Diffstat (limited to 'lib/public_key')
-rw-r--r-- | lib/public_key/src/pubkey_cert.erl | 4 | ||||
-rw-r--r-- | lib/public_key/src/pubkey_crl.erl | 14 |
2 files changed, 11 insertions, 7 deletions
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 07469e342f..6272fae91b 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -343,8 +343,8 @@ match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
 case split_uri(URI) of
 incomplete ->
 false;
- {_, _, _Host, _, _} ->
- match_name(fun is_valid_host_or_domain/2, URI,
+ {_, _, Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, Host,
 PermittedName, Rest)
 end;
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
 ok;
 verify_dp_name(IDPNames, DPorIssuerNames) ->
- case match_one(DPorIssuerNames, IDPNames) of
- true ->
- ok;
- false ->
- throw({bad_crl, scope_error})
+ %% RFC 5280 section 5.2.5
+ %% Check that at least one IssuingDistributionPointName in the CRL lines up
+ %% with a DistributionPointName in the certificate.
+ Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+ case Matches of
+ [] ->
+ throw({bad_crl, scope_error});
+ _ ->
+ ok
 end.
 match_one([], _) -> |
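Review bot: The `{_, _, Host, _, _}` branch has no comment saying that a URI name constraint is evaluated against the host component only; something like `%% RFC 5280 4.2.1.10: a URI constraint applies to the host part of the name` would explain why `Host` rather than `URI` is handed to `is_valid_host_or_domain/2`. The diffstat for lib/public_key lists only the two source files, so no regression test pins this behaviour; a case with one URI inside and one outside the permitted subtree would keep the whole-URI comparison from coming back. `split_uri/1` is not visible here, so it is worth confirming that the third tuple element carries no userinfo or port and that the host comparison is case-insensitive. The clause head sits in the hunk header and the other `match_name` clauses are outside the hunk.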
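Review bot: The comprehension in `verify_dp_name/2` collects every matching pair although the `case` only asks whether the list is empty, and it compares with `==` where exact equality is meant; `case lists:any(fun(N) -> lists:member(N, DPorIssuerNames) end, IDPNames) of` with `true -> ok; false -> throw({bad_crl, scope_error})` stops at the first match and uses `=:=` semantics. Either form is plain term equality, so two names that RFC 5280 section 7.1 would treat as equal after normalization (case, whitespace, string type) presumably still end in `scope_error`; that fails closed, but the new comment should say so. `match_one/2` is still defined right after this function; if this was its only caller it is now dead code and will produce an unused-function warning, which cannot be confirmed from the hunk.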