fdmanana/OTP R14B SSL certificate parsing fix

## OTP R14B SSL certificate parsing fix
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
index c0cf440..ad70419 100644
--- a/lib/public_key/asn1/OTP-PKIX.asn1
+++ b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -302,18 +302,25 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {

    --   DSA Keys and Signatures

+
+      DSAParams  ::=  CHOICE
+       {
+        params     Dss-Parms,
+        null       NULL
+       }
+
    -- SubjectPublicKeyInfo:

    dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
        ID id-dsa
-       TYPE Dss-Parms -- XXX Must be OPTIONAL
+       TYPE DSAParams -- XXX Must be OPTIONAL
        PUBLIC-KEY-TYPE DSAPublicKey }

    -- Certificate.signatureAlgorithm

    dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
-		 ID id-dsa-with-sha1
-		 TYPE Dss-Parms }
+		 ID id-dsa-with-sha1
+		 TYPE  DSAParams }

 				  --
    --   RSA Keys and Signatures
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index c1819e6..8b15d7f 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -223,9 +223,15 @@ validate_revoked_status(_OtpCert, UserState, _VerifyFun) ->
 %%--------------------------------------------------------------------
 validate_extensions(OtpCert, ValidationState, UserState, VerifyFun) ->
     TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
-    Extensions = TBSCert#'OTPTBSCertificate'.extensions,
-    validate_extensions(OtpCert, Extensions, ValidationState, no_basic_constraint,
-			is_self_signed(OtpCert), UserState, VerifyFun).
+    case TBSCert#'OTPTBSCertificate'.version of
+       N when N >= 3 ->
+           Extensions = TBSCert#'OTPTBSCertificate'.extensions,
+           validate_extensions(OtpCert, Extensions,
+                               ValidationState, no_basic_constraint,
+                               is_self_signed(OtpCert), UserState, VerifyFun);
+       _ -> %% Extensions not present in versions 1 & 2
+           {ValidationState, UserState}
+    end.

 %%--------------------------------------------------------------------
 -spec normalize_general_name({rdnSequence, term()}) -> {rdnSequence, term()}.
@@ -389,10 +395,12 @@ public_key_info(PublicKeyInfo,

     NewPublicKeyParams =
 	case PublicKeyParams of
-	    'NULL' when WorkingAlgorithm == Algorithm ->
+	    {null, 'NULL'} when WorkingAlgorithm == Algorithm ->
 		WorkingParams;
-	    _ ->
-		PublicKeyParams
+	    {params, Params} ->
+		Params;
+	    Params ->
+		Params
 	end,
     {Algorithm, PublicKey, NewPublicKeyParams}.

diff --git a/lib/public_key/test/erl_make_certs.erl b/lib/public_key/test/erl_make_certs.erl
index e31e555..8b01ca3 100644
--- a/lib/public_key/test/erl_make_certs.erl
+++ b/lib/public_key/test/erl_make_certs.erl
@@ -66,7 +66,7 @@ make_cert(Opts) ->
 %% @end
 %%--------------------------------------------------------------------
 write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
-    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
+    ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
 			       [{'Certificate', Cert, not_encrypted}]),
     ok = der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).

@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
 			       subjectPublicKey = Public};
 publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa',
-				 parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
+				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.

 validity(Opts) ->
@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
 	   end,
     {Type, 'NULL'};
 sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
-    {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
+    {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.

 make_key(rsa, _Opts) ->
     %% (OBS: for testing only)
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 86477f3..39d9847 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -216,9 +216,15 @@ add_certs_from_file(File, Ref, CertsDb) ->
     [Add(Cert) || {'Certificate', Cert, not_encrypted} <- PemEntries].

