Empty certificate chain

Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.

In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.

2 files changed, 19 insertions, 27 deletions

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 917e75157b..a42cd0c10d 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -31,7 +31,7 @@
 -include("ssl_debug.hrl").
 -include_lib("public_key/include/public_key.hrl"). 
 
--export([trusted_cert_and_path/3, 
+-export([trusted_cert_and_path/2,
 	 certificate_chain/2, 
 	 file_to_certificats/1,
 	 validate_extensions/6,
@@ -47,14 +47,14 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec trusted_cert_and_path([der_cert()], certdb_ref(), boolean()) -> 
-				   {der_cert(), [der_cert()], list()}.
+-spec trusted_cert_and_path([der_cert()], certdb_ref()) ->
+				   {der_cert() | unknown_ca, [der_cert()]}.
 %%
 %% Description: Extracts the root cert (if not presents tries to 
 %% look it up, if not found {bad_cert, unknown_ca} will be added verification
 %% errors. Returns {RootCert, Path, VerifyErrors}
 %%--------------------------------------------------------------------
-trusted_cert_and_path(CertChain, CertDbRef, Verify) ->
+trusted_cert_and_path(CertChain, CertDbRef) ->
     [Cert | RestPath] = lists:reverse(CertChain),
     OtpCert = public_key:pkix_decode_cert(Cert, otp),
     IssuerAnPath = 
@@ -71,24 +71,22 @@ trusted_cert_and_path(CertChain, CertDbRef, Verify) ->
 			    {ok, IssuerId} ->
 				{IssuerId, [Cert | RestPath]};
 			    Other ->
-				{Other, RestPath}
+				{Other, [Cert | RestPath]}
 			end
 		end
 	end,
     
     case IssuerAnPath of
-	{{error, issuer_not_found}, _ } ->
-	    %% The root CA was not sent and can not be found, we fail if verify = true
-	    not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA), Verify, {Cert, RestPath});
+	{{error, issuer_not_found}, Path} ->
+	    %% The root CA was not sent and can not be found.
+	    {unknown_ca, Path};
 	{{SerialNr, Issuer}, Path} ->
-	    case ssl_manager:lookup_trusted_cert(CertDbRef, 
-							SerialNr, Issuer) of
+	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
 		{ok, {BinCert,_}} ->
-		    {BinCert, Path, []};
+		    {BinCert, Path};
 		_ ->
-		    %%  Fail if verify = true
-		    not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA),
-			     Verify,  {Cert, RestPath})
+		    %% Root CA could not be verified
+		    {unknown_ca, Path}
 	    end
     end.
 
@@ -244,11 +242,6 @@ find_issuer(OtpCert, PrevCandidateKey) ->
 	    end
     end.
 
-not_valid(Alert, true, _) ->
-    throw(Alert);
-not_valid(_, false, {ErlCert, Path}) ->
-    {ErlCert, Path, [{bad_cert, unknown_ca}]}.
-
 is_valid_extkey_usage(KeyUse, client) ->
     %% Client wants to verify server
     is_valid_key_usage(KeyUse,?'id-kp-serverAuth');
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index ee725997a4..add5147fb4 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -203,18 +203,15 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
 		end
 	end,
     try
-	%% Allow missing root_cert and check that with VerifyFun
-	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef, false) of
-	{TrustedErlCert, CertPath, VerifyErrors} ->
+	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef) of
+	{TrustedErlCert, CertPath} ->
 	    Result = public_key:pkix_path_validation(TrustedErlCert, 
 						     CertPath, 
 						     [{max_path_length, 
 						       MaxPathLen},
 						      {verify, VerifyBool},
 						      {validate_extensions_fun, 
-						       ValidateExtensionFun},
-						      {acc_errors, 
-						       VerifyErrors}]),
+						       ValidateExtensionFun}]),
 	    case Result of
 		{error, Reason} ->
 		    path_validation_alert(Reason, Verify);
@@ -474,7 +471,7 @@ get_tls_handshake(Data, Buffer) ->
     get_tls_handshake_aux(list_to_binary([Buffer, Data]), []).
 
 %%--------------------------------------------------------------------
--spec dec_client_key(binary(), key_algo(), tls_version()) ->
+-spec decode_client_key(binary(), key_algo(), tls_version()) ->
 			    #encrypted_premaster_secret{} | #client_diffie_hellman_public{}.
 %%
 %% Description: Decode client_key data and return appropriate type
@@ -510,6 +507,8 @@ path_validation_alert({bad_cert, unknown_critical_extension}, _) ->
     ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
 path_validation_alert({bad_cert, cert_revoked}, _) ->
     ?ALERT_REC(?FATAL, ?CERTIFICATE_REVOKED);
+path_validation_alert({bad_cert, unknown_ca}, _) ->
+     ?ALERT_REC(?FATAL, ?UNKNOWN_CA);
 path_validation_alert(_, _) ->
     ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE).
 
@@ -1129,7 +1128,7 @@ sig_alg(_) ->
 key_exchange_alg(rsa) ->
     ?KEY_EXCHANGE_RSA;
 key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
-			    Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
+			    Alg == dh_dss; Alg == dh_rsa  ->
     ?KEY_EXCHANGE_DIFFIE_HELLMAN;
 key_exchange_alg(_) ->
     ?NULL.