Merge branch 'raimo/ssl-dist-optfile-backport/OTP-14657' into maint

* raimo/ssl-dist-optfile-backport/OTP-14657:
  Use SNI when connecting
  Use -ssl_dist_optfile options
  Read in -ssl_dist_optfile to ETS
  Facilitate test certs with common root
  Stop checking DNS name for SNI

3 files changed, 223 insertions, 68 deletions

diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 5230cef496..dea35bc390 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -774,6 +774,7 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
 
   <func>
     <name>pkix_test_data(Options) -> Config </name>
+    <name>pkix_test_data([chain_opts()]) -> [conf_opt()]</name>
     <fsummary>Creates certificate test data.</fsummary>
     <type>
       <v>Options = #{chain_type() := chain_opts()} </v>
@@ -781,30 +782,83 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
       
       <v>chain_type() = server_chain | client_chain </v>
 
-      <v>chain_opts() = #{chain_end() := [cert_opt()],
-          intermediates => [[cert_opt()]]}</v>
-      <d>A valid chain must have at least a ROOT and a peer cert</d>
-
-      <v>chain_end() = root | peer </v>
-
+      <v>chain_opts() = #{root := [cert_opt()] | root_cert(),
+      peer := [cert_opt()],
+      intermediates => [[cert_opt()]]}</v>
+      <d>
+	A valid chain must have at least a ROOT and a peer cert.
+	The root cert can be given either as a cert pre-generated by
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>, or as root cert generation options.
+      </d>
+      <v>root_cert() = #{cert := der_encoded(), key := Key}</v>
+      <d>
+	A root certificate generated by
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>.
+      </d>
       <v>cert_opt() = {Key, Value}</v>
       <d>For available options see <seealso marker="#cert_opt"> cert_opt()</seealso> below.</d>
 
       <v>Config = #{server_config := [conf_opt()],
       client_config := [conf_opt()]}</v>
 
-      <v>conf_opt() = {cert, der_encoded()} | {key, der_encoded()} |{cacerts, [der_encoded()]}</v>
-      <d>This is a subset of the type <seealso marker="ssl:ssl#type-ssloption"> ssl:ssl_option()</seealso> </d>
+      <v>conf_opt() = {cert, der_encoded()} | {key, PrivateKey} |{cacerts, [der_encoded()]}</v>
+      <d>
+	This is a subset of the type
+	<seealso marker="ssl:ssl#type-ssloption"> ssl:ssl_option()</seealso>.
+	<c>PrivateKey</c> is what
+	<seealso marker="#generate_key-1">generate_key/1</seealso>
+	returns.
+      </d>
     </type>
     
     <desc>
-      <p>Creates certificate test data to facilitate automated testing
-      of applications using X509-certificates often through
-      SSL/TLS. The test data can be used when you have control
-      over both the client and the server in a test scenario.
+      <p>
+	Creates certificate configuration(s) consisting of certificate
+	and its private key plus CA certificate bundle, for a client
+	and a server, intended to facilitate automated testing
+	of applications using X509-certificates,
+	often through SSL/TLS. The test data can be used
+	when you have control over both the client and the server
+	in a test scenario.
+      </p>
+      <p>
+	When this function is called with a map containing
+	client and server chain specifications;
+	it generates both a client and a server certificate chain
+	where the <c>cacerts</c>
+	returned for the server contains the root cert the server
+	should trust and the intermediate certificates the server
+	should present to connecting clients.
+	The root cert the server should trust is the one used
+	as root of the client certificate chain.
+	Vice versa applies to the <c>cacerts</c> returned for the client.
+	The root cert(s) can either be pre-generated with
+	<seealso marker="#pkix_test_root_cert-2">
+	  pkix_test_root_cert/2
+	</seealso>, or if options are specified; it is (they are)
+	 generated.
+      </p>
+      <p>
+	When this function is called with a list of certificate options;
+	it generates a configuration with just one node certificate
+	where <c>cacerts</c> contains the root cert
+	and the intermediate certs that should be presented to a peer.
+	In this case the same root cert must be used for all peers.
+	This is useful in for example an Erlang distributed cluster
+	where any node,	towards another node, acts either
+	as a server or as a client depending on who connects to whom.
+	The generated certificate contains a subject altname,
+	which is not needed in a client certificate,
+	but makes the certificate useful for both roles.
+      </p>
+      <p>
+	The <marker id="cert_opt"/><c>cert_opt()</c>
+	type consists of the following options:
       </p>
-      
-      <p> The <marker id="cert_opt"/> cert_opt() type consists of the following options: </p>
       <taglist>
 	<tag> {digest, digest_type()}</tag>
 	<item><p>Hash algorithm to be used for
@@ -851,6 +905,36 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
     </desc>
   </func>
   
