-rw-r--r--lib/public_key/doc/src/notes.xml53
-rw-r--r--lib/public_key/include/public_key.hrl2
-rw-r--r--lib/public_key/src/pubkey_cert.erl4
-rw-r--r--lib/public_key/src/public_key.appup.src4
-rw-r--r--lib/public_key/src/public_key.erl11
-rw-r--r--lib/public_key/test/public_key_SUITE.erl2
-rw-r--r--lib/ssl/doc/src/notes.xml42
-rw-r--r--lib/ssl/doc/src/ssl.xml20
-rw-r--r--lib/ssl/src/ssl.erl4
-rw-r--r--lib/ssl/src/ssl_certificate.erl2
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl6
-rw-r--r--lib/ssl/vsn.mk2
12 files changed, 134 insertions, 18 deletions
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
index baa0e6c464..6e7381eb18 100644
--- a/lib/public_key/doc/src/notes.xml
+++ b/lib/public_key/doc/src/notes.xml
@@ -1,11 +1,11 @@
-<?xml version="1.0" encoding="latin1" ?>
+<?xml version="1.0" encoding="iso-8859-1" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">
<chapter>
<header>
<copyright>
<year>2008</year>
- <year>2008</year>
+ <year>2010</year>
<holder>Ericsson AB, All Rights Reserved</holder>
</copyright>
<legalnotice>
@@ -34,6 +34,55 @@
<file>notes.xml</file>
</header>
+<section><title>Public_Key 0.9</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Updated ssl to ignore CA certs that violate the asn1-spec
+ for a certificate, and updated public key asn1 spec to
+ handle inherited DSS-params.</p>
+ <p>
+ Own Id: OTP-7884</p>
+ </item>
+ <item>
+ <p>
+ Changed ssl implementation to retain backwards
+ compatibility for old option {verify, 0} that shall be
+ equivalent to {verify, verify_none}, also separate the
+ cases unknown ca and selfsigned peer cert, and restored
+ return value of deprecated function
+ public_key:pem_to_der/1.</p>
+ <p>
+ Own Id: OTP-8858</p>
+ </item>
+ <item>
+ <p>
+ Better handling of v1 and v2 certificates. V1 and v2
+ certificates does not have any extensions so then
+ validate_extensions should just accept that there are
+ none and not end up in missing_basic_constraints clause.</p>
+ <p>
+ Own Id: OTP-8867</p>
+ </item>
+ <item>
+ <p>
+ Changed the verify fun so that it differentiate between
+ the peer certificate and CA certificates by using
+ valid_peer or valid as the second argument to the verify
+ fun. It may not always be trivial or even possible to
+ know when the peer certificate is reached otherwise.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-8873</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Public_Key 0.8</title>
<section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
index a16eb10fe6..4950597fb5 100644
--- a/lib/public_key/include/public_key.hrl
+++ b/lib/public_key/include/public_key.hrl
@@ -34,6 +34,8 @@
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, []}).
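Review bot: The added `valid_peer` clause has no comment saying what the event means or that the default fun deliberately treats it exactly like `valid`. Suggest a comment next to the clause, e.g. `%% valid_peer: the peer certificate passed path validation; the default accepts it like a CA cert`. The same undocumented pair of identical clauses is added in both `ssl.erl` hunks and in `ssl_certificate.erl`. The macro this fun belongs to begins outside the hunk.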
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index ac59b6313d..c467e24741 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -295,8 +295,8 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
%%--------------------------------------------------------------------
--spec verify_fun(#'OTPCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}|
- valid, term(), fun()) -> term().
+-spec verify_fun(#'OTPTBSCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}|
+ valid | valid_peer, term(), fun()) -> term().
%%
%% Description: Gives the user application the opportunity handle path
%% validation errors and unknown extensions and optional do other
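Review bot: The first argument type in the updated spec, `#'OTPTBSCertificate'{}`, does not match what the visible caller passes. The `public_key.erl` hunk in this commit calls `pubkey_cert:verify_fun(OtpCert, valid_peer, ...)`, and the `ssl.xml` hunk documents the fun's first argument as `#'OTPCertificate'{}`. Unless the function body (outside this hunk) unwraps the certificate before calling the user fun, the spec should probably keep `-spec verify_fun(#'OTPCertificate'{}, ...`. A wrong record type here misleads Dialyzer and anyone writing a verify fun that inspects the certificate.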
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
index adc50d1d45..0f9f62d2f6 100644
--- a/lib/public_key/src/public_key.appup.src
+++ b/lib/public_key/src/public_key.appup.src
@@ -6,7 +6,7 @@
{update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
{update, public_key, soft, soft_purge, soft_purge, []},
{update, pubkey_pem, soft, soft_purge, soft_purge, []},
- {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+ {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
{update, pubkey_cert, soft, soft_purge, soft_purge, []}
]
}
@@ -17,7 +17,7 @@
{update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
{update, public_key, soft, soft_purge, soft_purge, []},
{update, pubkey_pem, soft, soft_purge, soft_purge, []},
- {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+ {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
{update, pubkey_cert, soft, soft_purge, soft_purge, []}
]
}
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index aa3018bd2d..095a6ff0e0 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -556,9 +556,16 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
%% We want the key_usage extension to be checked before we validate
%% the signature.
- UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert,
+ UserState6 = pubkey_cert:validate_signature(OtpCert, DerCert,
Key, KeyParams, UserState5, VerifyFun),
- UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun),
+ UserState = case Last of
+ false ->
+ pubkey_cert:verify_fun(OtpCert, valid, UserState6, VerifyFun);
+ true ->
+ pubkey_cert:verify_fun(OtpCert, valid_peer,
+ UserState6, VerifyFun)
+ end,
+
ValidationState =
ValidationState1#path_validation_state{user_state = UserState},
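Review bot: The two branches of the new `case Last of` repeat the same `pubkey_cert:verify_fun/4` call and differ only in the event atom. Selecting the atom first keeps the call in one place: `Event = case Last of true -> valid_peer; false -> valid end,` followed by `UserState = pubkey_cert:verify_fun(OtpCert, Event, UserState6, VerifyFun),`. `Last` is bound outside this hunk, so a short comment saying it marks the final (peer) certificate of the path would help; the release note in this commit supports that reading. The enclosing `validate` clause starts and ends outside the hunk.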
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 829b6a9215..81e01f3a02 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -379,6 +379,8 @@ pkix_path_validation(Config) when is_list(Config) ->
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, []},
{ok, _} =
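Review bot: The added `valid_peer` clause returns the same value as `valid`, and the result is matched only as `{ok, _}`, so within the visible lines nothing checks that `valid_peer` is delivered for the peer certificate and only for it. Verify funs rely on this event to decide when to apply end-entity checks, so the distinction deserves an assertion. Consider recording it in the user state, e.g. `{valid, [peer | UserState]}`, and asserting on the final state if path validation exposes it. The same applies to the two `ssl_basic_SUITE.erl` hunks, where `test_to_update_user_state` is pushed but no assertion on it is visible. The test function continues outside the hunk.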
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 5f9e436348..756c0d1b1f 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -31,7 +31,47 @@
<p>This document describes the changes made to the SSL application.
</p>
- <section><title>SSL 4.0.1</title>
+ <section><title>SSL 4.1</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Updated ssl to ignore CA certs that violate the asn1-spec
+ for a certificate, and updated public key asn1 spec to
+ handle inherited DSS-params.</p>
+ <p>
+ Own Id: OTP-7884</p>
+ </item>
+ <item>
+ <p>
+ Changed ssl implementation to retain backwards
+ compatibility for old option {verify, 0} that shall be
+ equivalent to {verify, verify_none}, also separate the
+ cases unknown ca and selfsigned peer cert, and restored
+ return value of deprecated function
+ public_key:pem_to_der/1.</p>
+ <p>
+ Own Id: OTP-8858</p>
+ </item>
+ <item>
+ <p>
+ Changed the verify fun so that it differentiate between
+ the peer certificate and CA certificates by using
+ valid_peer or valid as the second argument to the verify
+ fun. It may not always be trivial or even possible to
+ know when the peer certificate is reached otherwise.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-8873</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>SSL 4.0.1</title>
<section><title>Fixed Bugs and Malfunctions</title>
<list>
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 8348301aed..413703deca 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -202,10 +202,10 @@
<p>The verification fun should be defined as:</p>
<code>
-fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
{extension, #'Extension'{}}, InitialUserState :: term()) ->
- {valid, UserState :: term()} | {fail, Reason :: term()} |
- {unknown, UserState :: term()}.
+ {valid, UserState :: term()} | {valid_peer, UserState :: term()} |
+ {fail, Reason :: term()} | {unknown, UserState :: term()}.
</code>
<p>The verify fun will be called during the X509-path
@@ -213,10 +213,12 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
application is encountered. Additionally it will be called
when a certificate is considered valid by the path validation
to allow access to each certificate in the path to the user
- application.
+ application. Note that the it will differentiate between
+ the peer certificate and CA certificates by using valid_peer
+ or valid as the second argument to the verify fun.
See
<seealso marker="public_key:application">public_key(3)</seealso>
- for definition of #'OtpCertificate'{} and #'Extension'{}.</p>
+ for definition of #'OTPCertificate'{} and #'Extension'{}.</p>
<p>If the verify callback fun returns {fail, Reason}, the
verification process is immediately stopped and an alert is
@@ -237,7 +239,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
- {valid, UserState}
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
+ {valid, UserState}
end, []}
</code>
@@ -249,7 +253,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
- {valid, UserState}
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
+ {valid, UserState}
end, []}
</code>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index c13dee96f1..ef94750d02 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -627,6 +627,8 @@ handle_options(Opts0, _Role) ->
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, []},
@@ -727,6 +729,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, Fun};
validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
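Review bot: The `validate_option(verify_fun, {Fun, _} = Value)` clause right after the added lines still accepts a caller-supplied fun as is, so a fun written for the previous contract has no `valid_peer` clause. Such a fun would presumably raise `function_clause` once the peer certificate validates, and how that surfaces in the handshake depends on code outside this hunk. A comment at that clause would make the requirement visible, e.g. `%% New-style verify funs must handle both valid and valid_peer (OTP-8873)`.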
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 3c7ce837e4..5571fb01f6 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -132,6 +132,8 @@ validate_extension(_, {bad_cert, _} = Reason, _) ->
validate_extension(_, {extension, _}, Role) ->
{unknown, Role};
validate_extension(_, valid, Role) ->
+ {valid, Role};
+validate_extension(_, valid_peer, Role) ->
{valid, Role}.
%%--------------------------------------------------------------------
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 3cb9337775..fade67f3ba 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2857,11 +2857,13 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
{options, ServerOpts}]),
Port = ssl_test_lib:inet_port(Server),
- FunAndState = {fun(_,{bad_cert, _} = Reason, _) ->
+ FunAndState = {fun(_,{bad_cert, unknown_ca} = Reason, _) ->
{fail, Reason};
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, [test_to_update_user_state | UserState]};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, []},
@@ -2930,6 +2932,8 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
(_,{extension, _}, UserState) ->
{unknown, UserState};
(_, valid, UserState) ->
+ {valid, UserState};
+ (_, valid_peer, UserState) ->
{valid, UserState}
end, []},
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index dd75d44aca..30a0a3b3f7 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1,2 +1,2 @@
-SSL_VSN = 4.0.2
+SSL_VSN = 4.1