aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorMagnus Henoch <[email protected]>2016-03-21 14:57:10 +0000
committerMagnus Henoch <[email protected]>2016-04-01 15:45:15 +0100
commite5776f33e6aa8ea99b14d3fd0525e9117bbe698a (patch)
treeb696dddd940b2dbb4a857fb1d2ca6f46b3bb3f8a /lib
parent1a5ef986efb0461b3b87dc836036d661def4c4b5 (diff)
downloadotp-e5776f33e6aa8ea99b14d3fd0525e9117bbe698a.tar.gz
otp-e5776f33e6aa8ea99b14d3fd0525e9117bbe698a.tar.bz2
otp-e5776f33e6aa8ea99b14d3fd0525e9117bbe698a.zip
Add public_key:pkix_match_dist_point
Diffstat (limited to 'lib')
-rw-r--r--lib/public_key/doc/src/public_key.xml17
-rw-r--r--lib/public_key/src/public_key.erl33
2 files changed, 50 insertions, 0 deletions
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 6923066da7..becb5338e0 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -728,6 +728,23 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
</func>
<func>
+ <name>pkix_match_dist_point(CRL, DistPoint) -> boolean()</name>
+ <fsummary>Checks whether the given distribution point matches the
+ Issuing Distribution Point of the CRL.</fsummary>
+
+ <type>
+ <v>CRL = der_encoded() | #'CertificateList'{} </v>
+ <v>DistPoint = #'DistributionPoint'{}</v>
+ </type>
+ <desc>
+ <p>Checks whether the given distribution point matches the
+ Issuing Distribution Point of the CRL, as described in RFC 5280.
+ If the CRL doesn't have an Issuing Distribution Point extension,
+ the distribution point always matches.</p>
+ </desc>
+ </func>
+
+ <func>
<name>pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded()</name>
<fsummary>Signs certificate.</fsummary>
<type>
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index a5944bd604..27bf2093a1 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -53,6 +53,7 @@
pkix_crls_validate/3,
pkix_dist_point/1,
pkix_dist_points/1,
+ pkix_match_dist_point/2,
pkix_crl_verify/2,
pkix_crl_issuer/1
]).
@@ -524,6 +525,38 @@ pkix_dist_points(OtpCert) ->
[], Value).
%%--------------------------------------------------------------------
+-spec pkix_match_dist_point(der_encoded() | #'CertificateList'{},
+ #'DistributionPoint'{}) -> boolean().
+%% Description: Check whether the given distribution point matches
+%% the "issuing distribution point" of the CRL.
+%%--------------------------------------------------------------------
+pkix_match_dist_point(CRL, DistPoint) when is_binary(CRL) ->
+ pkix_match_dist_point(der_decode('CertificateList', CRL), DistPoint);
+pkix_match_dist_point(#'CertificateList'{},
+ #'DistributionPoint'{distributionPoint = asn1_NOVALUE}) ->
+ %% No distribution point name specified - that's considered a match.
+ true;
+pkix_match_dist_point(#'CertificateList'{
+ tbsCertList =
+ #'TBSCertList'{
+ crlExtensions = Extensions}},
+ #'DistributionPoint'{
+ distributionPoint = {fullName, DPs}}) ->
+ case pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions) of
+ undefined ->
+ %% If the CRL doesn't have an IDP extension, it
+ %% automatically qualifies.
+ true;
+ #'Extension'{extnValue = IDPValue} ->
+ %% If the CRL does have an IDP extension, it must match
+ %% the given DistributionPoint to be considered a match.
+ IDPEncoded = der_decode('IssuingDistributionPoint', IDPValue),
+ #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} =
+ pubkey_cert_records:transform(IDPEncoded, decode),
+ pubkey_crl:match_one(IDPs, DPs)
+ end.
+
+%%--------------------------------------------------------------------
-spec pkix_sign(#'OTPTBSCertificate'{},
rsa_private_key() | dsa_private_key()) -> Der::binary().
%%