From 1564b5853f286c97a7c9e1d6715d3c6f10bea50f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 19 Oct 2011 10:08:25 +0200
Subject: Added PKCS-8 support in ssl

---
 lib/ssl/doc/src/ssl.xml               |  5 +++--
 lib/ssl/src/ssl.erl                   |  7 +++++--
 lib/ssl/src/ssl_connection.erl        | 28 ++++++++++++++++++++++++----
 lib/ssl/test/ssl_basic_SUITE.erl      | 16 ++++++++--------
 lib/ssl/test/ssl_test_lib.erl         | 14 ++++++++++++++
 lib/ssl/test/ssl_to_openssl_SUITE.erl | 11 +++++++++++
 6 files changed, 65 insertions(+), 16 deletions(-)

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 70122e4393..50268ae206 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -71,7 +71,8 @@
       {fail_if_no_peer_cert, boolean()}
       {depth, integer()} |
       {cert, der_encoded()}| {certfile, path()} |
-      {key, der_encoded()} | {keyfile, path()} | {password, string()} |
+      {key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'PrivateKeyInfo', der_encoded()}} |
+      {keyfile, path()} | {password, string()} |
       {cacerts, [der_encoded()]} | {cacertfile, path()} |
       |{dh, der_encoded()} | {dhfile, path()} | {ciphers, ciphers()} |
       {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()} 
@@ -139,7 +140,7 @@
       <tag>{certfile, path()}</tag>
       <item>Path to a file containing the user's certificate.</item>
       
-      <tag>{key, der_encoded()}</tag>
+      <tag>{key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'PrivateKeyInfo', der_encoded()}}</tag>
       <item> The DER encoded users private key. If this option
       is supplied it will override the keyfile option.</item>
       
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 35f9410562..d0693445e0 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -608,8 +608,11 @@ validate_option(certfile, Value) when Value == undefined; is_list(Value) ->
 validate_option(key, undefined) ->
     undefined;
 validate_option(key, {KeyType, Value}) when is_binary(Value),
-					    KeyType == rsa;
-					    KeyType == dsa ->
+					    KeyType == rsa; %% Backwards compatibility
+					    KeyType == dsa; %% Backwards compatibility
+					    KeyType == 'RSAPrivateKey';
+					    KeyType == 'DSAPrivateKey';
+					    KeyType == 'PrivateKeyInfo' ->
     {KeyType, Value};
 validate_option(keyfile, Value) when is_list(Value) ->
     Value;
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index c772697f1d..59b0132ff5 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1126,18 +1126,38 @@ init_private_key(DbHandle, undefined, KeyFile, Password, _) ->
 	{ok, List} = ssl_manager:cache_pem_file(KeyFile, DbHandle),
 	[PemEntry] = [PemEntry || PemEntry = {PKey, _ , _} <- List,
 				  PKey =:= 'RSAPrivateKey' orelse
-				      PKey =:= 'DSAPrivateKey'],
-	public_key:pem_entry_decode(PemEntry, Password)
+				      PKey =:= 'DSAPrivateKey' orelse
+				      PKey =:= 'PrivateKeyInfo'
+		     ],
+	private_key(public_key:pem_entry_decode(PemEntry, Password))
     catch 
 	Error:Reason ->
 	    handle_file_error(?LINE, Error, Reason, KeyFile, ekeyfile,
 			      erlang:get_stacktrace()) 
     end;
 
+%% First two clauses are for backwards compatibility
 init_private_key(_,{rsa, PrivateKey}, _, _,_) ->
-    public_key:der_decode('RSAPrivateKey', PrivateKey);
+    init_private_key('RSAPrivateKey', PrivateKey);
 init_private_key(_,{dsa, PrivateKey},_,_,_) ->
-    public_key:der_decode('DSAPrivateKey', PrivateKey).
+    init_private_key('DSAPrivateKey', PrivateKey);
+init_private_key(_,{Asn1Type, PrivateKey},_,_,_) ->
+    private_key(init_private_key(Asn1Type, PrivateKey)).
+
+init_private_key(Asn1Type, PrivateKey) ->
+    public_key:der_decode(Asn1Type, PrivateKey).
+
+private_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'rsaEncryption'},
+			     privateKey = Key}) ->
+    public_key:der_decode('RSAPrivateKey', iolist_to_binary(Key));
+
+private_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-dsa'},
+			     privateKey = Key}) ->
+    public_key:der_decode('DSAPrivateKey', iolist_to_binary(Key));
+private_key(Key) ->
+    Key.
 
