Merge pull request #6883 from IngelaAndin/ingela/public_key/decode_cr…

…l_distpoint_ext_later/GH-6402/OTP-18316 public_key: Move decode of CRLDistributionPoints extension
erlang · Feb 23, 2023 · 205da37 · 205da37
2 parents d2e7956 + a893290
commit 205da37
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 10 deletions.
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
@@ -370,6 +370,9 @@ select_extension(_, asn1_NOVALUE) ->
     undefined;
 select_extension(_, []) ->
     undefined;
+select_extension(Id, [#'Extension'{extnID = ?'id-ce-cRLDistributionPoints' = Id,
+                                   extnValue = Value} = Extension | _]) when is_binary(Value) ->
+    Extension#'Extension'{extnValue = public_key:der_decode('CRLDistributionPoints', Value)};
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
     Extension;
 select_extension(Id, [_ | Extensions]) ->

diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
@@ -262,21 +262,20 @@ extension_id(?'id-ce-keyUsage') -> 	          'KeyUsage';
 extension_id(?'id-ce-privateKeyUsagePeriod') ->   'PrivateKeyUsagePeriod';
 extension_id(?'id-ce-certificatePolicies') -> 	  'CertificatePolicies';
 extension_id(?'id-ce-policyMappings') -> 	  'PolicyMappings';
-extension_id(?'id-ce-subjectAltName') -> 	  'SubjectAltName'; 	        
-extension_id(?'id-ce-issuerAltName') -> 	  'IssuerAltName'; 	        
+extension_id(?'id-ce-subjectAltName') -> 	  'SubjectAltName';
+extension_id(?'id-ce-issuerAltName') -> 	  'IssuerAltName';
 extension_id(?'id-ce-subjectDirectoryAttributes') -> 	  'SubjectDirectoryAttributes';
-extension_id(?'id-ce-basicConstraints' ) -> 	  'BasicConstraints';	        
-extension_id(?'id-ce-nameConstraints') -> 	  'NameConstraints'; 	        
-extension_id(?'id-ce-policyConstraints') -> 	  'PolicyConstraints'; 	
-extension_id(?'id-ce-cRLDistributionPoints') ->   'CRLDistributionPoints'; 	
-extension_id(?'id-ce-extKeyUsage') -> 	          'ExtKeyUsageSyntax'; 	        
-extension_id(?'id-ce-inhibitAnyPolicy') -> 	  'InhibitAnyPolicy'; 	        
+extension_id(?'id-ce-basicConstraints' ) -> 	  'BasicConstraints';
+extension_id(?'id-ce-nameConstraints') -> 	  'NameConstraints';
+extension_id(?'id-ce-policyConstraints') -> 	  'PolicyConstraints';
+extension_id(?'id-ce-extKeyUsage') -> 	          'ExtKeyUsageSyntax';
+extension_id(?'id-ce-inhibitAnyPolicy') -> 	  'InhibitAnyPolicy';
 extension_id(?'id-ce-freshestCRL') -> 	          'FreshestCRL';
-%% Missing in public_key doc 
+extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
+%% Missing in public_key doc
 extension_id(?'id-pe-authorityInfoAccess') -> 	  'AuthorityInfoAccessSyntax';
 extension_id(?'id-pe-subjectInfoAccess') -> 	  'SubjectInfoAccessSyntax';
 extension_id(?'id-ce-cRLNumber') -> 	          'CRLNumber';
-extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
 extension_id(?'id-ce-deltaCRLIndicator') -> 	   'BaseCRLNumber';
 extension_id(?'id-ce-cRLReasons') -> 	          'CRLReason';
 extension_id(?'id-ce-certificateIssuer') -> 	  'CertificateIssuer';

diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
@@ -89,6 +89,8 @@
          pkix_countryname/1,
          pkix_emailaddress/0,
          pkix_emailaddress/1,
+         pkix_decode_cert/0,
+         pkix_decode_cert/1,
          pkix_path_validation/0,
          pkix_path_validation/1,
          pkix_path_validation_root_expired/0,
@@ -149,6 +151,7 @@ all() ->
      pkix, 
      pkix_countryname, 
      pkix_emailaddress, 
+     pkix_decode_cert,
      pkix_path_validation,
      pkix_path_validation_root_expired,
      pkix_iso_rsa_oid, 
@@ -795,6 +798,17 @@ pkix_emailaddress(Config) when is_list(Config) ->
     check_emailaddress(Issuer),
     check_emailaddress(Subj).
 
+
+%%--------------------------------------------------------------------
+pkix_decode_cert() ->
+    [{doc, "Test that extension IssuerDistributionPoint is not decoded in 'otp' decoding mode. We want to leave it for later "
+      "to increase interopability for sites that does not use this extension and will not care if it is properly encoded"}].
+pkix_decode_cert(Config) when is_list(Config) ->
+    Der = base64:decode(
+            <<"MIICXDCCAgKgAwIBAgIBATAKBggqhkjOPQQDAjApMRkwFwYDVQQFExBjOTY4NDI4OTMyNzUwOGRiMQwwCgYDVQQMDANURUUwHhcNMjIxMDI5MTczMTA3WhcNMjkwNDE2MjAzNDUzWjAfMR0wGwYDVQQDExRBbmRyb2lkIEtleXN0b3JlIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFmIQDus/jIZ0cPnRCITCzUUuCjQBw8MetO6154mmTL8O/fFlGgYkZ6C8jSSntKC/lMwaZHxAgW1AGgoCrPuX5ejggEjMIIBHzALBgNVHQ8EBAMCB4AwCAYDVR0fBAEAMIIBBAYKKwYBBAHWeQIBEQSB9TCB8gIBAgoBAQIBAwoBAQQgyvsSa116xqleaXs6xA84wqpAPWFgaaTjCWBnZpHslmoEADBEv4VFQAQ+MDwxFjAUBAxjb20ud2hhdHNhcHACBA0+oAQxIgQgOYfQQ9EK769ahxCzZxQY/lfg4ZtlPJ34JVj+tf/OXUQweqEFMQMCAQKiAwIBA6MEAgIBAKUIMQYCAQYCAQSqAwIBAb+DdwIFAL+FPQgCBgGEJMweob+FPgMCAQC/hUAqMCgEIFNB5rJkaXmnDldlMAeh8xAWlCHsm92fGlZI91reAFrxAQH/CgEAv4VBBQIDAV+Qv4VCBQIDAxUYMAoGCCqGSM49BAMCA0gAMEUCIF0BwvRQipVoaz5SIhsYbIeK+FHbAjWPgOxWgQ6Juq64AiEA83ZLsK37DjZ/tZNRi271VHQqIU8mdqUIMboVUiy3DaM=">>),
+
+    #'OTPCertificate'{} = public_key:pkix_decode_cert(Der, otp).
+
 %%--------------------------------------------------------------------
 pkix_path_validation() ->
     [{doc, "Test PKIX path validation"}].