From fbe15664033aecd247aa3ee7446562639c10a0f4 Mon Sep 17 00:00:00 2001 From: Wil Tan Date: Wed, 6 Jan 2010 04:10:10 +1100 Subject: Send CA list during Certificate Request in new_ssl When requesting for client certificate, an SSL/TLS server may send a list of the distinguished names of acceptable certificate authorities. OpenSSL does this by default. --- lib/public_key/src/pubkey_cert_records.erl | 2 +- lib/ssl/src/ssl_handshake.erl | 28 +++++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl index 36b7c47a9c..7f9f3c84f4 100644 --- a/lib/public_key/src/pubkey_cert_records.erl +++ b/lib/public_key/src/pubkey_cert_records.erl @@ -23,7 +23,7 @@ -include("public_key.hrl"). --export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]). +-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]). -export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code. diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 829e0c2ba6..85dc61d3aa 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -860,9 +860,31 @@ certificate_types(_) -> %% a RSA_FIXED_DH or DSS_FIXED_DH <>. -certificate_authorities(_) -> - %%TODO Make list of know CA:s - <<>>. +certificate_authorities(CertDbRef) -> + Authorities = certificate_authorities_from_db(CertDbRef), + Enc = fun(Cert) -> + TBSCert = Cert#'OTPCertificate'.tbsCertificate, + Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode), + {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj), + DNEncodedBin = iolist_to_binary(DNEncoded), + DNEncodedLen = byte_size(DNEncodedBin), + <> + end, + list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])). + +certificate_authorities_from_db(CertDbRef) -> + certificate_authorities_from_db(CertDbRef, no_candidate, []). + +certificate_authorities_from_db(CertDbRef, PrevKey, Acc) -> + case ssl_certificate_db:issuer_candidate(PrevKey) of + no_more_candidates -> + lists:reverse(Acc); + {{CertDbRef, _, _} = Key, Cert} -> + certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]); + {Key, _Cert} -> + % skip certs not from this ssl connection + certificate_authorities_from_db(CertDbRef, Key, Acc) + end. digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) -> public_key:encrypt_private(Hashes, Key, -- cgit v1.2.3 From bce8acaa10f2265e5454c29097e33680076c7ccb Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson Date: Tue, 12 Jan 2010 13:43:59 +0100 Subject: Code cleanup --- lib/ssl/src/ssl_handshake.erl | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 85dc61d3aa..e502c21df4 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -862,15 +862,15 @@ certificate_types(_) -> certificate_authorities(CertDbRef) -> Authorities = certificate_authorities_from_db(CertDbRef), - Enc = fun(Cert) -> - TBSCert = Cert#'OTPCertificate'.tbsCertificate, - Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode), - {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj), - DNEncodedBin = iolist_to_binary(DNEncoded), - DNEncodedLen = byte_size(DNEncodedBin), - <> - end, - list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])). + Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) -> + OTPSubj = TBSCert#'OTPTBSCertificate'.subject, + Subj = pubkey_cert_records:transform(OTPSubj, encode), + {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj), + DNEncodedBin = iolist_to_binary(DNEncoded), + DNEncodedLen = byte_size(DNEncodedBin), + <> + end, + list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]). certificate_authorities_from_db(CertDbRef) -> certificate_authorities_from_db(CertDbRef, no_candidate, []). @@ -882,7 +882,7 @@ certificate_authorities_from_db(CertDbRef, PrevKey, Acc) -> {{CertDbRef, _, _} = Key, Cert} -> certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]); {Key, _Cert} -> - % skip certs not from this ssl connection + %% skip certs not from this ssl connection certificate_authorities_from_db(CertDbRef, Key, Acc) end. -- cgit v1.2.3 From c9c70aa3cc4e2087cf0da4c4ba36f3dd4e4e4627 Mon Sep 17 00:00:00 2001 From: Wil Tan Date: Thu, 7 Jan 2010 03:18:45 +1100 Subject: new_ssl fix session reuse When an SSL client presents a previous session ID, the server should either honour the request to reuse the parameters previously negotiated for the given session ID, or ignore the request and generate a new session ID. In this situation, new_ssl tries to complete the handshake by sending the client a "Finished" handshake message, which violates the SSL/TLS specs. It should instead send a ChangeCipherSpec message before sending the FInished message. This patch fixes