6 files changed, 144 insertions, 54 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index dc8d68c78f..ae517ca642 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -319,6 +319,8 @@ verify_fun(Otpcert, Result, UserState0, VerifyFun) ->
 %%
 %% Description: Extracts a specific extension from a list of extensions.
 %%--------------------------------------------------------------------
+select_extension(_, asn1_NOVALUE) ->
+    undefined;
 select_extension(_, []) ->
     undefined;
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
@@ -342,8 +344,11 @@ match_name(uniformResourceIdentifier, URI,  [PermittedName | Rest]) ->
 	incomplete ->
 	    false;
 	{_, _, Host, _, _} ->
-	    match_name(fun is_valid_host_or_domain/2, Host,
-		       PermittedName, Rest)
+	    PN = case split_uri(PermittedName) of
+		     {_, _, PNhost, _, _} -> PNhost;
+		     _X -> PermittedName
+		 end,
+	    match_name(fun is_valid_host_or_domain/2, Host, PN, Rest)
     end;
 
 match_name(emailAddress, Name, [PermittedName | Rest]) ->
@@ -511,10 +516,10 @@ is_dir_name2(Value, Value) -> true;
 is_dir_name2({printableString, Value1}, {printableString, Value2}) ->
     string:to_lower(strip_spaces(Value1)) =:= 
 	string:to_lower(strip_spaces(Value2));
-is_dir_name2({utf8String, Value1}, String) ->  %% BUGBUG FIX UTF8 conv
-    is_dir_name2({printableString, binary_to_list(Value1)}, String);
-is_dir_name2(String, {utf8String, Value1}) ->  %% BUGBUG FIX UTF8 conv
-    is_dir_name2(String, {printableString, binary_to_list(Value1)});
+is_dir_name2({utf8String, Value1}, String) ->
+    is_dir_name2({printableString, unicode:characters_to_list(Value1)}, String);
+is_dir_name2(String, {utf8String, Value1}) ->
+    is_dir_name2(String, {printableString, unicode:characters_to_list(Value1)});
 is_dir_name2(_, _) ->
     false.
 
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index eaba5bfa1b..f0df4bc3f2 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
 		CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
 		TBSCRL = CRL#'CertificateList'.tbsCertList,
 		CRLIssuer =  TBSCRL#'TBSCertList'.issuer,
-		AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
+		AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
+							     TBSCert#'OTPTBSCertificate'.extensions) of
+			     undefined ->
+				[];
+			     Ext ->
+				Ext#'Extension'.extnValue
+			   end,
 		revoked_status(DP, IDP, {directoryName, CRLIssuer},
 			       [ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
 			       DeltaRevoked, RevokedState1);
@@ -397,16 +403,18 @@ verify_dp_name(IDPNames, DPorIssuerNames) ->
 match_one([], _) ->
     false;
 match_one([{Type, Name} | Names], CandidateNames) ->
-    Candidates = [NameName || {NameType, NameName} <- CandidateNames, NameType == Type],
+    Candidates = [NameName || {NameType, NameName} <- CandidateNames, 
+			      NameType == Type],
     case Candidates of
 	[] ->
 	    false;
-	[_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
-		     true ->
-			 true;
-		 false ->
-			 match_one(Names, CandidateNames)
-		 end
+	[_|_] ->
+	    case pubkey_cert:match_name(Type, Name, Candidates) of
+		true ->
+		    true;
+		false ->
+		    match_one(Names, CandidateNames)
+	    end
     end.
 
 verify_dp_bools(TBSCert, IDP) ->
@@ -664,6 +672,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
     verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
 verify_extensions([]) ->
     true;
+verify_extensions(asn1_NOVALUE) ->
+    true;
 verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
     case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
 			   ?'id-ce-issuerAltName',
@@ -689,13 +699,3 @@ authority_key_identifier(Extensions) ->
     Enc = extension_value(?'id-ce-authorityKeyIdentifier',
 			  'AuthorityKeyIdentifier', Extensions),
     pubkey_cert_records:transform(Enc, decode).
-
-subject_alt_names(Extensions) ->
-    Enc = extension_value(?'id-ce-subjectAltName',
-			  'GeneralNames', Extensions),
-    case Enc of
-	undefined ->
-	    [];
-	_ ->
-	    pubkey_cert_records:transform(Enc, decode)
-    end.
diff --git a/lib/public_key/src/pubkey_pbe.erl b/lib/public_key/src/pubkey_pbe.erl
index 460624163b..521a32189d 100644
--- a/lib/public_key/src/pubkey_pbe.erl
+++ b/lib/public_key/src/pubkey_pbe.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2011-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2011-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -22,7 +22,7 @@
 
 -include("public_key.hrl").
 
