensions, State, _, AccError) ->
- {Extensions, State, AccError}
- end),
- Verify = proplists:get_value(verify, Options, true),
- path_validation(CertChain, ValidationState, Fun, Verify).
%%--------------------------------------------------------------------
-%% Function: pkix_is_fixed_dh_cert(Cert) -> true | false
+-spec pkix_is_issuer(Cert :: der_encoded()| #'OTPCertificate'{},
+ IssuerCert :: der_encoded()|
+ #'OTPCertificate'{}) -> boolean().
%%
-%% Description: Checks if a Certificate is a fixed Diffie-Hellman Cert
+%% Description: Checks if <IssuerCert> issued <Cert>.
%%--------------------------------------------------------------------
-pkix_is_fixed_dh_cert(#'OTPCertificate'{} = OTPCert) ->
- pubkey_cert:is_fixed_dh_cert(OTPCert);
-pkix_is_fixed_dh_cert(Cert) when is_binary(Cert) ->
- {ok, OtpCert} = pkix_decode_cert(Cert, otp),
- pkix_is_fixed_dh_cert(OtpCert).
+pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
+ OtpCert = pkix_decode_cert(Cert, otp),
+ pkix_is_issuer(OtpCert, IssuerCert);
+
+pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
+ OtpIssuerCert = pkix_decode_cert(IssuerCert, otp),
+ pkix_is_issuer(Cert, OtpIssuerCert);
+
+pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
+ #'OTPCertificate'{tbsCertificate = Candidate}) ->
+ pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
+ Candidate#'OTPTBSCertificate'.subject).
%%--------------------------------------------------------------------
-%% Function: pkix_is_self_signed(Cert) -> true | false
+-spec pkix_is_self_signed(der_encoded()| #'OTPCertificate'{}) -> boolean().
%%
%% Description: Checks if a Certificate is self signed.
%%--------------------------------------------------------------------
pkix_is_self_signed(#'OTPCertificate'{} = OTPCert) ->
pubkey_cert:is_self_signed(OTPCert);
pkix_is_self_signed(Cert) when is_binary(Cert) ->
- {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ OtpCert = pkix_decode_cert(Cert, otp),
pkix_is_self_signed(OtpCert).
-
+
%%--------------------------------------------------------------------
-%% Function: pkix_issuer_id(Cert) -> {ok, {SerialNr, Issuer}} | {error, Reason}
-%%
-%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
+-spec pkix_is_fixed_dh_cert(der_encoded()| #'OTPCertificate'{}) -> boolean().
%%
+%% Description: Checks if a Certificate is a fixed Diffie-Hellman Cert.
+%%--------------------------------------------------------------------
+pkix_is_fixed_dh_cert(#'OTPCertificate'{} = OTPCert) ->
+ pubkey_cert:is_fixed_dh_cert(OTPCert);
+pkix_is_fixed_dh_cert(Cert) when is_binary(Cert) ->
+ OtpCert = pkix_decode_cert(Cert, otp),
+ pkix_is_fixed_dh_cert(OtpCert).
+
+%%--------------------------------------------------------------------
+-spec pkix_issuer_id(der_encoded()| #'OTPCertificate'{},
+ IssuedBy :: self | other) ->
+ {ok, {SerialNr :: integer(),
+ Issuer :: {rdnSequence,
+ [#'AttributeTypeAndValue'{}]}}}
+ | {error, Reason :: term()}.
+%
%% Description: Returns the issuer id.
%%--------------------------------------------------------------------
pkix_issuer_id(#'OTPCertificate'{} = OtpCert, self) ->
@@ -265,115 +422,64 @@ pkix_issuer_id(#'OTPCertificate'{} = OtpCert, other) ->
pubkey_cert:issuer_id(OtpCert, other);
pkix_issuer_id(Cert, Signed) when is_binary(Cert) ->
- {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ OtpCert = pkix_decode_cert(Cert, otp),
pkix_issuer_id(OtpCert, Signed).
