OTP-8554 Certificate extensions

author: Ingela Anderton Andin <[email protected]> 2010-04-13 14:00:59 +0000
committer: Erlang/OTP <[email protected]> 2010-04-13 14:00:59 +0000
commit: e8b92d40b92142d1654994f16855922b8060a484 (patch)
tree: a7fdce2a9c564646d8c309c3e6683f27a92e9bfd /lib/ssl/src
parent: 3137955104f78ab1c42a00e9309d1b39577f506f (diff)
download: otp-e8b92d40b92142d1654994f16855922b8060a484.tar.gz
otp-e8b92d40b92142d1654994f16855922b8060a484.tar.bz2
otp-e8b92d40b92142d1654994f16855922b8060a484.zip
5 files changed, 78 insertions, 13 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index da5f750762..95133cb216 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -547,6 +547,7 @@ handle_options(Opts0, Role) ->
       fail_if_no_peer_cert = validate_option(fail_if_no_peer_cert, 
 					     FailIfNoPeerCert),
       verify_client_once =  handle_option(verify_client_once, Opts, false),
+      validate_extensions_fun = handle_option(validate_extensions_fun, Opts, undefined),
       depth      = handle_option(depth,  Opts, 1),
       certfile   = CertFile,
       keyfile    = handle_option(keyfile,  Opts, CertFile),
@@ -563,7 +564,7 @@ handle_options(Opts0, Role) ->
      },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed}),    
-    SslOptions = [versions, verify, verify_fun, 
+    SslOptions = [versions, verify, verify_fun, validate_extensions_fun, 
 		  fail_if_no_peer_cert, verify_client_once,
 		  depth, certfile, keyfile,
 		  key, password, cacertfile, dhfile, ciphers,
@@ -598,6 +599,9 @@ validate_option(fail_if_no_peer_cert, Value)
 validate_option(verify_client_once, Value) 
   when Value == true; Value == false ->
     Value;
+
+validate_option(validate_extensions_fun, Value) when Value == undefined; is_function(Value) ->
+    Value;
 validate_option(depth, Value) when is_integer(Value), 
                                    Value >= 0, Value =< 255->
     Value;
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index d97b61a5ce..686e90a70c 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%% 
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%% 
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%% 
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%% 
+%%
 %% %CopyrightEnd%
 %%
 
@@ -29,10 +29,12 @@
 -include("ssl_alert.hrl").
 -include("ssl_internal.hrl").
 -include("ssl_debug.hrl").
+-include_lib("public_key/include/public_key.hrl"). 
 
 -export([trusted_cert_and_path/3, 
 	 certificate_chain/2, 
-	 file_to_certificats/1]).
+	 file_to_certificats/1,
+	 validate_extensions/6]).
  
 %%====================================================================
 %% Internal application API
@@ -87,6 +89,30 @@ file_to_certificats(File) ->
     {ok, List} = ssl_manager:cache_pem_file(File),
     [Bin || {cert, Bin, not_encrypted} <- List].
 
+
+%% Validates ssl/tls specific extensions
+validate_extensions([], ValidationState, UnknownExtensions, _, AccErr, _) -> 
+    {UnknownExtensions, ValidationState, AccErr};
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage',
+				  extnValue = KeyUse,
+				  critical = true} | Rest], 
+		    ValidationState, UnknownExtensions, Verify, AccErr0, Role) ->
+    case is_valid_extkey_usage(KeyUse, Role) of
+	true ->
+	    validate_extensions(Rest, ValidationState, UnknownExtensions, 
+				Verify, AccErr0, Role);
+	false ->
+	    AccErr = 
+		not_valid_extension({bad_cert, invalid_ext_key_usage}, Verify, AccErr0),
+	    validate_extensions(Rest, ValidationState, UnknownExtensions, Verify, AccErr, Role)
+    end;
+
+validate_extensions([Extension | Rest],  ValidationState, UnknownExtensions, 
+		    Verify, AccErr, Role) ->
+    validate_extensions(Rest, ValidationState, [Extension | UnknownExtensions],
+		       Verify, AccErr, Role).
+    
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
@@ -154,3 +180,18 @@ not_valid(Alert, true, _) ->
     throw(Alert);
 not_valid(_, false, {ErlCert, Path}) ->
     {ErlCert, Path, [{bad_cert, unknown_ca}]}.
+
+is_valid_extkey_usage(KeyUse, client) ->
+    %% Client wants to verify server
+    is_valid_key_usage(KeyUse,?'id-kp-serverAuth');
+is_valid_extkey_usage(KeyUse, server) ->
+    %% Server wants to verify client
+    is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
+
+is_valid_key_usage(KeyUse, Use) ->
+    lists:member(Use, KeyUse).
+
+not_valid_extension(Error, true, _) ->
+    throw(Error);
+not_valid_extension(Error, false, AccErrors) ->
+    [Error | AccErrors].
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 2d8f20bc29..6dd05688f0 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -436,15 +436,16 @@ certify(#certificate{asn1_certificates = []},
 
