aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/x509_test.erl
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2017-03-22 14:49:22 +0100
committerIngela Anderton Andin <[email protected]>2017-05-06 07:31:16 +0200
commite9b0dbb4a95dbc8e328f08d6df6654dcbe13db09 (patch)
treeb64d031b0f0d78a56fb4d5b25efdab3477f64aa8 /lib/ssl/test/x509_test.erl
parent9ac8bdb19f55c593b8b4b10a5d72032e33bef406 (diff)
downloadotp-e9b0dbb4a95dbc8e328f08d6df6654dcbe13db09.tar.gz
otp-e9b0dbb4a95dbc8e328f08d6df6654dcbe13db09.tar.bz2
otp-e9b0dbb4a95dbc8e328f08d6df6654dcbe13db09.zip
ssl: Add hostname check of server certificate
When the server_name_indication is sent automatize the clients check of that the hostname is present in the servers certificate. Currently server_name_indication shall be on the dns_id format. If server_name_indication is disabled it is up to the user to do its own check in the verify_fun.
Diffstat (limited to 'lib/ssl/test/x509_test.erl')
-rw-r--r--lib/ssl/test/x509_test.erl25
1 files changed, 17 insertions, 8 deletions
diff --git a/lib/ssl/test/x509_test.erl b/lib/ssl/test/x509_test.erl
index c36e96013b..4da1537ef6 100644
--- a/lib/ssl/test/x509_test.erl
+++ b/lib/ssl/test/x509_test.erl
@@ -105,7 +105,7 @@ root_cert(Role, PrivKey, Opts) ->
validity = validity(Opts),
subject = Issuer,
subjectPublicKeyInfo = public_key(PrivKey),
- extensions = extensions(ca, Opts)
+ extensions = extensions(Role, ca, Opts)
},
public_key:pkix_sign(OTPTBS, PrivKey).
@@ -175,22 +175,27 @@ validity(Opts) ->
#'Validity'{notBefore={generalTime, Format(DefFrom)},
notAfter ={generalTime, Format(DefTo)}}.
-extensions(Type, Opts) ->
+extensions(Role, Type, Opts) ->
Exts = proplists:get_value(extensions, Opts, []),
- lists:flatten([extension(Ext) || Ext <- default_extensions(Type, Exts)]).
+ lists:flatten([extension(Ext) || Ext <- default_extensions(Role, Type, Exts)]).
%% Common extension: name_constraints, policy_constraints, ext_key_usage, inhibit_any,
%% auth_key_id, subject_key_id, policy_mapping,
-default_extensions(ca, Exts) ->
+default_extensions(_, ca, Exts) ->
Def = [{key_usage, [keyCertSign, cRLSign]},
{basic_constraints, default}],
add_default_extensions(Def, Exts);
-default_extensions(peer, Exts) ->
- Def = [{key_usage, [digitalSignature, keyAgreement]}],
- add_default_extensions(Def, Exts).
+default_extensions(server, peer, Exts) ->
+ Hostname = net_adm:localhost(),
+ Def = [{key_usage, [digitalSignature, keyAgreement]},
+ {subject_alt, Hostname}],
+ add_default_extensions(Def, Exts);
+default_extensions(_, peer, Exts) ->
+ Exts.
+
add_default_extensions(Def, Exts) ->
Filter = fun({Key, _}, D) ->
lists:keydelete(Key, 1, D);
@@ -228,6 +233,10 @@ extension({key_usage, Value}) ->
#'Extension'{extnID = ?'id-ce-keyUsage',
extnValue = Value,
critical = false};
+extension({subject_alt, Hostname}) ->
+ #'Extension'{extnID = ?'id-ce-subjectAltName',
+ extnValue = [{dNSName, Hostname}],
+ critical = false};
extension({Id, Data, Critical}) ->
#'Extension'{extnID = Id, extnValue = Data, critical = Critical}.
@@ -309,7 +318,7 @@ cert(Role, #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = Iss
validity = validity(CertOpts),
subject = subject(Contact, atom_to_list(Role) ++ Name),
subjectPublicKeyInfo = public_key(Key),
- extensions = extensions(Type,
+ extensions = extensions(Role, Type,
add_default_extensions([{auth_key_id, {auth_key_oid(Role), Issuer, SNr}}],
CertOpts))
},