%%--------------------------------------------------------------------
-%% Function: pkix_is_issuer(Cert, IssuerCert) -> true | false
-%%
-%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
-%% IssuerCert = asn1_der_encoded() | 'OTPCertificate'{}
+-spec pkix_normalize_name({rdnSequence,
+ [#'AttributeTypeAndValue'{}]}) ->
+ {rdnSequence,
+ [#'AttributeTypeAndValue'{}]}.
%%
-%% Description: Checks if <IssuerCert> issued <Cert>.
+%% Description: Normalizes a issuer name so that it can be easily
+%% compared to another issuer name.
%%--------------------------------------------------------------------
-pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
- {ok, OtpCert} = pkix_decode_cert(Cert, otp),
- pkix_is_issuer(OtpCert, IssuerCert);
-
-pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
- {ok, OtpIssuerCert} = pkix_decode_cert(IssuerCert, otp),
- pkix_is_issuer(Cert, OtpIssuerCert);
+pkix_normalize_name(Issuer) ->
+ pubkey_cert:normalize_general_name(Issuer).
-pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
- #'OTPCertificate'{tbsCertificate = Candidate}) ->
- pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
- Candidate#'OTPTBSCertificate'.subject).
-
-%%--------------------------------------------------------------------
-%% Function: pkix_normalize_general_name(Issuer) ->
-%%
-%% Issuer = general_name() - see PKIX
-%%
-%% Description: Normalizes a general name so that it can be easily
-%% compared to another genral name.
+%%--------------------------------------------------------------------
+-spec pkix_path_validation(der_encoded()| #'OTPCertificate'{},
+ CertChain :: [der_encoded()] ,
+ Options :: list()) ->
+ {ok, {PublicKeyInfo :: term(),
+ PolicyTree :: term(),
+ [{bad_cert, Reason :: term()}]}} |
+ {error, {bad_cert, Reason :: term()}}.
+%% Description: Performs a basic path validation according to RFC 5280.
%%--------------------------------------------------------------------
-pkix_normalize_general_name(Issuer) ->
- pubkey_cert:normalize_general_name(Issuer).
+pkix_path_validation(TrustedCert, CertChain, Options)
+ when is_binary(TrustedCert) ->
+ OtpCert = pkix_decode_cert(TrustedCert, otp),
+ pkix_path_validation(OtpCert, CertChain, Options);
+
+pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
+ when is_list(CertChain), is_list(Options) ->
+ MaxPathDefault = length(CertChain),
+ ValidationState = pubkey_cert:init_validation_state(TrustedCert,
+ MaxPathDefault,
+ Options),
+ Fun = proplists:get_value(validate_extensions_fun, Options,
+ fun(Extensions, State, _, AccError) ->
+ {Extensions, State, AccError}
+ end),
+ Verify = proplists:get_value(verify, Options, true),
+ path_validation(CertChain, ValidationState, Fun, Verify).
%%--------------------------------------------------------------------
-%% Function:sign(Msg, Key) -> {ok, Signature}
-%% sign(Msg, Key, KeyParams) -> {ok, Signature}
-%%
-%% Msg = binary() | #'TBSCertificate'{}
-%% Key = private_key()
-%% KeyParams = key_params()
-%% Signature = binary()
-%%
-%% Description: Signs plaintext Msg or #TBSCertificate{}, in the later
-%% case a der encoded "#Certificate{}" will be returned.
+%%% Internal functions
%%--------------------------------------------------------------------
-sign(Msg, #'RSAPrivateKey'{} = Key) when is_binary(Msg) ->
- pubkey_crypto:sign(Msg, Key);
-
-sign(Msg, #'DSAPrivateKey'{} = Key) when is_binary(Msg) ->
- pubkey_crypto:sign(Msg, Key);
-sign(#'OTPTBSCertificate'{signature = #'SignatureAlgorithm'{algorithm = Alg}
- = SigAlg} = TBSCert, Key) ->
- Msg = pubkey_cert_records:encode_tbs_cert(TBSCert),
- DigestType = pubkey_cert:digest_type(Alg),
- Signature = pubkey_crypto:sign(DigestType, Msg, Key),
- Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
- signatureAlgorithm = SigAlg,
- signature = {0, Signature}
- },
- pkix_encode_cert(Cert).