 add_certs(Cert, Ref, CertsDb) ->
-    ErlCert = public_key:pkix_decode_cert(Cert, otp),
-    TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
-    SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
-    Issuer = public_key:pkix_normalize_name(
-	       TBSCertificate#'OTPTBSCertificate'.issuer),
-    insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb).
+    try  ErlCert = public_key:pkix_decode_cert(Cert, otp),
+	 TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
+	 SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
+	 Issuer = public_key:pkix_normalize_name(
+		    TBSCertificate#'OTPTBSCertificate'.issuer),
+	 insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
+    catch
+	error:Reason ->
+	    Report = io_lib:format("SSL WARNING: Ignoring CA cert: ~p~n Due to decoding error:~p ~n",
+				   [Cert, Reason]),
+	    error_logger:info_report(Report)
+    end.
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index f8aef55..8b01ca3 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
 			       subjectPublicKey = Public};
 publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
     Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa',
-				 parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
+				 parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
     #'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.

 validity(Opts) ->
@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
 	   end,
     {Type, 'NULL'};
 sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
-    {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
+    {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.

 make_key(rsa, _Opts) ->
     %% (OBS: for testing only)
	diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
	index c0cf440..ad70419 100644
	--- a/lib/public_key/asn1/OTP-PKIX.asn1
	+++ b/lib/public_key/asn1/OTP-PKIX.asn1
	@@ -302,18 +302,25 @@ SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= {

	-- DSA Keys and Signatures

	+
	+ DSAParams ::= CHOICE
	+ {
	+ params Dss-Parms,
	+ null NULL
	+ }
	+
	-- SubjectPublicKeyInfo:

	dsa PUBLIC-KEY-ALGORITHM-CLASS ::= {
	ID id-dsa
	- TYPE Dss-Parms -- XXX Must be OPTIONAL
	+ TYPE DSAParams -- XXX Must be OPTIONAL
	PUBLIC-KEY-TYPE DSAPublicKey }

	-- Certificate.signatureAlgorithm

	dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= {
	- ID id-dsa-with-sha1
	- TYPE Dss-Parms }
	+ ID id-dsa-with-sha1
	+ TYPE DSAParams }

	--
	-- RSA Keys and Signatures
	diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
	index c1819e6..8b15d7f 100644
	--- a/lib/public_key/src/pubkey_cert.erl
	+++ b/lib/public_key/src/pubkey_cert.erl
	@@ -223,9 +223,15 @@ validate_revoked_status(_OtpCert, UserState, _VerifyFun) ->
	%%--------------------------------------------------------------------
	validate_extensions(OtpCert, ValidationState, UserState, VerifyFun) ->
	TBSCert = OtpCert#'OTPCertificate'.tbsCertificate,
	- Extensions = TBSCert#'OTPTBSCertificate'.extensions,
	- validate_extensions(OtpCert, Extensions, ValidationState, no_basic_constraint,
	- is_self_signed(OtpCert), UserState, VerifyFun).
	+ case TBSCert#'OTPTBSCertificate'.version of
	+ N when N >= 3 ->
	+ Extensions = TBSCert#'OTPTBSCertificate'.extensions,
	+ validate_extensions(OtpCert, Extensions,
	+ ValidationState, no_basic_constraint,
	+ is_self_signed(OtpCert), UserState, VerifyFun);
	+ _ -> %% Extensions not present in versions 1 & 2
	+ {ValidationState, UserState}
	+ end.

	%%--------------------------------------------------------------------
	-spec normalize_general_name({rdnSequence, term()}) -> {rdnSequence, term()}.
	@@ -389,10 +395,12 @@ public_key_info(PublicKeyInfo,

	NewPublicKeyParams =
	case PublicKeyParams of
	- 'NULL' when WorkingAlgorithm == Algorithm ->
	+ {null, 'NULL'} when WorkingAlgorithm == Algorithm ->
	WorkingParams;
	- _ ->
	- PublicKeyParams
	+ {params, Params} ->
	+ Params;
	+ Params ->
	+ Params
	end,
	{Algorithm, PublicKey, NewPublicKeyParams}.

