aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2014-08-07 15:26:58 +0200
committerIngela Anderton Andin <[email protected]>2014-08-11 10:26:50 +0200
commitad92184636f134b8fc6f3e897c55dd5b27bac560 (patch)
treeb6e8560eba332b590ca93f7793c0f2b729232311 /lib/ssl
parentcc4dbea1229e8903f3cca1589d7f87000cdb775a (diff)
downloadotp-ad92184636f134b8fc6f3e897c55dd5b27bac560.tar.gz
otp-ad92184636f134b8fc6f3e897c55dd5b27bac560.tar.bz2
otp-ad92184636f134b8fc6f3e897c55dd5b27bac560.zip
ssl: Make sure the correct ROOT-cert is used
When dealing with older certificates that does not indicate its signer with a certificate extension, we must search the database for the issure. Finding the issuer is not enough, we need to verify the signature with the key in the found issuer cert.
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl_certificate.erl25
1 files changed, 23 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index b186a1015a..53366b060c 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014 All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -232,7 +232,12 @@ find_issuer(OtpCert, CertDbHandle) ->
IsIssuerFun = fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
true ->
- throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+ case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
+ true ->
+ throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+ false ->
+ Acc
+ end;
false ->
Acc
end;
@@ -254,3 +259,19 @@ is_valid_extkey_usage(KeyUse, client) ->
is_valid_extkey_usage(KeyUse, server) ->
%% Server wants to verify client
is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
+
+verify_cert_signer(OtpCert, SignerTBSCert) ->
+ PublicKey = public_key(SignerTBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo),
+ public_key:pkix_verify(public_key:pkix_encode('OTPCertificate', OtpCert, otp), PublicKey).
+
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
+ parameters = Params},
+ subjectPublicKey = Point}) ->
+ {Point, Params};
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'rsaEncryption'},
+ subjectPublicKey = Key}) ->
+ Key;
+public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-dsa',
+ parameters = {params, Params}},
+ subjectPublicKey = Key}) ->
+ {Key, Params}.