File 3231-public_key-Add-input-sanity-check.patch of Package erlang

From 432b254449b2de95316ceae109c0ca554318bbb4 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 19 Mar 2021 16:38:46 +0100
Subject: [PATCH] public_key: Add input sanity check

Although checking the trusted anchor is not part of the
path validation algorithm, the expiry check is most easily
done in this context and will naturally protect users
of public_key against accepting expired trusted anchors.
---
 lib/public_key/src/public_key.erl        | 17 ++++++++---
 lib/public_key/test/public_key_SUITE.erl | 39 +++++++++++++++++++-----
 2 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 597aca35d5..8c8b5585a0 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -992,10 +992,19 @@ pkix_path_validation(TrustedCert, CertChain, Options)
 pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
   when is_list(CertChain), is_list(Options) ->
     MaxPathDefault = length(CertChain),
-    ValidationState = pubkey_cert:init_validation_state(TrustedCert, 
-							MaxPathDefault, 
-							Options),
-    path_validation(CertChain, ValidationState).
+    {VerifyFun, Userstat0} =
+	proplists:get_value(verify_fun, Options, ?DEFAULT_VERIFYFUN),
+    try pubkey_cert:validate_time(TrustedCert, Userstat0, VerifyFun) of
+        Userstate1 -> 
+            ValidationState = pubkey_cert:init_validation_state(TrustedCert, 
+                                                                MaxPathDefault, 
+                                                                [{verify_fun, {VerifyFun, Userstate1}} | 
+                                                                 proplists:delete(verify_fun, Options)]),
+            path_validation(CertChain, ValidationState)
+    catch
+        throw:{bad_cert, cert_expired} = Reason ->
+            {error, Reason}    
+    end.
 
 %--------------------------------------------------------------------
 -spec pkix_crls_validate(OTPcertificate, DPandCRLs, Options) ->
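Review bot: The `catch` clause closing this pkix_path_validation clause matches only `throw:{bad_cert, cert_expired}`, yet the caller's `verify_fun` is handed to `pubkey_cert:validate_time/3`, whose body is not shown here. If that call lets the user fun reject the anchor with a different reason, the throw would presumably escape as an exception instead of the `{error, {bad_cert, Reason}}` tuple that callers match on. Widening the pattern to `throw:{bad_cert, _} = Reason ->` would keep the return contract uniform. A one-line comment above the `try`, such as `%% Check the trust anchor's validity period before building the validation state`, would record why this sits outside the path algorithm, and `Userstat0` could be spelled `UserState0` to line up with `Userstate1`. The function's earlier clause lies outside the hunk.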
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 348e0daa62..cf3b5ea0c8 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -126,12 +127,18 @@ suite() ->
     [].
 
 all() -> 
-    [app, appup,
+    [app, 
+     appup,
      {group, pem_decode_encode},
      encrypt_decrypt,
      {group, sign_verify},
-     pkix, pkix_countryname, pkix_emailaddress, pkix_path_validation,
-     pkix_iso_rsa_oid, pkix_iso_dsa_oid, 
+     pkix, 
+     pkix_countryname, 
+     pkix_emailaddress, 
+     pkix_path_validation,
+     pkix_path_validation_root_expired,
+     pkix_iso_rsa_oid, 
+     pkix_iso_dsa_oid, 
      pkix_dsa_sha2_oid,
      pkix_crl, 
      pkix_hash_type,
@@ -142,7 +149,8 @@ all() ->
      pkix_verify_hostname_options,
      pkix_test_data_all_default,
      pkix_test_data,
-     short_cert_issuer_hash, short_crl_issuer_hash
+     short_cert_issuer_hash, 
+     short_crl_issuer_hash
     ].
 
 groups() -> 
@@ -737,9 +745,24 @@ pkix_path_validation(Config) when is_list(Config) ->
 
     {error, custom_reason} =
         public_key:pkix_path_validation(selfsigned_peer, [Trusted], [{verify_fun,
-                                                                     VerifyFunAndState2}]),
-    ok.
-
+                                                                      VerifyFunAndState2}]).
+pkix_path_validation_root_expired() ->
+    [{doc, "Test root expiration so that it does not fall between chairs"}].
+pkix_path_validation_root_expired(Config) when is_list(Config) ->
+    {Year, Month, Day} = date(),
+    SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", [{validity, {{Year-2, Month, Day}, 
+                                                                                {Year-1, Month, Day}}}]),
+    #{server_config := Conf} = public_key:pkix_test_data(#{server_chain => #{root => SRoot,
+                                                                             intermediates => [],
+                                                                             peer => []},
+                                                           client_chain => #{root => [], 
+                                                                             intermediates => [],
+                                                                             peer => []}}),
+    [ICA, Root] = proplists:get_value(cacerts, Conf),
+    true = public_key:pkix_is_self_signed(Root),
+    Peer = proplists:get_value(cert, Conf),
+    {error, {bad_cert, cert_expired}} = public_key:pkix_path_validation(Root, [ICA, Peer], []).
+    
 %%--------------------------------------------------------------------
 %% To generate the PEM file contents:
 %%
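Review bot: The validity window in pkix_path_validation_root_expired is built from `date()` as `{Year-2, Month, Day}` and `{Year-1, Month, Day}`, so on 29 February those tuples name a day that does not exist in the earlier years. Whether `public_key:pkix_test_root_cert/2` tolerates such a date is not visible here, so a fixed past window would make the case deterministic, for example `{validity, {{2000, 1, 1}, {2001, 1, 1}}}` (constructed sample values). The case also calls `public_key:pkix_path_validation(Root, [ICA, Peer], [])` with empty options only. A second assertion passing a user-supplied `verify_fun` would pin how the new anchor check behaves when the caller overrides or rejects the expiry result.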
-- 
2.26.2
