From 044f622ac3759001b0fa100e7dc5ab378caa4c72 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 17 Sep 2010 17:06:46 +0200
Subject: Handling of DSA key parameters

DSS-Params  may be null in a certificate as it can inherit the
parameters.

Also ignore CA-certs that do not follow ASN-1 spec in RFC 5280.
---
 lib/ssl/src/ssl_certificate_db.erl | 18 ++++++++++++------
 lib/ssl/test/erl_make_certs.erl    |  4 ++--
 2 files changed, 14 insertions(+), 8 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 86477f369d..39d9847e3b 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -216,9 +216,15 @@ add_certs_from_file(File, Ref, CertsDb) ->
     [Add(Cert) || {'Certificate', Cert, not_encrypted} <- PemEntries].
     
 add_certs(Cert, Ref, CertsDb) ->
-    ErlCert = public_key:pkix_decode_cert(Cert, otp),
-    TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
-    SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
-    Issuer = public_key:pkix_normalize_name(
-	       TBSCertificate#'OTPTBSCertificate'.issuer),
-    insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb).
+    try  ErlCert = public_key:pkix_decode_cert(Cert, otp),
+	 TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
+	 SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
+	 Issuer = public_key:pkix_normalize_name(
+		    TBSCertificate#'OTPTBSCertificate'.issuer),
+	 insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
+    catch
+	error:Reason ->
+	    Report = io_lib:format("SSL WARNING: Ignoring CA cert: ~p~n Due to decoding error:~p ~n",
+				   [Cert, Reason]),
+	    error_logger:info_report(Report)
+    end.
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index f8aef55754..8b01ca3ad4 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
 			       subjectPublicKey = Public};
 publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa', 
-				 parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
+				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.
 
 validity(Opts) ->
@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
 	   end,
     {Type, 'NULL'};
 sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
-    {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
+    {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.
 
 make_key(rsa, _Opts) ->
     %% (OBS: for testing only)
-- 
cgit v1.2.3