Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Ledest:erlang:24
erlang
4002-ssl-public_key-Adjust-handling-of-extended...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 4002-ssl-public_key-Adjust-handling-of-extended-key-usage.patch of Package erlang
From 4c8c99b74bd84cc4460c50be982c22607d456e0b Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin <ingela@erlang.org> Date: Tue, 29 Aug 2023 08:26:28 +0200 Subject: [PATCH 2/2] ssl, public_key: Adjust handling of extended key usage certificate extension This extension is in general found in end entity certificates, but can apper in CA certificates. See RFC 5280. ssl application will validate id-kp-serverAuth and id-kp-clientAuth in end entity certificates. --- lib/public_key/src/pubkey_cert.erl | 11 ++------- lib/ssl/src/ssl_certificate.erl | 24 +++++++++---------- lib/ssl/src/ssl_handshake.erl | 4 +++- lib/ssl/src/tls_handshake_1_3.erl | 38 ++++++++++++++++-------------- 4 files changed, 37 insertions(+), 40 deletions(-) diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl index 39084f3e76..7fbf8dfe06 100644 --- a/lib/public_key/src/pubkey_cert.erl +++ b/lib/public_key/src/pubkey_cert.erl @@ -908,24 +908,17 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-policyConstraints', validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-extKeyUsage', critical = true, extnValue = KeyUse} = Extension | Rest], - ValidationState#path_validation_state{last_cert = false}, ExistBasicCon, + #path_validation_state{last_cert = false} = ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> UserState = case ext_keyusage_includes_any(KeyUse) of true -> %% CA cert that specifies ?anyExtendedKeyUsage should not be marked critical verify_fun(OtpCert, {bad_cert, invalid_ext_key_usage}, UserState0, VerifyFun); false -> - verify_fun(OtpCert, {extension, Extension}, UserState0, VerifyFun); + verify_fun(OtpCert, {extension, Extension}, UserState0, VerifyFun) end, validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, UserState, VerifyFun); -validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-extKeyUsage', - extnValue = KeyUse} = Extension | Rest], - ValidationState, ExistBasicCon, - SelfSigned, UserState0, VerifyFun) -> - UserState = verify_fun(OtpCert, {extension, Ext}, UserState0, VerifyFun), - validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, - UserState, VerifyFun); validate_extensions(OtpCert, [#'Extension'{} = Extension | Rest], ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index cb1ddbfa05..78dccd6a5c 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -73,7 +73,6 @@ file_to_certificats/2, file_to_crls/2, validate/3, - is_valid_extkey_usage/2, is_valid_key_usage/2, select_extension/2, extensions_list/1, @@ -204,7 +203,8 @@ file_to_crls(File, DbHandle) -> %%-------------------------------------------------------------------- validate(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', critical = Critical, - extnValue = KeyUse}}, #{pathlen := 1} = UserState) -> + extnValue = KeyUse}}, #{path_len := 1} = UserState) -> + %% If extension in peer, check for TLS server/client usage case is_valid_extkey_usage(KeyUse, Critical, UserState) of true -> {valid, UserState}; @@ -217,14 +217,14 @@ validate(Issuer, {bad_cert, cert_expired}, #{issuer := Issuer}) -> {fail, {bad_cert, root_cert_expired}}; validate(_, {bad_cert, _} = Reason, _) -> {fail, Reason}; -validate(Cert, valid, #{pathlen := N} = UserState) -> +validate(Cert, valid, #{path_len := N} = UserState) -> case verify_sign(Cert, UserState) of true -> case maps:get(cert_ext, UserState, undefined) of undefined -> - {valid, UserState#{pathlen => N-1}}; + {valid, UserState#{path_len => N-1}}; _ -> - verify_cert_extensions(Cert, UserState#{pathlen => N -1}) + verify_cert_extensions(Cert, UserState#{path_len => N-1}) end; false -> {fail, {bad_cert, invalid_signature}} @@ -495,19 +495,19 @@ do_find_issuer(IssuerFun, CertDbHandle, CertDb) -> Return end. -is_valid_extkey_usage(KeyUse, true, #{role := Role, pathlen := 1}) when is_list(KeyUse) -> - is_valid_key_usage(ext_keysage(Role), KeyUse); -is_valid_key_usage(KeyUse, true, #{role := Role, pathlen := 1}) -> - is_valid_key_usage(ext_keysage(Role), [KeyUse]); -is_valid_key_usage(_, false, _) -> +is_valid_extkey_usage(KeyUse, true, #{role := Role}) when is_list(KeyUse) -> + is_valid_key_usage(KeyUse, ext_keysage(Role)); +is_valid_extkey_usage(KeyUse, true, #{role := Role}) -> + is_valid_key_usage([KeyUse], ext_keysage(Role)); +is_valid_extkey_usage(_, false, _) -> false. ext_keysage(client) -> %% Client wants to verify server - ?'id-kp-serverAuth'. + ?'id-kp-serverAuth'; ext_keysage(server) -> %% Server wants to verify client - ?'id-kp-serverAuth'. + ?'id-kp-clientAuth'. verify_cert_signer(BinCert, SignerTBSCert) -> PublicKey = public_key(SignerTBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo), diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 56a1ca81b9..04601dfbf2 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -3879,7 +3879,9 @@ path_validation(TrustedCert, Path, ServerName, Role, CertDbHandle, CertDbRef, CR cert_ext => CertExt, issuer => TrustedCert, ocsp_responder_certs => OcspResponderCerts, - ocsp_state => OcspState}, + ocsp_state => OcspState, + path_len => length(Path) + }, Path, Level), Options = [{max_path_length, Depth}, {verify_fun, ValidationFunAndState}], diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl index 750a79887f..34690ef9dd 100644 --- a/lib/ssl/src/tls_handshake_1_3.erl +++ b/lib/ssl/src/tls_handshake_1_3.erl @@ -2943,24 +2943,26 @@ path_validation(TrustedCert, Path, ServerName, Role, CertDbHandle, CertDbRef, CR #{cert_ext := CertExt, ocsp_responder_certs := OcspResponderCerts, ocsp_state := OcspState}) -> - ValidationFunAndState = - ssl_handshake:validation_fun_and_state(VerifyFun, #{role => Role, - certdb => CertDbHandle, - certdb_ref => CertDbRef, - server_name => ServerName, - customize_hostname_check => - CustomizeHostnameCheck, - crl_check => CrlCheck, - crl_db => CRLDbHandle, - signature_algs => filter_tls13_algs(SignAlgos), - signature_algs_cert => - filter_tls13_algs(SignAlgosCert), - version => Version, - issuer => TrustedCert, - cert_ext => CertExt, - ocsp_responder_certs => OcspResponderCerts, - ocsp_state => OcspState - }, + ValidationFunAndState = + ssl_handshake:validation_fun_and_state(VerifyFun, + #{role => Role, + certdb => CertDbHandle, + certdb_ref => CertDbRef, + server_name => ServerName, + customize_hostname_check => + CustomizeHostnameCheck, + crl_check => CrlCheck, + crl_db => CRLDbHandle, + signature_algs => filter_tls13_algs(SignAlgos), + signature_algs_cert => + filter_tls13_algs(SignAlgosCert), + version => Version, + issuer => TrustedCert, + cert_ext => CertExt, + ocsp_responder_certs => OcspResponderCerts, + ocsp_state => OcspState, + path_len => length(Path) + }, Path, LogLevel), Options = [{max_path_length, Depth}, {verify_fun, ValidationFunAndState}], -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor