aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_crl.erl
blob: b8761f06016d12164e484d0f4d46cb52486617f8 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
%%
%% %CopyrightBegin%
%%
%% Copyright Ericsson AB 2015-2015. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
%%
%% %CopyrightEnd%

%----------------------------------------------------------------------
%% Purpose: CRL handling 
%%----------------------------------------------------------------------

-module(ssl_crl).

-include("ssl_alert.hrl").
-include("ssl_internal.hrl").
-include_lib("public_key/include/public_key.hrl"). 

-export([trusted_cert_and_path/3]).

trusted_cert_and_path(CRL, {SerialNumber, Issuer},{Db, DbRef} = DbHandle) -> 
    case ssl_pkix_db:lookup_trusted_cert(Db, DbRef, SerialNumber, Issuer) of
	undefined ->
	    trusted_cert_and_path(CRL, issuer_not_found, DbHandle);
	{ok, {_, OtpCert}}  ->
	    {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
	    {ok, Root,  lists:reverse(Chain)}
    end;

trusted_cert_and_path(CRL, issuer_not_found, {Db, DbRef} = DbHandle) -> 
    try find_issuer(CRL, DbHandle) of
	OtpCert ->
	    {ok, Root, Chain} = ssl_certificate:certificate_chain(OtpCert, Db, DbRef),
	    {ok, Root, lists:reverse(Chain)}
    catch
	throw:_ ->
	    {error, issuer_not_found}
    end.

find_issuer(CRL, {Db,_}) ->
    Issuer = public_key:pkix_normalize_name(public_key:pkix_crl_issuer(CRL)),
    IsIssuerFun =
	fun({_Key, {_Der,ErlCertCandidate}}, Acc) ->
		verify_crl_issuer(CRL, ErlCertCandidate, Issuer, Acc);
	   (_, Acc) ->
		Acc
	end,
    
    try ssl_pkix_db:foldl(IsIssuerFun, issuer_not_found, Db) of
	issuer_not_found ->
	    {error, issuer_not_found}
    catch 
	{ok, IssuerCert}  ->
	    IssuerCert
    end.


verify_crl_issuer(CRL, ErlCertCandidate, Issuer, NotIssuer) ->
    TBSCert =  ErlCertCandidate#'OTPCertificate'.tbsCertificate,
    case public_key:pkix_normalize_name(TBSCert#'OTPTBSCertificate'.subject) of
	Issuer ->
	    case public_key:pkix_crl_verify(CRL, ErlCertCandidate) of
		true ->
		    throw({ok, ErlCertCandidate});
		false ->
		    NotIssuer;
		_ ->
		    NotIssuer
	    end;
	_ ->
	    NotIssuer
    end.