aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/x509_test.erl
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2017-03-31 15:39:57 +0200
committerIngela Anderton Andin <[email protected]>2017-04-12 11:01:49 +0200
commit1d019afd9d69eaa566d652117b607c83bfb93b31 (patch)
tree3024a6e68eba1dc399941d3817570535dd688f9d /lib/ssl/test/x509_test.erl
parentf606520095236e8dabb85564d3e91361e0b57b6e (diff)
downloadotp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.gz
otp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.bz2
otp-1d019afd9d69eaa566d652117b607c83bfb93b31.zip
ssl: Generate correct certificate chains for the ECC tests
The certificate chain handling had become quite entangled and was not correct.
Diffstat (limited to 'lib/ssl/test/x509_test.erl')
-rw-r--r--lib/ssl/test/x509_test.erl155
1 files changed, 83 insertions, 72 deletions
diff --git a/lib/ssl/test/x509_test.erl b/lib/ssl/test/x509_test.erl
index 5cd5c8eca7..13f8dfdaa9 100644
--- a/lib/ssl/test/x509_test.erl
+++ b/lib/ssl/test/x509_test.erl
@@ -20,36 +20,36 @@
%%
--module(x509_test).
+ -module(x509_test).
--include_lib("public_key/include/public_key.hrl").
+ -include_lib("public_key/include/public_key.hrl").
--export([gen_test_certs/1, gen_pem_config_files/4]).
+ -export([gen_test_certs/1, gen_pem_config_files/3]).
-gen_test_certs(Opts) ->
- SRootKey = gen_key(proplists:get_value(server_key_gen, Opts)),
- CRootKey = gen_key(proplists:get_value(client_key_gen, Opts)),
- ServerRoot = root_cert("server", SRootKey, Opts),
- ClientRoot = root_cert("client", CRootKey, Opts),
- [{ServerCert, ServerKey} | ServerCAsKeys] = config(server, ServerRoot, SRootKey, Opts),
- [{ClientCert, ClientKey} | ClientCAsKeys] = config(client, ClientRoot, CRootKey, Opts),
- ServerCAs = ca_config(ClientRoot, ServerCAsKeys),
- ClientCAs = ca_config(ServerRoot, ClientCAsKeys),
- [{server_config, [{cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCAs}]},
- {client_config, [{cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCAs}]}].
+ gen_test_certs(Opts) ->
+ SRootKey = gen_key(proplists:get_value(server_key_gen, Opts)),
+ CRootKey = gen_key(proplists:get_value(client_key_gen, Opts)),
+ ServerRoot = root_cert("server", SRootKey, Opts),
+ ClientRoot = root_cert("client", CRootKey, Opts),
+ [{ServerCert, ServerKey} | ServerCAsKeys] = config(server, ServerRoot, SRootKey, Opts),
+ [{ClientCert, ClientKey} | ClientCAsKeys] = config(client, ClientRoot, CRootKey, Opts),
+ ServerCAs = ca_config(ClientRoot, ServerCAsKeys),
+ ClientCAs = ca_config(ServerRoot, ClientCAsKeys),
+ [{server_config, [{cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCAs}]},
+ {client_config, [{cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCAs}]}].
-gen_pem_config_files(GenCertData, CertFileBase, KeyFileBase, CAFileBase) ->
+gen_pem_config_files(GenCertData, ClientBase, ServerBase) ->
ServerConf = proplists:get_value(server_config, GenCertData),
ClientConf = proplists:get_value(client_config, GenCertData),
- ServerCaCertFile = filename:join("server_", CAFileBase),
- ServerCertFile = filename:join("server_", CertFileBase),
- ServerKeyFile = filename:join("server_", KeyFileBase),
-
- ClientCaCertFile = filename:join("client_", CAFileBase),
- ClientCertFile = filename:join("client_", CertFileBase),
- ClientKeyFile = filename:join("client_", KeyFileBase),
+ ServerCaCertFile = ServerBase ++ "_server_cacerts.pem",
+ ServerCertFile = ServerBase ++ "_server_cert.pem",
+ ServerKeyFile = ServerBase ++ "_server_key.pem",
+ ClientCaCertFile = ClientBase ++ "_client_cacerts.pem",
+ ClientCertFile = ClientBase ++ "_client_cert.pem",
+ ClientKeyFile = ClientBase ++ "_client_key.pem",
+
do_gen_pem_config_files(ServerConf,
ServerCertFile,
ServerKeyFile,
@@ -58,59 +58,60 @@ gen_pem_config_files(GenCertData, CertFileBase, KeyFileBase, CAFileBase) ->
ClientCertFile,
ClientKeyFile,
ClientCaCertFile),
- [{server_config, [{certfile, ServerCertFile}, {keyfile, ServerKeyFile}, {cacertfile, ServerCaCertFile}]},
- {client_config, [{certfile, ClientCertFile}, {keyfile, ClientKeyFile}, {cacertfile, ClientCaCertFile}]}].
+ [{server_config, [{certfile, ServerCertFile},
+ {keyfile, ServerKeyFile}, {cacertfile, ServerCaCertFile}]},
+ {client_config, [{certfile, ClientCertFile},
+ {keyfile, ClientKeyFile}, {cacertfile, ClientCaCertFile}]}].
-
-do_gen_pem_config_files(Config, CertFile, KeyFile, CAFile) ->
- CAs = proplists:get_value(cacerts, Config),
- Cert = proplists:get_value(cert, Config),
- Key = proplists:get_value(key, Config),
- der_to_pem(CertFile, [cert_entry(Cert)]),
- der_to_pem(KeyFile, [key_entry(Key)]),
- der_to_pem(CAFile, ca_entries(CAs)).