--export([encode/4, decode/4, decrypt_parameters/1]). 
+-export([encode/4, decode/4, decrypt_parameters/1, encrypt_parameters/1]). 
 -export([pbdkdf1/4, pbdkdf2/7]).
 
 -define(DEFAULT_SHA_MAC_KEYLEN, 20).
@@ -40,16 +40,16 @@
 %%--------------------------------------------------------------------
 encode(Data, Password, "DES-CBC" = Cipher, KeyDevParams) ->
     {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
-    crypto:block_encrypt(des_cbc, Key, IV, Data);
+    crypto:block_encrypt(des_cbc, Key, IV, pbe_pad(Data, KeyDevParams));
 
 encode(Data, Password, "DES-EDE3-CBC" = Cipher, KeyDevParams) ->
     {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
     <<Key1:8/binary, Key2:8/binary, Key3:8/binary>> = Key,
-    crypto:block_encrypt(des3_cbc, [Key1, Key2, Key3], IV, Data);
+    crypto:block_encrypt(des3_cbc, [Key1, Key2, Key3], IV, pbe_pad(Data));
 
 encode(Data, Password, "RC2-CBC" = Cipher, KeyDevParams) ->
     {Key, IV} = password_to_key_and_iv(Password, Cipher, KeyDevParams),
-    crypto:block_encrypt(rc2_cbc, Key, IV, Data).
+    crypto:block_encrypt(rc2_cbc, Key, IV, pbe_pad(Data, KeyDevParams)).
 %%--------------------------------------------------------------------
 -spec decode(binary(), string(), string(), term()) -> binary().
 %%
@@ -108,6 +108,15 @@ decrypt_parameters(#'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
 		      algorithm = Oid, parameters = Param}) ->
      decrypt_parameters(Oid, Param).
     
+
+%%--------------------------------------------------------------------
+-spec encrypt_parameters({Cipher::string(), Params::term()}) -> 
+			#'EncryptedPrivateKeyInfo_encryptionAlgorithm'{}.
+%%
+%% Description: Performs ANS1-decoding of encryption parameters.
+%%--------------------------------------------------------------------
+encrypt_parameters({Cipher, Params}) ->
+    encrypt_parameters(Cipher, Params).
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
@@ -117,14 +126,18 @@ password_to_key_and_iv(Password, _, #'PBES2-params'{} = Params) ->
     <<Key:KeyLen/binary, _/binary>> = 
 	pbdkdf2(Password, Salt, ItrCount, KeyLen, PseudoRandomFunction, PseudoHash, PseudoOtputLen),
     {Key, IV};
+password_to_key_and_iv(Password, _Cipher, {#'PBEParameter'{salt = Salt,
+							  iterationCount = Count}, Hash}) ->
+    <<Key:8/binary, IV:8/binary, _/binary>> 
+	= pbdkdf1(Password, erlang:iolist_to_binary(Salt), Count, Hash),
+    {Key, IV};
 password_to_key_and_iv(Password, Cipher, Salt) ->
-    KeyLen = derived_key_length(Cipher, undefined),
+ KeyLen = derived_key_length(Cipher, undefined),
     <<Key:KeyLen/binary, _/binary>> = 
 	pem_encrypt(<<>>, Password, Salt, ceiling(KeyLen div 16), <<>>, md5),
     %% Old PEM encryption does not use standard encryption method
-    %% pbdkdf1 and uses then salt as IV
+    %% pbdkdf1 and uses then salt as IV 
     {Key, Salt}.
-
 pem_encrypt(_, _, _, 0, Acc, _) ->
     Acc;
 pem_encrypt(Prev, Password, Salt, Count, Acc, Hash) ->
@@ -169,7 +182,52 @@ do_xor_sum(Prf, PrfHash, PrfLen, Prev, Password, Count, Acc)->
 
