1 files changed, 39 insertions, 57 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 8a79f75725..6cf57ced81 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -31,10 +31,11 @@
 -include("ssl_debug.hrl").
 -include_lib("public_key/include/public_key.hrl"). 
 
--export([trusted_cert_and_path/3, 
+-export([trusted_cert_and_path/2,
 	 certificate_chain/2, 
 	 file_to_certificats/1,
-	 validate_extensions/6,
+	 %validate_extensions/6,
+	 validate_extension/3,
 	 is_valid_extkey_usage/2,
 	 is_valid_key_usage/2,
 	 select_extension/2,
@@ -47,61 +48,59 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec trusted_cert_and_path([der_cert()], certdb_ref(), boolean()) -> 
-				   {der_cert(), [der_cert()], list()}.
+-spec trusted_cert_and_path([der_cert()], certdb_ref()) ->
+				   {der_cert() | unknown_ca, [der_cert()]}.
 %%
 %% Description: Extracts the root cert (if not presents tries to 
 %% look it up, if not found {bad_cert, unknown_ca} will be added verification
 %% errors. Returns {RootCert, Path, VerifyErrors}
 %%--------------------------------------------------------------------
-trusted_cert_and_path(CertChain, CertDbRef, Verify) ->
-    [Cert | RestPath] = lists:reverse(CertChain),
-    {ok, OtpCert} = public_key:pkix_decode_cert(Cert, otp),
-    IssuerAnPath = 
+trusted_cert_and_path(CertChain, CertDbRef) ->
+    Path = [Cert | _] = lists:reverse(CertChain),
+    OtpCert = public_key:pkix_decode_cert(Cert, otp),
+    IssuerID =
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
 		{ok, IssuerId} = public_key:pkix_issuer_id(OtpCert, self),
-		{IssuerId, RestPath};
-	    false  ->
+		IssuerId;
+	    false ->
 		case public_key:pkix_issuer_id(OtpCert, other) of
 		    {ok, IssuerId} ->
-			{IssuerId, [Cert | RestPath]};
+			IssuerId;
 		    {error, issuer_not_found} ->
 			case find_issuer(OtpCert, no_candidate) of
 			    {ok, IssuerId} ->
-				{IssuerId, [Cert | RestPath]};
+				IssuerId;
 			    Other ->
-				{Other, RestPath}
+				Other
 			end
 		end
 	end,
     
-    case IssuerAnPath of
-	{{error, issuer_not_found}, _ } ->
-	    %% The root CA was not sent and can not be found, we fail if verify = true
-	    not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA), Verify, {Cert, RestPath});
-	{{SerialNr, Issuer}, Path} ->
-	    case ssl_manager:lookup_trusted_cert(CertDbRef, 
-							SerialNr, Issuer) of
+    case IssuerID of
+	{error, issuer_not_found} ->
+	    %% The root CA was not sent and can not be found.
+	    {unknown_ca, Path};
+	{SerialNr, Issuer} ->
+	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
 		{ok, {BinCert,_}} ->
-		    {BinCert, Path, []};
+		    {BinCert, Path};
 		_ ->
-		    %%  Fail if verify = true
-		    not_valid(?ALERT_REC(?FATAL, ?UNKNOWN_CA),
-			     Verify,  {Cert, RestPath})
+		    %% Root CA could not be verified
+		    {unknown_ca, Path}
 	    end
     end.
 
