From 9756dcd97cd819c9b2d64c35dd36550f99600e92 Mon Sep 17 00:00:00 2001
From: Andrew Thompson <andrew@hijacked.us>
Date: Sat, 8 Feb 2014 00:58:11 -0500
Subject: Rework IDP validation according to the RFC, fix public_key tests

---
 lib/public_key/src/pubkey_cert.erl |  4 ++--
 lib/public_key/src/pubkey_crl.erl  | 14 +++++++++-----
 lib/ssl/test/make_certs.erl        |  4 ++--
 lib/ssl/test/ssl_crl_SUITE.erl     | 31 ++++++++++++++-----------------
 4 files changed, 27 insertions(+), 26 deletions(-)

(limited to 'lib')

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 07469e342f..6272fae91b 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -343,8 +343,8 @@ match_name(uniformResourceIdentifier, URI,  [PermittedName | Rest]) ->
     case split_uri(URI) of
 	incomplete ->
 	    false;
-	{_, _, _Host, _, _} ->
-	    match_name(fun is_valid_host_or_domain/2, URI,
+	{_, _, Host, _, _} ->
+	    match_name(fun is_valid_host_or_domain/2, Host,
 		       PermittedName, Rest)
     end;
 
diff --git a/lib/public_key/src/pubkey_crl.erl b/lib/public_key/src/pubkey_crl.erl
index 503d0205a6..2d947058de 100644
--- a/lib/public_key/src/pubkey_crl.erl
+++ b/lib/public_key/src/pubkey_crl.erl
@@ -393,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
     ok;
 
 verify_dp_name(IDPNames, DPorIssuerNames) ->
-    case match_one(DPorIssuerNames, IDPNames) of
-	true ->
-	    ok;
-	false ->
-	    throw({bad_crl, scope_error})
+    %% RFC 5280 section 5.2.5
+    %% Check that at least one IssuingDistributionPointName in the CRL lines up
+    %% with a DistributionPointName in the certificate.
+    Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
+    case Matches of
+	[] ->
+	    throw({bad_crl, scope_error});
+	_ ->
+	    ok
     end.
 
 match_one([], _) ->
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 2b4eaaef53..c438ae2b87 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -410,7 +410,6 @@ ca_cnf(C) ->
 
      "[idpsec]\n"
      "fullname=URI:http://localhost:8000/",C#config.commonName,"/crl.pem\n"
-     %"fullname=URI:file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
 
      "[user_cert]\n"
      "basicConstraints	= CA:false\n"
@@ -422,7 +421,8 @@ ca_cnf(C) ->
      "crlDistributionPoints=@crl_section\n"
 
      "[crl_section]\n"
-     "URI.1=file://$ROOTDIR/",C#config.commonName,"/crl.pem\n"
+     %% intentionally invalid
+     "URI.1=http://localhost/",C#config.commonName,"/crl.pem\n"
      "URI.2=http://localhost:8000/",C#config.commonName,"/crl.pem\n"
      "\n"
 
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 8afd926ee6..7cf09aa419 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -69,6 +69,7 @@ init_per_suite(Config0) ->
 	false ->
 	    {skip, "Openssl not found"};
 	_ ->
+	    inets:start(),
 	    catch crypto:stop(),
 	    try crypto:start() of
 		ok ->
@@ -81,6 +82,7 @@ init_per_suite(Config0) ->
 
 end_per_suite(_Config) ->
     ssl:stop(),
+    inets:stop(),
     application:stop(crypto).
 
 init_per_group(v1_crl, Config) ->
@@ -91,7 +93,12 @@ init_per_group(v1_crl, Config) ->
 			      CertDir,
 			      [{v2_crls, false}])),
     ct:log("Make certs  ~p~n", [Result]),
-    [{make_cert_result, Result}, {cert_dir, CertDir} | Config];
+    %% start a HTTP server to serve the CRLs
+    {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+				      {server_root, "/tmp"},
+				      {document_root, CertDir},
+				      {modules, [mod_get]}]),
+    [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config];
 init_per_group(idp_crl, Config) ->
     ssl:start(),
     CertDir = filename:join(?config(priv_dir, Config), "idp_crl"),
@@ -113,7 +120,12 @@ init_per_group(_GroupName, Config) ->
 	(catch make_certs:all(?config(data_dir, Config),
 			      CertDir)),
     ct:log("Make certs  ~p~n", [Result]),
-    [{make_cert_result, Result}, {cert_dir, CertDir} | Config].
+    %% start a HTTP server to serve the CRLs
+    {ok, Httpd} = inets:start(httpd, [{port, 8000}, {server_name, "localhost"},
+				      {server_root, "/tmp"},
+				      {document_root, CertDir},
+				      {modules, [mod_get]}]),
+    [{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config].
 
 end_per_group(_GroupName, Config) ->
     case ?config(httpd, Config) of
@@ -185,8 +197,6 @@ crl_verify_revoked(Config) when is_list(Config) ->
 		  {cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])}],
 
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-    
-    Data = "From openssl to erlang",
 
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
 					{from, self()}, 
@@ -462,19 +472,6 @@ fetch_point(#'DistributionPoint'{distributionPoint={fullName, Names}}) ->
 %%
 fetch([]) ->
     not_available;
-fetch([{uniformResourceIdentifier, "file://"++File}|Rest]) ->
-    io:format("getting CRL from ~p~n", [File]),
-    try file:read_file(File) of
-        {ok, Bin} ->
-            %% assume PEM
-            [{'CertificateList', DER, _}=CertList] = public_key:pem_decode(Bin),
-            {DER, public_key:pem_entry_decode(CertList)};
-        _ ->
-            fetch(Rest)
-    catch
-        _:_ ->
-            fetch(Rest)
-    end;
 fetch([{uniformResourceIdentifier, "http"++_=URL}|Rest]) ->
     io:format("getting CRL from ~p~n", [URL]),
     _ = inets:start(),
-- 
cgit v1.2.3