Merge branch 'maint-r14' into dev

Conflicts: lib/public_key/src/pubkey_cert.erl
bwhittle · Oct 1, 2010 · 132e46f · 132e46f
2 parents 800a07c + 9c6842d
commit 132e46f
Show file tree

Hide file tree

Showing 12 changed files with 134 additions and 18 deletions.
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
@@ -1,11 +1,11 @@
-<?xml version="1.0" encoding="latin1" ?>
+<?xml version="1.0" encoding="iso-8859-1" ?>
 <!DOCTYPE chapter SYSTEM "chapter.dtd">
 
 <chapter>
   <header>
     <copyright>
       <year>2008</year>
-      <year>2008</year>
+      <year>2010</year>
       <holder>Ericsson AB, All Rights Reserved</holder>
     </copyright>
     <legalnotice>
@@ -34,6 +34,55 @@
     <file>notes.xml</file>
   </header>
 
+<section><title>Public_Key 0.9</title>
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Updated ssl to ignore CA certs that violate the asn1-spec
+	    for a certificate, and updated public key asn1 spec to
+	    handle inherited DSS-params.</p>
+          <p>
+	    Own Id: OTP-7884</p>
+        </item>
+        <item>
+          <p>
+	    Changed ssl implementation to retain backwards
+	    compatibility for old option {verify, 0} that shall be
+	    equivalent to {verify, verify_none}, also separate the
+	    cases unknown ca and selfsigned peer cert, and restored
+	    return value of deprecated function
+	    public_key:pem_to_der/1.</p>
+          <p>
+	    Own Id: OTP-8858</p>
+        </item>
+        <item>
+          <p>
+	    Better handling of v1 and v2 certificates. V1 and v2
+	    certificates does not have any extensions so then
+	    validate_extensions should just accept that there are
+	    none and not end up in missing_basic_constraints clause.</p>
+          <p>
+	    Own Id: OTP-8867</p>
+        </item>
+        <item>
+          <p>
+	    Changed the verify fun so that it differentiate between
+	    the peer certificate and CA certificates by using
+	    valid_peer or valid as the second argument to the verify
+	    fun. It may not always be trivial or even possible to
+	    know when the peer certificate is reached otherwise.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-8873</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Public_Key 0.8</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>

diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
@@ -34,6 +34,8 @@
 	    (_,{extension, _}, UserState) ->
 		 {unknown, UserState};
 	    (_, valid, UserState) ->
+		 {valid, UserState};
+	    (_, valid_peer, UserState) ->
 		 {valid, UserState}
 	 end, []}).
 

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
@@ -295,8 +295,8 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate =
 
 
 %%--------------------------------------------------------------------
--spec verify_fun(#'OTPCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}|
-		 valid, term(), fun()) -> term().
+-spec verify_fun(#'OTPTBSCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}|
+		 valid | valid_peer, term(), fun()) -> term().
 %%
 %% Description: Gives the user application the opportunity handle path
 %% validation errors and unknown extensions and optional do other

diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
@@ -6,7 +6,7 @@
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
     {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
   }
@@ -17,7 +17,7 @@
     {update, 'OTP-PUB-KEY', soft, soft_purge, soft_purge, []},
     {update, public_key, soft, soft_purge, soft_purge, []},
     {update, pubkey_pem, soft, soft_purge, soft_purge, []},
-    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []}
+    {update, pubkey_cert_records, soft, soft_purge, soft_purge, []},
     {update, pubkey_cert, soft, soft_purge, soft_purge, []}
    ]
    }

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
@@ -556,9 +556,16 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
 
     %% We want the key_usage extension to be checked before we validate
     %% the signature. 
-    UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert,
+    UserState6 = pubkey_cert:validate_signature(OtpCert, DerCert,
 						Key, KeyParams, UserState5, VerifyFun),
-    UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun),
+    UserState = case Last of
+		    false ->
+			pubkey_cert:verify_fun(OtpCert, valid, UserState6, VerifyFun);
+		    true ->
+			pubkey_cert:verify_fun(OtpCert, valid_peer,
+					       UserState6, VerifyFun)
+		end,
+
     ValidationState  = 
 	ValidationState1#path_validation_state{user_state = UserState},
 

diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
@@ -379,6 +379,8 @@ pkix_path_validation(Config) when is_list(Config) ->
 			      (_,{extension, _}, UserState) ->
 				   {unknown, UserState};
 			      (_, valid, UserState) ->
+				   {valid, UserState};
+			      (_, valid_peer, UserState) ->
 				   {valid, UserState}
 			   end, []},
     {ok, _} =

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
@@ -31,7 +31,47 @@
   <p>This document describes the changes made to the SSL application.
     </p>
 
