aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2013-02-26 15:52:18 +0100
committerIngela Anderton Andin <[email protected]>2013-03-13 14:40:59 +0100
commit006f45a738a6612958381b2fcbf48586c008d911 (patch)
tree600bc9e688ad286e1b4f6dad72a65a514cacc207 /lib
parent03bc63bed74af4c392d160005b77aca43d4cd4aa (diff)
downloadotp-006f45a738a6612958381b2fcbf48586c008d911.tar.gz
otp-006f45a738a6612958381b2fcbf48586c008d911.tar.bz2
otp-006f45a738a6612958381b2fcbf48586c008d911.zip
public_key & ssl: Add support for ISO oids 1.3.14.3.2.29 and 1.3.14.3.2.27
Some certificates may use these OIDs instead of the ones defined by PKIX/PKCS standard. Refactor code so that all handling of the "duplicate" oids is done by public_key. Update algorithm information in documentation.
Diffstat (limited to 'lib')
-rw-r--r--lib/public_key/asn1/OTP-PKIX.asn122
-rw-r--r--lib/public_key/asn1/PKCS-1.asn14
-rw-r--r--lib/public_key/asn1/PKIX1Algorithms88.asn13
-rw-r--r--lib/public_key/doc/src/cert_records.xml27
-rw-r--r--lib/public_key/doc/src/public_key.xml21
-rw-r--r--lib/public_key/src/pubkey_cert.erl22
-rw-r--r--lib/public_key/src/pubkey_crl.erl4
-rw-r--r--lib/public_key/src/public_key.erl32
-rw-r--r--lib/public_key/test/public_key_SUITE.erl30
-rw-r--r--lib/public_key/test/public_key_SUITE_data/dsa_ISO.pem24
-rw-r--r--lib/public_key/test/public_key_SUITE_data/rsa_ISO.pem14
-rw-r--r--lib/ssl/src/ssl_certificate.erl21
-rw-r--r--lib/ssl/src/ssl_cipher.erl8
13 files changed, 167 insertions, 65 deletions
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
index 4f20208bce..a90fe2840c 100644
--- a/lib/public_key/asn1/OTP-PKIX.asn1
+++ b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -97,9 +97,9 @@ IMPORTS
id-pkix1-implicit(19) }
--Keys and Signatures
- id-dsa, Dss-Parms, DSAPublicKey,
- id-dsa-with-sha1,
- md2WithRSAEncryption,
+ id-dsa, Dss-Parms, DSAPublicKey,
+ id-dsa-with-sha1, id-dsaWithSHA1,
+ md2WithRSAEncryption,
md5WithRSAEncryption,
sha1WithRSAEncryption,
rsaEncryption, RSAPublicKey,
@@ -115,7 +115,6 @@ IMPORTS
FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms(17) }
-
md2WithRSAEncryption,
md5WithRSAEncryption,
sha1WithRSAEncryption,
@@ -316,8 +315,8 @@ PublicKeyAlgorithm ::= SEQUENCE {
OPTIONAL }
SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
- dsa-with-sha1 | md2-with-rsa-encryption |
- md5-with-rsa-encryption | sha1-with-rsa-encryption |
+ dsa-with-sha1 | dsaWithSHA1 | md2-with-rsa-encryption |
+ md5-with-rsa-encryption | sha1-with-rsa-encryption | sha-1with-rsa-encryption |
sha224-with-rsa-encryption |
sha256-with-rsa-encryption |
sha384-with-rsa-encryption |
@@ -325,7 +324,7 @@ SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= {
ecdsa-with-sha1 }
SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
- dsa | rsa-encryption | dh | kea | ec-public-key }
+ dsa | rsa-encryption | dh | kea | ec-public-key }
-- DSA Keys and Signatures
@@ -349,6 +348,11 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
ID id-dsa-with-sha1
TYPE DSAParams }
+
+ dsaWithSHA1 SIGNATURE-ALGORITHM-CLASS ::= {
+ ID id-dsaWithSHA1
+ TYPE DSAParams }
+
--
-- RSA Keys and Signatures
--
@@ -367,6 +371,10 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {
ID sha1WithRSAEncryption
TYPE NULL }
+ sha-1with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
+ ID sha-1WithRSAEncryption