 certify(#certificate{} = Cert, 
         #state{negotiated_version = Version,
+	       role = Role,
 	       cert_db_ref = CertDbRef,
 	       ssl_options = Opts} = State) ->
     case ssl_handshake:certify(Cert, CertDbRef, Opts#ssl_options.depth, 
 			       Opts#ssl_options.verify,
-			       Opts#ssl_options.verify_fun) of
+			       Opts#ssl_options.verify_fun,
+			       Opts#ssl_options.validate_extensions_fun, Role) of
         {PeerCert, PublicKeyInfo} ->
 	    handle_peer_cert(PeerCert, PublicKeyInfo, 
-			     State#state{client_certificate_requested 
-					 = false});
+			     State#state{client_certificate_requested = false});
 	#alert{} = Alert ->
             handle_own_alert(Alert, Version, certify_certificate, State),
             {stop, normal, State}
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 02f689f251..9f5ac7106a 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -32,7 +32,7 @@
 -include_lib("public_key/include/public_key.hrl").
 
 -export([master_secret/4, client_hello/4, server_hello/3, hello/2,
-	 hello_request/0, certify/5, certificate/3, 
+	 hello_request/0, certify/7, certificate/3, 
 	 client_certificate_verify/6, 
 	 certificate_verify/6, certificate_request/2,
 	 key_exchange/2, server_key_exchange_hash/2,  finished/4,
@@ -161,10 +161,25 @@ hello(#client_hello{client_version = ClientVersion, random = Random} = Hello,
 %% Description: Handles a certificate handshake message
 %%--------------------------------------------------------------------
 certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef, 
-	MaxPathLen, Verify, VerifyFun) -> 
+	MaxPathLen, Verify, VerifyFun, ValidateFun, Role) -> 
     [PeerCert | _] = ASN1Certs,
     VerifyBool =  verify_bool(Verify),
-  
+      
+    ValidateExtensionFun = 
+	case ValidateFun of
+	    undefined ->
+		fun(Extensions, ValidationState, Verify0, AccError) ->
+			ssl_certificate:validate_extensions(Extensions, ValidationState,
+							   [], Verify0, AccError, Role)
+		end;
+	    Fun ->
+		fun(Extensions, ValidationState, Verify0, AccError) ->
+		 {NewExtensions, NewValidationState, NewAccError} 
+			    = ssl_certificate:validate_extensions(Extensions, ValidationState,
+								  [], Verify0, AccError, Role),
+			Fun(NewExtensions, NewValidationState, Verify0, NewAccError)
+		end
+	end,
     try
 	%% Allow missing root_cert and check that with VerifyFun
 	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef, false) of
@@ -174,6 +189,8 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
 						     [{max_path_length, 
 						       MaxPathLen},
 						      {verify, VerifyBool},
+						      {validate_extensions_fun, 
+						       ValidateExtensionFun},
 						      {acc_errors, 
 						       VerifyErrors}]),
 	    case Result of
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index ab24c28b2f..8d19abfe1e 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -57,6 +57,8 @@
 	  verify_fun, % fun(CertVerifyErrors) -> boolean()
 	  fail_if_no_peer_cert, % boolean()
 	  verify_client_once,  % boolean()
+	  %% fun(Extensions, State, Verify, AccError) ->  {Extensions, State, AccError}
+	  validate_extensions_fun, 
 	  depth,      % integer()
 	  certfile,   % file()
 	  keyfile,    % file()
author	Ingela Anderton Andin <[email protected]>	2010-04-13 14:00:59 +0000
committer	Erlang/OTP <[email protected]>	2010-04-13 14:00:59 +0000
commit	e8b92d40b92142d1654994f16855922b8060a484 (patch)
tree	a7fdce2a9c564646d8c309c3e6683f27a92e9bfd /lib/ssl/src
parent	3137955104f78ab1c42a00e9309d1b39577f506f (diff)
download	otp-e8b92d40b92142d1654994f16855922b8060a484.tar.gz otp-e8b92d40b92142d1654994f16855922b8060a484.tar.bz2 otp-e8b92d40b92142d1654994f16855922b8060a484.zip