author | Andrew Thompson <[email protected]> | 2014-02-08 00:58:11 -0500 |
---|---|---|
committer | Hans Nilsson <[email protected]> | 2014-03-26 10:13:55 +0100 |
commit | 9756dcd97cd819c9b2d64c35dd36550f99600e92 (patch) | |
tree | 1f7a8f1eabe71993442963c4530e8c96579ccb06 /lib/public_key | |
parent | 8991663e33313233fed9cb7b0149baec1aa32b3f (diff) | |
Rework IDP validation according to the RFC, fix public_key tests
Diffstat (limited to 'lib/public_key')
-rw-r--r-- | lib/public_key/src/pubkey_cert.erl | 4 | ||||
-rw-r--r-- | lib/public_key/src/pubkey_crl.erl | 14 |
2 files changed, 11 insertions, 7 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 07469e342f..6272fae91b 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -343,8 +343,8 @@ match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
 case split_uri(URI) of
 incomplete ->
 false;
- {_, _, _Host, _, _} ->
- match_name(fun is_valid_host_or_domain/2, URI,
+ {_, _, Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, Host,
 PermittedName, Rest)
 end;
 
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
 ok;
 
 verify_dp_name(IDPNames, DPorIssuerNames) ->
- case match_one(DPorIssuerNames, IDPNames) of
- true ->
- ok;
- false ->
- throw({bad_crl, scope_error})
+ %% RFC 5280 section 5.2.5
+ %% Check that at least one IssuingDistributionPointName in the CRL lines up
+ %% with a DistributionPointName in the certificate.
+ Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+ case Matches of
+ [] ->
+ throw({bad_crl, scope_error});
+ _ ->
+ ok
 end.
 
 match_one([], _) -> |
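Review bot: The uniformResourceIdentifier clause of match_name now hands only `Host` to is_valid_host_or_domain/2, but nothing in the clause records why, and the outcome depends on what split_uri/1 places in that tuple position. A comment above the `{_, _, Host, _, _}` pattern such as `%% RFC 5280 section 4.2.1.10: URI name constraints apply to the host part only` would document the rule. split_uri/1 and is_valid_host_or_domain/2 are outside the hunk, so it is worth confirming there that Host arrives without userinfo or port and that the comparison ignores case. A test with a URI whose host lies outside the permitted subtree would pin the corrected behaviour; the clause itself starts before the hunk.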
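Review bot: In verify_dp_name the comprehension `[X || X <- IDPNames, Y <- DPorIssuerNames, X == Y]` builds the whole cross product only to test it for emptiness, and it compares with `==` rather than exact term equality; `lists:any(fun(X) -> lists:member(X, DPorIssuerNames) end, IDPNames)` stops at the first hit and matches exactly. The comparison remains a raw term match, so two encodings of the same name would not line up; that fails closed with `{bad_crl, scope_error}`, but whether the names are normalised beforehand is decided outside this hunk. The added comment speaks of a DistributionPointName in the certificate while the argument is named DPorIssuerNames, so it should also mention the issuer-name case. match_one/2 is still defined right after the hunk; if this was its only caller it is now dead code and presumably should be removed.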