Diffstat (limited to 'lib/public_key/src')
-rw-r--r--lib/public_key/src/public_key.erl33
1 files changed, 33 insertions, 0 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index a5944bd604..27bf2093a1 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -53,6 +53,7 @@
pkix_crls_validate/3,
pkix_dist_point/1,
pkix_dist_points/1,
+ pkix_match_dist_point/2,
pkix_crl_verify/2,
pkix_crl_issuer/1
]).
@@ -524,6 +525,38 @@ pkix_dist_points(OtpCert) ->
[], Value).
%%--------------------------------------------------------------------
+-spec pkix_match_dist_point(der_encoded() | #'CertificateList'{},
+ #'DistributionPoint'{}) -> boolean().
+%% Description: Check whether the given distribution point matches
+%% the "issuing distribution point" of the CRL.
+%%--------------------------------------------------------------------
+pkix_match_dist_point(CRL, DistPoint) when is_binary(CRL) ->
+ pkix_match_dist_point(der_decode('CertificateList', CRL), DistPoint);
+pkix_match_dist_point(#'CertificateList'{},
+ #'DistributionPoint'{distributionPoint = asn1_NOVALUE}) ->
+ %% No distribution point name specified - that's considered a match.
+ true;
+pkix_match_dist_point(#'CertificateList'{
+ tbsCertList =
+ #'TBSCertList'{
+ crlExtensions = Extensions}},
+ #'DistributionPoint'{
+ distributionPoint = {fullName, DPs}}) ->
+ case pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions) of
+ undefined ->
+ %% If the CRL doesn't have an IDP extension, it
+ %% automatically qualifies.
+ true;
+ #'Extension'{extnValue = IDPValue} ->
+ %% If the CRL does have an IDP extension, it must match
+ %% the given DistributionPoint to be considered a match.
+ IDPEncoded = der_decode('IssuingDistributionPoint', IDPValue),
+ #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} =
+ pubkey_cert_records:transform(IDPEncoded, decode),
+ pubkey_crl:match_one(IDPs, DPs)
+ end.
+
+%%--------------------------------------------------------------------
-spec pkix_sign(#'OTPTBSCertificate'{},
rsa_private_key() | dsa_private_key()) -> Der::binary().
%%
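Review bot: The asserting match on `{fullName, IDPs}` in the `#'Extension'{}` branch raises `badmatch` whenever the CRL's issuing distribution point extension omits its name or carries `nameRelativeToCRLIssuer`, so a function specced as `boolean()` can crash on CRL content the caller does not control. The second argument has the same gap: no clause covers a `DistributionPoint` whose name is `{nameRelativeToCRLIssuer, _}`, which ends in `function_clause`. Matching the decoded record in a `case` and returning an explicit result for the other shapes keeps revocation checking on a defined path. Which boolean is correct for those shapes cannot be settled from this hunk, so the values below are marked for confirmation.

```erlang
        #'Extension'{extnValue = IDPValue} ->
            %% … unchanged: der_decode of IDPValue into IDPEncoded …
            case pubkey_cert_records:transform(IDPEncoded, decode) of
                #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} ->
                    pubkey_crl:match_one(IDPs, DPs);
                #'IssuingDistributionPoint'{distributionPoint = asn1_NOVALUE} ->
                    %% IDP carries no name, so there is nothing to compare.
                    %% TODO confirm: treated as a match, like the DP clause above.
                    true;
                #'IssuingDistributionPoint'{} ->
                    %% nameRelativeToCRLIssuer is not resolved here.
                    %% TODO confirm: reject rather than crash.
                    false
            end
```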