it. --- lib/ssl/src/ssl_connection.erl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 178c055cdf..c292fd70c7 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1115,13 +1115,13 @@ do_server_hello(Type, #state{negotiated_version = Version, case ssl_handshake:master_secret(Version, Session, ConnectionStates0, server) of {_, ConnectionStates1} -> - {ConnectionStates, Hashes} = - finished(State#state{connection_states = - ConnectionStates1}), - {next_state, abbreviated, - next_record(State#state{connection_states = - ConnectionStates, - tls_handshake_hashes = Hashes})}; + {ConnectionStates, Hashes} = + finalize_server_handshake(State#state{connection_states=ConnectionStates1, session = Session}), + NewState = + State#state{connection_states = ConnectionStates, + session = Session, + tls_handshake_hashes = Hashes}, + {next_state, abbreviated, next_record(NewState)}; #alert{} = Alert -> handle_own_alert(Alert, Version, hello, State), {stop, normal, State} -- cgit v1.2.3 From 5c0e1b1642002cfd906ac5a03b9814ae0836d8c1 Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson Date: Tue, 12 Jan 2010 14:59:08 +0100 Subject: Minor code cleanup --- lib/ssl/src/ssl_connection.erl | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index c292fd70c7..8e563f36f9 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1115,13 +1115,12 @@ do_server_hello(Type, #state{negotiated_version = Version, case ssl_handshake:master_secret(Version, Session, ConnectionStates0, server) of {_, ConnectionStates1} -> - {ConnectionStates, Hashes} = - finalize_server_handshake(State#state{connection_states=ConnectionStates1, session = Session}), - NewState = - State#state{connection_states = ConnectionStates, - session = Session, - tls_handshake_hashes = Hashes}, - {next_state, abbreviated, next_record(NewState)}; + State1 = State#state{connection_states=ConnectionStates1, + session = Session}, + {ConnectionStates, Hashes} = finalize_server_handshake(State1), + Resumed = State1#state{connection_states = ConnectionStates, + tls_handshake_hashes = Hashes}, + {next_state, abbreviated, next_record(Resumed)}; #alert{} = Alert -> handle_own_alert(Alert, Version, hello, State), {stop, normal, State} -- cgit v1.2.3 From fe93630eaef3c403edda47e0531dbd5c11c2aa4a Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson Date: Wed, 13 Jan 2010 13:20:18 +0100 Subject: Added a public_key:pkix_transform/2 instead and used it from ssl. --- lib/public_key/src/public_key.erl | 16 +++++++++++++++- lib/ssl/src/ssl_handshake.erl | 2 +- 2 files changed, 16 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index b0b0b7a832..b7d0d8c286 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -30,7 +30,7 @@ sign/2, sign/3, verify_signature/3, verify_signature/4, verify_signature/5, pem_to_der/1, pem_to_der/2, - pkix_decode_cert/2, pkix_encode_cert/1, + pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2, pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1, pkix_issuer_id/2, pkix_is_issuer/2, pkix_normalize_general_name/1, @@ -161,6 +161,20 @@ pkix_decode_cert(BinCert, Type) -> pkix_encode_cert(Cert) -> pubkey_cert_records:encode_cert(Cert). +%%-------------------------------------------------------------------- +%% Function: pkix_transform(CertPart, Op) -> TransformedCertPart +%% +%% CertPart = pkix part data +%% Op = encode | decode +%% +%% Description: Transform parts of a pkix certificate between 'plain' format +%% and the internal 'otp' format, see pkix_decode_cert/2. +%% Decode transforms from 'plain' to 'otp' and encode from 'otp' to 'plain' +%% format. +%%-------------------------------------------------------------------- +pkix_transform(CertPart, Op) -> + pubkey_cert_records:transform(CertPart, Op). + %%-------------------------------------------------------------------- %% Function: pkix_path_validation(TrustedCert, CertChain, Options) -> %% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} | diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index e502c21df4..07a9f644fa 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -864,7 +864,7 @@ certificate_authorities(CertDbRef) -> Authorities = certificate_authorities_from_db(CertDbRef), Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) -> OTPSubj = TBSCert#'OTPTBSCertificate'.subject, - Subj = pubkey_cert_records:transform(OTPSubj, encode), + Subj = public_key:pkix_transform(OTPSubj, encode), {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj), DNEncodedBin = iolist_to_binary(DNEncoded), DNEncodedLen = byte_size(DNEncodedBin), -- cgit v1.2.3