Merge branch 'legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530'

* legoscia/ssl_crl_hash_dir-bis/PR-982/OTP-13530:
  Skip crl_hash_dir_expired test for LibreSSL
  Add ssl_crl_hash_dir module
  Function for generating OpenSSL-style name hashes
  Add public_key:pkix_match_dist_point
  Improve formatting for crl_{check,cache} options
  Add issuer arg to ssl_crl_cache_api lookup callback

Conflicts:
	lib/public_key/test/public_key_SUITE.erl

6 files changed, 135 insertions, 16 deletions

diff --git a/lib/ssl/src/Makefile b/lib/ssl/src/Makefile
index 7a7a373487..b625db0656 100644
--- a/lib/ssl/src/Makefile
+++ b/lib/ssl/src/Makefile
@@ -70,6 +70,7 @@ MODULES= \
 	ssl_session_cache \
 	ssl_crl\
 	ssl_crl_cache \
+	ssl_crl_hash_dir \
 	ssl_socket \
 	ssl_listen_tracker_sup \
 	tls_record \
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 937a3b1bd1..6467cedf9d 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -44,6 +44,7 @@
 	       ssl_crl,
 	       ssl_crl_cache, 
 	       ssl_crl_cache_api,
+	       ssl_crl_hash_dir,
 	       %% App structure
 	       ssl_app,
 	       ssl_sup,
diff --git a/lib/ssl/src/ssl_crl_cache.erl b/lib/ssl/src/ssl_crl_cache.erl
index 60e7427737..647e0465fe 100644
--- a/lib/ssl/src/ssl_crl_cache.erl
+++ b/lib/ssl/src/ssl_crl_cache.erl
@@ -28,7 +28,7 @@
 
 -behaviour(ssl_crl_cache_api).
 
--export([lookup/2, select/2, fresh_crl/2]).
+-export([lookup/3, select/2, fresh_crl/2]).
 -export([insert/1, insert/2, delete/1]).
 
 %%====================================================================
@@ -36,9 +36,10 @@
 %%====================================================================
 
 lookup(#'DistributionPoint'{distributionPoint = {fullName, Names}},
+       _Issuer,
        CRLDbInfo) ->
     get_crls(Names, CRLDbInfo);
-lookup(_,_) ->
+lookup(_,_,_) ->
     not_available.
 
 select(Issuer, {{_Cache, Mapping},_}) ->
diff --git a/lib/ssl/src/ssl_crl_cache_api.erl b/lib/ssl/src/ssl_crl_cache_api.erl
index d7b31f280e..c3a57e2f49 100644
--- a/lib/ssl/src/ssl_crl_cache_api.erl
+++ b/lib/ssl/src/ssl_crl_cache_api.erl
@@ -24,8 +24,9 @@
 
 -include_lib("public_key/include/public_key.hrl"). 
 
--type db_handle() :: term(). 
+-type db_handle() :: term().
+-type issuer_name() :: {rdnSequence, [#'AttributeTypeAndValue'{}]}.
 
