diff options
author | Raimo Niskanen <[email protected]> | 2018-04-24 09:34:51 +0200 |
---|---|---|
committer | Raimo Niskanen <[email protected]> | 2018-04-24 09:34:51 +0200 |
commit | b5ec77bf908877d7471997527959e3d98d45bd96 (patch) | |
tree | b9f626e0ecfcd0b05c7d0975f4e45090753fb3d5 /lib/ssl/src | |
parent | 4c4d861792d79ac7773548c089b7a93bc2c72a51 (diff) | |
download | otp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.gz otp-b5ec77bf908877d7471997527959e3d98d45bd96.tar.bz2 otp-b5ec77bf908877d7471997527959e3d98d45bd96.zip |
Parse cert primarily for host names
Diffstat (limited to 'lib/ssl/src')
-rw-r--r-- | lib/ssl/src/inet_tls_dist.erl | 65 |
1 files changed, 36 insertions, 29 deletions
diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl index d4215c8f83..3fab89fa97 100644 --- a/lib/ssl/src/inet_tls_dist.erl +++ b/lib/ssl/src/inet_tls_dist.erl @@ -585,7 +585,10 @@ get_ifs(#sslsocket{fd = {gen_tcp, Socket, _}}) -> %% Look in Extensions, in all subjectAltName:s -%% to find node names in this certificate +%% to find node names in this certificate. +%% Host names are picked up as a subjectAltName containing +%% a dNSName, and the first subjectAltName containing +%% a commonName is the node name. %% cert_nodes( #'OTPCertificate'{ @@ -594,48 +597,52 @@ cert_nodes( parse_extensions(Extensions) when is_list(Extensions) -> - parse_extensions(Extensions, []); + parse_extensions(Extensions, [], none); parse_extensions(asn1_NOVALUE) -> []. %% -parse_extensions([], CertNodes) -> - CertNodes; -%% -%% XXX Why are all extnValue:s sequences? -%% Should we parse all members? -%% -parse_extensions( - [#'Extension'{ - extnID = ?'id-ce-subjectAltName', - extnValue = [{dNSName,OtherNode}|_]} - |Extensions], - CertNodes) -> - parse_extensions(Extensions, [OtherNode|CertNodes]); -parse_extensions( - [#'Extension'{ - extnID = ?'id-ce-subjectAltName', - extnValue = [{rfc822Name,OtherNode}|_]} - |Extensions], - CertNodes) -> - parse_extensions(Extensions, [OtherNode|CertNodes]); +parse_extensions([], Hosts, none) -> + lists:reverse(Hosts); +parse_extensions([], Hosts, Name) -> + [Name ++ "@" ++ Host || Host <- lists:reverse(Hosts)]; parse_extensions( [#'Extension'{ extnID = ?'id-ce-subjectAltName', - extnValue = [{directoryName,{rdnSequence,[Rdn|_]}}|_]} + extnValue = AltNames} |Extensions], - CertNodes) -> + Hosts, Name) -> + case parse_subject_altname(AltNames) of + none -> + parse_extensions(Extensions, Hosts, Name); + {host,Host} -> + parse_extensions(Extensions, [Host|Hosts], Name); + {name,NewName} when Name =:= none -> + parse_extensions(Extensions, Hosts, NewName); + {Name,_} -> + parse_extensions(Extensions, Hosts, Name) + end; +parse_extensions([_|Extensions], Hosts, Name) -> + parse_extensions(Extensions, Hosts, Name). + +parse_subject_altname([]) -> + none; +parse_subject_altname([{dNSName,Host}|_AltNames]) -> + {host,Host}; +parse_subject_altname( + [{directoryName,{rdnSequence,[Rdn|_]}}|AltNames]) -> %% %% XXX Why is rdnSequence a sequence? %% Should we parse all members? %% case parse_rdn(Rdn) of none -> - parse_extensions(Extensions, CertNodes); - OtherNode -> - parse_extensions(Extensions, [OtherNode|CertNodes]) + parse_subject_altname(AltNames); + Name -> + {name,Name} end; -parse_extensions([_|Extensions], CertNodes) -> - parse_extensions(Extensions, CertNodes). +parse_subject_altname([_|AltNames]) -> + parse_subject_altname(AltNames). + parse_rdn([]) -> none; |