path: root/lib/ssl/src/ssl_crl.erl
authorIngela Anderton Andin <[email protected]>2015-03-09 15:13:51 +0100
committerIngela Anderton Andin <[email protected]>2015-03-09 15:13:51 +0100
commitad771692fec71f2929bdc715cc44ca24757c75f3 (patch)
tree55f6d72d26b6e515bb3aa71ebd1dc4d7f0714081 /lib/ssl/src/ssl_crl.erl
parent6c59d3f422ca9ee1687abda43cf553eea09d78bf (diff)
parentd4fd18e715954d0310deb4ccbedebe0bddcef82c (diff)
Merge branch 'ia/ssl/crl-cache/OTP-10362'
* ia/ssl/crl-cache/OTP-10362: ssl: fix white box tests ssl: Integrate public_key CRL verification with the ssl application
Diffstat (limited to 'lib/ssl/src/ssl_crl.erl')
-rw-r--r--lib/ssl/src/ssl_crl.erl82
1 files changed, 82 insertions, 0 deletions
diff --git a/lib/ssl/src/ssl_crl.erl b/lib/ssl/src/ssl_crl.erl
new file mode 100644
index 0000000000..b8761f0601
--- /dev/null
+++ b/lib/ssl/src/ssl_crl.erl
@@ -0,0 +1,82 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2015-2015. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+
+%----------------------------------------------------------------------
+%% Purpose: CRL handling
+%%----------------------------------------------------------------------
+
+-module(ssl_crl).
+
+-include("ssl_alert.hrl").
+-include("ssl_internal.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
+-export([trusted_cert_and_path/3]).
+
+trusted_cert_and_path(CRL, {SerialNumber, Issuer},{Db, DbRef} = DbHandle) ->
+ case ssl_pkix_db:lookup_trusted_cert(Db, DbRef, SerialNumber, Issuer) of
+ undefined ->
+ trusted_cert_and_path(CRL, issuer_not_found, DbHandle);
+ {ok, {_, OtpCert}} ->
+ {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
+ {ok, Root, lists:reverse(Chain)}
+ end;
+
+trusted_cert_and_path(CRL, issuer_not_found, {Db, DbRef} = DbHandle) ->
+ try find_issuer(CRL, DbHandle) of
+ OtpCert ->
+ {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
+ {ok, Root, lists:reverse(Chain)}
+ catch
+ throw:_ ->
+ {error, issuer_not_found}
+ end.
+
+find_issuer(CRL, {Db,_}) ->
+ Issuer = public_key:pkix_normalize_name(public_key:pkix_crl_issuer(CRL)),
+ IsIssuerFun =
+ fun({_Key, {_Der,ErlCertCandidate}}, Acc) ->
+ verify_crl_issuer(CRL, ErlCertCandidate, Issuer, Acc);
+ (_, Acc) ->
+ Acc
+ end,
+
+ try ssl_pkix_db:foldl(IsIssuerFun, issuer_not_found, Db) of
+ issuer_not_found ->
+ {error, issuer_not_found}
+ catch
+ {ok, IssuerCert} ->
+ IssuerCert
+ end.
+
+
+verify_crl_issuer(CRL, ErlCertCandidate, Issuer, NotIssuer) ->
+ TBSCert = ErlCertCandidate#'OTPCertificate'.tbsCertificate,
+ case public_key:pkix_normalize_name(TBSCert#'OTPTBSCertificate'.subject) of
+ Issuer ->
+ case public_key:pkix_crl_verify(CRL, ErlCertCandidate) of
+ true ->
+ throw({ok, ErlCertCandidate});
+ false ->
+ NotIssuer;
+ _ ->
+ NotIssuer
+ end;
+ _ ->
+ NotIssuer
+ end.
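Review bot: The not-found result of `find_issuer/2` never reaches the `{error, issuer_not_found}` reply in the second `trusted_cert_and_path/3` clause: `find_issuer` returns `{error, issuer_not_found}` as an ordinary value (`issuer_not_found -> {error, issuer_not_found}`), but the caller's `try ... of OtpCert ->` binds any term, so that tuple is handed to `ssl_certificate:certificate_chain/3` as if it were a certificate, while the `catch throw:_` branch is dead because `find_issuer` already catches its own `{ok, IssuerCert}` throw. I would add an `of` clause ahead of the catch-all, `{error, issuer_not_found} = Error -> Error;` followed by `OtpCert ->` as before, so a CRL whose issuer is absent from the trusted store yields the intended error rather than a crash inside `certificate_chain/3`. A short `%% @doc` on `trusted_cert_and_path/3` noting that `issuer_not_found` serves both as the fallback argument tag the first clause re-enters with and as the error reason would also help readers. Separately, the trailing `_ ->` clause in `verify_crl_issuer/4` looks redundant if `public_key:pkix_crl_verify/2` only returns a boolean, as its documentation indicates.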