 %%--------------------------------------------------------------------
 -spec certificate_chain(undefined | binary(), certdb_ref()) -> 
-			  {error, no_cert} | [der_cert()].
+			  {error, no_cert} | {ok, [der_cert()]}.
 %%
 %% Description: Return the certificate chain to send to peer.
 %%--------------------------------------------------------------------
 certificate_chain(undefined, _CertsDbRef) ->
     {error, no_cert};
 certificate_chain(OwnCert, CertsDbRef) ->
-    {ok, ErlCert} = public_key:pkix_decode_cert(OwnCert, otp),
+    ErlCert = public_key:pkix_decode_cert(OwnCert, otp),
     certificate_chain(ErlCert, OwnCert, CertsDbRef, [OwnCert]).
 %%--------------------------------------------------------------------
 -spec file_to_certificats(string()) -> [der_cert()].
@@ -110,34 +109,27 @@ certificate_chain(OwnCert, CertsDbRef) ->
 %%--------------------------------------------------------------------
 file_to_certificats(File) -> 
     {ok, List} = ssl_manager:cache_pem_file(File),
-    [Bin || {cert, Bin, not_encrypted} <- List].
+    [Bin || {'Certificate', Bin, not_encrypted} <- List].
 %%--------------------------------------------------------------------
--spec validate_extensions([#'Extension'{}], term(), [#'Extension'{}],
-			  boolean(), list(), client | server) -> {[#'Extension'{}], term(), list()}.
+-spec validate_extension(term(), #'Extension'{}, term()) -> {valid, term()} |
+							    {fail, tuple()} |
+							    {unknown, term()}.
 %%
 %% Description:  Validates ssl/tls specific extensions
 %%--------------------------------------------------------------------
-validate_extensions([], ValidationState, UnknownExtensions, _, AccErr, _) -> 
-    {UnknownExtensions, ValidationState, AccErr};
-
-validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage',
-				  extnValue = KeyUse,
-				  critical = true} | Rest], 
-		    ValidationState, UnknownExtensions, Verify, AccErr0, Role) ->
+validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage',
+					      extnValue = KeyUse,
+					      critical = true}}, Role) ->
     case is_valid_extkey_usage(KeyUse, Role) of
 	true ->
-	    validate_extensions(Rest, ValidationState, UnknownExtensions, 
-				Verify, AccErr0, Role);
+	    {valid, Role};
 	false ->
-	    AccErr = 
-		not_valid_extension({bad_cert, invalid_ext_key_usage}, Verify, AccErr0),
-	    validate_extensions(Rest, ValidationState, UnknownExtensions, Verify, AccErr, Role)
+	    {fail, {bad_cert, invalid_ext_key_usage}}
     end;
-
-validate_extensions([Extension | Rest],  ValidationState, UnknownExtensions, 
-		    Verify, AccErr, Role) ->
-    validate_extensions(Rest, ValidationState, [Extension | UnknownExtensions],
-		       Verify, AccErr, Role).
+validate_extension(_, {bad_cert, _} = Reason, _) ->
+    {fail, Reason};
+validate_extension(_, _, Role) ->
+    {unknown, Role}.
 
 %%--------------------------------------------------------------------
 -spec is_valid_key_usage(list(), term()) -> boolean().
@@ -219,7 +211,7 @@ certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) ->
     case ssl_manager:lookup_trusted_cert(CertsDbRef, 
 						SerialNr, Issuer) of
 	{ok, {IssuerCert, ErlCert}} ->
-	    {ok, ErlCert} = public_key:pkix_decode_cert(IssuerCert, otp),
+	    ErlCert = public_key:pkix_decode_cert(IssuerCert, otp),
 	    certificate_chain(ErlCert, IssuerCert, 
 			      CertsDbRef, [IssuerCert | Chain]);
 	_ ->
@@ -244,19 +236,9 @@ find_issuer(OtpCert, PrevCandidateKey) ->
 	    end
     end.
 
-not_valid(Alert, true, _) ->
-    throw(Alert);
-not_valid(_, false, {ErlCert, Path}) ->
-    {ErlCert, Path, [{bad_cert, unknown_ca}]}.
-
 is_valid_extkey_usage(KeyUse, client) ->
     %% Client wants to verify server
     is_valid_key_usage(KeyUse,?'id-kp-serverAuth');
 is_valid_extkey_usage(KeyUse, server) ->
     %% Server wants to verify client
     is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
-
-not_valid_extension(Error, true, _) ->
-    throw(Error);
-not_valid_extension(Error, false, AccErrors) ->
-    [Error | AccErrors].