aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2010-08-27 10:06:22 +0200
committerIngela Anderton Andin <[email protected]>2010-09-01 08:34:52 +0200
commita6de8740405037bad55c09089f1d69c8c5511d6c (patch)
tree68e7c67d5809a6f6e05ac631fb64e70a447a9f35 /lib/ssl/src
parentcdf4fceaf40ddd00fa2d54d398828f0a4def1d70 (diff)
downloadotp-a6de8740405037bad55c09089f1d69c8c5511d6c.tar.gz
otp-a6de8740405037bad55c09089f1d69c8c5511d6c.tar.bz2
otp-a6de8740405037bad55c09089f1d69c8c5511d6c.zip
Empty certificate chain
Handling of unkown CA certificats was changed in ssl and public_key to work as intended. In the process of doing this some test cases has been corrected as they where wrong but happened to work together with the incorrect unknown CA handling.
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_certificate.erl31
-rw-r--r--lib/ssl/src/ssl_handshake.erl15
2 files changed, 19 insertions, 27 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 917e75157b..a42cd0c10d 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -31,7 +31,7 @@
-include("ssl_debug.hrl").
-include_lib("public_key/include/public_key.hrl").
--export([trusted_cert_and_path/3,
+-export([trusted_cert_and_path/2,
certificate_chain/2,
file_to_certificats/1,
validate_extensions/6,
@@ -47,14 +47,14 @@
%%====================================================================
%%--------------------------------------------------------------------
--spec trusted_cert_and_path([der_cert()], certdb_ref(), boolean()) ->
- {der_cert(), [der_cert()], list()}.
+-spec trusted_cert_and_path([der_cert()], certdb_ref()) ->
+ {der_cert() | unknown_ca, [der_cert()]}.
%%
%% Description: Extracts the root cert (if not presents tries to
%% look it up, if not found {bad_cert, unknown_ca} will be added verification
%% errors. Returns {RootCert, Path, VerifyErrors}
%%--------------------------------------------------------------------
-trusted_cert_and_path(CertChain, CertDbRef, Verify) ->
+trusted_cert_and_path(CertChain, CertDbRef) ->
[Cert | RestPath] = lists:reverse(CertChain),
OtpCert = public_key:pkix_decode_cert(Cert, otp),
IssuerAnPath =
@@ -71,24 +71,22 @@ trusted_cert_and_path(CertChain, CertDbRef, Verify) ->
{ok, IssuerId} ->
{IssuerId, [Cert | RestPath]};
Other ->
- {Other, RestPath}
+ {Other, [Cert | RestPath]}
end
end
end,
case IssuerAnPath of
- {{error, issuer_not_found}, _ } ->
- %% The root CA was not sent and can not be found, we fail if verify = true
- not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA), Verify, {Cert, RestPath});
+ {{error, issuer_not_found}, Path} ->
+ %% The root CA was not sent and can not be found.
+ {unknown_ca, Path};
{{SerialNr, Issuer}, Path} ->
- case ssl_manager:lookup_trusted_cert(CertDbRef,
- SerialNr, Issuer) of
+ case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
{ok, {BinCert,_}} ->
- {BinCert, Path, []};
+ {BinCert, Path};
_ ->
- %% Fail if verify = true
- not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA),
- Verify, {Cert, RestPath})
+ %% Root CA could not be verified
+ {unknown_ca, Path}
end
end.
@@ -244,11 +242,6 @@ find_issuer(OtpCert, PrevCandidateKey) ->
end
end.
-not_valid(Alert, true, _) ->
- throw(Alert);
-not_valid(_, false, {ErlCert, Path}) ->
- {ErlCert, Path, [{bad_cert, unknown_ca}]}.
-
is_valid_extkey_usage(KeyUse, client) ->
%% Client wants to verify server
is_valid_key_usage(KeyUse,?'id-kp-serverAuth');
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index ee725997a4..add5147fb4 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -203,18 +203,15 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
end
end,
try
- %% Allow missing root_cert and check that with VerifyFun
- ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef, false) of
- {TrustedErlCert, CertPath, VerifyErrors} ->
+ ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef) of
+ {TrustedErlCert, CertPath} ->
Result = public_key:pkix_path_validation(TrustedErlCert,
CertPath,
[{max_path_length,
MaxPathLen},
{verify, VerifyBool},
{validate_extensions_fun,
- ValidateExtensionFun},
- {acc_errors,
- VerifyErrors}]),
+ ValidateExtensionFun}]),
case Result of
{error, Reason} ->
path_validation_alert(Reason, Verify);
@@ -474,7 +471,7 @@ get_tls_handshake(Data, Buffer) ->
get_tls_handshake_aux(list_to_binary([Buffer, Data]), []).
%%--------------------------------------------------------------------
--spec dec_client_key(binary(), key_algo(), tls_version()) ->
+-spec decode_client_key(binary(), key_algo(), tls_version()) ->
#encrypted_premaster_secret{} | #client_diffie_hellman_public{}.
%%
%% Description: Decode client_key data and return appropriate type
@@ -510,6 +507,8 @@ path_validation_alert({bad_cert, unknown_critical_extension}, _) ->
?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
path_validation_alert({bad_cert, cert_revoked}, _) ->
?ALERT_REC(?FATAL, ?CERTIFICATE_REVOKED);
+path_validation_alert({bad_cert, unknown_ca}, _) ->
+ ?ALERT_REC(?FATAL, ?UNKNOWN_CA);
path_validation_alert(_, _) ->
?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE).
@@ -1129,7 +1128,7 @@ sig_alg(_) ->
key_exchange_alg(rsa) ->
?KEY_EXCHANGE_RSA;
key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
- Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
+ Alg == dh_dss; Alg == dh_rsa ->
?KEY_EXCHANGE_DIFFIE_HELLMAN;
key_exchange_alg(_) ->
?NULL.