 -spec(handle_file_error(_,_,_,_,_,_) -> no_return()).
 handle_file_error(Line, Error, {badmatch, Reason}, File, Throw, Stack) ->
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index a9109c5a6e..42dc44c39b 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2784,7 +2784,7 @@ extended_key_usage_verify_peer(Config) when is_list(Config) ->
    
     KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"), 
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     ServerCertFile = proplists:get_value(certfile, ServerOpts),
     NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"),
@@ -2846,7 +2846,7 @@ extended_key_usage_verify_none(Config) when is_list(Config) ->
 
     KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     ServerCertFile = proplists:get_value(certfile, ServerOpts),
     NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"),
@@ -2908,7 +2908,7 @@ no_authority_key_identifier(Config) when is_list(Config) ->
    
     KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     CertFile = proplists:get_value(certfile, ServerOpts),
     NewCertFile = filename:join(PrivDir, "server/new_cert.pem"),
@@ -2966,7 +2966,7 @@ invalid_signature_server(Config) when is_list(Config) ->
    
     KeyFile = filename:join(PrivDir, "server/key.pem"),
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     ServerCertFile = proplists:get_value(certfile, ServerOpts),
     NewServerCertFile = filename:join(PrivDir, "server/invalid_cert.pem"),
@@ -3006,7 +3006,7 @@ invalid_signature_client(Config) when is_list(Config) ->
    
     KeyFile = filename:join(PrivDir, "client/key.pem"),
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     ClientCertFile = proplists:get_value(certfile, ClientOpts),
     NewClientCertFile = filename:join(PrivDir, "client/invalid_cert.pem"),
@@ -3083,7 +3083,7 @@ cert_expired(Config) when is_list(Config) ->
    
     KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
     [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
-    Key = public_key:pem_entry_decode(KeyEntry),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
 
     ServerCertFile = proplists:get_value(certfile, ServerOpts),
     NewServerCertFile = filename:join(PrivDir, "server/expired_cert.pem"),
@@ -3358,14 +3358,14 @@ der_input_opts(Opts) ->
     Keyfile = proplists:get_value(keyfile, Opts),
     Dhfile = proplists:get_value(dhfile, Opts),
     [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile),
-    [{_, Key, _}]  = ssl_test_lib:pem_to_der(Keyfile),
+    [{Asn1Type, Key, _}]  = ssl_test_lib:pem_to_der(Keyfile),
     [{_, DHParams, _}]  = ssl_test_lib:pem_to_der(Dhfile),
     CaCerts =
 	lists:map(fun(Entry) ->
 			  {_, CaCert, _} = Entry,
 			  CaCert
 		  end, ssl_test_lib:pem_to_der(CaCertsfile)),
-    {Cert, {rsa, Key}, CaCerts, DHParams}.
+    {Cert, {Asn1Type, Key}, CaCerts, DHParams}.
 
 %%--------------------------------------------------------------------
 %% different_ca_peer_sign(doc) ->
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index b7916b96eb..46a8112a41 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -22,6 +22,7 @@
 
 -include("test_server.hrl").
 -include("test_server_line.hrl").
+-include_lib("public_key/include/public_key.hrl").
 
 %% Note: This directive should only be used in test suites.
 -compile(export_all).
@@ -673,3 +674,16 @@ cipher_result(Socket, Result) ->
 
 session_info_result(Socket) ->
     ssl:session_info(Socket).
+
+
+public_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?rsaEncryption},
+			     privateKey = Key}) ->
+    public_key:der_decode('RSAPrivateKey', iolist_to_binary(Key));
+
+public_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-dsa'},
+			     privateKey = Key}) ->
+    public_key:der_decode('DSAPrivateKey', iolist_to_binary(Key));
+public_key(Key) ->
+    Key.
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 64a6a9eaf8..8ccbb3ffa1 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -109,6 +109,9 @@ special_init(TestCase, Config)
        TestCase == erlang_server_openssl_client_no_wrap_sequence_number ->
     check_sane_openssl_renegotaite(Config);
 
+special_init(ssl2_erlang_server_openssl_client, Config) ->
+    check_sane_openssl_sslv2(Config);
+
 special_init(_, Config) ->
     Config.
     
@@ -1433,3 +1436,11 @@ check_sane_openssl_renegotaite(Config) ->
 	_ ->
 	    Config
     end.
+
+check_sane_openssl_sslv2(Config) ->
+    case os:cmd("openssl version") of
+	"OpenSSL 1.0.0e" ++ _ ->
+	    {skip, "Known option bug"};
+	_ ->
+	    Config
+    end.
-- 
cgit v1.2.3