	diff --git a/lib/public_key/test/erl_make_certs.erl b/lib/public_key/test/erl_make_certs.erl
	index e31e555..8b01ca3 100644
	--- a/lib/public_key/test/erl_make_certs.erl
	+++ b/lib/public_key/test/erl_make_certs.erl
	@@ -66,7 +66,7 @@ make_cert(Opts) ->
	%% @end
	%%--------------------------------------------------------------------
	write_pem(Dir, FileName, {Cert, Key = {_,_,not_encrypted}}) when is_binary(Cert) ->
	- ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
	+ ok = der_to_pem(filename:join(Dir, FileName ++ ".pem"),
	[{'Certificate', Cert, not_encrypted}]),
	ok = der_to_pem(filename:join(Dir, FileName ++ "_key.pem"), [Key]).

	@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
	subjectPublicKey = Public};
	publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
	Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa',
	- parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
	+ parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
	#'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.

	validity(Opts) ->
	@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
	end,
	{Type, 'NULL'};
	sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
	- {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
	+ {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.

	make_key(rsa, _Opts) ->
	%% (OBS: for testing only)
	diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
	index 86477f3..39d9847 100644
	--- a/lib/ssl/src/ssl_certificate_db.erl
	+++ b/lib/ssl/src/ssl_certificate_db.erl
	@@ -216,9 +216,15 @@ add_certs_from_file(File, Ref, CertsDb) ->
	[Add(Cert) \|\| {'Certificate', Cert, not_encrypted} <- PemEntries].

	add_certs(Cert, Ref, CertsDb) ->
	- ErlCert = public_key:pkix_decode_cert(Cert, otp),
	- TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
	- SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
	- Issuer = public_key:pkix_normalize_name(
	- TBSCertificate#'OTPTBSCertificate'.issuer),
	- insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb).
	+ try ErlCert = public_key:pkix_decode_cert(Cert, otp),
	+ TBSCertificate = ErlCert#'OTPCertificate'.tbsCertificate,
	+ SerialNumber = TBSCertificate#'OTPTBSCertificate'.serialNumber,
	+ Issuer = public_key:pkix_normalize_name(
	+ TBSCertificate#'OTPTBSCertificate'.issuer),
	+ insert({Ref, SerialNumber, Issuer}, {Cert,ErlCert}, CertsDb)
	+ catch
	+ error:Reason ->
	+ Report = io_lib:format("SSL WARNING: Ignoring CA cert: ~p~n Due to decoding error:~p ~n",
	+ [Cert, Reason]),
	+ error_logger:info_report(Report)
	+ end.
	diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
	index f8aef55..8b01ca3 100644
	--- a/lib/ssl/test/erl_make_certs.erl
	+++ b/lib/ssl/test/erl_make_certs.erl
	@@ -268,7 +268,7 @@ publickey(#'RSAPrivateKey'{modulus=N, publicExponent=E}) ->
	subjectPublicKey = Public};
	publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
	Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-dsa',
	- parameters=#'Dss-Parms'{p=P, q=Q, g=G}},
	+ parameters={params, #'Dss-Parms'{p=P, q=Q, g=G}}},
	#'OTPSubjectPublicKeyInfo'{algorithm = Algo, subjectPublicKey = Y}.

	validity(Opts) ->
	@@ -290,7 +290,7 @@ sign_algorithm(#'RSAPrivateKey'{}, Opts) ->
	end,
	{Type, 'NULL'};
	sign_algorithm(#'DSAPrivateKey'{p=P, q=Q, g=G}, _Opts) ->
	- {?'id-dsa-with-sha1', #'Dss-Parms'{p=P, q=Q, g=G}}.
	+ {?'id-dsa-with-sha1', {params,#'Dss-Parms'{p=P, q=Q, g=G}}}.

	make_key(rsa, _Opts) ->
	%% (OBS: for testing only)