-
-cert_entry(Cert) ->
- {'Certificate', Cert, not_encrypted}.
-
-key_entry(Key = #'RSAPrivateKey'{}) ->
- Der = public_key:der_encode('RSAPrivateKey', Key),
- {'RSAPrivateKey', Der, not_encrypted};
-key_entry(Key = #'DSAPrivateKey'{}) ->
- Der = public_key:der_encode('DSAPrivateKey', Key),
- {'DSAPrivateKey', Der, not_encrypted};
-key_entry(Key = #'ECPrivateKey'{}) ->
- Der = public_key:der_encode('ECPrivateKey', Key),
- {'ECPrivateKey', Der, not_encrypted}.
-
-ca_entries(CAs) ->
- [{'Certificate', CACert, not_encrypted} || CACert <- CAs].
-
-gen_key(KeyGen) ->
- case is_key(KeyGen) of
- true ->
- KeyGen;
- false ->
- public_key:generate_key(KeyGen)
- end.
-root_cert(Role, PrivKey, Opts) ->
- TBS = cert_template(),
- Issuer = issuer("root", Role, " ROOT CA"),
- OTPTBS = TBS#'OTPTBSCertificate'{
- signature = sign_algorithm(PrivKey, Opts),
- issuer = Issuer,
- validity = validity(Opts),
- subject = Issuer,
- subjectPublicKeyInfo = public_key(PrivKey),
- extensions = extensions(Opts)
- },
- public_key:pkix_sign(OTPTBS, PrivKey).
+ do_gen_pem_config_files(Config, CertFile, KeyFile, CAFile) ->
+ CAs = proplists:get_value(cacerts, Config),
+ Cert = proplists:get_value(cert, Config),
+ Key = proplists:get_value(key, Config),
+ der_to_pem(CertFile, [cert_entry(Cert)]),
+ der_to_pem(KeyFile, [key_entry(Key)]),
+ der_to_pem(CAFile, ca_entries(CAs)).
+
+ cert_entry(Cert) ->
+ {'Certificate', Cert, not_encrypted}.
+
+ key_entry(Key = #'RSAPrivateKey'{}) ->
+ Der = public_key:der_encode('RSAPrivateKey', Key),
+ {'RSAPrivateKey', Der, not_encrypted};
+ key_entry(Key = #'DSAPrivateKey'{}) ->
+ Der = public_key:der_encode('DSAPrivateKey', Key),
+ {'DSAPrivateKey', Der, not_encrypted};
+ key_entry(Key = #'ECPrivateKey'{}) ->
+ Der = public_key:der_encode('ECPrivateKey', Key),
+ {'ECPrivateKey', Der, not_encrypted}.
+
+ ca_entries(CAs) ->
+ [{'Certificate', CACert, not_encrypted} || CACert <- CAs].
+
+ gen_key(KeyGen) ->
+ case is_key(KeyGen) of
+ true ->
+ KeyGen;
+ false ->
+ public_key:generate_key(KeyGen)
+ end.
+
+ root_cert(Role, PrivKey, Opts) ->
+ TBS = cert_template(),
+ Issuer = issuer("root", Role, " ROOT CA"),
+ OTPTBS = TBS#'OTPTBSCertificate'{
+ signature = sign_algorithm(PrivKey, Opts),
+ issuer = Issuer,
+ validity = validity(Opts),
+ subject = Issuer,
+ subjectPublicKeyInfo = public_key(PrivKey),
+ extensions = extensions(Opts)
+ },
+ public_key:pkix_sign(OTPTBS, PrivKey).
config(Role, Root, Key, Opts) ->
- KeyGenOpt = list_to_atom(atom_to_list(Role) ++ "key_gen_chain"),
- KeyGens = proplists:get_value(KeyGenOpt, Opts, [{namedCurve, hd(tls_v1:ecc_curves(0))},
- {namedCurve, hd(tls_v1:ecc_curves(0))}]),
+ KeyGenOpt = list_to_atom(atom_to_list(Role) ++ "_key_gen_chain"),
+ KeyGens = proplists:get_value(KeyGenOpt, Opts, default_key_gen()),
Keys = lists:map(fun gen_key/1, KeyGens),
cert_chain(Role, Root, Key, Opts, Keys).
@@ -276,7 +277,8 @@ cert_chain(Role, Root, RootKey, Opts, Keys) ->
cert_chain(Role, Root, RootKey, Opts, Keys, 0, []).
cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key], _, Acc) ->
- Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), IssuerKey, Key, "admin", " Peer cert", Opts),
+ Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp),
+ IssuerKey, Key, "admin", " Peer cert", Opts),
[{Cert, Key}, {IssuerCert, IssuerKey} | Acc];
cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key | Keys], N, Acc) ->
Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), IssuerKey, Key, "webadmin",
@@ -308,3 +310,12 @@ is_key(_) ->
der_to_pem(File, Entries) ->
PemBin = public_key:pem_encode(Entries),
file:write_file(File, PemBin).
+
+default_key_gen() ->
+ case tls_v1:ecc_curves(0) of
+ [] ->
+ [{rsa, 2048, 17}, {rsa, 2048, 17}];
+ [_|_] ->
+ [{namedCurve, hd(tls_v1:ecc_curves(0))},
+ {namedCurve, hd(tls_v1:ecc_curves(0))}]
+ end.