-    <section><title>SSL 4.0.1</title>
+    <section><title>SSL 4.1</title>
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Updated ssl to ignore CA certs that violate the asn1-spec
+	    for a certificate, and updated public key asn1 spec to
+	    handle inherited DSS-params.</p>
+          <p>
+	    Own Id: OTP-7884</p>
+        </item>
+        <item>
+          <p>
+	    Changed ssl implementation to retain backwards
+	    compatibility for old option {verify, 0} that shall be
+	    equivalent to {verify, verify_none}, also separate the
+	    cases unknown ca and selfsigned peer cert, and restored
+	    return value of deprecated function
+	    public_key:pem_to_der/1.</p>
+          <p>
+	    Own Id: OTP-8858</p>
+        </item>
+        <item>
+          <p>
+	    Changed the verify fun so that it differentiate between
+	    the peer certificate and CA certificates by using
+	    valid_peer or valid as the second argument to the verify
+	    fun. It may not always be trivial or even possible to
+	    know when the peer certificate is reached otherwise.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-8873</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 4.0.1</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
       <list>

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
@@ -202,21 +202,23 @@
 	<p>The verification fun should be defined as:</p>
 
 	<code>
-fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	     {extension, #'Extension'{}}, InitialUserState :: term()) ->
-	{valid, UserState :: term()} | {fail, Reason :: term()} |
-	{unknown, UserState :: term()}.
+	{valid, UserState :: term()} | {valid_peer, UserState :: term()} |
+	{fail, Reason :: term()} | {unknown, UserState :: term()}.
 	</code>
 
 	<p>The verify fun will be called during the X509-path
 	validation when an error or an extension unknown to the ssl
 	application is encountered. Additionally it will be called
 	when a certificate is considered valid by the path validation
 	to allow access to each certificate in the path to the user
-	application.
+	application. Note that the it will differentiate between
+	the peer certificate and CA certificates by using valid_peer
+	or valid as the second argument to the verify fun.
 	See
 	<seealso marker="public_key:application">public_key(3)</seealso>
-	for definition of #'OtpCertificate'{} and #'Extension'{}.</p>
+	for definition of #'OTPCertificate'{} and #'Extension'{}.</p>
 
 	<p>If the verify callback fun returns {fail, Reason}, the
 	verification process is immediately stopped and an alert is
@@ -237,7 +239,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
     (_,{extension, _}, UserState) ->
 	 {unknown, UserState};
     (_, valid, UserState) ->
-	 {valid, UserState}
+	 {valid, UserState};
+    (_, valid_peer, UserState) ->
+         {valid, UserState}
  end, []}
       </code>
 
@@ -249,7 +253,9 @@ fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
     (_,{extension, _}, UserState) ->
 	 {unknown, UserState};
     (_, valid, UserState) ->
-	 {valid, UserState}
+	 {valid, UserState};
+    (_, valid_peer, UserState) ->
+         {valid, UserState}
  end, []}
       </code>
 

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
@@ -627,6 +627,8 @@ handle_options(Opts0, _Role) ->
 	    (_,{extension, _}, UserState) ->
 		 {unknown, UserState};
 	    (_, valid, UserState) ->
+		 {valid, UserState};
+	    (_, valid_peer, UserState) ->
 		 {valid, UserState}
 	 end, []},
 
@@ -727,6 +729,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
 	(_,{extension, _}, UserState) ->
 	     {unknown, UserState};
 	(_, valid, UserState) ->
+	     {valid, UserState};
+	(_, valid_peer, UserState) ->
 	     {valid, UserState}
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
@@ -132,6 +132,8 @@ validate_extension(_, {bad_cert, _} = Reason, _) ->
 validate_extension(_, {extension, _}, Role) ->
     {unknown, Role};
 validate_extension(_, valid, Role) ->
+    {valid, Role};
+validate_extension(_, valid_peer, Role) ->
     {valid, Role}.
 
 %%--------------------------------------------------------------------

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2857,11 +2857,13 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
 					      {options, ServerOpts}]),
     Port  = ssl_test_lib:inet_port(Server),
 
-    FunAndState =  {fun(_,{bad_cert, _} = Reason, _) ->
+    FunAndState =  {fun(_,{bad_cert, unknown_ca} = Reason, _) ->
 			    {fail, Reason};
 		       (_,{extension, _}, UserState) ->
 			    {unknown, UserState};
 		       (_, valid, UserState) ->
+			    {valid, [test_to_update_user_state | UserState]};
+		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
 		    end, []},
 
@@ -2930,6 +2932,8 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
 		       (_,{extension, _}, UserState) ->
 			    {unknown, UserState};
 		       (_, valid, UserState) ->
+			    {valid, UserState};
+		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
 		    end, []},
 

diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
@@ -1,2 +1,2 @@
 
-SSL_VSN = 4.0.2
+SSL_VSN = 4.1