File 3141-public_key-Move-decode-of-CRLDistributionPoints-exte.patch of Package erlang
From a893290747a5bee833203bf964bd08f06ed10a27 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 17 Feb 2023 13:34:23 +0100
Subject: [PATCH] public_key: Move decode of CRLDistributionPoints extension

As different solutions of verifying certificate revocation exists move the decode of 'CRLDistributionPoints' so that it will only be decode when it is actually used in the verification process. This would enable interoperability with systems that use certificates with an invalid empty CRLDistributionPoints extension that they want to ignore and make verification by other means. Closes #6402
---
 lib/public_key/src/pubkey_cert.erl | 3 +++
 lib/public_key/src/pubkey_cert_records.erl | 19 +++++++++----------
 lib/public_key/test/public_key_SUITE.erl | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 9d67901e9b..b7e0b178de 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -370,6 +370,9 @@ select_extension(_, asn1_NOVALUE) ->
 undefined;
 select_extension(_, []) ->
 undefined;
+select_extension(Id, [#'Extension'{extnID = ?'id-ce-cRLDistributionPoints' = Id,
+ extnValue = Value} = Extension | _]) when is_binary(Value) ->
+ Extension#'Extension'{extnValue = public_key:der_decode('CRLDistributionPoints', Value)};
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
 Extension;
 select_extension(Id, [_ | Extensions]) ->
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index d837d8cf7b..3207ebb4ae 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
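Review bot: The new `select_extension/2` clause in pubkey_cert.erl calls `public_key:der_decode('CRLDistributionPoints', Value)` on certificate-supplied bytes at lookup time, and `der_decode/2` raises rather than returning an error tuple when the value does not parse. A certificate carrying the malformed (for example empty) extension this change is meant to tolerate therefore passes `pkix_decode_cert/2` and fails later, as an exception inside whichever caller asks for this extension; those callers are outside the hunk, so whether they turn that into a validation failure cannot be confirmed here. Mapping the failure to `undefined` would make a revocation check behave as if no distribution point were present, so the decode error should surface as an explicit rejection on the CRL path. At minimum I would add above the clause: `%% Decoded on demand; der_decode/2 raises on a malformed value, so CRL-checking callers must treat that as a failed check, not as an absent extension.`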
@@ -262,21 +262,20 @@ extension_id(?'id-ce-keyUsage') -> 'KeyUsage';
 extension_id(?'id-ce-privateKeyUsagePeriod') -> 'PrivateKeyUsagePeriod';
 extension_id(?'id-ce-certificatePolicies') -> 'CertificatePolicies';
 extension_id(?'id-ce-policyMappings') -> 'PolicyMappings';
-extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName';
-extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName';
+extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName';
+extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName';
 extension_id(?'id-ce-subjectDirectoryAttributes') -> 'SubjectDirectoryAttributes';
-extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints';
-extension_id(?'id-ce-nameConstraints') -> 'NameConstraints';
-extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints';
-extension_id(?'id-ce-cRLDistributionPoints') -> 'CRLDistributionPoints';
-extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax';
-extension_id(?'id-ce-inhibitAnyPolicy') -> 'InhibitAnyPolicy';
+extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints';
+extension_id(?'id-ce-nameConstraints') -> 'NameConstraints';
+extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints';
+extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax';
+extension_id(?'id-ce-inhibitAnyPolicy') -> 'InhibitAnyPolicy';
 extension_id(?'id-ce-freshestCRL') -> 'FreshestCRL';
-%% Missing in public_key doc
+extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
+%% Missing in public_key doc
 extension_id(?'id-pe-authorityInfoAccess') -> 'AuthorityInfoAccessSyntax';
 extension_id(?'id-pe-subjectInfoAccess') -> 'SubjectInfoAccessSyntax';
 extension_id(?'id-ce-cRLNumber') -> 'CRLNumber';
-extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
 extension_id(?'id-ce-deltaCRLIndicator') -> 'BaseCRLNumber';
 extension_id(?'id-ce-cRLReasons') -> 'CRLReason';
 extension_id(?'id-ce-certificateIssuer') -> 'CertificateIssuer';
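Review bot: Dropping the `?'id-ce-cRLDistributionPoints'` clause from `extension_id/1` presumably changes what `pkix_decode_cert(Der, otp)` hands back: `extnValue` for this extension would stay a DER binary, so any code that reads the extension list directly instead of going through `pubkey_cert:select_extension/2` would no longer see decoded distribution points. `extension_id/1`'s callers are outside the hunk; if the same table also drives the encode direction, an `#'Extension'{}` holding already-decoded distribution points would presumably no longer be re-encoded, which is worth a test. The remaining +/- pairs in this hunk look like whitespace-only changes. I would leave a marker where the clause was: `%% 'id-ce-cRLDistributionPoints' is deliberately not listed: decoded on demand in pubkey_cert:select_extension/2`.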
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index b4de6f1926..0b6c2a3b87 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -89,6 +89,8 @@ pkix_countryname/1, pkix_emailaddress/0, pkix_emailaddress/1, + pkix_decode_cert/0, + pkix_decode_cert/1, pkix_path_validation/0, pkix_path_validation/1, pkix_path_validation_root_expired/0, @@ -149,6 +151,7 @@ all() -> pkix, pkix_countryname, pkix_emailaddress, + pkix_decode_cert, pkix_path_validation, pkix_path_validation_root_expired, pkix_iso_rsa_oid, @@ -795,6 +798,17 @@ pkix_emailaddress(Config) when is_list(Config) -> check_emailaddress(Issuer), check_emailaddress(Subj). + +%%-------------------------------------------------------------------- +pkix_decode_cert() -> + [{doc, "Test that extension IssuerDistributionPoint is not decoded in 'otp' decoding mode. We want to leave it for later " + "to increase interopability for sites that does not use this extension and will not care if it is properly encoded"}]. +pkix_decode_cert(Config) when is_list(Config) -> + Der = base64:decode( + <<"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">>), + + #'OTPCertificate'{} = public_key:pkix_decode_cert(Der, otp). + %%-------------------------------------------------------------------- pkix_path_validation() -> [{doc, "Test PKIX path validation"}]. -- 2.35.3
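Review bot: The doc string of `pkix_decode_cert/0` names `IssuerDistributionPoint`, but the extension this commit stops decoding is `CRLDistributionPoints`, and `interopability` is misspelled; the first line should read `"Test that extension CRLDistributionPoints is not decoded in 'otp' decoding mode. We want to leave it for later "`. The test body only asserts that `public_key:pkix_decode_cert(Der, otp)` returns an `#'OTPCertificate'{}`. It does not check that the extension's `extnValue` is still a binary, nor what happens when the extension is later selected for a CRL check, which is the path where the deferred decode can now fail. A second assertion covering that lookup would pin the intended behaviour.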