From e5776f33e6aa8ea99b14d3fd0525e9117bbe698a Mon Sep 17 00:00:00 2001
From: Magnus Henoch
Date: Mon, 21 Mar 2016 14:57:10 +0000
Subject: Add public_key:pkix_match_dist_point
---
 lib/public_key/doc/src/public_key.xml | 17 +++++++++++++++++
 lib/public_key/src/public_key.erl | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 6923066da7..becb5338e0 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -727,6 +727,23 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
+ + pkix_match_dist_point(CRL, DistPoint) -> boolean() + Checks whether the given distribution point matches the + Issuing Distribution Point of the CRL. + + + CRL = der_encoded() | #'CertificateList'{} + DistPoint = #'DistributionPoint'{} + +

Checks whether the given distribution point matches the + Issuing Distribution Point of the CRL, as described in RFC 5280. + If the CRL doesn't have an Issuing Distribution Point extension, + the distribution point always matches.

+
+
+ pkix_sign(#'OTPTBSCertificate'{}, Key) -> der_encoded() Signs certificate.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index a5944bd604..27bf2093a1 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -53,6 +53,7 @@
 pkix_crls_validate/3,
 pkix_dist_point/1,
 pkix_dist_points/1,
+ pkix_match_dist_point/2,
 pkix_crl_verify/2,
 pkix_crl_issuer/1
 ]).
@@ -523,6 +524,38 @@ pkix_dist_points(OtpCert) ->
 end, [], Value).
+%%--------------------------------------------------------------------
+-spec pkix_match_dist_point(der_encoded() | #'CertificateList'{},
+ #'DistributionPoint'{}) -> boolean().
+%% Description: Check whether the given distribution point matches
+%% the "issuing distribution point" of the CRL.
+%%--------------------------------------------------------------------
+pkix_match_dist_point(CRL, DistPoint) when is_binary(CRL) ->
+ pkix_match_dist_point(der_decode('CertificateList', CRL), DistPoint);
+pkix_match_dist_point(#'CertificateList'{},
+ #'DistributionPoint'{distributionPoint = asn1_NOVALUE}) ->
+ %% No distribution point name specified - that's considered a match.
+ true;
+pkix_match_dist_point(#'CertificateList'{
+ tbsCertList =
+ #'TBSCertList'{
+ crlExtensions = Extensions}},
+ #'DistributionPoint'{
+ distributionPoint = {fullName, DPs}}) ->
+ case pubkey_cert:select_extension(?'id-ce-issuingDistributionPoint', Extensions) of
+ undefined ->
+ %% If the CRL doesn't have an IDP extension, it
+ %% automatically qualifies.
+ true;
+ #'Extension'{extnValue = IDPValue} ->
+ %% If the CRL does have an IDP extension, it must match
+ %% the given DistributionPoint to be considered a match.
+ IDPEncoded = der_decode('IssuingDistributionPoint', IDPValue),
+ #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} =
+ pubkey_cert_records:transform(IDPEncoded, decode),
+ pubkey_crl:match_one(IDPs, DPs)
+ end.
+
 %%--------------------------------------------------------------------
 -spec pkix_sign(#'OTPTBSCertificate'{},
 rsa_private_key() | dsa_private_key()) -> Der::binary().
-- cgit v1.2.3
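Review bot: The `#'Extension'{extnValue = IDPValue}` branch binds the decoded IDP with a bare `{fullName, IDPs}` match, so a CRL whose IssuingDistributionPoint extension omits `distributionPoint` (the field is OPTIONAL in RFC 5280 §5.2.5, e.g. an IDP that only sets the onlyContainsCACerts flag) or uses the `nameRelativeToCRLIssuer` form raises `badmatch` instead of the `boolean()` the new -spec promises, and the third clause head likewise only accepts a `{fullName, DPs}` DP, so a relative-name DP is a `function_clause`. CRLs are usually fetched from a network source, so a verifier should get a definite answer for these well-formed inputs rather than an exception that the caller has to catch. Replacing the bare match with a `case` that returns `true` when the IDP carries no name (no name comparison is then required, if I read RFC 5280 §6.3.3 (b)(2) correctly) keeps the spec honest; the relative-name forms still need an explicit clause or a documented decision, since `pubkey_crl:match_one/2` appears to expect GeneralName lists. The second clause also returns `true` for a nameless DP without consulting the IDP at all; §6.3.3 (b)(2)(ii) compares the IDP names against the DP's cRLIssuer in that case, so if that is deliberately left to the caller a comment saying so would help, e.g. `%% cRLIssuer/IDP name comparison (RFC 5280 6.3.3 b.2.ii) is left to the caller`.
```erlang
%% … unchanged: binary clause, asn1_NOVALUE clause, extension lookup …
        #'Extension'{extnValue = IDPValue} ->
            %% An IDP extension may legitimately carry no distribution
            %% point name (RFC 5280 5.2.5); then there is no name to
            %% compare and the DP name check does not apply.
            IDPEncoded = der_decode('IssuingDistributionPoint', IDPValue),
            case pubkey_cert_records:transform(IDPEncoded, decode) of
                #'IssuingDistributionPoint'{distributionPoint = {fullName, IDPs}} ->
                    pubkey_crl:match_one(IDPs, DPs);
                #'IssuingDistributionPoint'{distributionPoint = asn1_NOVALUE} ->
                    true
            end
    end.
```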