Add public_key:pkix_match_dist_point

2 files changed, 50 insertions, 0 deletions

diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 6923066da7..becb5338e0 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -728,6 +728,23 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
  </func>
    
   <func>
+    <name>pkix_match_dist_point(CRL, DistPoint) -> boolean()</name>
+    <fsummary>Checks whether the given distribution point matches the
+    Issuing Distribution Point of the CRL.</fsummary>
+
+    <type>
+      <v>CRL = der_encoded() | #'CertificateList'{} </v>
+      <v>DistPoint = #'DistributionPoint'{}</v>
+    </type>
+    <desc>
+      <p>Checks whether the given distribution point matches the
+      Issuing Distribution Point of the CRL, as described in RFC 5280.
+      If the CRL doesn't have an Issuing Distribution Point extension,
+      the distribution point always matches.</p>
+    </desc>
+  </func>
+
+  <func>
     <name>pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()</name>
     <fsummary>Signs certificate.</fsummary>
     <type>
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index a5944bd604..27bf2093a1 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -53,6 +53,7 @@
 	 pkix_crls_validate/3,
 	 pkix_dist_point/1,
 	 pkix_dist_points/1,
+	 pkix_match_dist_point/2,
 	 pkix_crl_verify/2,
 	 pkix_crl_issuer/1
 	]).
@@ -524,6 +525,38 @@ pkix_dist_points(OtpCert) ->
 		[], Value).
 
 %%--------------------------------------------------------------------
+-spec pkix_match_dist_point(der_encoded() | #'CertificateList'{},
+			    #'DistributionPoint'{}) -> boolean().
+%% Description: Check whether the given distribution point matches
+%% the "issuing distribution point" of the CRL.
+%%--------------------------------------------------------------------
+pkix_match_dist_point(CRL, DistPoint) when is_binary(CRL) ->
+    pkix_match_dist_point(der_decode('CertificateList', CRL), DistPoint);
+pkix_match_dist_point(#'CertificateList'{},
+		      #'DistributionPoint'{distributionPoint = asn1_NOVALUE}) ->
+    %% No distribution point name specified - that's considered a match.
+    true;
+pkix_match_dist_point(#'CertificateList'{
+			 tbsCertList =
+			     #'TBSCertList'{
+				crlExtensions = Extensions}},
+		      #'DistributionPoint'{
+			 distributionPoint = {fullName, DPs}}) ->
+    case pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions) of
+	undefined ->
+	    %% If the CRL doesn't have an IDP extension, it
+	    %% automatically qualifies.
+	    true;
+	#'Extension'{extnValue = IDPValue} ->
+	    %% If the CRL does have an IDP extension, it must match
+	    %% the given DistributionPoint to be considered a match.
+	    IDPEncoded = der_decode('IssuingDistributionPoint', IDPValue),
+	    #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} =
+		pubkey_cert_records:transform(IDPEncoded, decode),
+	    pubkey_crl:match_one(IDPs, DPs)
+    end.
+
+%%--------------------------------------------------------------------
 -spec pkix_sign(#'OTPTBSCertificate'{},
 		rsa_private_key() | dsa_private_key()) -> Der::binary().
 %%