 decrypt_parameters(?'id-PBES2', DekParams) ->
     {ok, Params} = 'PKCS-FRAME':decode('PBES2-params', DekParams),
-    {cipher(Params#'PBES2-params'.encryptionScheme), Params}.
+    {cipher(Params#'PBES2-params'.encryptionScheme), Params};
+decrypt_parameters(?'pbeWithSHA1AndRC2-CBC', DekParams) ->
+    {ok, Params} = 'PKCS-FRAME':decode('PBEParameter', DekParams),
+    {"RC2-CBC", {Params, sha}};
+decrypt_parameters(?'pbeWithSHA1AndDES-CBC', DekParams) ->
+    {ok, Params} = 'PKCS-FRAME':decode('PBEParameter', DekParams),
+    {"DES-CBC", {Params, sha}};
+decrypt_parameters(?'pbeWithMD5AndRC2-CBC', DekParams) ->
+    {ok, Params} = 'PKCS-FRAME':decode('PBEParameter', DekParams),
+    {"RC2-CBC", {Params, md5}};
+decrypt_parameters(?'pbeWithMD5AndDES-CBC', DekParams) ->
+    {ok, Params} = 'PKCS-FRAME':decode('PBEParameter', DekParams),
+    {"DES-CBC", {Params, md5}}.
+
+encrypt_parameters(_Cipher, #'PBES2-params'{} = Params) ->
+    {ok, Der} ='PKCS-FRAME':encode('PBES2-params', Params),
+    #'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
+       algorithm = ?'id-PBES2', 
+       parameters = Der};
+
+encrypt_parameters(Cipher, {#'PBEParameter'{} = Params, Hash}) ->
+    {ok, Der} ='PKCS-FRAME':encode('PBEParameter', Params),
+    #'EncryptedPrivateKeyInfo_encryptionAlgorithm'{
+       algorithm = pbe1_oid(Cipher, Hash), 
+       parameters = Der}.
+
+pbe1_oid("RC2-CBC", sha) ->
+    ?'pbeWithSHA1AndRC2-CBC';
+pbe1_oid("DES-CBC", sha) ->
+    ?'pbeWithSHA1AndDES-CBC';
+pbe1_oid("RC2-CBC", md5) ->
+    ?'pbeWithMD5AndRC2-CBC';
+pbe1_oid("DES-CBC", md5) ->
+    ?'pbeWithMD5AndDES-CBC'.
+
+pbe_pad(Data, {#'PBEParameter'{}, _}) ->
+    pbe_pad(Data);
+pbe_pad(Data, #'PBES2-params'{}) ->
+    pbe_pad(Data);
+pbe_pad(Data, _) ->
+    Data.
+
+pbe_pad(Data) ->
+    N = 8 - (erlang:byte_size(Data) rem 8), 
+    Pad = list_to_binary(lists:duplicate(N, N)),
+    <<Data/binary, Pad/binary>>.
 
 key_derivation_params(#'PBES2-params'{keyDerivationFunc = KeyDerivationFunc,
 				      encryptionScheme = EncScheme}) ->
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index 3a1653d989..98881c4a6a 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -68,7 +68,8 @@ encode(PemEntries) ->
 
 %%--------------------------------------------------------------------
 -spec decipher({public_key:pki_asn1_type(), DerEncrypted::binary(),
-		{Cipher :: string(), Salt :: iodata() | #'PBES2-params'{}}},
+		{Cipher :: string(), Salt :: iodata() | #'PBES2-params'{} 
+					   | {#'PBEParameter'{}, atom()}}},
 	       string()) -> Der::binary().
 %%
 %% Description: Deciphers a decrypted pem entry.
@@ -77,7 +78,8 @@ decipher({_, DecryptDer, {Cipher, KeyDevParams}}, Password) ->
     pubkey_pbe:decode(DecryptDer, Password, Cipher, KeyDevParams).
 
