diff options
| author | Ingela Anderton Andin <[email protected]> | 2010-09-01 08:37:37 +0200 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2010-09-01 08:37:37 +0200 |
| commit | 8537e5489707c8961c1a6f045f635b7a064f811c (patch) | |
| tree | a74a43c10ba57dec0c03e5e42581fffa637ae140 /lib/ssl/src/ssl_certificate.erl | |
| parent | d6559386aaf37419864885bcd6bf43a9af8480b7 (diff) | |
| parent | a6de8740405037bad55c09089f1d69c8c5511d6c (diff) | |
| download | otp-8537e5489707c8961c1a6f045f635b7a064f811c.tar.gz otp-8537e5489707c8961c1a6f045f635b7a064f811c.tar.bz2 otp-8537e5489707c8961c1a6f045f635b7a064f811c.zip | |
Merge branch 'ia/ssl-public_key-empty-cert-chain/OTP-8788' into dev
* ia/ssl-public_key-empty-cert-chain/OTP-8788:
Empty certificate chain
Diffstat (limited to 'lib/ssl/src/ssl_certificate.erl')
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 31 |
1 files changed, 12 insertions, 19 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 917e75157b..a42cd0c10d 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -31,7 +31,7 @@ -include("ssl_debug.hrl"). -include_lib("public_key/include/public_key.hrl"). --export([trusted_cert_and_path/3, +-export([trusted_cert_and_path/2, certificate_chain/2, file_to_certificats/1, validate_extensions/6, @@ -47,14 +47,14 @@ %%==================================================================== %%-------------------------------------------------------------------- --spec trusted_cert_and_path([der_cert()], certdb_ref(), boolean()) -> - {der_cert(), [der_cert()], list()}. +-spec trusted_cert_and_path([der_cert()], certdb_ref()) -> + {der_cert() | unknown_ca, [der_cert()]}. %% %% Description: Extracts the root cert (if not presents tries to %% look it up, if not found {bad_cert, unknown_ca} will be added verification %% errors. Returns {RootCert, Path, VerifyErrors} %%-------------------------------------------------------------------- -trusted_cert_and_path(CertChain, CertDbRef, Verify) -> +trusted_cert_and_path(CertChain, CertDbRef) -> [Cert | RestPath] = lists:reverse(CertChain), OtpCert = public_key:pkix_decode_cert(Cert, otp), IssuerAnPath = @@ -71,24 +71,22 @@ trusted_cert_and_path(CertChain, CertDbRef, Verify) -> {ok, IssuerId} -> {IssuerId, [Cert | RestPath]}; Other -> - {Other, RestPath} + {Other, [Cert | RestPath]} end end end, case IssuerAnPath of - {{error, issuer_not_found}, _ } -> - %% The root CA was not sent and can not be found, we fail if verify = true - not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA), Verify, {Cert, RestPath}); + {{error, issuer_not_found}, Path} -> + %% The root CA was not sent and can not be found. + {unknown_ca, Path}; {{SerialNr, Issuer}, Path} -> - case ssl_manager:lookup_trusted_cert(CertDbRef, - SerialNr, Issuer) of + case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of {ok, {BinCert,_}} -> - {BinCert, Path, []}; + {BinCert, Path}; _ -> - %% Fail if verify = true - not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA), - Verify, {Cert, RestPath}) + %% Root CA could not be verified + {unknown_ca, Path} end end. @@ -244,11 +242,6 @@ find_issuer(OtpCert, PrevCandidateKey) -> end end. -not_valid(Alert, true, _) -> - throw(Alert); -not_valid(_, false, {ErlCert, Path}) -> - {ErlCert, Path, [{bad_cert, unknown_ca}]}. - is_valid_extkey_usage(KeyUse, client) -> %% Client wants to verify server is_valid_key_usage(KeyUse,?'id-kp-serverAuth'); |