From 6cced538abd4f8053c009b163efa8c6d568b9580 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 9 Sep 2010 17:07:22 +0200 Subject: Improved certificate extension handling Added the functionality so that the verification fun will be called when a certificate is considered valid by the path validation to allow access to eachs certificate in the path to the user application. Removed clause that only check that a extension is not critical, it does alter the verification rusult only withholds information from the application. Try to verify subject-AltName, if unable to verify it let application try. --- lib/public_key/src/public_key.erl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/public_key/src/public_key.erl') diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 68bf04eeff..9c7817fa8e 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -539,6 +539,7 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer, user_state = UserState0, verify_fun = VerifyFun} = ValidationState0) -> + OtpCert = pkix_decode_cert(DerCert, otp), UserState1 = pubkey_cert:validate_time(OtpCert, UserState0, VerifyFun), @@ -556,10 +557,12 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer, %% We want the key_usage extension to be checked before we validate %% the signature. - UserState = pubkey_cert:validate_signature(OtpCert, DerCert, + UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert, Key, KeyParams, UserState5, VerifyFun), + UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun), ValidationState = ValidationState1#path_validation_state{user_state = UserState}, + pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState). sized_binary(Binary) when is_binary(Binary) -> -- cgit v1.2.3