3 files changed, 93 insertions, 25 deletions

diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index c9db0d3851..f8aef55754 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -66,9 +66,9 @@ make_cert(Opts) ->
 %% @end
 %%--------------------------------------------------------------------
 write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
-    ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ ".pem"), 
+    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
 			       [{'Certificate', Cert, not_encrypted}]),
-    ok = ssl_test_lib:der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
+    ok = der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).
 
 %%--------------------------------------------------------------------
 %% @doc Creates a rsa key (OBS: for testing only)
@@ -144,34 +144,39 @@ encode_key(Key = #'DSAPrivateKey'{}) ->
 
 make_tbs(SubjectKey, Opts) ->    
     Version = list_to_atom("v"++integer_to_list(proplists:get_value(version, Opts, 3))),
-    {Issuer, IssuerKey}  = issuer(Opts, SubjectKey),
+
+    IssuerProp = proplists:get_value(issuer, Opts, true),
+    {Issuer, IssuerKey}  = issuer(IssuerProp, Opts, SubjectKey),
 
     {Algo, Parameters} = sign_algorithm(IssuerKey, Opts),
     
     SignAlgo = #'SignatureAlgorithm'{algorithm  = Algo,
 				     parameters = Parameters},    
-    
+    Subject = case IssuerProp of
+		  true -> %% Is a Root Ca
+		      Issuer;
+		  _ ->
+		      subject(proplists:get_value(subject, Opts),false)
+	      end,
+
     {#'OTPTBSCertificate'{serialNumber = trunc(random:uniform()*100000000)*10000 + 1,
 			  signature    = SignAlgo,
 			  issuer       = Issuer,
 			  validity     = validity(Opts),
-			  subject      = subject(proplists:get_value(subject, Opts),false),
+			  subject      = Subject,
 			  subjectPublicKeyInfo = publickey(SubjectKey),
 			  version      = Version,
 			  extensions   = extensions(Opts)
 			 }, IssuerKey}.
 
-issuer(Opts, SubjectKey) ->
-    IssuerProp = proplists:get_value(issuer, Opts, true),
-    case IssuerProp of 
-	true -> %% Self signed
-	    {subject(proplists:get_value(subject, Opts), true), SubjectKey};
-	{Issuer, IssuerKey} when is_binary(Issuer) ->
-	    {issuer_der(Issuer), decode_key(IssuerKey)};
-        {File, IssuerKey} when is_list(File) ->
-	    {ok, [{cert, Cert, _}|_]} = public_key:pem_to_der(File),
-	    {issuer_der(Cert), decode_key(IssuerKey)}
-    end.
+issuer(true, Opts, SubjectKey) ->
+    %% Self signed
+    {subject(proplists:get_value(subject, Opts), true), SubjectKey};
+issuer({Issuer, IssuerKey}, _Opts, _SubjectKey) when is_binary(Issuer) ->
+    {issuer_der(Issuer), decode_key(IssuerKey)};
+issuer({File, IssuerKey}, _Opts, _SubjectKey) when is_list(File) ->
+    {ok, [{cert, Cert, _}|_]} = public_key:pem_to_der(File),
+    {issuer_der(Cert), decode_key(IssuerKey)}.
 
 issuer_der(Issuer) ->
     Decoded = public_key:pkix_decode_cert(Issuer, otp),
@@ -179,8 +184,8 @@ issuer_der(Issuer) ->
     #'OTPTBSCertificate'{subject=Subject} = Tbs,
     Subject.
 