+ TYPE NULL }
+
sha224-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= {
ID sha224WithRSAEncryption
TYPE NULL }
diff --git a/lib/public_key/asn1/PKCS-1.asn1 b/lib/public_key/asn1/PKCS-1.asn1
index c83289e779..b5754790e7 100644
--- a/lib/public_key/asn1/PKCS-1.asn1
+++ b/lib/public_key/asn1/PKCS-1.asn1
@@ -35,7 +35,9 @@ sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
-
+-- ISO oid - equvivalent to sha1WithRSAEncryption
+sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) sha-1WithRSAEncryption(29)}
id-sha1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) oiw(14) secsig(3)
diff --git a/lib/public_key/asn1/PKIX1Algorithms88.asn1 b/lib/public_key/asn1/PKIX1Algorithms88.asn1
index f895b6d0cd..74225747d3 100644
--- a/lib/public_key/asn1/PKIX1Algorithms88.asn1
+++ b/lib/public_key/asn1/PKIX1Algorithms88.asn1
@@ -35,6 +35,9 @@
id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+ id-dsaWithSHA1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) dsaWithSHA1(27)
+ }
-- encoding for DSA signature generated with SHA-1 hash
Dss-Sig-Value ::= SEQUENCE {
diff --git a/lib/public_key/doc/src/cert_records.xml b/lib/public_key/doc/src/cert_records.xml
index ac4b4e4489..c9249d40c3 100644
--- a/lib/public_key/doc/src/cert_records.xml
+++ b/lib/public_key/doc/src/cert_records.xml
@@ -60,9 +60,6 @@
marker="public_key">public key reference manual </seealso> or
follows here.</p>
- <p><c>oid() - a tuple of integers
- as generated by the ASN1 compiler.</c></p>
-
<p><c>time() = uct_time() | general_time()</c></p>
<p><c>uct_time() = {utcTime, "YYMMDDHHMMSSZ"} </c></p>
@@ -158,6 +155,9 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<cell align="left" valign="middle">id-dsa-with-sha1</cell>
</row>
<row>
+ <cell align="left" valign="middle">id-dsaWithSHA1 (ISO alt oid to above)</cell>
+ </row>
+ <row>
<cell align="left" valign="middle">md2WithRSAEncryption</cell>
</row>
<row>
@@ -166,9 +166,21 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<row>
<cell align="left" valign="middle">sha1WithRSAEncryption</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">sha-1WithRSAEncryption (ISO alt oid to above)</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">sha224WithRSAEncryption</cell>
+ </row>
<row>
- <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ <cell align="left" valign="middle">sha256WithRSAEncryption</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">sha512WithRSAEncryption</cell>
+ </row>
+ <row>
+ <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
+ </row>
<tcaption>Signature algorithm oids </tcaption>
</table>
@@ -276,15 +288,14 @@ oid names see table below. Ex: ?'id-dsa-with-sha1'</p>
<cell align="left" valign="middle">dhpublicnumber</cell>
</row>
<row>
- <cell align="left" valign="middle">ecdsa-with-SHA1</cell>
- </row>
- <row>
<cell align="left" valign="middle">id-keyExchangeAlgorithm</cell>
</row>
+ <row>
+ <cell align="left" valign="middle">id-ecPublicKey</cell>
+ </row>
<tcaption>Public key algorithm oids </tcaption>
</table>
-
<code>
#'Extension'{
extnID, % id_extensions() | oid()
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 5864de2d57..84300f6e65 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -48,7 +48,7 @@
<item>Supports <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url> -
