authorIngela Anderton Andin <[email protected]>2010-09-09 17:07:22 +0200
committerIngela Anderton Andin <[email protected]>2010-09-10 12:16:34 +0200
commit6cced538abd4f8053c009b163efa8c6d568b9580 (patch)
tree20bd2188463ef85a9af163355f4da6bdaccd0e7a /lib/ssl
parentfb29cd6c08a77778fdf7258f5682108e46fe26af (diff)
Improved certificate extension handling
Added the functionality so that the verification fun is called when a certificate is considered valid by the path validation, giving the user application access to each certificate in the path. Removed the clause that only checked that an extension is not critical; it did not alter the verification result, it only withheld information from the application. Try to verify subjectAltName; if unable to verify it, let the application try.
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/doc/src/ssl.xml55
-rw-r--r--lib/ssl/src/ssl.erl8
-rw-r--r--lib/ssl/src/ssl_certificate.erl10
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl10
4 files changed, 46 insertions, 37 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 0f3054aec3..d5b7253ef3 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -202,16 +202,19 @@
<p>The verification fun should be defined as:</p>
<code>
- fun(OtpCert :: #'OtpCertificate'{},
- Event :: {bad_cert, Reason :: atom()} |
- {extension, #'Extension'{}}, InitialUserState :: term()) ->
- {valid, UserState :: term()} | {fail, Reason :: term()} |
- {unknown, UserState :: term()}.
+fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+ {extension, #'Extension'{}}, InitialUserState :: term()) ->
+ {valid, UserState :: term()} | {fail, Reason :: term()} |
+ {unknown, UserState :: term()}.
</code>
<p>The verify fun will be called during the X509-path
validation when an error or an extension unknown to the ssl
- application is encountered. See
+ application is encountered. Additionally it will be called
+ when a certificate is considered valid by the path validation
+ to allow access to each certificate in the path to the user
+ application.
+ See
<seealso marker="public_key:application">public_key(3)</seealso>
for definition of #'OtpCertificate'{} and #'Extension'{}.</p>
@@ -229,34 +232,32 @@
<p>The default verify_fun option in verify_peer mode:</p>
<code>
- {fun(_,{bad_cert, _} = Reason, _) ->
- {fail, Reason};
- (_,{extension, _}, UserState) ->
- {unknown, UserState}
- end, []}
+{fun(_,{bad_cert, _} = Reason, _) ->
+ {fail, Reason};
+ (_,{extension, _}, UserState) ->
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
+ end, []}
</code>
<p>The default verify_fun option in verify_none mode:</p>
<code>
- {fun(_,{bad_cert, unknown_ca}, UserState) ->
- {valid, UserState};
- (_,{bad_cert, _} = Reason, _) ->
- {fail, Reason};
- (_,{extension, _}, UserState) ->
- {unknown, UserState}
- end, []}
+{fun(_,{bad_cert, unknown_ca}, UserState) ->
+ {valid, UserState};
+ (_,{bad_cert, _} = Reason, _) ->
+ {fail, Reason};
+ (_,{extension, _}, UserState) ->
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
+ end, []}
</code>
- <p> Possible path validation errors:
- {bad_cert, cert_expired},
- {bad_cert, invalid_issuer},
- {bad_cert, invalid_signature},
- {bad_cert, unknown_ca},
- {bad_cert, name_not_permitted},
- {bad_cert, missing_basic_constraint},
- {bad_cert, invalid_key_usage},
- {bad_cert, invalid_subject_altname}</p>
+<p>Possible path validation errors: </p>
+
+<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p>
</item>
</taglist>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index cc01b35b64..12dffb413c 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -535,7 +535,9 @@ handle_options(Opts0, _Role) ->
(_,{bad_cert, _} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
- {unknown, UserState}
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
end, []},
UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
@@ -631,7 +633,9 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
{fail, Reason}
end;
(_,{extension, _}, UserState) ->
- {unknown, UserState}
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
end, Fun};
validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
Value;
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 6cf57ced81..206024315e 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -34,7 +34,6 @@
-export([trusted_cert_and_path/2,
certificate_chain/2,
file_to_certificats/1,
- %validate_extensions/6,
validate_extension/3,
is_valid_extkey_usage/2,
is_valid_key_usage/2,
@@ -118,8 +117,7 @@ file_to_certificats(File) ->
%% Description: Validates ssl/tls specific extensions
%%--------------------------------------------------------------------
validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage',
- extnValue = KeyUse,
- critical = true}}, Role) ->
+ extnValue = KeyUse}}, Role) ->
case is_valid_extkey_usage(KeyUse, Role) of
true ->
{valid, Role};
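Review bot: Dropping `critical = true` from the extKeyUsage match means is_valid_extkey_usage/2 now gates every extKeyUsage extension, critical or not, which agrees with RFC 5280 §4.2.1.12 (the purpose restriction applies regardless of the critical flag) but is a stricter acceptance rule than before, where a non-critical extKeyUsage fell through to the `{unknown, Role}` clause. Nothing in the hunk records that intent; a comment on the clause, e.g. `%% extKeyUsage restricts certificate use whether or not it is marked critical (RFC 5280 4.2.1.12)`, would stop a future maintainer from reinstating the criticality test. The `%% Description:` line above could also say that the function handles the `valid` and `{bad_cert, _}` events, not only extensions. The clause's `false ->` branch lies outside the hunk, so what a rejected key usage reports cannot be checked here.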
@@ -128,8 +126,10 @@ validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage',
end;
validate_extension(_, {bad_cert, _} = Reason, _) ->
{fail, Reason};
-validate_extension(_, _, Role) ->
- {unknown, Role}.
+validate_extension(_, {extension, _}, Role) ->
+ {unknown, Role};
+validate_extension(_, valid, Role) ->
+ {valid, Role}.
%%--------------------------------------------------------------------
-spec is_valid_key_usage(list(), term()) -> boolean().
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 1e96880801..3cb9337775 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2860,7 +2860,9 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
FunAndState = {fun(_,{bad_cert, _} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
- {unknown, UserState}
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
end, []},
Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
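Review bot: The suite changes only teach the existing test funs to swallow the new `valid` event; no test asserts that the fun is actually called with `valid` once per certificate in the path, which is the feature this commit introduces. A test whose fun accumulates the certificates it sees, e.g. `(OtpCert, valid, Acc) -> {valid, [OtpCert | Acc]}`, or sends a message to the test process on each `valid` call, and then checks the count against the expected chain length after the handshake would pin that behaviour and catch a regression where the event stops being delivered; whether the final user state is observable from the test depends on code outside this hunk. The enclosing test case unknown_server_ca_fail/1 starts before the hunk.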
@@ -2926,7 +2928,9 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
(_,{bad_cert, _} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
- {unknown, UserState}
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
end, []},
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
@@ -3095,7 +3099,7 @@ session_cache_process_mnesia(suite) ->
session_cache_process_mnesia(Config) when is_list(Config) ->
session_cache_process(mnesia,Config).
-session_cache_process(Type,Config) when is_list(Config) ->
+session_cache_process(_Type,Config) when is_list(Config) ->
reuse_session(Config).
init([Type]) ->