Merge branch 'ia/ssl/countryname-utf8-workaround/OTP-10222' into maint

* ia/ssl/countryname-utf8-workaround/OTP-10222:
  ssl & public_key: Workaround that some certificates encode countryname as utf8 and close down gracefully if other ASN-1 errors occur.

1 files changed, 17 insertions, 12 deletions

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 28469dfa5f..bb26302fff 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -220,18 +220,23 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
 		 end, {Role, UserState0}}
 	end,
 
-    {TrustedErlCert, CertPath}  =
-	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef),
-
-    case public_key:pkix_path_validation(TrustedErlCert,
-					 CertPath,
-					 [{max_path_length,
-					   MaxPathLen},
-					  {verify_fun, ValidationFunAndState}]) of
-	{ok, {PublicKeyInfo,_}} ->
-	    {PeerCert, PublicKeyInfo};
-	{error, Reason} ->
-	    path_validation_alert(Reason)
+    try
+	{TrustedErlCert, CertPath}  =
+	    ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef),
+	case public_key:pkix_path_validation(TrustedErlCert,
+					      CertPath,
+					     [{max_path_length,
+					       MaxPathLen},
+					      {verify_fun, ValidationFunAndState}]) of
+	    {ok, {PublicKeyInfo,_}} ->
+		{PeerCert, PublicKeyInfo};
+	    {error, Reason} ->
+		path_validation_alert(Reason)
+	end
+    catch
+	error:_ ->
+	    %% ASN-1 decode of certificate somehow failed
+	    ?ALERT_REC(?FATAL, ?CERTIFICATE_UNKNOWN)
     end.
 
 %%--------------------------------------------------------------------