Empty certificate chain

Handling of unkown CA certificats was changed in ssl and
public_key to work as intended.

In the process of doing this some test cases has been corrected as
they where wrong but happened to work together with the
incorrect unknown CA handling.

3 files changed, 93 insertions, 25 deletions

diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index c9db0d3851..f8aef55754 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -66,9 +66,9 @@ make_cert(Opts) ->
 %% @end
 %%--------------------------------------------------------------------
 write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
-    ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ ".pem"), 
+    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
 			       [{'Certificate', Cert, not_encrypted}]),
-    ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
+    ok = der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
 
 %%--------------------------------------------------------------------
 %% @doc Creates a rsa key (OBS: for testing only)
@@ -144,34 +144,39 @@ encode_key(Key = #'DSAPrivateKey'{}) ->
 
 make_tbs(SubjectKey, Opts) ->    
     Version = list_to_atom("v"++integer_to_list(proplists:get_value(version, Opts, 3))),
-    {Issuer, IssuerKey}  = issuer(Opts, SubjectKey),
+
+    IssuerProp = proplists:get_value(issuer, Opts, true),
+    {Issuer, IssuerKey}  = issuer(IssuerProp, Opts, SubjectKey),
 
     {Algo, Parameters} = sign_algorithm(IssuerKey, Opts),
     
     SignAlgo = #'SignatureAlgorithm'{algorithm  = Algo,
 				     parameters = Parameters},    
-    
+    Subject = case IssuerProp of
+		  true -> %% Is a Root Ca
+		      Issuer;
+		  _ ->
+		      subject(proplists:get_value(subject, Opts),false)
+	      end,
+
     {#'OTPTBSCertificate'{serialNumber = trunc(random:uniform()*100000000)*10000 + 1,
 			  signature    = SignAlgo,
 			  issuer       = Issuer,
 			  validity     = validity(Opts),
-			  subject      = subject(proplists:get_value(subject, Opts),false),
+			  subject      = Subject,
 			  subjectPublicKeyInfo = publickey(SubjectKey),
 			  version      = Version,
 			  extensions   = extensions(Opts)
 			 }, IssuerKey}.
 
-issuer(Opts, SubjectKey) ->
-    IssuerProp = proplists:get_value(issuer, Opts, true),
-    case IssuerProp of 
-	true -> %% Self signed
-	    {subject(proplists:get_value(subject, Opts), true), SubjectKey};
-	{Issuer, IssuerKey} when is_binary(Issuer) ->
-	    {issuer_der(Issuer), decode_key(IssuerKey)};
-        {File, IssuerKey} when is_list(File) ->
-	    {ok, [{cert, Cert, _}|_]} = public_key:pem_to_der(File),
-	    {issuer_der(Cert), decode_key(IssuerKey)}
-    end.
+issuer(true, Opts, SubjectKey) ->
+    %% Self signed
+    {subject(proplists:get_value(subject, Opts), true), SubjectKey};
+issuer({Issuer, IssuerKey}, _Opts, _SubjectKey) when is_binary(Issuer) ->
+    {issuer_der(Issuer), decode_key(IssuerKey)};
+issuer({File, IssuerKey}, _Opts, _SubjectKey) when is_list(File) ->
+    {ok, [{cert, Cert, _}|_]} = public_key:pem_to_der(File),
+    {issuer_der(Cert), decode_key(IssuerKey)}.
 
 issuer_der(Issuer) ->
     Decoded = public_key:pkix_decode_cert(Issuer, otp),
@@ -179,8 +184,8 @@ issuer_der(Issuer) ->
     #'OTPTBSCertificate'{subject=Subject} = Tbs,
     Subject.
 
-subject(undefined, IsCA) ->
-    User = if IsCA -> "CA"; true -> os:getenv("USER") end,
+subject(undefined, IsRootCA) ->
+    User = if IsRootCA -> "RootCA"; true -> os:getenv("USER") end,
     Opts = [{email, User ++ "@erlang.org"},
 	    {name, User},
 	    {city, "Stockholm"},
@@ -267,7 +272,7 @@ publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.
 
 validity(Opts) ->
-    DefFrom0 = date(),
+    DefFrom0 = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())-1),
     DefTo0   = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())+7),
     {DefFrom, DefTo} = proplists:get_value(validity, Opts, {DefFrom0, DefTo0}),
     Format = fun({Y,M,D}) -> lists:flatten(io_lib:format("~w~2..0w~2..0w000000Z",[Y,M,D])) end,
@@ -406,3 +411,11 @@ extended_gcd(A, B) ->
 	    {X, Y} = extended_gcd(B, N),
 	    {Y, X-Y*(A div B)}
     end.
+
+pem_to_der(File) ->
+    {ok, PemBin} = file:read_file(File),
+    public_key:pem_decode(PemBin).
+
+der_to_pem(File, Entries) ->
+    PemBin = public_key:pem_encode(Entries),
+    file:write_file(File, PemBin).
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index c6807c7b32..d50b34b6ac 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -234,7 +234,8 @@ all(suite) ->
      server_no_wrap_sequence_number, extended_key_usage,
      validate_extensions_fun, no_authority_key_identifier,
      invalid_signature_client, invalid_signature_server, cert_expired,
-     client_with_cert_cipher_suites_handshake
+     client_with_cert_cipher_suites_handshake, unknown_server_ca_fail,
+     unknown_server_ca_accept
     ].
 
 %% Test cases starts here.
@@ -2613,12 +2614,13 @@ validate_extensions_fun(Config) when is_list(Config) ->
 
 %%--------------------------------------------------------------------
 no_authority_key_identifier(doc) -> 
-    ["Test cert that does not have authorityKeyIdentifier extension"];
+    ["Test cert that does not have authorityKeyIdentifier extension"
+     " but are present in trusted certs db."];
 
 no_authority_key_identifier(suite) -> 
     [];
 no_authority_key_identifier(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2676,7 +2678,7 @@ invalid_signature_server(suite) ->
     [];
 
 invalid_signature_server(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_verification_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2793,7 +2795,7 @@ cert_expired(suite) ->
     [];
 
 cert_expired(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_verification_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2882,6 +2884,59 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
     ssl_test_lib:check_result(Server, ok, Client, ok),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
+%%--------------------------------------------------------------------
+unknown_server_ca_fail(doc) ->
+    ["Test that the client fails if the ca is unknown in verify_peer mode"];
+unknown_server_ca_fail(suite) ->
+    [];
+unknown_server_ca_fail(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_opts, Config),
+    ServerOpts =  ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options, ServerOpts}]),
+    Port  = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options,
+					       [{verify, verify_peer}| ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, {error,"unknown ca"}, Client, {error, "unknown ca"}),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+unknown_server_ca_accept(doc) ->
+    ["Test that the client succeds if the ca is unknown in verify_none mode"];
+unknown_server_ca_accept(suite) ->
+    [];
+unknown_server_ca_accept(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_opts, Config),
+    ServerOpts =  ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {?MODULE,
+					       send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port  = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {?MODULE,
+					       send_recv_result_active, []}},
+					{options,
+					 [{verify, verify_none}| ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
 %%% Internal functions
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index c35178460f..ce164f7e4c 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -332,7 +332,7 @@ make_dsa_cert(Config) ->
 				 {cacertfile, ServerCaCertFile},
 				 {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
      {server_dsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, 
-			       {cacertfile, ServerCaCertFile},
+			       {cacertfile, ClientCaCertFile},
 			       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			       {verify, verify_peer}]},
      {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true},