author | Andrew Thompson <[email protected]> | 2013-10-10 02:23:02 -0400 |
---|---|---|
committer | Hans Nilsson <[email protected]> | 2014-03-26 10:13:55 +0100 |
commit | 8991663e33313233fed9cb7b0149baec1aa32b3f (patch) | |
tree | adc2a51668c9dbd9634bd99e2b7a62a48f3441ee /lib/public_key | |
parent | dbb4cdad43a980e65546fdb572bf0f5cf007fd5a (diff) | |
download | otp-8991663e33313233fed9cb7b0149baec1aa32b3f.tar.gz otp-8991663e33313233fed9cb7b0149baec1aa32b3f.tar.bz2 otp-8991663e33313233fed9cb7b0149baec1aa32b3f.zip |
Various improvements to CRL handling
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
Diffstat (limited to 'lib/public_key')
-rw-r--r-- | lib/public_key/src/pubkey_cert.erl | 6 | ||||
-rw-r--r-- | lib/public_key/src/pubkey_crl.erl | 13 |
2 files changed, 15 insertions, 4 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index d9288e99bb..07469e342f 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -319,6 +319,8 @@ verify_fun(Otpcert, Result, UserState0, VerifyFun) ->
 %%
 %% Description: Extracts a specific extension from a list of extensions.
 %%--------------------------------------------------------------------
+select_extension(_, asn1_NOVALUE) ->
+ undefined;
 select_extension(_, []) ->
 undefined;
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
@@ -341,8 +343,8 @@ match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
 case split_uri(URI) of
 incomplete ->
 false;
- {_, _, Host, _, _} ->
- match_name(fun is_valid_host_or_domain/2, Host,
+ {_, _, _Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, URI,
 PermittedName, Rest)
 end;
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index eaba5bfa1b..503d0205a6 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
 CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
 TBSCRL = CRL#'CertificateList'.tbsCertList,
 CRLIssuer = TBSCRL#'TBSCertList'.issuer,
- AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
+ AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
+ TBSCert#'OTPTBSCertificate'.extensions) of
+ undefined ->
+ [];
+ Ext ->
+ Ext#'Extension'.extnValue
+ end,
 revoked_status(DP, IDP, {directoryName, CRLIssuer},
 [ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
 DeltaRevoked, RevokedState1);
@@ -401,7 +407,8 @@ match_one([{Type, Name} | Names], CandidateNames) ->
 case Candidates of
 [] ->
 false;
- [_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
+ [_|_] ->
+ case pubkey_cert:match_name(Type, Name, Candidates) of
 true ->
 true;
 false ->
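Review bot: The header comment kept as context in this hunk still says select_extension/2 extracts an extension "from a list of extensions", but the new first clause also accepts the bare atom asn1_NOVALUE (presumably the decoder's encoding of an absent OPTIONAL extensions field, which is what v1 certificates and CRLs produce), and a reader of the header has no way to know that is a supported input. Suggest extending it: `%% Description: Extracts a specific extension from a list of extensions. Extensions may also be asn1_NOVALUE (field absent, e.g. v1 certificates/CRLs), in which case undefined is returned.` The remaining clauses of select_extension/2 continue past the end of the hunk.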
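Review bot: The rewritten `{_, _, _Host, _, _}` branch now hands the whole URI to is_valid_host_or_domain/2 instead of the host that split_uri/1 extracted, so the parse result is used only to reject incomplete URIs, and the commit message does not mention this change at all. RFC 5280 §4.2.1.10 says a uniformResourceIdentifier name constraint applies to the host part of the URI; if is_valid_host_or_domain/2 (not in this hunk) does a domain-suffix comparison, a permitted subtree such as `.example.com` could then be satisfied by a path or query component of an unrelated URI, and an exact-host constraint would never match a full URI string. If the intent was to cope with PermittedName itself being a URI, the comparison should still be done host-to-host, i.e. keep `match_name(fun is_valid_host_or_domain/2, Host, PermittedName, Rest)` and run PermittedName through split_uri/1 as well rather than widening what is compared. The other clauses of match_name/3 lie outside the hunk.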
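Review bot: The seven-line `case` spliced into validate/… replaces a call to subject_alt_names/1 with logic that still belongs in a helper; naming it keeps the validate clause readable and lets the SAN branch match on the record instead of a bare `Ext` variable. The inlined code also only works if extnValue already holds a decoded GeneralName list that can be consed after `{directoryName, CertIssuer}` — the commit message says the old helper double-decoded, so the OTP-decoded form is presumably what arrives here, and an `#'Extension'{extnValue = Names}` pattern would at least document that expectation. If subject_alt_names/1 is no longer referenced anywhere it should be deleted in the same commit to avoid an unused-function warning (its definition is not visible here). The head of validate and its remaining clauses lie outside the hunk.
```erlang
    AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
    %% … unchanged: revoked_status/8 call …

%% Decoded GeneralName list from the subjectAltName extension, [] when the
%% extension (or the whole extensions field) is absent.
subject_alt_names(Extensions) ->
    case pubkey_cert:select_extension(?'id-ce-subjectAltName', Extensions) of
        undefined ->
            [];
        #'Extension'{extnValue = Names} ->
            Names
    end.
```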
@@ -664,6 +671,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
 verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
 verify_extensions([]) ->
 true;
+verify_extensions(asn1_NOVALUE) ->
+ true;
 verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
 case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
 ?'id-ce-issuerAltName',
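Review bot: The new `verify_extensions(asn1_NOVALUE) -> true;` clause carries no comment, and in a function whose next clause exists to reject unrecognised critical extensions an unconditional `true` deserves a why-comment so nobody later mistakes it for a permissive fallback. Suggest `%% v1 CRLs carry no extensions field at all (decoded as asn1_NOVALUE), so there are no critical extensions to reject.` The per-entry clause above it goes through pubkey_cert:extensions_list/1 before recursing, which presumably maps the same absent case to []; worth confirming, since otherwise crlEntryExtensions of a v1 entry would hit the same missing clause. verify_extensions/1 continues past the end of the hunk.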