From a893290747a5bee833203bf964bd08f06ed10a27 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Fri, 17 Feb 2023 13:34:23 +0100
Subject: [PATCH] public_key: Move decode of CRLDistributionPoints extension

As different solutions of verifying certificate revocation exists move the decode of 'CRLDistributionPoints' so that it will only be decode when it is actually used in the verification process. This would enable interoperability with systems that use certificates with an invalid empty CRLDistributionPoints extension that they want to ignore and make verification by other means.

Closes #6402
---
 lib/public_key/src/pubkey_cert.erl | 3 +++
 lib/public_key/src/pubkey_cert_records.erl | 19 +++++++++----------
 lib/public_key/test/public_key_SUITE.erl | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 9d67901e9b67..b7e0b178de00 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -370,6 +370,9 @@ select_extension(_, asn1_NOVALUE) ->
     undefined;
 select_extension(_, []) ->
     undefined;
+select_extension(Id, [#'Extension'{extnID = ?'id-ce-cRLDistributionPoints' = Id,
+                                   extnValue = Value} = Extension | _]) when is_binary(Value) ->
+    Extension#'Extension'{extnValue = public_key:der_decode('CRLDistributionPoints', Value)};
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
     Extension;
 select_extension(Id, [_ | Extensions]) ->
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index d837d8cf7b57..3207ebb4aebf 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
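Review bot: The new `select_extension/2` clause calls `public_key:der_decode/2` unguarded, so a certificate whose CRLDistributionPoints value is malformed — the exact case the commit message says some deployments want to ignore — no longer fails in `pkix_decode_cert/2` but instead raises an `{asn1, _}` error from inside whichever verification step looks the extension up, and nothing in this hunk decides whether that should mean "no distribution points" or a hard failure. The callers that reach this clause are outside the hunk (and `select_extension/2` itself continues past the last context line), so I cannot tell from here whether any of them catch it; if revocation is to be checked "by other means" when the extension is unusable, that decision belongs in the CRL-checking caller and should fail closed when CRL checking is mandatory rather than silently skip it. The deferred decode and the purpose of the `is_binary(Value)` guard (it keeps an already-decoded value from being decoded twice) deserve a comment on the clause, e.g. `%% CRLDistributionPoints is left DER-encoded by pkix_decode_cert/2 and decoded here on first use; der_decode/2 raises {asn1,_} on a malformed value, so callers must handle that deliberately.` Note also that the value is re-decoded on every lookup since the result is not written back to the certificate, which is presumably acceptable for a once-per-chain check but worth stating.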
@@ -262,21 +262,20 @@ extension_id(?'id-ce-keyUsage') -> 'KeyUsage';
 extension_id(?'id-ce-privateKeyUsagePeriod') -> 'PrivateKeyUsagePeriod';
 extension_id(?'id-ce-certificatePolicies') -> 'CertificatePolicies';
 extension_id(?'id-ce-policyMappings') -> 'PolicyMappings';
-extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName';
-extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName';
+extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName';
+extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName';
 extension_id(?'id-ce-subjectDirectoryAttributes') -> 'SubjectDirectoryAttributes';
-extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints';
-extension_id(?'id-ce-nameConstraints') -> 'NameConstraints';
-extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints';
-extension_id(?'id-ce-cRLDistributionPoints') -> 'CRLDistributionPoints';
-extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax';
-extension_id(?'id-ce-inhibitAnyPolicy') -> 'InhibitAnyPolicy';
+extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints';
+extension_id(?'id-ce-nameConstraints') -> 'NameConstraints';
+extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints';
+extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax';
+extension_id(?'id-ce-inhibitAnyPolicy') -> 'InhibitAnyPolicy';
 extension_id(?'id-ce-freshestCRL') -> 'FreshestCRL';
-%% Missing in public_key doc
+extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
+%% Missing in public_key doc
 extension_id(?'id-pe-authorityInfoAccess') -> 'AuthorityInfoAccessSyntax';
 extension_id(?'id-pe-subjectInfoAccess') -> 'SubjectInfoAccessSyntax';
 extension_id(?'id-ce-cRLNumber') -> 'CRLNumber';
-extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
 extension_id(?'id-ce-deltaCRLIndicator') -> 'BaseCRLNumber';
 extension_id(?'id-ce-cRLReasons') -> 'CRLReason';
 extension_id(?'id-ce-certificateIssuer') -> 'CertificateIssuer';
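Review bot: The `?'id-ce-cRLDistributionPoints'` clause is dropped from `extension_id/1` without any comment, so after this change `pkix_decode_cert(_, otp)` leaves that one extension's `extnValue` as a raw DER binary while every neighbouring extension in this table is decoded, and a maintainer reading the table would reasonably "fix" it by re-adding the clause. The OID presumably now falls through to a catch-all clause further down in `extension_id/1`, which continues outside the hunk, so I cannot confirm from here what it returns. I would record the intent in place, e.g. `%% 'CRLDistributionPoints' (?'id-ce-cRLDistributionPoints') is deliberately absent: it is decoded on demand in pubkey_cert:select_extension/2 so that certificates carrying a malformed value can still be decoded (#6402).` Since callers that read this extension out of an `OTPCertificate` now see a binary instead of a `CRLDistributionPoints` value, the change should also be called out in the public_key documentation and release notes, not only in a code comment.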
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index b4de6f1926b1..0b6c2a3b8772 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -89,6 +89,8 @@
          pkix_countryname/1,
          pkix_emailaddress/0,
          pkix_emailaddress/1,
+         pkix_decode_cert/0,
+         pkix_decode_cert/1,
          pkix_path_validation/0,
          pkix_path_validation/1,
          pkix_path_validation_root_expired/0,
@@ -149,6 +151,7 @@ all() ->
      pkix,
      pkix_countryname,
      pkix_emailaddress,
+     pkix_decode_cert,
      pkix_path_validation,
      pkix_path_validation_root_expired,
      pkix_iso_rsa_oid,
@@ -795,6 +798,17 @@ pkix_emailaddress(Config) when is_list(Config) ->
     check_emailaddress(Issuer),
     check_emailaddress(Subj).
+
+%%--------------------------------------------------------------------
+pkix_decode_cert() ->
+    [{doc, "Test that extension IssuerDistributionPoint is not decoded in 'otp' decoding mode. We want to leave it for later "
+      "to increase interopability for sites that does not use this extension and will not care if it is properly encoded"}].
+pkix_decode_cert(Config) when is_list(Config) ->
+    Der = base64:decode(
+            <<"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">>),
+    #'OTPCertificate'{} = public_key:pkix_decode_cert(Der, otp).
+
 
 %%--------------------------------------------------------------------
 pkix_path_validation() ->
     [{doc, "Test PKIX path validation"}].
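Review bot: The new `pkix_decode_cert/1` case only asserts that `pkix_decode_cert(Der, otp)` returns an `#'OTPCertificate'{}`, so it does not pin the property this commit introduces — it would keep passing if the CRLDistributionPoints decode were re-added to `pubkey_cert_records`, as long as the fixture's extension happens to be well-formed, and nothing in the hunk shows whether the fixture actually carries the invalid empty extension the commit message describes. I would extract the extension from the decoded certificate and assert that its `extnValue` is still the undecoded binary, as below, assuming the suite includes `public_key.hrl` for the record definitions (the existing `#'OTPCertificate'{}` match suggests it does). The doc string also names the wrong extension — `IssuerDistributionPoint` where the code and commit concern `CRLDistributionPoints` — and has two typos; I would change it to `"Test that the CRLDistributionPoints extension is not decoded in 'otp' decoding mode. It is decoded on demand later, to increase interoperability with sites that do not use this extension and do not care whether it is properly encoded"`.

```erlang
pkix_decode_cert(Config) when is_list(Config) ->
    %% … unchanged: Der = base64:decode(...) …
    #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = Exts}} =
        public_key:pkix_decode_cert(Der, otp),
    %% The extension must survive 'otp' decoding untouched; it is decoded on demand later.
    #'Extension'{extnValue = Value} =
        lists:keyfind(?'id-ce-cRLDistributionPoints', #'Extension'.extnID, Exts),
    true = is_binary(Value).
```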