+  <func>
+    <name>pkix_test_root_cert(Name, Options) -> RootCert</name>
+    <fsummary>Generates a test data root cert.</fsummary>
+    <type>
+      <v>Name = string()</v>
+      <d>The root certificate name.</d>
+      <v>Options = [cert_opt()]</v>
+      <d>
+	For available options see
+	<seealso marker="#cert_opt">cert_opt()</seealso>
+	under
+	<seealso marker="#pkix_test_data-1">pkix_test_data/1</seealso>.
+      </d>
+      <v>RootCert = #{cert := der_encoded(), key := Key}</v>
+      <d>
+	A root certificate and key.  The <c>Key</c> is generated by
+	<seealso marker="#generate_key-1">generate_key/1</seealso>.
+      </d>
+    </type>
+    <desc>
+      <p>
+	Generates a root certificate that can be used
+	in multiple calls to
+	<seealso marker="#pkix_test_data-1">pkix_test_data/1</seealso>
+	when you want the same root certificate for
+	several generated certificates.
+      </p>
+    </desc>
+  </func>
+
   <func>  
     <name>pkix_verify(Cert, Key) -> boolean()</name>
     <fsummary>Verifies PKIX x.509 certificate signature.</fsummary>
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 76fd0f8133..c433a96585 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2016. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2017. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -33,11 +33,12 @@
 	 is_fixed_dh_cert/1, verify_data/1, verify_fun/4, 
 	 select_extension/2, match_name/3,
 	 extensions_list/1, cert_auth_key_id/1, time_str_2_gregorian_sec/1,
-         gen_test_certs/1]).
+         gen_test_certs/1, root_cert/2]).
 
 -define(NULL, 0).
 
--export_type([chain_opts/0, test_config/0]).
+-export_type([cert_opt/0, chain_opts/0, conf_opt/0,
+              test_config/0, test_root_cert/0]).
 
