Merge branch 'ingela/ssl/key-ext-validate/ERL-338/OTP-14141' into maint

* ingela/ssl/key-ext-validate/ERL-338/OTP-14141: ssl: The certificate path may be used as a source to find intermediate CAs for the CRL ssl: Handle more than one DistributionPoint ssl: Correct ssl_certificate:validate/3
author: Ingela Anderton Andin <[email protected]> 2017-01-27 10:27:26 +0100
committer: Ingela Anderton Andin <[email protected]> 2017-01-27 10:27:26 +0100
commit: 2735f415510cf260258e092c0f3e4070a00fc06d (patch)
tree: 8837c7b1157616c6af444e9d528f8f24680e0d5f /lib/ssl/src/ssl_crl.erl
parent: 5cce2a35e902e2fd82ae488a74dd0dd08f3f4b20 (diff)
parent: 63504a78d0547845b6cdea57251db7dc35ae1515 (diff)
download: otp-2735f415510cf260258e092c0f3e4070a00fc06d.tar.gz
otp-2735f415510cf260258e092c0f3e4070a00fc06d.tar.bz2
otp-2735f415510cf260258e092c0f3e4070a00fc06d.zip
1 files changed, 50 insertions, 26 deletions
diff --git a/lib/ssl/src/ssl_crl.erl b/lib/ssl/src/ssl_crl.erl
index fc60bdba67..33375b5e09 100644
--- a/lib/ssl/src/ssl_crl.erl
+++ b/lib/ssl/src/ssl_crl.erl
@@ -29,7 +29,7 @@
 
 -export([trusted_cert_and_path/3]).
 
-trusted_cert_and_path(CRL, {SerialNumber, Issuer},{Db, DbRef} = DbHandle) -> 
+trusted_cert_and_path(CRL, {SerialNumber, Issuer},{_, {Db, DbRef}} = DbHandle) -> 
     case ssl_pkix_db:lookup_trusted_cert(Db, DbRef, SerialNumber, Issuer) of
 	undefined ->
 	    trusted_cert_and_path(CRL, issuer_not_found, DbHandle);
@@ -37,17 +37,34 @@ trusted_cert_and_path(CRL, {SerialNumber, Issuer},{Db, DbRef} = DbHandle) ->
 	    {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
 	    {ok, Root,  lists:reverse(Chain)}
     end;
-
-trusted_cert_and_path(CRL, issuer_not_found, {Db, DbRef} = DbHandle) -> 
-    case find_issuer(CRL, DbHandle) of
+trusted_cert_and_path(CRL, issuer_not_found, {CertPath, {Db, DbRef}}) -> 
+    case find_issuer(CRL, {certpath, 
+                           [{Der, public_key:pkix_decode_cert(Der,otp)} || Der <-  CertPath]}) of
 	{ok, OtpCert} ->
 	    {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
 	    {ok, Root, lists:reverse(Chain)};
 	{error, issuer_not_found} ->
-	    {ok, unknown_crl_ca, []}
-    end.
+	    trusted_cert_and_path(CRL, issuer_not_found, {Db, DbRef}) 
+    end;
+trusted_cert_and_path(CRL, issuer_not_found, {Db, DbRef} = DbInfo) -> 
+    case find_issuer(CRL, DbInfo) of
+	{ok, OtpCert} ->
+            {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
+	    {ok, Root, lists:reverse(Chain)};
+         {error, issuer_not_found} ->
+             {error, unknown_ca}
+     end.
 
-find_issuer(CRL, {Db,DbRef}) ->
+find_issuer(CRL, {certpath = Db, DbRef}) ->
+    Issuer = public_key:pkix_normalize_name(public_key:pkix_crl_issuer(CRL)),
+    IsIssuerFun =
+	fun({_Der,ErlCertCandidate}, Acc) ->
+		verify_crl_issuer(CRL, ErlCertCandidate, Issuer, Acc);
+	   (_, Acc) ->
+		Acc
+	end,
+    find_issuer(IsIssuerFun, Db, DbRef);
+find_issuer(CRL, {Db, DbRef}) ->
     Issuer = public_key:pkix_normalize_name(public_key:pkix_crl_issuer(CRL)),
     IsIssuerFun =
 	fun({_Key, {_Der,ErlCertCandidate}}, Acc) ->
@@ -55,26 +72,33 @@ find_issuer(CRL, {Db,DbRef}) ->
 	   (_, Acc) ->
 		Acc
 	end,
-    if is_reference(DbRef) -> % actual DB exists
-	try ssl_pkix_db:foldl(IsIssuerFun, issuer_not_found, Db) of
-	    issuer_not_found ->
-		{error, issuer_not_found}
-	catch
-	    {ok, _} = Result ->
-		Result
-	end;
-       is_tuple(DbRef), element(1,DbRef) =:= extracted -> % cache bypass byproduct
-	{extracted, CertsData} = DbRef,
-	Certs = [Entry || {decoded, Entry} <- CertsData],
-	try lists:foldl(IsIssuerFun, issuer_not_found, Certs) of
-	    issuer_not_found ->
-		{error, issuer_not_found}
-	catch
-	    {ok, _} = Result ->
-		Result
-	end
-    end.
+    find_issuer(IsIssuerFun, Db, DbRef).
 
+find_issuer(IsIssuerFun, certpath, Certs) ->
+    try lists:foldl(IsIssuerFun, issuer_not_found, Certs) of
+        issuer_not_found ->
+            {error, issuer_not_found}
+    catch
+        {ok, _} = Result ->
+            Result
+    end;
+find_issuer(IsIssuerFun, extracted, CertsData) ->
+    Certs = [Entry || {decoded, Entry} <- CertsData],
+    try lists:foldl(IsIssuerFun, issuer_not_found, Certs) of
+        issuer_not_found ->
+            {error, issuer_not_found}
+    catch
+        {ok, _} = Result ->
+            Result
+    end;
+find_issuer(IsIssuerFun, Db, _) ->  
+    try ssl_pkix_db:foldl(IsIssuerFun, issuer_not_found, Db) of
+        issuer_not_found ->
+            {error, issuer_not_found}
+    catch
+        {ok, _} = Result ->
+            Result
+    end.
 
 verify_crl_issuer(CRL, ErlCertCandidate, Issuer, NotIssuer) ->
     TBSCert =  ErlCertCandidate#'OTPCertificate'.tbsCertificate,
author	Ingela Anderton Andin <[email protected]>	2017-01-27 10:27:26 +0100
committer	Ingela Anderton Andin <[email protected]>	2017-01-27 10:27:26 +0100
commit	2735f415510cf260258e092c0f3e4070a00fc06d (patch)
tree	8837c7b1157616c6af444e9d528f8f24680e0d5f /lib/ssl/src/ssl_crl.erl
parent	5cce2a35e902e2fd82ae488a74dd0dd08f3f4b20 (diff)
parent	63504a78d0547845b6cdea57251db7dc35ae1515 (diff)
download	otp-2735f415510cf260258e092c0f3e4070a00fc06d.tar.gz otp-2735f415510cf260258e092c0f3e4070a00fc06d.tar.bz2 otp-2735f415510cf260258e092c0f3e4070a00fc06d.zip