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2125"> PKCS-1 </url> - RSA Cryptography Standard </item>
- <item>Supports <url href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf"> DSA</url>- Digital Signature Algorithm</item>
+ <item>Supports <url href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf"> DSS</url>- Digital Signature Standard (DSA - Digital Signature Algorithm)</item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2126"> PKCS-3 </url> - Diffie-Hellman Key Agreement Standard </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2127"> PKCS-5</url> - Password-Based Cryptography Standard </item>
<item>Supports <url href="http://www.rsa.com/rsalabs/node.asp?id=2130"> PKCS-8</url> - Private-Key Information Syntax Standard</item>
@@ -72,8 +72,10 @@
<code> -include_lib("public_key/include/public_key.hrl"). </code>
- <p><em>Data Types </em></p>
+ <p><em>Data Types </em></p>
+ <p><code>oid() - a tuple of integers as generated by the ASN1 compiler.</code></p>
+
<p><code>boolean() = true | false</code></p>
<p><code>string() = [bytes()]</code></p>
@@ -491,6 +493,21 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
</desc>
</func>
+ <func>
+ <name>pkix_sign_types(AlgorithmId) -> {DigestType, SignatureType}</name>
+ <fsummary>Translates signature algorithm oid to erlang digest and signature algorithm types.</fsummary>
+ <type>
+ <v>AlgorithmId = oid()</v>
+ <d>Signature oid from a certificate or a certificate revocation list</d>
+ <v>DigestType = rsa_digest_type() | dss_digest_type() </v>
+ <v>SignatureType = rsa | dsa</v>
+ </type>
+ <desc>
+ <p>Translates signature algorithm oid to erlang digest and signature types.
+ </p>
+ </desc>
+ </func>
+
<func>
<name>pkix_verify(Cert, Key) -> boolean()</name>
<fsummary> Verify pkix x.509 certificate signature.</fsummary>
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index f53c94b334..dc8d68c78f 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -27,7 +27,7 @@
validate_time/3, validate_signature/6,
validate_issuer/4, validate_names/6,
validate_extensions/4,
- normalize_general_name/1, digest_type/1, is_self_signed/1,
+ normalize_general_name/1, is_self_signed/1,
is_issuer/2, issuer_id/2, is_fixed_dh_cert/1,
verify_data/1, verify_fun/4, select_extension/2, match_name/3,
extensions_list/1, cert_auth_key_id/1, time_str_2_gregorian_sec/1]).
@@ -426,13 +426,12 @@ extensions_list(asn1_NOVALUE) ->
extensions_list(Extensions) ->
Extensions.
-
extract_verify_data(OtpCert, DerCert) ->
{_, Signature} = OtpCert#'OTPCertificate'.signature,
SigAlgRec = OtpCert#'OTPCertificate'.signatureAlgorithm,
SigAlg = SigAlgRec#'SignatureAlgorithm'.algorithm,
PlainText = encoded_tbs_cert(DerCert),
- DigestType = digest_type(SigAlg),
+ {DigestType,_} = public_key:pkix_sign_types(SigAlg),
{DigestType, PlainText, Signature}.
verify_signature(OtpCert, DerCert, Key, KeyParams) ->
@@ -451,21 +450,6 @@ encoded_tbs_cert(Cert) ->
{'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
EncodedTBSCert.
-digest_type(?sha1WithRSAEncryption) ->
- sha;
-digest_type(?sha224WithRSAEncryption) ->
- sha224;
-digest_type(?sha256WithRSAEncryption) ->
- sha256;
-digest_type(?sha384WithRSAEncryption) ->
- sha384;
-digest_type(?sha512WithRSAEncryption) ->
- sha512;
-digest_type(?md5WithRSAEncryption) ->
- md5;
-digest_type(?'id-dsa-with-sha1') ->
- sha.
