File 1441-fix-crl-unwrap-outer-list-of-CRLs-when-an-URI-is-pro.patch of Package erlang

From f3948cd90e84c59439c00bff473b5cd40adefbb3 Mon Sep 17 00:00:00 2001
From: Thales Macedo Garitezi <thalesmg@gmail.com>
Date: Tue, 17 May 2022 17:28:33 -0300
Subject: [PATCH 1/4] fix(crl): unwrap outer list of CRLs when an URI is
 provided

Currently, if one uses `ssl_crl_cache:insert/2` providing the URI of
the distribution point of a CRL, when a connection is attempted, it
fails with a `{unexpected_error,function_clause}`.

This traces to `ssl_handshake:dps_and_crls/3`, which eventually ends
up calling `public_key:der_decode/2` with a list-wrapped CRL DER
binary instead of simply the DER binary.
---
 lib/ssl/src/ssl_crl_cache.erl  | 2 +-
 lib/ssl/src/ssl_pkix_db.erl    | 2 +-
 lib/ssl/test/ssl_crl_SUITE.erl | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/ssl/src/ssl_crl_cache.erl b/lib/ssl/src/ssl_crl_cache.erl
index 095e3e8b44..7a8bcf5758 100644
--- a/lib/ssl/src/ssl_crl_cache.erl
+++ b/lib/ssl/src/ssl_crl_cache.erl
@@ -175,7 +175,7 @@ cache_lookup(URL, {{Cache, _}, _}) ->
     case ssl_pkix_db:lookup(string:strip(Path, left, $/), Cache) of
 	undefined ->
 	    [];
-	CRLs ->
+	[CRLs] ->
 	    CRLs
     end.
 
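Review bot: The `case` in `cache_lookup` now accepts only `undefined` and a one-element list, so any other result from `ssl_pkix_db:lookup/2` (an empty list, or several entries under the same path) would raise `case_clause` during revocation checking. That presumably aborts the handshake in the same way as the `function_clause` described in the commit message, which is the fail-closed direction for a CRL lookup. The single-entry assumption is not visible in this hunk; it appears to rest on the cache keeping one value per key. A comment on the new clause would record the invariant, for example `%% insert/3 stores the whole CRL list as one value per Path, so lookup/2 returns it wrapped in a one-element list`. The start of `cache_lookup` lies outside the hunk.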
diff --git a/lib/ssl/src/ssl_pkix_db.erl b/lib/ssl/src/ssl_pkix_db.erl
index dbdae5307c..88ef23a60a 100644
--- a/lib/ssl/src/ssl_pkix_db.erl
+++ b/lib/ssl/src/ssl_pkix_db.erl
@@ -352,7 +352,7 @@ new_trusted_cert_entry(File, [CertsDb, RefsDb, _ | _]) ->
 add_crls([_,_,_, {_, Mapping} | _], ?NO_DIST_POINT, CRLs) ->
     [add_crls(CRL, Mapping) || CRL <- CRLs];
 add_crls([_,_,_, {Cache, Mapping} | _], Path, CRLs) ->
-    insert(Path, CRLs, Cache), 
+    insert(Path, CRLs, Cache),
     [add_crls(CRL, Mapping) || CRL <- CRLs].
 
 add_crls(CRL, Mapping) ->
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 58b0f8cb76..ce614cbfeb 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -240,6 +240,8 @@ crl_verify_valid(Config) when is_list(Config) ->
 		  end,			  
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
 
+    ssl_crl_cache:insert("http://localhost/erlangCA/crl.pem", {file, filename:join([PrivDir, "erlangCA", "crl.pem"])}),
+    ssl_crl_cache:insert("http://localhost/otpCA/crl.pem", {file, filename:join([PrivDir, "otpCA", "crl.pem"])}),
     ssl_crl_cache:insert({file, filename:join([PrivDir, "erlangCA", "crl.pem"])}),
     ssl_crl_cache:insert({file, filename:join([PrivDir, "otpCA", "crl.pem"])}),
     
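Review bot: The two added `ssl_crl_cache:insert/2` calls discard their result, so a failed insert (the function returns `ok | {error, Reason}`) would go unnoticed. The test could then still pass through the URI-less inserts on the following lines without ever exercising the URI lookup this patch fixes. Prefixing both calls with an assertive match, `ok = ssl_crl_cache:insert("http://localhost/erlangCA/crl.pem", ...)`, makes the regression coverage explicit. Whether the test certificates actually name these URIs as CRL distribution points cannot be seen from the hunk and is worth confirming. `crl_verify_valid` begins and ends outside the hunk.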
-- 
2.35.3
