diff options
| author | Ingela Anderton Andin <[email protected]> | 2014-08-07 15:26:58 +0200 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2014-08-11 10:26:50 +0200 |
| commit | ad92184636f134b8fc6f3e897c55dd5b27bac560 (patch) | |
| tree | b6e8560eba332b590ca93f7793c0f2b729232311 /lib | |
| parent | cc4dbea1229e8903f3cca1589d7f87000cdb775a (diff) | |
| download | otp-ad92184636f134b8fc6f3e897c55dd5b27bac560.tar.gz otp-ad92184636f134b8fc6f3e897c55dd5b27bac560.tar.bz2 otp-ad92184636f134b8fc6f3e897c55dd5b27bac560.zip | |
ssl: Make sure the correct ROOT-cert is used
When dealing with older certificates that does not indicate its signer
with a certificate extension, we must search the database for the issure.
Finding the issuer is not enough, we need to verify the signature
with the key in the found issuer cert.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index b186a1015a..53366b060c 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2013. All Rights Reserved. +%% Copyright Ericsson AB 2007-2014 All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -232,7 +232,12 @@ find_issuer(OtpCert, CertDbHandle) -> IsIssuerFun = fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) -> case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of true -> - throw(public_key:pkix_issuer_id(ErlCertCandidate, self)); + case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of + true -> + throw(public_key:pkix_issuer_id(ErlCertCandidate, self)); + false -> + Acc + end; false -> Acc end; @@ -254,3 +259,19 @@ is_valid_extkey_usage(KeyUse, client) -> is_valid_extkey_usage(KeyUse, server) -> %% Server wants to verify client is_valid_key_usage(KeyUse, ?'id-kp-clientAuth'). + +verify_cert_signer(OtpCert, SignerTBSCert) -> + PublicKey = public_key(SignerTBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo), + public_key:pkix_verify(public_key:pkix_encode('OTPCertificate', OtpCert, otp), PublicKey). + +public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-ecPublicKey', + parameters = Params}, + subjectPublicKey = Point}) -> + {Point, Params}; +public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'rsaEncryption'}, + subjectPublicKey = Key}) -> + Key; +public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-dsa', + parameters = {params, Params}}, + subjectPublicKey = Key}) -> + {Key, Params}. |