 -type cert_opt()  :: {digest, public_key:digest_type()} | 
                      {key, public_key:key_params() | public_key:private_key()} | 
@@ -46,9 +47,12 @@
 -type chain_end()   :: root | peer.
 -type chain_opts()  :: #{chain_end() := [cert_opt()],  intermediates =>  [[cert_opt()]]}.
 -type conf_opt()    :: {cert, public_key:der_encoded()} | 
-                       {key,  public_key:der_encoded()} |
+                       {key,  public_key:private_key()} |
                        {cacerts, [public_key:der_encoded()]}.
--type test_config() :: #{server_config := [conf_opt()],  client_config :=  [conf_opt()]}.
+-type test_config() ::
+        #{server_config := [conf_opt()],  client_config :=  [conf_opt()]}.
+-type test_root_cert() ::
+        #{cert := binary(), key := public_key:private_key()}.
 %%====================================================================
 %% Internal application APIu
 %%====================================================================
@@ -430,31 +434,94 @@ match_name(Fun, Name, PermittedName, [Head | Tail]) ->
 	false ->
 	    match_name(Fun, Name, Head, Tail)
     end.
+
 %%%
--spec gen_test_certs(#{server_chain:= chain_opts(), client_chain:= chain_opts()}) -> test_config().
- 
-%% Generates server and and client configuration for testing 
+-spec gen_test_certs(#{server_chain:= chain_opts(),
+                       client_chain:= chain_opts()} |
+                     chain_opts()) ->
+                            test_config() |
+                            [conf_opt()].
+%%
+%% Generates server and and client configuration for testing
 %% purposes. All certificate options have default values
-gen_test_certs(#{client_chain := #{root := ClientRootConf,
-                                   intermediates := ClientCAs,
-                                   peer := ClientPeer}, 
-                 server_chain := 
-                     #{root := ServerRootConf,
-                       intermediates := ServerCAs,
-                       peer := ServerPeer}}) ->
-    SRootKey = gen_key(proplists:get_value(key, ServerRootConf, default_key_gen())),
-    CRootKey = gen_key(proplists:get_value(key, ClientRootConf, default_key_gen())),
-    ServerRoot = root_cert("server", SRootKey, ClientRootConf),
-    ClientRoot = root_cert("client", CRootKey, ServerRootConf),
-    
-    [{ServerDERCert, ServerDERKey} | ServerCAsKeys] = config(server, ServerRoot, 
-                                                       SRootKey, lists:reverse([ServerPeer | lists:reverse(ServerCAs)])),
-    [{ClientDERCert, ClientDERKey} | ClientCAsKeys] = config(client, ClientRoot, 
-                                                       CRootKey, lists:reverse([ClientPeer | lists:reverse(ClientCAs)])),
-    ServerDERCA = ca_config(ClientRoot, ServerCAsKeys),
-    ClientDERCA = ca_config(ServerRoot, ClientCAsKeys),
-    #{server_config => [{cert, ServerDERCert}, {key, ServerDERKey}, {cacerts, ServerDERCA}], 
-      client_config => [{cert, ClientDERCert}, {key, ClientDERKey}, {cacerts, ClientDERCA}]}.
+gen_test_certs(
+  #{client_chain :=
+        #{root := ClientRoot,
+          intermediates := ClientCAs,
+          peer := ClientPeer},
+    server_chain :=
+        #{root := ServerRoot,
+          intermediates := ServerCAs,
+          peer := ServerPeer}}) ->
+    #{cert := ServerRootCert, key := ServerRootKey} =
+        case ServerRoot of
+            #{} ->
+                ServerRoot;
+            ServerRootConf when is_list(ServerRootConf) ->
+                root_cert("SERVER ROOT CA", ServerRootConf)
+        end,
+    #{cert := ClientRootCert, key := ClientRootKey} =
+        case ClientRoot of
+            #{} ->
+                ClientRoot;
+            ClientRootConf when is_list(ClientRootConf) ->
+                root_cert("CLIENT ROOT CA", ClientRootConf)
+        end,
+    [{ServerDERCert, ServerDERKey} | ServerCAsKeys] =
+        config(
+          server, ServerRootCert, ServerRootKey,
+          lists:reverse([ServerPeer | lists:reverse(ServerCAs)])),
+    [{ClientDERCert, ClientDERKey} | ClientCAsKeys] =
+        config(
+          client, ClientRootCert, ClientRootKey,
+          lists:reverse([ClientPeer | lists:reverse(ClientCAs)])),
+    ServerDERCA = ca_config(ClientRootCert, ServerCAsKeys),
+    ClientDERCA = ca_config(ServerRootCert, ClientCAsKeys),
+    #{server_config =>
+          [{cert, ServerDERCert}, {key, ServerDERKey},
+           {cacerts, ServerDERCA}],
+      client_config =>
+          [{cert, ClientDERCert}, {key, ClientDERKey},
+           {cacerts, ClientDERCA}]};
+%%
+%% Generates a node configuration for testing purposes,
+%% when using the node server cert also for the client.
+%% All certificate options have default values
+gen_test_certs(
+  #{root := Root, intermediates := CAs, peer := Peer}) ->
+    #{cert := RootCert, key := RootKey} =
+        case Root of
+            #{} ->
+                Root;
+            RootConf when is_list(RootConf) ->
+                root_cert("SERVER ROOT CA", RootConf)
+        end,
+    [{DERCert, DERKey} | CAsKeys] =
+        config(
+          server, RootCert, RootKey,
+          lists:reverse([Peer | lists:reverse(CAs)])),
+    DERCAs = ca_config(RootCert, CAsKeys),
+    [{cert, DERCert}, {key, DERKey}, {cacerts, DERCAs}].
+
+%%%
+-spec root_cert(string(), [cert_opt()]) -> test_root_cert().
+%%
+%% Generate a self-signed root cert
+root_cert(Name, Opts) ->
+    PrivKey = gen_key(proplists:get_value(key, Opts, default_key_gen())),
+    TBS = cert_template(),
+    Issuer = subject("root", Name),
+    OTPTBS =
+        TBS#'OTPTBSCertificate'{
+          signature = sign_algorithm(PrivKey, Opts),
+          issuer = Issuer,
+          validity = validity(Opts),
+          subject = Issuer,
+          subjectPublicKeyInfo = public_key(PrivKey),
+          extensions = extensions(undefined, ca, Opts)
+         },
+    #{cert => public_key:pkix_sign(OTPTBS, PrivKey),
+      key => PrivKey}.
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -1103,7 +1170,7 @@ missing_basic_constraints(OtpCert, SelfSigned, ValidationState, VerifyFun, UserS
 	     UserState}
     end.
 
- gen_key(KeyGen) ->
+gen_key(KeyGen) ->
      case is_key(KeyGen) of
          true ->
              KeyGen;
@@ -1120,28 +1187,14 @@ is_key(#'ECPrivateKey'{}) ->
 is_key(_) ->
     false.
 