--callback lookup(#'DistributionPoint'{}, db_handle()) -> not_available | [public_key:der_encoded()].
--callback select(term(), db_handle()) ->  [public_key:der_encoded()].
+-callback lookup(#'DistributionPoint'{}, issuer_name(), db_handle()) -> not_available | [public_key:der_encoded()].
+-callback select(issuer_name(), db_handle()) ->  [public_key:der_encoded()].
 -callback fresh_crl(#'DistributionPoint'{}, public_key:der_encoded()) -> public_key:der_encoded().
diff --git a/lib/ssl/src/ssl_crl_hash_dir.erl b/lib/ssl/src/ssl_crl_hash_dir.erl
new file mode 100644
index 0000000000..bb62737232
--- /dev/null
+++ b/lib/ssl/src/ssl_crl_hash_dir.erl
@@ -0,0 +1,106 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2016-2016. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+
+-module(ssl_crl_hash_dir).
+
+-include_lib("public_key/include/public_key.hrl").
+
+-behaviour(ssl_crl_cache_api).
+
+-export([lookup/3, select/2, fresh_crl/2]).
+
+lookup(#'DistributionPoint'{cRLIssuer = CRLIssuer} = DP, CertIssuer, CRLDbInfo) ->
+    Issuer =
+	case CRLIssuer of
+	    asn1_NOVALUE ->
+		%% If the distribution point extension doesn't
+		%% indicate a CRL issuer, use the certificate issuer.
+		CertIssuer;
+	    _ ->
+		CRLIssuer
+	end,
+    %% Find all CRLs for this issuer, and return those that match the
+    %% given distribution point.
+    AllCRLs = select(Issuer, CRLDbInfo),
+    lists:filter(fun(DER) ->
+			 public_key:pkix_match_dist_point(DER, DP)
+		 end, AllCRLs).
+
+fresh_crl(#'DistributionPoint'{}, CurrentCRL) ->
+    CurrentCRL.
+
+select(Issuer, {_DbHandle, [{dir, Dir}]}) ->
+    case find_crls(Issuer, Dir) of
+        [_|_] = DERs ->
+	    DERs;
+        [] ->
+            %% That's okay, just report that we didn't find any CRL.
+            %% If the crl_check setting is best_effort, ssl_handshake
+            %% is happy with that, but if it's true, this is an error.
+            [];
+        {error, Error} ->
+            error_logger:error_report(
+              [{cannot_find_crl, Error},
+               {dir, Dir},
+               {module, ?MODULE},
+               {line, ?LINE}]),
+            []
+    end.
+
+find_crls(Issuer, Dir) ->
+    case filelib:is_dir(Dir) of
+        true ->
+	    Hash = public_key:short_name_hash(Issuer),
+	    find_crls(Issuer, Hash, Dir, 0, []);
+        false ->
+            {error, not_a_directory}
+    end.
+
+find_crls(Issuer, Hash, Dir, N, Acc) ->
+    Filename = filename:join(Dir, Hash ++ ".r" ++ integer_to_list(N)),
+    case file:read_file(Filename) of
+	{error, enoent} ->
+	    Acc;
+	{ok, Bin} ->
+	    try maybe_parse_pem(Bin) of
+		DER when is_binary(DER) ->
+		    %% Found one file.  Let's see if there are more.
+		    find_crls(Issuer, Hash, Dir, N + 1, [DER] ++ Acc)
+	    catch
+		error:Error ->
+		    %% Something is wrong with the file.  Report
+		    %% it, and try the next one.
+		    error_logger:error_report(
+		      [{crl_parse_error, Error},
+		       {filename, Filename},
+		       {module, ?MODULE},
+		       {line, ?LINE}]),
+		    find_crls(Issuer, Hash, Dir, N + 1, Acc)
+	    end
+    end.
+
+maybe_parse_pem(<<"-----BEGIN", _/binary>> = PEM) ->
+    %% It's a PEM encoded file.  Need to extract the DER
+    %% encoded data.
+    [{'CertificateList', DER, not_encrypted}] = public_key:pem_decode(PEM),
+    DER;
+maybe_parse_pem(DER) when is_binary(DER) ->
+    %% Let's assume it's DER-encoded.
+    DER.
+
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 0787e151c0..acc5ae6bd7 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -2128,13 +2128,14 @@ crl_check_same_issuer(OtpCert, _, Dps, Options) ->
     public_key:pkix_crls_validate(OtpCert, Dps, Options).
 
 dps_and_crls(OtpCert, Callback, CRLDbHandle, ext) ->
-	case public_key:pkix_dist_points(OtpCert) of
-	    [] ->
-		no_dps;
-	    DistPoints ->
-		distpoints_lookup(DistPoints, Callback, CRLDbHandle) 
-	end;
-    
+    case public_key:pkix_dist_points(OtpCert) of
+	[] ->
+	    no_dps;
+	DistPoints ->
+	    Issuer = OtpCert#'OTPCertificate'.tbsCertificate#'OTPTBSCertificate'.issuer,
+	    distpoints_lookup(DistPoints, Issuer, Callback, CRLDbHandle)
+    end;
+
 dps_and_crls(OtpCert, Callback, CRLDbHandle, same_issuer) ->    
     DP = #'DistributionPoint'{distributionPoint = {fullName, GenNames}} = 
 	public_key:pkix_dist_point(OtpCert),
@@ -2145,12 +2146,20 @@ dps_and_crls(OtpCert, Callback, CRLDbHandle, same_issuer) ->
 			 end, GenNames),
     [{DP, {CRL, public_key:der_decode('CertificateList', CRL)}} ||  CRL <- CRLs].
 
-distpoints_lookup([], _, _) ->
+distpoints_lookup([], _, _, _) ->
     [];
-distpoints_lookup([DistPoint | Rest], Callback, CRLDbHandle) ->
-    case Callback:lookup(DistPoint, CRLDbHandle) of
+distpoints_lookup([DistPoint | Rest], Issuer, Callback, CRLDbHandle) ->
+    Result =
+	try Callback:lookup(DistPoint, Issuer, CRLDbHandle)
+	catch
+	    error:undef ->
+		%% The callback module still uses the 2-argument
+		%% version of the lookup function.
+		Callback:lookup(DistPoint, CRLDbHandle)
+	end,
+    case Result of
 	not_available ->
-	    distpoints_lookup(Rest, Callback, CRLDbHandle);
+	    distpoints_lookup(Rest, Issuer, Callback, CRLDbHandle);
 	CRLs ->
 	    [{DistPoint, {CRL, public_key:der_decode('CertificateList', CRL)}} ||  CRL <- CRLs]
     end.