-
public_key_info(PublicKeyInfo,
#path_validation_state{working_public_key_algorithm =
WorkingAlgorithm,
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 3e4c3c8b6d..eaba5bfa1b 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2010-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2010-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -561,7 +561,7 @@ extract_crl_verify_data(CRL, DerCRL) ->
#'AlgorithmIdentifier'{algorithm = SigAlg} =
CRL#'CertificateList'.signatureAlgorithm,
PlainText = encoded_tbs_crl(DerCRL),
- DigestType = pubkey_cert:digest_type(SigAlg),
+ {DigestType, _} = public_key:pkix_sign_types(SigAlg),
{DigestType, PlainText, Signature}.
encoded_tbs_crl(CRL) ->
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index e753cf3867..736c18cdd4 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -36,6 +36,7 @@
decrypt_public/2, decrypt_public/3,
sign/3, verify/4,
pkix_sign/2, pkix_verify/2,
+ pkix_sign_types/1,
pkix_is_self_signed/1,
pkix_is_fixed_dh_cert/1,
pkix_is_issuer/2,
@@ -53,6 +54,7 @@
-type dss_digest_type() :: 'none' | 'sha'. %% None is for backwards compatibility
-type crl_reason() :: unspecified | keyCompromise | cACompromise | affiliationChanged | superseded
| cessationOfOperation | certificateHold | privilegeWithdrawn | aACompromise.
+-type oid() :: tuple().
-define(UINT32(X), X:32/unsigned-big-integer).
-define(DER_NULL, <<5, 0>>).
@@ -335,6 +337,34 @@ format_rsa_private_key(#'RSAPrivateKey'{modulus = N, publicExponent = E,
[crypto:mpint(K) || K <- [E, N, D]].
%%--------------------------------------------------------------------
+
+-spec pkix_sign_types(SignatureAlg::oid()) ->
+ %% Relevant dsa digest type is subpart of rsa digest type
+ { DigestType :: rsa_digest_type(),
+ SignatureType :: rsa | dsa
+ }.
+%% Description:
+%%--------------------------------------------------------------------
+pkix_sign_types(?sha1WithRSAEncryption) ->
+ {sha, rsa};
+pkix_sign_types(?'sha-1WithRSAEncryption') ->
+ {sha, rsa};
+pkix_sign_types(?sha224WithRSAEncryption) ->
+ {sha224, rsa};
+pkix_sign_types(?sha256WithRSAEncryption) ->
+ {sha256, rsa};
+pkix_sign_types(?sha384WithRSAEncryption) ->
+ {sha384, rsa};
+pkix_sign_types(?sha512WithRSAEncryption) ->
+ {sha512, rsa};
+pkix_sign_types(?md5WithRSAEncryption) ->
+ {md5, rsa};
+pkix_sign_types(?'id-dsa-with-sha1') ->
+ {sha, dsa};
+pkix_sign_types(?'id-dsaWithSHA1') ->
+ {sha, dsa}.
+
+%%--------------------------------------------------------------------
-spec sign(binary() | {digest, binary()}, rsa_digest_type() | dss_digest_type(),
rsa_private_key() |
dsa_private_key()) -> Signature :: binary().
@@ -406,7 +436,7 @@ pkix_sign(#'OTPTBSCertificate'{signature =
= SigAlg} = TBSCert, Key) ->
Msg = pkix_encode('OTPTBSCertificate', TBSCert, otp),
- DigestType = pubkey_cert:digest_type(Alg),
+ {DigestType, _} = pkix_sign_types(Alg),
Signature = sign(Msg, DigestType, Key),
Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
signatureAlgorithm = SigAlg,
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index ea48479f0b..0de80edeac 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -41,7 +41,8 @@ all() ->
{group, ssh_public_key_decode_encode},
encrypt_decrypt,
{group, sign_verify},
- pkix, pkix_countryname, pkix_path_validation].
+ pkix, pkix_countryname, pkix_path_validation,
+ pkix_iso_rsa_oid, pkix_iso_dsa_oid].
groups() ->
[{pem_decode_encode, [], [dsa_pem, rsa_pem, encrypted_pem,
@@ -688,6 +689,31 @@ pkix_path_validation(Config) when is_list(Config) ->
public_key:pkix_path_validation(unknown_ca, [Cert1], [{verify_fun,
VerifyFunAndState1}]),
ok.
+
+%%--------------------------------------------------------------------
+pkix_iso_rsa_oid() ->
+ [{doc, "Test workaround for supporting certs that use ISO oids"
+ " 1.3.14.3.2.29 instead of PKIX/PKCS oid"}].
+pkix_iso_rsa_oid(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok, PemCert} = file:read_file(filename:join(Datadir, "rsa_ISO.pem")),
+ [{_, Cert, _}] = public_key:pem_decode(PemCert),
+ OTPCert = public_key:pkix_decode_cert(Cert, otp),
+ SigAlg = OTPCert#'OTPCertificate'.signatureAlgorithm,
+ {_, rsa} = public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm).
+
+%%--------------------------------------------------------------------
+pkix_iso_dsa_oid() ->
+ [{doc, "Test workaround for supporting certs that use ISO oids"
+ "1.3.14.3.2.27 instead of PKIX/PKCS oid"}].
+pkix_iso_dsa_oid(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok, PemCert} = file:read_file(filename:join(Datadir, "dsa_ISO.pem")),
+ [{_, Cert, _}] = public_key:pem_decode(PemCert),
+ OTPCert = public_key:pkix_decode_cert(Cert, otp),
+ SigAlg = OTPCert#'OTPCertificate'.signatureAlgorithm,
+ {_, dsa} = public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm).
+
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
%%--------------------------------------------------------------------
diff --git a/lib/public_key/test/public_key_SUITE_data/dsa_ISO.pem b/lib/public_key/test/public_key_SUITE_data/dsa_ISO.pem
new file mode 100644
index 0000000000..d3541367f0
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/dsa_ISO.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEjCCAqygAwIBAgIQZIIqq4RXfpBKJXV69Jc4BjCCASwGByqGSM44BAMwggEf
+AoGBALez5tklY5CdFeTMos899pA6i4u4uCtszgBzrdBk6cl5FVqzdzWMGTQiynnT
+pGsrOESinzP06Ip+pG15We2OORwgvCxD/W95aCiN0/+MdiXqlsmboBARMzsa+SmB
+ENN3gF/+tuuEAFzOXU1q2cmEywRLyfbM2KIBVE/TChWYw2eRAhUA1R64VvcQ90XA
+8SOKVDmMA0dBzukCgYEAlLMYP0pbgBlgHQVO3/avAHlWNrIq52Lxk7SdPJWgMvPj
+TK9Z6sv88kxsCcydtjvO439j1yqcwk50GQc+86ktBWWz93/HkIdnFyqafef4mmWv
+m2Uq6ClQKS+A0Asfaj8Mys+HUMiI+qsfdjRbyIpwb7MX1nsVdsKzALnZNMW27A0w
+HTEbMBkGA1UEAxMSSVNBIFRlc3QgQXV0aG9yaXR5MB4XDTEyMDMyMDE3MTMyMVoX
+DTM5MTIzMTIzNTk1OVowHTEbMBkGA1UEAxMSSVNBIFRlc3QgQXV0aG9yaXR5MIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqe3oVLIVBVIPI/uZjrciELODKxPEE
+SDWoNvycEeP1ERF5kDlRDmLIQ51Nt0vI5pKTasnIDbB1ONiQ2cvMrj2dkWWl/z2v
+f9tqQAzBm/r1LcUmL1bbP2bgk+//n5AJicU1FKecfDeZo0SXChDKSfH3ojdbsS5U
+68q0qGHgNoPRawIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/ME4GA1UdAQRHMEWA
+EEIfCfbwCZs35y8mXWInVuyhHzAdMRswGQYDVQQDExJJU0EgVGVzdCBBdXRob3Jp
+dHmCEGSCKquEV36QSiV1evSXOAYwggEsBgcqhkjOOAQDMIIBHwKBgQC3s+bZJWOQ
+nRXkzKLPPfaQOouLuLgrbM4Ac63QZOnJeRVas3c1jBk0Isp506RrKzhEop8z9OiK
+fqRteVntjjkcILwsQ/1veWgojdP/jHYl6pbJm6AQETM7GvkpgRDTd4Bf/rbrhABc
+zl1NatnJhMsES8n2zNiiAVRP0woVmMNnkQIVANUeuFb3EPdFwPEjilQ5jANHQc7p
+AoGBAJSzGD9KW4AZYB0FTt/2rwB5VjayKudi8ZO0nTyVoDLz40yvWerL/PJMbAnM
+nbY7zuN/Y9cqnMJOdBkHPvOpLQVls/d/x5CHZxcqmn3n+Jplr5tlKugpUCkvgNAL