-root_cert(Role, PrivKey, Opts) ->
-     TBS = cert_template(),
-     Issuer = issuer("root", Role, " ROOT CA"),
-     OTPTBS = TBS#'OTPTBSCertificate'{
-                signature = sign_algorithm(PrivKey, Opts),
-                issuer = Issuer,
-                validity = validity(Opts),  
-                subject = Issuer,
-                subjectPublicKeyInfo = public_key(PrivKey),
-                extensions = extensions(Role, ca, Opts)
-               },
-     public_key:pkix_sign(OTPTBS, PrivKey).
 
 cert_template() ->
     #'OTPTBSCertificate'{
        version = v3,              
-       serialNumber = trunc(rand:uniform()*100000000)*10000 + 1,
+       serialNumber = erlang:unique_integer([positive, monotonic]),
        issuerUniqueID = asn1_NOVALUE,       
        subjectUniqueID = asn1_NOVALUE
       }.
-issuer(Contact, Role, Name) ->
-  subject(Contact, Role ++ Name).
 
 subject(Contact, Name) ->
     Opts = [{email, Contact ++ "@example.org"},
@@ -1176,9 +1229,11 @@ validity(Opts) ->
     DefFrom0 = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())-1),
     DefTo0   = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())+7),
     {DefFrom, DefTo} = proplists:get_value(validity, Opts, {DefFrom0, DefTo0}),
-    Format = fun({Y,M,D}) -> 
-                     lists:flatten(io_lib:format("~w~2..0w~2..0w000000Z",[Y,M,D])) 
-             end,
+    Format =
+        fun({Y,M,D}) ->
+                lists:flatten(
+                  io_lib:format("~4..0w~2..0w~2..0w000000Z",[Y,M,D]))
+        end,
     #'Validity'{notBefore={generalTime, Format(DefFrom)},
 		notAfter ={generalTime, Format(DefTo)}}.
 
@@ -1240,7 +1295,6 @@ cert(Role, #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = Iss
                subject = subject(Contact, atom_to_list(Role) ++ Name),
                subjectPublicKeyInfo = public_key(Key),
                extensions = extensions(Role, Type, Opts)
-               
               },
     public_key:pkix_sign(OTPTBS, PrivKey).
 
@@ -1297,7 +1351,7 @@ add_default_extensions(server, peer, Exts) ->
               ],
     add_default_extensions(Default, Exts);
     
-add_default_extensions(_, peer, Exts) ->
+add_default_extensions(client, peer, Exts) ->
     Exts.
 
 add_default_extensions(Defaults0, Exts) ->
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 6788c1ee92..034126655c 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -59,7 +59,8 @@
 	 pkix_crl_verify/2,
 	 pkix_crl_issuer/1,
 	 short_name_hash/1,
-         pkix_test_data/1
+         pkix_test_data/1,
+         pkix_test_root_cert/2
 	]).
 
 -export_type([public_key/0, private_key/0, pem_entry/0,
@@ -1033,10 +1034,12 @@ short_name_hash({rdnSequence, _Attributes} = Name) ->
 
 
 %%--------------------------------------------------------------------
--spec pkix_test_data(#{chain_type() := pubkey_cert:chain_opts()}) ->
-                            pubkey_cert:test_config().
+-spec pkix_test_data(#{chain_type() := pubkey_cert:chain_opts()} |
+                     pubkey_cert:chain_opts()) ->
+                            pubkey_cert:test_config() |
+                            [pubkey_cert:conf_opt()].
 
-%% Description: Generates OpenSSL-style hash of a name.
+%% Description: Generates cert(s) and ssl configuration
 %%--------------------------------------------------------------------
 
 pkix_test_data(#{client_chain := ClientChain0,
@@ -1045,7 +1048,21 @@ pkix_test_data(#{client_chain := ClientChain0,
     ClientChain = maps:merge(Default, ClientChain0),
     ServerChain = maps:merge(Default, ServerChain0),
     pubkey_cert:gen_test_certs(#{client_chain => ClientChain,
-                                 server_chain => ServerChain}).
+                                 server_chain => ServerChain});
+pkix_test_data(#{} = Chain) ->
+    Default = #{intermediates => []},
+    pubkey_cert:gen_test_certs(maps:merge(Default, Chain)).
+
+%%--------------------------------------------------------------------
+-spec pkix_test_root_cert(
+        Name :: string(), Opts :: [pubkey_cert:cert_opt()]) ->
+                                 pubkey_cert:test_root_cert().
+
+%% Description: Generates a root cert suitable for pkix_test_data/1
+%%--------------------------------------------------------------------
+
+pkix_test_root_cert(Name, Opts) ->
+    pubkey_cert:root_cert(Name, Opts).
 
 %%--------------------------------------------------------------------
 %%% Internal functions