ssl: Improve PEM cache by validating entries

The PEM cache is now validated by a background process, instead of always keeping it if it is small enough and clearing it otherwhiss. That strategy required that small caches where cleared by API function if a file changes on disk. However document the clearing API function as it can still be usefull.
author: Ingela Anderton Andin <[email protected]> 2015-02-02 14:15:15 +0100
committer: Ingela Anderton Andin <[email protected]> 2015-02-06 12:23:13 +0100
commit: fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79 (patch)
tree: 2b4a1d4f3aac821cce6e13bbd67855ac0dcb7594 /lib/ssl/src/ssl_pkix_db.erl
parent: 0fee86f864a4ba2a7a363927a50c81c43994ca9a (diff)
download: otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.tar.gz
otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.tar.bz2
otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.zip
1 files changed, 16 insertions, 17 deletions
diff --git a/lib/ssl/src/ssl_pkix_db.erl b/lib/ssl/src/ssl_pkix_db.erl
index e59aba0618..8531445ba4 100644
--- a/lib/ssl/src/ssl_pkix_db.erl
+++ b/lib/ssl/src/ssl_pkix_db.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -81,10 +81,10 @@ lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) ->
 	    {ok, Certs}
     end.
 
-lookup_cached_pem([_, _, PemChache], MD5) ->
-    lookup_cached_pem(PemChache, MD5);
-lookup_cached_pem(PemChache, MD5) ->
-    lookup(MD5, PemChache).
+lookup_cached_pem([_, _, PemChache], File) ->
+    lookup_cached_pem(PemChache, File);
+lookup_cached_pem(PemChache, File) ->
+    lookup(File, PemChache).
 
 %%--------------------------------------------------------------------
 -spec add_trusted_certs(pid(), {erlang:timestamp(), string()} |
@@ -100,36 +100,35 @@ add_trusted_certs(_Pid, {der, DerList}, [CerDb, _,_]) ->
     {ok, NewRef};
 
 add_trusted_certs(_Pid, File, [CertsDb, RefDb, PemChache] = Db) ->
-    MD5 = crypto:hash(md5, File),
-    case lookup_cached_pem(Db, MD5) of
+    case lookup_cached_pem(Db, File) of
 	[{_Content, Ref}] ->
 	    ref_count(Ref, RefDb, 1),
 	    {ok, Ref};
 	[Content] ->
 	    Ref = make_ref(),
 	    update_counter(Ref, 1, RefDb),
-	    insert(MD5, {Content, Ref}, PemChache),
+	    insert(File, {Content, Ref}, PemChache),
 	    add_certs_from_pem(Content, Ref, CertsDb),
 	    {ok, Ref};
 	undefined ->
-	    new_trusted_cert_entry({MD5, File}, Db)
+	    new_trusted_cert_entry(File, Db)
     end.
 %%--------------------------------------------------------------------
 %%
 %% Description: Cache file as binary in DB
 %%--------------------------------------------------------------------
--spec cache_pem_file({binary(), binary()}, [db_handle()]) -> {ok, term()}.
-cache_pem_file({MD5, File}, [_CertsDb, _RefDb, PemChache]) ->
+-spec cache_pem_file(binary(), [db_handle()]) -> {ok, term()}.
+cache_pem_file(File, [_CertsDb, _RefDb, PemChache]) ->
     {ok, PemBin} = file:read_file(File),
     Content = public_key:pem_decode(PemBin),
-    insert(MD5, Content, PemChache),
+    insert(File, Content, PemChache),
     {ok, Content}.
 
--spec cache_pem_file(reference(), {binary(), binary()}, [db_handle()]) -> {ok, term()}.
-cache_pem_file(Ref, {MD5, File}, [_CertsDb, _RefDb, PemChache]) ->
+-spec cache_pem_file(reference(), binary(), [db_handle()]) -> {ok, term()}.
+cache_pem_file(Ref, File, [_CertsDb, _RefDb, PemChache]) ->
     {ok, PemBin} = file:read_file(File),
     Content = public_key:pem_decode(PemBin),
-    insert(MD5, {Content, Ref}, PemChache),
+    insert(File, {Content, Ref}, PemChache),
     {ok, Content}.
 
 %%--------------------------------------------------------------------
@@ -245,9 +244,9 @@ add_certs(Cert, Ref, CertsDb) ->
 	    error_logger:info_report(Report)
     end.
 
-new_trusted_cert_entry(FileRef, [CertsDb, RefDb, _] = Db) ->
+new_trusted_cert_entry(File, [CertsDb, RefDb, _] = Db) ->
     Ref = make_ref(),
     update_counter(Ref, 1, RefDb),
-    {ok, Content} = cache_pem_file(Ref, FileRef, Db),
+    {ok, Content} = cache_pem_file(Ref, File, Db),
     add_certs_from_pem(Content, Ref, CertsDb),
     {ok, Ref}.
author	Ingela Anderton Andin <[email protected]>	2015-02-02 14:15:15 +0100
committer	Ingela Anderton Andin <[email protected]>	2015-02-06 12:23:13 +0100
commit	fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79 (patch)
tree	2b4a1d4f3aac821cce6e13bbd67855ac0dcb7594 /lib/ssl/src/ssl_pkix_db.erl
parent	0fee86f864a4ba2a7a363927a50c81c43994ca9a (diff)
download	otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.tar.gz otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.tar.bz2 otp-fa9fda4a50ad92bb55f2a5707f0ec1dc7cf47d79.zip