 %%--------------------------------------------------------------------
--spec cipher(Der::binary(), {Cipher :: string(), Salt :: iodata() | #'PBES2-params'{}} ,
+-spec cipher(Der::binary(), {Cipher :: string(), Salt :: iodata() | #'PBES2-params'{} 
+						       | {#'PBEParameter'{}, atom()}}, 
 	     string()) -> binary().
 %%
 %% Description: Ciphers a PEM entry
@@ -94,6 +96,10 @@ encode_pem_entries(Entries) ->
 encode_pem_entry({Type, Der, not_encrypted}) ->
     StartStr = pem_start(Type),
     [StartStr, "\n", b64encode_and_split(Der), "\n", pem_end(StartStr) ,"\n\n"];
+encode_pem_entry({'PrivateKeyInfo', Der, EncParams}) -> 
+    EncDer = encode_encrypted_private_keyinfo(Der, EncParams),
+    StartStr = pem_start('EncryptedPrivateKeyInfo'),
+    [StartStr, "\n", b64encode_and_split(EncDer), "\n", pem_end(StartStr) ,"\n\n"];
 encode_pem_entry({Type, Der, {Cipher, Salt}}) ->
     StartStr = pem_start(Type),
     [StartStr,"\n", pem_decrypt(),"\n", pem_decrypt_info(Cipher, Salt),"\n",
@@ -139,6 +145,12 @@ decode_encrypted_private_keyinfo(Der) ->
     DecryptParams = pubkey_pbe:decrypt_parameters(AlgorithmInfo), 
     {'PrivateKeyInfo', iolist_to_binary(Data), DecryptParams}.
 
+
+encode_encrypted_private_keyinfo(EncData, EncryptParmams) ->
+    AlgorithmInfo = pubkey_pbe:encrypt_parameters(EncryptParmams),
+    public_key:der_encode('EncryptedPrivateKeyInfo',   
+			  #'EncryptedPrivateKeyInfo'{encryptionAlgorithm = AlgorithmInfo,
+						     encryptedData = EncData}).
 split_bin(Bin) ->
     split_bin(0, Bin).
 
@@ -197,13 +209,15 @@ pem_start('DSAPrivateKey') ->
     <<"-----BEGIN DSA PRIVATE KEY-----">>;
 pem_start('DHParameter') ->
     <<"-----BEGIN DH PARAMETERS-----">>;
+pem_start('EncryptedPrivateKeyInfo') ->
+    <<"-----BEGIN ENCRYPTED PRIVATE KEY-----">>;
 pem_start('CertificationRequest') ->
     <<"-----BEGIN CERTIFICATE REQUEST-----">>;
 pem_start('ContentInfo') ->
     <<"-----BEGIN PKCS7-----">>;
 pem_start('CertificateList') ->
      <<"-----BEGIN X509 CRL-----">>;
-pem_start('OTPEcpkParameters') ->
+pem_start('EcpkParameters') ->
     <<"-----BEGIN EC PARAMETERS-----">>;
 pem_start('ECPrivateKey') ->
     <<"-----BEGIN EC PRIVATE KEY-----">>.
@@ -260,7 +274,7 @@ asn1_type(<<"-----BEGIN PKCS7-----">>) ->
 asn1_type(<<"-----BEGIN X509 CRL-----">>) ->
     'CertificateList';
 asn1_type(<<"-----BEGIN EC PARAMETERS-----">>) ->
-    'OTPEcpkParameters';
+    'EcpkParameters';
 asn1_type(<<"-----BEGIN EC PRIVATE KEY-----">>) ->
     'ECPrivateKey'.
 
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
index 736a778a4b..88ef07c5a6 100644
--- a/lib/public_key/src/public_key.app.src
+++ b/lib/public_key/src/public_key.app.src
@@ -13,7 +13,9 @@
             ]},
    {applications, [asn1, crypto, kernel, stdlib]},
    {registered, []},
-   {env, []}  
+   {env, []},
+   {runtime_dependencies, ["stdlib-2.0","kernel-3.0","erts-6.0","crypto-3.3",
+			   "asn1-3.0"]}
    ]
 }.
 
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index a732455aa7..1bbf4ef416 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -64,9 +64,15 @@
 -type der_encoded()          :: binary().
 -type pki_asn1_type()        ::  'Certificate' | 'RSAPrivateKey' | 'RSAPublicKey'
 			       | 'DSAPrivateKey' | 'DSAPublicKey' | 'DHParameter'
-                               | 'SubjectPublicKeyInfo' | 'CertificationRequest' | 'CertificateList'.
--type pem_entry()            :: {pki_asn1_type(), binary(), %% DER or Encrypted DER
-				 not_encrypted | {Cipher :: string(), Salt :: binary()}}.
+                               | 'SubjectPublicKeyInfo' | 'PrivateKeyInfo' | 
+				 'CertificationRequest' | 'CertificateList' |
+				 'ECPrivateKey' | 'EcpkParameters'.
+-type pem_entry()            :: {pki_asn1_type(), 
+				 binary(), %% DER or Encrypted DER
+				 not_encrypted | {Cipher :: string(), Salt :: binary()} |
+				 {Cipher :: string(), #'PBES2-params'{}} | 
+				 {Cipher :: string(), {#'PBEParameter'{}, atom()}} %% hash type
+				}.
 -type asn1_type()            :: atom(). %% see "OTP-PUB-KEY.hrl
 -type ssh_file()             :: openssh_public_key | rfc4716_public_key | known_hosts |
 				auth_keys.
@@ -133,20 +139,19 @@ pem_entry_decode({Asn1Type, CryptDer, {Cipher, #'PBES2-params'{}}} = PemEntry,
 				is_binary(CryptDer) andalso
 				is_list(Cipher) ->
     do_pem_entry_decode(PemEntry, Password);
+pem_entry_decode({Asn1Type, CryptDer, {Cipher, {#'PBEParameter'{},_}}} = PemEntry, 
+ 		 Password) when is_atom(Asn1Type) andalso
+ 				is_binary(CryptDer) andalso
+ 				is_list(Cipher) ->
+    do_pem_entry_decode(PemEntry, Password);
 pem_entry_decode({Asn1Type, CryptDer, {Cipher, Salt}} = PemEntry, 
 		 Password) when is_atom(Asn1Type) andalso
 				is_binary(CryptDer) andalso
 				is_list(Cipher) andalso
 				is_binary(Salt) andalso
-				erlang:byte_size(Salt) == 8 ->
-    do_pem_entry_decode(PemEntry, Password);
-pem_entry_decode({Asn1Type, CryptDer, {"AES-128-CBC"=Cipher, IV}} = PemEntry,
-		 Password) when is_atom(Asn1Type) andalso
-				is_binary(CryptDer) andalso
-				is_list(Cipher) andalso
-				is_binary(IV) andalso
-				erlang:byte_size(IV) == 16 ->
-    do_pem_entry_decode(PemEntry, Password).
+				((erlang:byte_size(Salt) == 8) or (erlang:byte_size(Salt) == 16)) ->
+    do_pem_entry_decode(PemEntry, Password).	
+
 
 %%--------------------------------------------------------------------
 -spec pem_entry_encode(pki_asn1_type(), term()) -> pem_entry().
@@ -174,13 +179,19 @@ pem_entry_encode(Asn1Type, Entity, {{Cipher, #'PBES2-params'{}} = CipherInfo,
 						    is_list(Password) andalso
 						    is_list(Cipher) ->
     do_pem_entry_encode(Asn1Type, Entity, CipherInfo, Password);
-
+pem_entry_encode(Asn1Type, Entity, {{Cipher,
+ 				     {#'PBEParameter'{}, _}} = CipherInfo,
+ 				    Password}) when is_atom(Asn1Type) andalso
+ 						    is_list(Password) andalso
+ 						    is_list(Cipher) ->
+    do_pem_entry_encode(Asn1Type, Entity, CipherInfo, Password);
 pem_entry_encode(Asn1Type, Entity, {{Cipher, Salt} = CipherInfo, 
 				    Password}) when is_atom(Asn1Type) andalso
 						    is_list(Password) andalso
 						    is_list(Cipher) andalso
 						    is_binary(Salt) andalso
-						    erlang:byte_size(Salt) == 8 ->
+						    ((erlang:byte_size(Salt) == 8) or
+						     (erlang:byte_size(Salt) == 16)) ->
     do_pem_entry_encode(Asn1Type, Entity, CipherInfo, Password).
     
 %%--------------------------------------------------------------------
@@ -615,11 +626,11 @@ pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
 
 %--------------------------------------------------------------------
 -spec pkix_crls_validate(#'OTPCertificate'{},
-			 [{DP::#'DistributionPoint'{} ,CRL::#'CertificateList'{}}],
+			 [{DP::#'DistributionPoint'{}, {DerCRL::binary(), CRL::#'CertificateList'{}}}],
 			 Options :: proplists:proplist()) -> valid | {bad_cert, revocation_status_undetermined}
 								| {bad_cert, {revoked, crl_reason()}}.
 
-%% Description: Performs a basic path validation according to RFC 5280.
+%% Description: Performs a CRL validation according to RFC 5280.
 %%--------------------------------------------------------------------
 pkix_crls_validate(OtpCert, [{_,_,_} |_] = DPAndCRLs, Options) ->
     pkix_crls_validate(OtpCert, DPAndCRLs, DPAndCRLs,