+H2o/DMrPh1DIiPqrH3Y0W8iKcG+zF9Z7FXbCswC52TTFtuwNAzAAMC0CFH/KmkwI
+wnL9ecefLjQZ9Au52Kt5AhUAqJ5UEy2hIjCkdBoyuwOVPp5qnUw=
+-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/rsa_ISO.pem b/lib/public_key/test/public_key_SUITE_data/rsa_ISO.pem
new file mode 100644
index 0000000000..f82efdefc5
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/rsa_ISO.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGjCCAYegAwIBAgIQZIIqq4RXfpBKJXV69Jc4BjAJBgUrDgMCHQUAMB0xGzAZ
+BgNVBAMTEklTQSBUZXN0IEF1dGhvcml0eTAeFw0xMjAzMjAxNzEzMjFaFw0zOTEy
+MzEyMzU5NTlaMB0xGzAZBgNVBAMTEklTQSBUZXN0IEF1dGhvcml0eTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAqnt6FSyFQVSDyP7mY63IhCzgysTxBEg1qDb8
+nBHj9REReZA5UQ5iyEOdTbdLyOaSk2rJyA2wdTjYkNnLzK49nZFlpf89r3/bakAM
+wZv69S3FJi9W2z9m4JPv/5+QCYnFNRSnnHw3maNElwoQyknx96I3W7EuVOvKtKhh
+4DaD0WsCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zBOBgNVHQEERzBFgBBCHwn2
+8AmbN+cvJl1iJ1bsoR8wHTEbMBkGA1UEAxMSSVNBIFRlc3QgQXV0aG9yaXR5ghBk
+giqrhFd+kEoldXr0lzgGMAkGBSsOAwIdBQADgYEAIlVecua5Cr1z/cdwQ8znlgOU
+U+y/uzg0nupKkopzVnRYhwV4hxZt3izAz4C/SJZB7eL0bUKlg1ceGjbQsGEm0fzF
+LEV3vym4G51bxv03Iecwo96G4NgjJ7+9/7ciBVzfxZyfuCpYG1M2LyrbOyuevtTy
+2+vIueT0lv6UftgBfIE=
+-----END CERTIFICATE-----
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 86f5617b54..01a7cd93b5 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -37,8 +37,7 @@
is_valid_extkey_usage/2,
is_valid_key_usage/2,
select_extension/2,
- extensions_list/1,
- signature_type/1
+ extensions_list/1
]).
%%====================================================================
@@ -167,22 +166,6 @@ extensions_list(Extensions) ->
Extensions.
%%--------------------------------------------------------------------
--spec signature_type(term()) -> rsa | dsa .
-%%
-%% Description:
-%%--------------------------------------------------------------------
-signature_type(RSA) when RSA == ?sha1WithRSAEncryption;
- RSA == ?md5WithRSAEncryption;
- RSA == ?sha224WithRSAEncryption;
- RSA == ?sha256WithRSAEncryption;
- RSA == ?sha384WithRSAEncryption;
- RSA == ?sha512WithRSAEncryption
- ->
- rsa;
-signature_type(?'id-dsa-with-sha1') ->
- dsa.
-
-%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 567690a413..d91e2a89a0 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -483,10 +483,10 @@ filter(undefined, Ciphers) ->
filter(DerCert, Ciphers) ->
OtpCert = public_key:pkix_decode_cert(DerCert, otp),
SigAlg = OtpCert#'OTPCertificate'.signatureAlgorithm,
- case ssl_certificate:signature_type(SigAlg#'SignatureAlgorithm'.algorithm) of
- rsa ->
+ case public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm) of
+ {_, rsa} ->
filter_rsa(OtpCert, Ciphers -- dsa_signed_suites());
- dsa ->
+ {_, dsa} ->
Ciphers -- rsa_signed_suites()
end.