From af68c9d17e99254c216c16a01167d95023cbd1cd Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 24 Aug 2017 17:59:31 +0200 Subject: public_key, ssl: Provide certitifate test data generation function in public_key The ssl application uses the new function in many of its test cases.
---
 lib/public_key/doc/src/public_key.xml | 86 ++++++++++++++++++++++++++++++++++-
 1 file changed, 84 insertions(+), 2 deletions(-)
(limited to 'lib/public_key/doc/src')
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 942203bd12..5a4fdf057b 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -119,6 +119,10 @@ ec_private_key() =

#'ECPrivateKey'{}

+ key_params() = +

#'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{} + | {rsa, Size::integer(), PubExp::integer()}

+ public_crypt_options() =

[{rsa_pad, rsa_padding()}]

@@ -347,8 +351,7 @@ generate_key(Params) -> {Public::binary(), Private::binary()} | #'ECPrivateKey'{} | #'RSAPrivateKey'{} Generates a new keypair.
- Params = #'DHParameter'{} | {namedCurve, oid()} | #'ECParameters'{}
- | {rsa, Size::integer(), PubExp::integer}
+ Params = key_params()

Generates a new keypair. Note that except for Diffie-Hellman
@@ -769,6 +772,85 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
+
+ pkix_test_data(Options) -> Config
+ Creates certificate test data.
+
+ Options = #{chain_type() := chain_opts()}
+ Options for ROOT, Intermediate and Peer certs
+
+ chain_type() = server_chain | client_chain
+
+ chain_opts() = #{chain_end() := [cert_opt()],
+ intermediates => [[cert_opt()]]}
+ A valid chain must have at least a ROOT and a peer cert
+
+ chain_end() = root | peer
+
+ cert_opt() = {Key, Value}
+ For available options see cert_opt() below.
+
+ Config = #{server_config := [conf_opt()],
+ client_config := [conf_opt()]}
+
+ conf_opt() = {cert, der_encoded()} | {key, der_encoded()} |{cacerts, [der_encoded()]}
+ This is a subset of the type ssl:ssl_option()
+
+
+
+

Creates certificate test data to facilitate automated testing + of applications using X509-certificates often through + SSL/TLS. The test data can be used when you have control + over both the client and the server in a test scenario. +

+ +

The cert_opt() type consists of the following options:

+ + {digest, digest_type()} +

Hash algorithm to be used for + signing the certificate together with the key option. Defaults to sha that is sha1. +

+ {key, key_params() | private_key()} +

Parameters to be used to call public_key:generate_key/1, to generate a key, or an existing + key. Defaults to generating an ECDSA key. Note this could fail if Erlang/OTP is compiled with a very old + cryptolib.

+ {validity, {From::erlang:timestamp(), To::erlang:timestamp()}} +

The validity period of the certificate.

+ {extensions, [#'Extension'{}]} +

Extensions to include in the certificate.

+ +

Default extensions included in CA certificates if not + otherwise specified are:

+ [#'Extension'{extnID = ?'id-ce-keyUsage', + extnValue = [keyCertSign, cRLSign], + critical = false}, +#'Extension'{extnID = ?'id-ce-basicConstraints', + extnValue = #'BasicConstraints'{cA = true}, + critical = true}] + + +

Default extensions included in the server peer cert if not + otherwise specified are:

+ [#'Extension'{extnID = ?'id-ce-keyUsage', + extnValue = [digitalSignature, keyAgreement], + critical = false}, +#'Extension'{extnID = ?'id-ce-subjectAltName', + extnValue = [{dNSName, Hostname}], + critical = false}] + +

Hostname is the result of calling net_adm:localhost() in the Erlang node + where this funcion is called. +

+ +
+ +

+ Note that the generated certificates and keys does not provide a formally correct PKIX-trust-chain + and they can not be used to achieve real security. This function is provided for testing purposes only. +

+
+ + pkix_verify(Cert, Key) -> boolean() Verifies PKIX x.509 certificate signature. -- cgit v1.2.3