diff options
author | Ingela Anderton Andin <[email protected]> | 2010-09-09 17:07:22 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2010-09-10 12:16:34 +0200 |
commit | 6cced538abd4f8053c009b163efa8c6d568b9580 (patch) | |
tree | 20bd2188463ef85a9af163355f4da6bdaccd0e7a /lib/ssl | |
parent | fb29cd6c08a77778fdf7258f5682108e46fe26af (diff) | |
download | otp-6cced538abd4f8053c009b163efa8c6d568b9580.tar.gz otp-6cced538abd4f8053c009b163efa8c6d568b9580.tar.bz2 otp-6cced538abd4f8053c009b163efa8c6d568b9580.zip |
Improved certificate extension handling
Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.
Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.
Try to verify subject-AltName, if unable to verify it let
application try.
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/doc/src/ssl.xml | 55 | ||||
-rw-r--r-- | lib/ssl/src/ssl.erl | 8 | ||||
-rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 10 | ||||
-rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 10 |
4 files changed, 46 insertions, 37 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 0f3054aec3..d5b7253ef3 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -202,16 +202,19 @@ <p>The verification fun should be defined as:</p> <code> - fun(OtpCert :: #'OtpCertificate'{}, - Event :: {bad_cert, Reason :: atom()} | - {extension, #'Extension'{}}, InitialUserState :: term()) -> - {valid, UserState :: term()} | {fail, Reason :: term()} | - {unknown, UserState :: term()}. +fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | + {extension, #'Extension'{}}, InitialUserState :: term()) -> + {valid, UserState :: term()} | {fail, Reason :: term()} | + {unknown, UserState :: term()}. </code> <p>The verify fun will be called during the X509-path validation when an error or an extension unknown to the ssl - application is encountered. See + application is encountered. Additionally it will be called + when a certificate is considered valid by the path validation + to allow access to each certificate in the path to the user + application. + See <seealso marker="public_key:application">public_key(3)</seealso> for definition of #'OtpCertificate'{} and #'Extension'{}.</p> @@ -229,34 +232,32 @@ <p>The default verify_fun option in verify_peer mode:</p> <code> - {fun(_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState} - end, []} +{fun(_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} + end, []} </code> <p>The default verify_fun option in verify_none mode:</p> <code> - {fun(_,{bad_cert, unknown_ca}, UserState) -> - {valid, UserState}; - (_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState} - end, []} +{fun(_,{bad_cert, unknown_ca}, UserState) -> + {valid, UserState}; + (_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} + end, []} </code> - <p> Possible path validation errors: - {bad_cert, cert_expired}, - {bad_cert, invalid_issuer}, - {bad_cert, invalid_signature}, - {bad_cert, unknown_ca}, - {bad_cert, name_not_permitted}, - {bad_cert, missing_basic_constraint}, - {bad_cert, invalid_key_usage}, - {bad_cert, invalid_subject_altname}</p> +<p>Possible path validation errors: </p> + +<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p> </item> </taglist> diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index cc01b35b64..12dffb413c 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -535,7 +535,9 @@ handle_options(Opts0, _Role) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false), @@ -631,7 +633,9 @@ validate_option(verify_fun, Fun) when is_function(Fun) -> {fail, Reason} end; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, Fun}; validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) -> Value; diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 6cf57ced81..206024315e 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -34,7 +34,6 @@ -export([trusted_cert_and_path/2, certificate_chain/2, file_to_certificats/1, - %validate_extensions/6, validate_extension/3, is_valid_extkey_usage/2, is_valid_key_usage/2, @@ -118,8 +117,7 @@ file_to_certificats(File) -> %% Description: Validates ssl/tls specific extensions %%-------------------------------------------------------------------- validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', - extnValue = KeyUse, - critical = true}}, Role) -> + extnValue = KeyUse}}, Role) -> case is_valid_extkey_usage(KeyUse, Role) of true -> {valid, Role}; @@ -128,8 +126,10 @@ validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', end; validate_extension(_, {bad_cert, _} = Reason, _) -> {fail, Reason}; -validate_extension(_, _, Role) -> - {unknown, Role}. +validate_extension(_, {extension, _}, Role) -> + {unknown, Role}; +validate_extension(_, valid, Role) -> + {valid, Role}. %%-------------------------------------------------------------------- -spec is_valid_key_usage(list(), term()) -> boolean(). diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 1e96880801..3cb9337775 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -2860,7 +2860,9 @@ unknown_server_ca_fail(Config) when is_list(Config) -> FunAndState = {fun(_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, @@ -2926,7 +2928,9 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, @@ -3095,7 +3099,7 @@ session_cache_process_mnesia(suite) -> session_cache_process_mnesia(Config) when is_list(Config) -> session_cache_process(mnesia,Config). -session_cache_process(Type,Config) when is_list(Config) -> +session_cache_process(_Type,Config) when is_list(Config) -> reuse_session(Config). init([Type]) -> |