1 files changed, 61 insertions, 9 deletions

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index cc01b61433..6788c1ee92 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -850,10 +850,10 @@ pkix_crls_validate(OtpCert, DPAndCRLs0, Options) ->
 
 %--------------------------------------------------------------------
 -spec pkix_verify_hostname(Cert :: #'OTPCertificate'{} | binary(),
-			   ReferenceIDs :: [{uri_id | dns_id | oid(),  string()}]) -> boolean().
+			   ReferenceIDs :: [{uri_id | dns_id | ip | srv_id | oid(),  string()}]) -> boolean().
 
 -spec pkix_verify_hostname(Cert :: #'OTPCertificate'{} | binary(),
-			   ReferenceIDs :: [{uri_id | dns_id | oid(),  string()}],
+			   ReferenceIDs :: [{uri_id | dns_id | ip | srv_id | oid(),  string()}],
 			   Options :: proplists:proplist()) -> boolean().
 
 %% Description: Validates a hostname to RFC 6125
@@ -942,7 +942,6 @@ ssh_decode(SshBin, Type) when is_binary(SshBin),
 %%--------------------------------------------------------------------
 -spec ssh_encode([{public_key(), Attributes::list()}], ssh_file()) -> binary()
 	      ; (public_key(), ssh2_pubkey) -> binary()
-	      ; ({public_key(),atom()}, ssh2_pubkey) -> binary()
 	      .
 %%
 %% Description: Encodes a list of ssh file entries (public keys and
@@ -1324,9 +1323,9 @@ ec_normalize_params(#'ECParameters'{} = ECParams) ->
 ec_normalize_params(Other) -> Other.
 
 -spec ec_curve_spec(ecpk_parameters_api()) -> term().
-ec_curve_spec( #'ECParameters'{fieldID = FieldId, curve = PCurve, base = Base, order = Order, cofactor = CoFactor }) ->
-    Field = {pubkey_cert_records:supportedCurvesTypes(FieldId#'FieldID'.fieldType),
-	     FieldId#'FieldID'.parameters},
+ec_curve_spec( #'ECParameters'{fieldID = #'FieldID'{fieldType = Type,
+                                                    parameters = Params}, curve = PCurve, base = Base, order = Order, cofactor = CoFactor }) ->
+    Field = format_field(pubkey_cert_records:supportedCurvesTypes(Type), Params),
     Curve = {PCurve#'Curve'.a, PCurve#'Curve'.b, none},
     {Field, Curve, Base, Order, CoFactor};
 ec_curve_spec({ecParameters, ECParams}) ->
@@ -1336,6 +1335,26 @@ ec_curve_spec({namedCurve, OID}) when is_tuple(OID), is_integer(element(1,OID))
 ec_curve_spec({namedCurve, Name}) when is_atom(Name) ->
     crypto:ec_curve(Name).
 
+format_field(characteristic_two_field = Type, Params0) ->
+    #'Characteristic-two'{
+       m = M,
+       basis = BasisOid,
+       parameters = Params} = der_decode('Characteristic-two', Params0),
+    {Type, M, field_param_decode(BasisOid, Params)};
+format_field(prime_field, Params0) ->
+    Prime = der_decode('Prime-p', Params0),
+    {prime_field, Prime}.
+
+field_param_decode(?'ppBasis', Params) ->
+    #'Pentanomial'{k1 = K1, k2 = K2, k3 = K3} =
+        der_decode('Pentanomial', Params),
+    {ppbasis, K1, K2, K3};
+field_param_decode(?'tpBasis', Params) ->
+    K = der_decode('Trinomial', Params),
+    {tpbasis, K};
+field_param_decode(?'gnBasis', _) ->
+    onbasis.
+        
 -spec ec_key({PubKey::term(), PrivateKey::term()}, Params::ecpk_parameters()) -> #'ECPrivateKey'{}.
 ec_key({PubKey, PrivateKey}, Params) ->
     #'ECPrivateKey'{version = 1,
@@ -1454,13 +1473,43 @@ verify_hostname_match_default0({dns_id,R}, {dNSName,P}) ->
     R==P;
 verify_hostname_match_default0({uri_id,R}, {uniformResourceIdentifier,P}) ->
     R==P;
-verify_hostname_match_default0({srv_id,R}, {T,P}) when T == srvName ;
-                                                       T == ?srvName_OID ->
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 4 ->
+    %% IPv4
+    try
+        list_to_tuple(P)
+            == if is_tuple(R), size(R)==4 -> R;
+                  is_list(R) -> ok(inet:parse_ipv4strict_address(R))
+               end
+    catch
+        _:_ ->
+            false
+    end;
+
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 16 ->
+    %% IPv6. The length 16 is due to the certificate specification.
+    try
+        l16_to_tup(P)
+            == if is_tuple(R), size(R)==8 -> R;
+                  is_list(R) -> ok(inet:parse_ipv6strict_address(R))
+               end
+    catch
+        _:_ ->
+            false
+    end;
+verify_hostname_match_default0({srv_id,R}, {srvName,P}) ->
+    R==P;
+verify_hostname_match_default0({srv_id,R}, {?srvName_OID,P}) ->
     R==P;
 verify_hostname_match_default0(_, _) ->
     false.
 
+ok({ok,X}) -> X.
 
+l16_to_tup(L) -> list_to_tuple(l16_to_tup(L, [])).
+%%
+l16_to_tup([A,B|T], Acc) -> l16_to_tup(T, [(A bsl 8) bor B | Acc]);
+l16_to_tup([], Acc) -> lists:reverse(Acc).
+    
 match_wild(A,     [$*|B]) -> match_wild_suffixes(A, B);
 match_wild([C|A], [ C|B]) -> match_wild(A, B);
 match_wild([],        []) -> true;
@@ -1499,13 +1548,16 @@ verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
       Refs).
 
 
+to_lower_ascii({ip,_}=X) -> X;
+to_lower_ascii({iPAddress,_}=X) -> X;
 to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
 to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
 to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
 to_lower_ascii(C) -> C.
 
 to_string(S) when is_list(S) -> S;
-to_string(B) when is_binary(B) -> binary_to_list(B).
+to_string(B) when is_binary(B) -> binary_to_list(B);
+to_string(X) -> X.
 
 format_details([]) ->
     no_relevant_crls;