File 1031-fix-crl-unwrap-outer-list-of-CRLs-when-an-URI-is-pro.patch of Package erlang
From f3948cd90e84c59439c00bff473b5cd40adefbb3 Mon Sep 17 00:00:00 2001
From: Thales Macedo Garitezi <thalesmg@gmail.com>
Date: Tue, 17 May 2022 17:28:33 -0300
Subject: [PATCH 1/4] fix(crl): unwrap outer list of CRLs when an URI is
provided
Currently, if `ssl_crl_cache:insert/2` is used with the URI of a CRL's
distribution point as the key, any subsequent connection attempt fails
with `{unexpected_error,function_clause}`.
This traces to `ssl_handshake:dps_and_crls/3`, which eventually ends
up calling `public_key:der_decode/2` with a list-wrapped CRL DER
binary instead of simply the DER binary.
---
lib/ssl/src/ssl_crl_cache.erl | 2 +-
lib/ssl/src/ssl_pkix_db.erl | 2 +-
lib/ssl/test/ssl_crl_SUITE.erl | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/ssl/src/ssl_crl_cache.erl b/lib/ssl/src/ssl_crl_cache.erl
index 095e3e8b44..7a8bcf5758 100644
--- a/lib/ssl/src/ssl_crl_cache.erl
+++ b/lib/ssl/src/ssl_crl_cache.erl
@@ -175,7 +175,7 @@ cache_lookup(URL, {{Cache, _}, _}) ->
case ssl_pkix_db:lookup(string:trim(Path, leading, "/"), Cache) of
undefined ->
[];
- CRLs ->
+ [CRLs] ->
CRLs
end.
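Review bot: The new `[CRLs] ->` clause only matches when `ssl_pkix_db:lookup/2` returns exactly one stored entry for the path; if the same URI has been inserted more than once, or the underlying table keeps several entries per key, the `case` now raises `case_clause`, which is no better than the `function_clause` this commit fixes. I cannot see `ssl_pkix_db:lookup/2` or the table type from this hunk, so whether that shape can occur is an assumption to confirm. A clause that accepts either shape, `CRLLists -> lists:append(CRLLists)`, would keep the single-entry behavior and degrade gracefully for multiple entries, and a short comment such as `%% lookup/2 returns the list of stored values; each value is the CRL list inserted under Path` would make the unwrap explicit. The enclosing `cache_lookup/2` starts before this hunk.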
diff --git a/lib/ssl/src/ssl_pkix_db.erl b/lib/ssl/src/ssl_pkix_db.erl
index dbdae5307c..88ef23a60a 100644
--- a/lib/ssl/src/ssl_pkix_db.erl
+++ b/lib/ssl/src/ssl_pkix_db.erl
@@ -352,7 +352,7 @@ new_trusted_cert_entry(File, [CertsDb, RefsDb, _ | _]) ->
add_crls([_,_,_, {_, Mapping} | _], ?NO_DIST_POINT, CRLs) ->
[add_crls(CRL, Mapping) || CRL <- CRLs];
add_crls([_,_,_, {Cache, Mapping} | _], Path, CRLs) ->
- insert(Path, CRLs, Cache),
+ insert(Path, CRLs, Cache),
[add_crls(CRL, Mapping) || CRL <- CRLs].
add_crls(CRL, Mapping) ->
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 58b0f8cb76..ce614cbfeb 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -240,6 +240,8 @@ crl_verify_valid(Config) when is_list(Config) ->
end,
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ ssl_crl_cache:insert("http://localhost/erlangCA/crl.pem", {file, filename:join([PrivDir, "erlangCA", "crl.pem"])}),
+ ssl_crl_cache:insert("http://localhost/otpCA/crl.pem", {file, filename:join([PrivDir, "otpCA", "crl.pem"])}),
ssl_crl_cache:insert({file, filename:join([PrivDir, "erlangCA", "crl.pem"])}),
ssl_crl_cache:insert({file, filename:join([PrivDir, "otpCA", "crl.pem"])}),
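Review bot: The two added URI inserts only exercise the fix if the test certificates' CRL distribution points actually name `http://localhost/erlangCA/crl.pem` and `http://localhost/otpCA/crl.pem`; otherwise those entries are never looked up and the connection still succeeds via the file-based inserts on the following two lines, so the original `function_clause` regression would not be caught. The certificate setup and the connection assertion are outside this hunk, so I cannot confirm which path is taken from here. Consider a variant that inserts only by URI (without the `{file, ...}` entries) so a lookup-path failure surfaces as a handshake error, and matching the return value of the URI inserts instead of discarding it if `insert/2` reports success. `crl_verify_valid/1` begins before and continues after this hunk.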
--
2.35.3