From f5d3597bcaff3109f0b9b1bd8b5d661bb04bb1e4 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 23 Sep 2010 14:03:08 +0200
Subject: Better handling of v1 and v2 certificates.

V1 and v2 certificates does not have any extensions
so then validate_extensions should just accept that
there are none and not end up in missing_basic_constraints clause.
---
 lib/public_key/src/pubkey_cert.erl | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'lib/public_key/src')

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index e704c168f1..f3e32617af 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -223,10 +223,15 @@ validate_revoked_status(_OtpCert, UserState, _VerifyFun) ->
 %%--------------------------------------------------------------------	
 validate_extensions(OtpCert, ValidationState, UserState, VerifyFun) ->
     TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
-    Extensions = TBSCert#'OTPTBSCertificate'.extensions,
-    validate_extensions(OtpCert, Extensions, ValidationState, no_basic_constraint,
-			is_self_signed(OtpCert), UserState, VerifyFun).
-
+    case TBSCert#'OTPTBSCertificate'.version of
+	N when N >= 3 ->
+	    Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+	    validate_extensions(OtpCert, Extensions,
+				ValidationState, no_basic_constraint,
+				is_self_signed(OtpCert), UserState, VerifyFun);
+	_ -> %% Extensions not present in versions 1 & 2
+	    {ValidationState, UserState}
+    end.
 %%--------------------------------------------------------------------
 -spec normalize_general_name({rdnSequence, term()}) -> {rdnSequence, term()}. 
 %%
-- 
cgit v1.2.3


From e501709bec61bf8813cab741b0e39c211c73c89e Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 27 Sep 2010 13:59:29 +0200
Subject: Peer awarness

Changed the verify fun so that it differentiate between the peer
certificate and CA certificates by using valid_peer or valid as the
second argument to the verify fun. It may not always be trivial or
even possible to know when the peer certificate is reached otherwise.
---
 lib/public_key/src/pubkey_cert.erl      |  2 +-
 lib/public_key/src/public_key.appup.src |  4 ++--
 lib/public_key/src/public_key.erl       | 11 +++++++++--
 3 files changed, 12 insertions(+), 5 deletions(-)

(limited to 'lib/public_key/src')

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index e704c168f1..d8d999a944 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -291,7 +291,7 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
 
 %%--------------------------------------------------------------------
 -spec verify_fun(#'OTPTBSCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}|
-		 valid, term(), fun()) -> term().
+		 valid | valid_peer, term(), fun()) -> term().
 %%
 %% Description: Gives the user application the opportunity handle path
 %% validation errors and unknown extensions and optional do other
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
index c9d15b8747..d18cfd3536 100644
--- a/lib/public_key/src/public_key.appup.src
+++ b/lib/public_key/src/public_key.appup.src
@@ -6,7 +6,7 @@
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
     {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
   },
@@ -36,7 +36,7 @@
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
     {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
   },
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 9c7817fa8e..c449c430fb 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -557,9 +557,16 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 
     %% We want the key_usage extension to be checked before we validate
     %% the signature. 
-    UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert,
+    UserState6 = pubkey_cert:validate_signature(OtpCert, DerCert,
 						Key, KeyParams, UserState5, VerifyFun),
-    UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun),
+    UserState = case Last of
+		    false ->
+			pubkey_cert:verify_fun(OtpCert, valid, UserState6, VerifyFun);
+		    true ->
+			pubkey_cert:verify_fun(OtpCert, valid_peer,
+					       UserState6, VerifyFun)
+		end,
+
     ValidationState  = 
 	ValidationState1#path_validation_state{user_state = UserState},
 
-- 
cgit v1.2.3