Age | Commit message (Collapse) | Author |
|
|
|
* E.I bitstrings will not be decode as {Unused, Binary}, they are now
Erlang bitstrings.
* Also the compact_bit_string implies the legacy_erlang_types switch
- So removing the switch will also make OCTET STRING values be represented
as binaries.
- Undecoded open type will now be wrapped in a asn1_OPENTYPE tuple.
We need to handle this in pubkey_pbe.erl, maybe this can be eliminated
later by updating/refreshing ASN1-specs.
This will change some values in records returned by the public_key API
making this change a potentiall incompatibility.
|
|
|
|
|
|
|
|
* Handle v1 CRLs, with no extensions.
* Compare the IDP on a CRL correctly, if present
* Don't try to double-decode altnames
Tests are also included, and the make_certs testing tool in the SSL
application has been greatly extended.
|
|
|
|
Some certificates may use these OIDs instead of the ones defined by
PKIX/PKCS standard.
Refactor code so that all handling of the "duplicate" oids is done by
public_key.
Update algorithm information in documentation.
|
|
|
|
|
|
to deal with changes to the pkits suite.
|
|
This reverts commit c7e5f7576e213060cbb332be64a7c3798f6a2cc2.
|
|
|
|
|
|
|
|
|
|
Conflicts:
lib/public_key/src/pubkey_cert.erl
|
|
maint-r14
* ia/ssl-and-public_key/verify_fun_peer_awarness/OTP-8873:
Peer awarness
|
|
Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
|
|
V1 and v2 certificates does not have any extensions
so then validate_extensions should just accept that
there are none and not end up in missing_basic_constraints clause.
|
|
V1 and v2 certificates does not have any extensions
so then validate_extensions should just accept that
there are none and not end up in missing_basic_constraints clause.
|
|
DSS-Params may be null in a certificate as it can inherit the
parameters.
Also ignore CA-certs that do not follow ASN-1 spec in RFC 5280.
|
|
|
|
Added the functionality so that the verification fun will be called
when a certificate is considered valid by the path validation to allow
access to eachs certificate in the path to the user application.
Removed clause that only check that a extension is not critical,
it does alter the verification rusult only withholds information from
the application.
Try to verify subject-AltName, if unable to verify it let
application try.
|
|
|
|
Changed the behavior of the verify_fun option so that
the application can be responsible for handling path validation
errors even on the server side. Also replaced the not yet
documented validate_extensions_fun to be handled by the
verify_fun instead.
If the verify callback fun returns {fail, Reason}, the verification process is
immediately stopped and an alert is sent to the peer and the TLS/SSL
handshake is terminated. If the verify callback fun returns {valid,
UserState}, the verification process is continued. If the verify callback
fun always returns {valid, UserState}, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection
will be established. The verify callback fun will also be
able to verify application specific extensions.
|
|
Cleaned up and documented the public_key API to
make it useful for general use.
|
|
|
|
|
|
|
|
|