Showing with 766 additions and 97 deletions.
  1. +2 −0 lib/public_key/src/pubkey_cert.erl
  2. +20 −7 lib/public_key/src/pubkey_crl.erl
  3. +1 −0 lib/ssl/test/Makefile
  4. +222 −88 lib/ssl/test/make_certs.erl
  5. +517 −0 lib/ssl/test/ssl_crl_SUITE.erl
  6. +4 −2 lib/ssl/test/ssl_test_lib.erl
2 changes: 2 additions & 0 deletions lib/public_key/src/pubkey_cert.erl
Expand Up @@ -319,6 +319,8 @@ verify_fun(Otpcert, Result, UserState0, VerifyFun) ->
%%
%% Description: Extracts a specific extension from a list of extensions.
%%--------------------------------------------------------------------
select_extension(_, asn1_NOVALUE) ->
undefined;
select_extension(_, []) ->
undefined;
select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
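Review bot: The description comment above `select_extension/2` still says it extracts an extension from a list, while the new first clause also accepts `asn1_NOVALUE`, the value the decoder leaves in an absent `extensions` field; the comment should say so, e.g. `%% Description: Extracts a specific extension from a list of extensions; returns undefined when the list is empty or the field is absent (asn1_NOVALUE).` If the function carries a `-spec` outside this hunk, its argument type needs `asn1_NOVALUE` added as well so Dialyzer sees the new input shape. The remaining clauses of select_extension/2 continue outside the hunk.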
27 changes: 20 additions & 7 deletions lib/public_key/src/pubkey_crl.erl
Expand Up @@ -39,7 +39,13 @@ validate(OtpCert, OtherDPCRLs, DP, {DerCRL, CRL}, {DerDeltaCRL, DeltaCRL},
CertIssuer = TBSCert#'OTPTBSCertificate'.issuer,
TBSCRL = CRL#'CertificateList'.tbsCertList,
CRLIssuer = TBSCRL#'TBSCertList'.issuer,
AltNames = subject_alt_names(TBSCert#'OTPTBSCertificate'.extensions),
AltNames = case pubkey_cert:select_extension(?'id-ce-subjectAltName',
TBSCert#'OTPTBSCertificate'.extensions) of
undefined ->
[];
Ext ->
Ext#'Extension'.extnValue
end,
revoked_status(DP, IDP, {directoryName, CRLIssuer},
[ {directoryName, CertIssuer} | AltNames], SerialNumber, Revoked,
DeltaRevoked, RevokedState1);
Expand Down Expand Up @@ -387,11 +393,15 @@ verify_dp_name(asn1_NOVALUE, _) ->
ok;

verify_dp_name(IDPNames, DPorIssuerNames) ->
case match_one(DPorIssuerNames, IDPNames) of
true ->
ok;
false ->
throw({bad_crl, scope_error})
%% RFC 5280 section 5.2.5
%% Check that at least one IssuingDistributionPointName in the CRL lines up
%% with a DistributionPointName in the certificate.
Matches = [X || X <- IDPNames, Y <- DPorIssuerNames, X == Y],
case Matches of
[] ->
throw({bad_crl, scope_error});
_ ->
ok
end.

match_one([], _) ->
Expand All @@ -401,7 +411,8 @@ match_one([{Type, Name} | Names], CandidateNames) ->
case Candidates of
[] ->
false;
[_|_] -> case pubkey_cert:match_name(Type, Name, Candidates) of
[_|_] ->
case pubkey_cert:match_name(Type, Name, Candidates) of
true ->
true;
false ->
Expand Down Expand Up @@ -664,6 +675,8 @@ verify_extensions([#'TBSCertList_revokedCertificates_SEQOF'{crlEntryExtensions =
verify_extensions(pubkey_cert:extensions_list(Ext)) and verify_extensions(Rest);
verify_extensions([]) ->
true;
verify_extensions(asn1_NOVALUE) ->
true;
verify_extensions([#'Extension'{critical = true, extnID = Id} | Rest]) ->
case lists:member(Id, [?'id-ce-authorityKeyIdentifier',
?'id-ce-issuerAltName',
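Review bot: The rewritten `verify_dp_name/2` compares names with `X == Y`, i.e. exact term equality, whereas the `match_one/2` path it replaces went through `pubkey_cert:match_name/3`, which presumably applies the per-type comparison rules; a directoryName that differs only in attribute string encoding or letter case will now throw `{bad_crl, scope_error}` where it previously matched, so the commit should either state that exact comparison is intended for the IDP scope check or keep the type-aware match in the comprehension. `match_one/2` is still present (it is reindented in the next hunk), so if the original problem was only the argument order, `match_one(IDPNames, DPorIssuerNames)` may be all that was needed — hard to tell from the hunk alone. As a point of style, building `Matches` only to test it for emptiness reads better as `case lists:any(fun(N) -> lists:member(N, DPorIssuerNames) end, IDPNames) of true -> ok; false -> throw({bad_crl, scope_error}) end`, and `=:=` is the conventional exact comparison if `==` is kept.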
1 change: 1 addition & 0 deletions lib/ssl/test/Makefile
Expand Up @@ -39,6 +39,7 @@ MODULES = \
ssl_basic_SUITE \
ssl_cipher_SUITE \
ssl_certificate_verify_SUITE\
ssl_crl_SUITE\
ssl_dist_SUITE \
ssl_handshake_SUITE \
ssl_npn_hello_SUITE \