+encrypt_public(PlainText, N, E, Options)->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],
+ Padding).
-sign(DigestType, Msg, Key) ->
- pubkey_crypto:sign(DigestType, Msg, Key).
+decrypt_public(CipherText, N,E, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)],
+ Padding).
-%%--------------------------------------------------------------------
-%% Function: verify_signature(PlainText, DigestType, Signature, Key) ->
-%% verify_signature(PlainText, DigestType,
-%% Signature, Key, KeyParams) ->
-%% verify_signature(DerCert, Key, KeyParams) ->
-%%
-%% PlainText = binary()
-%% DigestType = md5 | sha
-%% DerCert = asn1_der_encoded()
-%% Signature = binary()
-%% Key = public_key()
-%% KeyParams = key_params()
-%% Verified = boolean()
-%%
-%% Description: Verifies the signature <Signature>.
-%%--------------------------------------------------------------------
-verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key)
- when is_binary(PlainText), is_binary(Signature), DigestType == sha;
- DigestType == md5 ->
- pubkey_crypto:verify(DigestType, PlainText, Signature, Key, undefined).
-
-verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key,
- KeyParams)
- when is_binary(PlainText), is_binary(Signature), DigestType == sha;
- DigestType == md5 ->
- pubkey_crypto:verify(DigestType, PlainText, Signature, Key, KeyParams);
-verify_signature(PlainText, sha, Signature, Key, #'Dss-Parms'{} = KeyParams)
- when is_binary(PlainText), is_binary(Signature), is_integer(Key) ->
- pubkey_crypto:verify(sha, PlainText, Signature, Key, KeyParams);
-verify_signature(Hash, none, Signature, Key, KeyParams) ->
- pubkey_crypto:verify(none, Hash, Signature, Key, KeyParams).
-
-verify_signature(DerCert, Key, #'Dss-Parms'{} = KeyParams)
- when is_binary(DerCert), is_integer(Key) ->
- pubkey_cert:verify_signature(DerCert, Key, KeyParams);
-verify_signature(DerCert, #'RSAPublicKey'{} = Key, KeyParams)
- when is_binary(DerCert) ->
- pubkey_cert:verify_signature(DerCert, Key, KeyParams).
-%%--------------------------------------------------------------------
-%%% Internal functions
-%%--------------------------------------------------------------------
path_validation([], #path_validation_state{working_public_key_algorithm
= Algorithm,
working_public_key =
@@ -423,7 +529,7 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
user_state = UserState0,
acc_errors = AccErr0} =
ValidationState0, ValidateExtensionFun, Verify) ->
- {ok, OtpCert} = pkix_decode_cert(DerCert, otp),
+ OtpCert = pkix_decode_cert(DerCert, otp),
%% All validate functions will throw {bad_cert, Reason} if they
%% fail and Verify = true if Verify = false errors
%% will be accumulated in the validationstate
@@ -456,3 +562,26 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
ValidationState1#path_validation_state{user_state = UserState,
acc_errors = AccErr},
pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState).
+
+sized_binary(Binary) when is_binary(Binary) ->
+ Size = size(Binary),
+ <<?UINT32(Size), Binary/binary>>;
+sized_binary(List) ->
+ sized_binary(list_to_binary(List)).
+
+%%--------------------------------------------------------------------
+%%% Deprecated functions
+%%--------------------------------------------------------------------
+pem_to_der(CertSource) ->
+ {ok, Bin} = file:read_file(CertSource),
+ pubkey_pem:decode(Bin).
+
+decode_private_key(KeyInfo) ->
+ decode_private_key(KeyInfo, no_passwd).
+
+decode_private_key(KeyInfo = {'RSAPrivateKey', _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('RSAPrivateKey', DerEncoded);
+decode_private_key(KeyInfo = {'DSAPrivateKey', _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('DSAPrivateKey', DerEncoded).