-subject(undefined, IsCA) ->
-    User = if IsCA -> "CA"; true -> os:getenv("USER") end,
+subject(undefined, IsRootCA) ->
+    User = if IsRootCA -> "RootCA"; true -> os:getenv("USER") end,
     Opts = [{email, User ++ "@erlang.org"},
 	    {name, User},
 	    {city, "Stockholm"},
@@ -267,7 +272,7 @@ publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.
 
 validity(Opts) ->
-    DefFrom0 = date(),
+    DefFrom0 = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())-1),
     DefTo0   = calendar:gregorian_days_to_date(calendar:date_to_gregorian_days(date())+7),
     {DefFrom, DefTo} = proplists:get_value(validity, Opts, {DefFrom0, DefTo0}),
     Format = fun({Y,M,D}) -> lists:flatten(io_lib:format("~w~2..0w~2..0w000000Z",[Y,M,D])) end,
@@ -406,3 +411,11 @@ extended_gcd(A, B) ->
 	    {X, Y} = extended_gcd(B, N),
 	    {Y, X-Y*(A div B)}
     end.
+
+pem_to_der(File) ->
+    {ok, PemBin} = file:read_file(File),
+    public_key:pem_decode(PemBin).
+
+der_to_pem(File, Entries) ->
+    PemBin = public_key:pem_encode(Entries),
+    file:write_file(File, PemBin).
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index c6807c7b32..d50b34b6ac 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -234,7 +234,8 @@ all(suite) ->
      server_no_wrap_sequence_number, extended_key_usage,
      validate_extensions_fun, no_authority_key_identifier,
      invalid_signature_client, invalid_signature_server, cert_expired,
-     client_with_cert_cipher_suites_handshake
+     client_with_cert_cipher_suites_handshake, unknown_server_ca_fail,
+     unknown_server_ca_accept
     ].
 
 %% Test cases starts here.
@@ -2613,12 +2614,13 @@ validate_extensions_fun(Config) when is_list(Config) ->
 
 %%--------------------------------------------------------------------
 no_authority_key_identifier(doc) -> 
-    ["Test cert that does not have authorityKeyIdentifier extension"];
+    ["Test cert that does not have authorityKeyIdentifier extension"
+     " but are present in trusted certs db."];
 
 no_authority_key_identifier(suite) -> 
     [];
 no_authority_key_identifier(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2676,7 +2678,7 @@ invalid_signature_server(suite) ->
     [];
 
 invalid_signature_server(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_verification_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2793,7 +2795,7 @@ cert_expired(suite) ->
     [];
 
 cert_expired(Config) when is_list(Config) -> 
-    ClientOpts = ?config(client_opts, Config),
+    ClientOpts = ?config(client_verification_opts, Config),
     ServerOpts = ?config(server_verification_opts, Config),
     PrivDir = ?config(priv_dir, Config),
    
@@ -2882,6 +2884,59 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
     ssl_test_lib:check_result(Server, ok, Client, ok),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
+%%--------------------------------------------------------------------
+unknown_server_ca_fail(doc) ->
+    ["Test that the client fails if the ca is unknown in verify_peer mode"];
+unknown_server_ca_fail(suite) ->
+    [];
+unknown_server_ca_fail(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_opts, Config),
+    ServerOpts =  ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options, ServerOpts}]),
+    Port  = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options,
+					       [{verify, verify_peer}| ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, {error,"unknown ca"}, Client, {error, "unknown ca"}),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+unknown_server_ca_accept(doc) ->
+    ["Test that the client succeds if the ca is unknown in verify_none mode"];
+unknown_server_ca_accept(suite) ->
+    [];
+unknown_server_ca_accept(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_opts, Config),
+    ServerOpts =  ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {?MODULE,
+					       send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port  = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {?MODULE,
+					       send_recv_result_active, []}},
+					{options,
+					 [{verify, verify_none}| ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
 %%% Internal functions
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index c35178460f..ce164f7e4c 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -332,7 +332,7 @@ make_dsa_cert(Config) ->
 				 {cacertfile, ServerCaCertFile},
 				 {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
      {server_dsa_verify_opts, [{ssl_imp, new},{reuseaddr, true}, 
-			       {cacertfile, ServerCaCertFile},
+			       {cacertfile, ClientCaCertFile},
 			       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			       {verify, verify_peer}]},
      {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true},