Merge branch 'ia/ssl/certificate_types/certificate_requests/OTP-12026' into maint

* ia/ssl/certificate_types/certificate_requests/OTP-12026:
  public_key: Updated User Guide with ECC records
  ssl: Make sure the correct ROOT-cert is used
  ssl: Test ECDSA and improve test suite maintainability
  public_key: Correct ASN1-type EcpkParameters in PEM handling
  public_key: Correct ASN-1 spec
  ssl: Correct handling of certificate_types in Certificate Requests

2 files changed, 46 insertions, 13 deletions

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index b186a1015a..53366b060c 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014 All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -232,7 +232,12 @@ find_issuer(OtpCert, CertDbHandle) ->
     IsIssuerFun = fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
 			  case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
 			      true ->
-				  throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+				  case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
+				      true ->
+					  throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+				      false ->
+					  Acc
+				  end;
 			      false ->
 				  Acc
 			  end;
@@ -254,3 +259,19 @@ is_valid_extkey_usage(KeyUse, client) ->
 is_valid_extkey_usage(KeyUse, server) ->
     %% Server wants to verify client
     is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
+
+verify_cert_signer(OtpCert, SignerTBSCert) -> 
+    PublicKey = public_key(SignerTBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo),
+    public_key:pkix_verify(public_key:pkix_encode('OTPCertificate', OtpCert, otp),  PublicKey).
+
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
+									parameters = Params},
+				      subjectPublicKey = Point}) ->
+    {Point, Params};
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'rsaEncryption'}, 
+				      subjectPublicKey = Key}) ->
+    Key;
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-dsa',
+									parameters = {params, Params}},
+				      subjectPublicKey = Key}) ->
+    {Key, Params}.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index b018332df1..25bdc5ef93 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -207,7 +207,7 @@ client_certificate_verify(OwnCert, MasterSecret, Version,
 %% Description: Creates a certificate_request message, called by the server.
 %%--------------------------------------------------------------------
 certificate_request(CipherSuite, CertDbHandle, CertDbRef, Version) ->
-    Types = certificate_types(CipherSuite),
+    Types = certificate_types(ssl_cipher:suite_definition(CipherSuite), Version),
     HashSigns = advertised_hash_signs(Version),
     Authorities = certificate_authorities(CertDbHandle, CertDbRef),
     #certificate_request{
@@ -1098,19 +1098,31 @@ supported_ecc(_) ->
 
 %%-------------certificate handling --------------------------------
 
-certificate_types({KeyExchange, _, _, _})
-  when KeyExchange == rsa;
-       KeyExchange == dhe_dss;
-       KeyExchange == dhe_rsa;
-       KeyExchange == ecdhe_rsa ->
-    <<?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>;
+certificate_types(_, {N, M}) when N >= 3 andalso M >= 3 ->
+    case proplists:get_bool(ecdsa,  
+			    proplists:get_value(public_keys, crypto:supports())) of
+	true ->
+	    <<?BYTE(?ECDSA_SIGN), ?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>;
+	false ->
+	    <<?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>
+    end;
+
+certificate_types({KeyExchange, _, _, _}, _) when KeyExchange == rsa;
+						  KeyExchange == dhe_rsa;
+						  KeyExchange == ecdhe_rsa ->
+    <<?BYTE(?RSA_SIGN)>>;
+
+certificate_types({KeyExchange, _, _, _}, _)  when KeyExchange == dhe_dss,
+						   KeyExchange == srp_dss ->
+    <<?BYTE(?DSS_SIGN)>>;
 
-certificate_types({KeyExchange, _, _, _})
-  when KeyExchange == dh_ecdsa;
-       KeyExchange == dhe_ecdsa ->
+certificate_types({KeyExchange, _, _, _}, _) when KeyExchange == dh_ecdsa;
+						  KeyExchange == dhe_ecdsa;
+						  KeyExchange == ecdh_ecdsa;
+						  KeyExchange == ecdhe_ecdsa ->
     <<?BYTE(?ECDSA_SIGN)>>;
 
-certificate_types(_) ->
+certificate_types(_, _) ->
     <<?BYTE(?RSA_SIGN)>>.
 
 certificate_authorities(CertDbHandle, CertDbRef) ->