
OTP R13B03 new SSL certificate parsing fix
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 0ccc747..b53f8e7 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -176,9 +176,15 @@ validate_revoked_status(_OtpCert, _Verify, AccErr) ->
validate_extensions(OtpCert, ValidationState, Verify, AccErr) ->
TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
- Extensions = TBSCert#'OTPTBSCertificate'.extensions,
- validate_extensions(Extensions, ValidationState, no_basic_constraint,
- is_self_signed(OtpCert), [], Verify, AccErr).
+ case TBSCert#'OTPTBSCertificate'.version of
+ N when N >= 3 ->
+ Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+ validate_extensions(Extensions, ValidationState,
+ no_basic_constraint, is_self_signed(OtpCert),
+ [], Verify, AccErr);
+ _ -> %% Extensions not present in versions 1 & 2
+ {ValidationState, [], AccErr}
+ end.
validate_unknown_extensions([], AccErr, _Verify) ->
AccErr;
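Review bot: The guard `N when N >= 3` on the new version branch does not line up with how `Version ::= INTEGER { v1(0), v2(1), v3(2) }` is represented, whichever representation the decoder produces. If the ASN.1 runtime decodes the field as the named-value atom (`v1`/`v2`/`v3`, as OTP's generated records appear to — confirm against the generated hrl), every atom compares greater than the integer 3 in Erlang term order, so the v1/v2 fall-through is never taken; if it is the raw integer, v3 is 2 and the extension-validating branch is never taken, silently skipping basic-constraints and key-usage checks on every certificate. Match the value explicitly instead of using a numeric guard: `v3 ->` for the extensions case, keeping `_ -> %% v1/v2 carry no extensions` as the fall-through. validate_extensions/4 is complete within the hunk; validate_unknown_extensions continues outside it.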
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index decc6c9..336d64a 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -206,14 +206,24 @@ remove_certs(Ref, CertsDb) ->
ets:match_delete(CertsDb, {{Ref, '_', '_'}, '_'}).
add_certs_from_file(File, Ref, CertsDb) ->
- Decode = fun(Cert) ->
- {ok, ErlCert} = public_key:pkix_decode_cert(Cert, otp),
- TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
- SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
- Issuer = public_key:pkix_normalize_general_name(
- TBSCertificate#'OTPTBSCertificate'.issuer),
- insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
- end,
- {ok,Der} = public_key:pem_to_der(File),
- [Decode(Cert) || {cert, Cert, not_encrypted} <- Der].
+ {ok, Der} = public_key:pem_to_der(File),
+ lists:reverse(lists:foldl(
+ fun({cert, Cert, not_encrypted}, Acc) ->
+ try
+ {ok, ErlCert} = public_key:pkix_decode_cert(Cert, otp),
+ TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
+ SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
+ Issuer = public_key:pkix_normalize_general_name(
+ TBSCertificate#'OTPTBSCertificate'.issuer),
+ [insert({Ref, SerialNumber, Issuer}, {Cert, ErlCert}, CertsDb) | Acc]
+ catch
+ error:Reason ->
+ Report = io_lib:format("SSL WARNING: Ignoring CA cert: ~p"
+ "~n Due to decoding error:~p ~n", [Cert, Reason]),
+ error_logger:info_report(Report),
+ Acc
+ end;
+ (_, Acc) ->
+ Acc
+ end, [], Der)).
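Review bot: A CA certificate that fails to decode is now dropped from the trust store with only an `error_logger:info_report/1`, which most deployments do not surface, yet a partially loaded cacertfile changes which peers are accepted; this belongs at `error_logger:warning_report(Report)` (or error_report) so operators notice the trust store is incomplete. The `try` body also wraps `insert/3`, so an ETS failure would be reported as a "decoding error"; keeping only the decode in the `try` and moving the insert into a `try ... of {SerialNumber, Issuer} -> [insert(...) | Acc]` clause narrows the catch to what the message claims. Note as well that `catch error:Reason` leaves throws and exits from the decoder uncaught, and the `(_, Acc) -> Acc` clause drops `{cert, _, Encrypted}` and other PEM entries without any log at all. add_certs_from_file/3 is complete within the hunk.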

