From 9756dcd97cd819c9b2d64c35dd36550f99600e92 Mon Sep 17 00:00:00 2001
From: Andrew Thompson
Date: Sat, 8 Feb 2014 00:58:11 -0500
Subject: Rework IDP validation according to the RFC, fix public_key tests
---
 lib/public_key/src/pubkey_cert.erl | 4 ++--
 lib/public_key/src/pubkey_crl.erl | 14 +++++++++-----
 lib/ssl/test/make_certs.erl | 4 ++--
 lib/ssl/test/ssl_crl_SUITE.erl | 31 ++++++++++++++-----------------
 4 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 07469e342f..6272fae91b 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -343,8 +343,8 @@ match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) ->
 case split_uri(URI) of
 incomplete ->
 false;
- {_, _, _Host, _, _} ->
- match_name(fun is_valid_host_or_domain/2, URI,
+ {_, _, Host, _, _} ->
+ match_name(fun is_valid_host_or_domain/2, Host,
 PermittedName, Rest)
 end;
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
 ok;
 verify_dp_name(IDPNames, DPorIssuerNames) ->
- case match_one(DPorIssuerNames, IDPNames) of
- true ->
- ok;
- false ->
- throw({bad_crl, scope_error})
+ %% RFC 5280 section 5.2.5
+ %% Check that at least one IssuingDistributionPointName in the CRL lines up
+ %% with a DistributionPointName in the certificate.
+ Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+ case Matches of
+ [] ->
+ throw({bad_crl, scope_error});
+ _ ->
+ ok
 end.
 match_one([], _) ->
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 2b4eaaef53..c438ae2b87 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
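Review bot: The new clause passes `Host` from `split_uri/1` to `is_valid_host_or_domain/2`, but nothing in the hunk shows whether that component is the bare hostname or the whole authority (userinfo, port); `split_uri/1` is outside the hunk, so confirm it strips those, because a spurious mismatch here makes a permittedSubtrees constraint reject a valid name and, if this path also serves excludedSubtrees, lets an excluded name through. RFC 5280 §4.2.1.10 states that for URIs the constraint applies to the host part only, which is exactly what this fix implements; a comment on the `{_, _, Host, _, _}` clause, `%% RFC 5280 4.2.1.10: only the host part of a URI is subject to name constraints`, would stop the next reader from "fixing" it back to `URI`. A public_key test with a URI subjectAltName whose host lies outside the permitted subtree would pin the behaviour. The enclosing `match_name/3` clause starts outside the hunk.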
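Review bot: `Matches` materialises the full IDPNames × DPorIssuerNames cross product before the `case` only asks whether it is empty; `lists:any(fun(N) -> lists:member(N, DPorIssuerNames) end, IDPNames)` expresses the same test, stops at the first hit and needs no intermediate list. Note that `==` here (and `lists:member/2`) is plain term equality, which is stricter than the name-comparison rules RFC 5280 prescribes (§7.1 for directoryName, case-insensitive host for URIs); that fails closed with `scope_error`, so it is safe, but the comment should say so rather than leave it to look accidental. The comment cites §5.2.5, which defines the IDP extension; the requirement that one IDP name match one DP name is §6.3.3 (b)(2)(i) and is worth citing alongside it. With `match_one/2` no longer called from this clause, check that it still has a caller; otherwise the compiler will report an unused function.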
@@ -410,7 +410,6 @@ ca_cnf(C) ->
 "[idpsec]\n"
 "fullname=URI:http://localhost:8000/",C#config.commonName,"/crl.pem\n"
- %"fullname=URI:file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
 "[user_cert]\n"
 "basicConstraints = CA:false\n"
@@ -422,7 +421,8 @@ ca_cnf(C) ->
 "crlDistributionPoints=@crl_section\n"
 "[crl_section]\n"
- "URI.1=file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
+ %% intentionally invalid
+ "URI.1=http://localhost/",C#config.commonName,"/crl.pem\n"
 "URI.2=http://localhost:8000/",C#config.commonName,"/crl.pem\n"
 "\n"
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 8afd926ee6..7cf09aa419 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -69,6 +69,7 @@ init_per_suite(Config0) ->
 false ->
 {skip, "Openssl not found"};
 _ ->
+ inets:start(),
 catch crypto:stop(),
 try crypto:start() of
 ok ->
@@ -81,6 +82,7 @@ init_per_suite(Config0) ->
 end_per_suite(_Config) ->
 ssl:stop(),
+ inets:stop(),
 application:stop(crypto).
 init_per_group(v1_crl, Config) ->
@@ -91,7 +93,12 @@ init_per_group(v1_crl, Config) ->
 CertDir, [{v2_crls, false}])),
 ct:log("Make certs ~p~n", [Result]),
- [{make_cert_result, Result}, {cert_dir, CertDir} | Config];
+ %% start a HTTP server to serve the CRLs
+ {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+ {server_root, "/tmp"},
+ {document_root, CertDir},
+ {modules, [mod_get]}]),
+ [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config];
 init_per_group(idp_crl, Config) ->
 ssl:start(),
 CertDir = filename:join(?config(priv_dir, Config), "idp_crl"),
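Review bot: `%% intentionally invalid` on the new `URI.1` line says what but not why; a reader has to correlate it with the test httpd the suite now starts on port 8000 to see that port 80 is meant to be unreachable so the CRL fetcher falls through to `URI.2` (inferred from the suite changes in this commit). Suggest `%% intentionally invalid: nothing serves port 80 in the test, so a fetcher must fall through to URI.2 below`. "Nothing on port 80" is an assumption about the host running the suite; if a local web server does answer on localhost:80 the first distribution point may unexpectedly succeed or return non-CRL content, which is worth a sentence in that comment as well. `ca_cnf/1` starts and ends outside the hunk.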
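Review bot: The httpd started here uses `{document_root, CertDir}` with no `bind_address`, so if make_certs writes the CA and server private keys under that same directory (likely, given the name) every key the suite generates is served over HTTP on all interfaces for the lifetime of the group; `{bind_address, {127,0,0,1}}` confines that to the local host, and a separate document root holding only the CRLs would be better still. `{server_root, "/tmp"}` points httpd at a world-writable shared directory where `?config(priv_dir, Config)` is the conventional per-run location. The same six lines are repeated verbatim in the `@@ -113,7 +120,12 @@` hunk; a helper used by both `init_per_group/2` clauses removes the duplication and gives these options one place to live, as sketched below. Port 8000 is fixed by the URIs make_certs bakes into the certificates, so that is fine, but the `{ok, Httpd} =` match is the only failure report when the port is busy.
```erlang
%% … unchanged: certificate generation and ct:log …
    Httpd = start_crl_httpd(Config, CertDir),
    [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config];

%% Serve CertDir over HTTP on the loopback interface only; the certificates
%% generated by make_certs point their CRL distribution points at port 8000.
start_crl_httpd(Config, CertDir) ->
    {ok, Httpd} = inets:start(httpd, [{port, 8000},
                                      {server_name, "localhost"},
                                      {bind_address, {127,0,0,1}},
                                      {server_root, ?config(priv_dir, Config)},
                                      {document_root, CertDir},
                                      {modules, [mod_get]}]),
    Httpd.
```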
@@ -113,7 +120,12 @@ init_per_group(_GroupName, Config) ->
 (catch make_certs:all(?config(data_dir, Config), CertDir)),
 ct:log("Make certs ~p~n", [Result]),
- [{make_cert_result, Result}, {cert_dir, CertDir} | Config].
+ %% start a HTTP server to serve the CRLs
+ {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+ {server_root, "/tmp"},
+ {document_root, CertDir},
+ {modules, [mod_get]}]),
+ [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config].
 end_per_group(_GroupName, Config) ->
 case ?config(httpd, Config) of
@@ -185,8 +197,6 @@ crl_verify_revoked(Config) when is_list(Config) ->
 {cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])}],
 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
- Data = "From openssl to erlang",
 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 {from, self()},
@@ -462,19 +472,6 @@ fetch_point(#'DistributionPoint'{distributionPoint={fullName, Names}}) ->
 %%
 fetch([]) ->
 not_available;
-fetch([{uniformResourceIdentifier, "file://"++File}|Rest]) ->
- io:format("getting CRL from ~p~n", [File]),
- try file:read_file(File) of
- {ok, Bin} ->
- %% assume PEM
- [{'CertificateList', DER, _}=CertList] = public_key:pem_decode(Bin),
- {DER, public_key:pem_entry_decode(CertList)};
- _ ->
- fetch(Rest)
- catch
- _:_ ->
- fetch(Rest)
- end;
 fetch([{uniformResourceIdentifier, "http"++_=URL}|Rest]) ->
 io:format("getting CRL from ~p~n", [URL]),
 _ = inets:start(),
--
cgit v1.2.3