File 1330-public_key-Add-check-for-duplicate-certificates.patch of Package erlang
From 5ece05987cb5c8ca95d3d5b610f99f37584805fc Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 16 Aug 2023 15:02:48 +0200
Subject: [PATCH] public_key: Add check for duplicate certificates
Closes #6394
---
lib/public_key/src/public_key.erl | 23 +++++++++++++++++++++--
lib/public_key/test/public_key_SUITE.erl | 6 +++++-
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 8c3805c219..33b404089a 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -1161,7 +1161,12 @@ pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
MaxPathDefault,
[{verify_fun, {VerifyFun, UserState1}} |
proplists:delete(verify_fun, Options)]),
- path_validation(CertChain, ValidationState)
+ case exists_duplicate_cert(CertChain) of
+ true ->
+ {error, {bad_cert, duplicate_cert_in_path}};
+ false ->
+ path_validation(CertChain, ValidationState)
+ end
catch
throw:{bad_cert, _} = Result ->
{error, Result}
@@ -1553,6 +1558,20 @@ do_pem_entry_decode({Asn1Type,_, _} = PemEntry, Password) ->
Der = pubkey_pem:decipher(PemEntry, Password),
der_decode(Asn1Type, Der).
+%% The only way a path with duplicates could be somehow wrongly
+%% passed is if the certs are located together and also are
+%% self-signed. This is what we need to possible protect against. We
+%% only check for togetherness here as it helps with the case not
+%% otherwise caught. It can result in a different error message for
+%% cases already failing before but that is not important, the
+%% important thing is that it will be rejected.
+exists_duplicate_cert([]) ->
+ false;
+exists_duplicate_cert([Cert, Cert | _]) ->
+ true;
+exists_duplicate_cert([_ | Rest]) ->
+ exists_duplicate_cert(Rest).
+
path_validation([], #path_validation_state{working_public_key_algorithm
= Algorithm,
working_public_key =
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 1a779e03bd..c5fef5b885 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -836,8 +836,12 @@ pkix_path_validation(Config) when is_list(Config) ->
{error, {bad_cert,invalid_issuer}} =
public_key:pkix_path_validation(Trusted, [Cert2], []),
-
+
{ok, _} = public_key:pkix_path_validation(Trusted, [Cert1, Cert2], []),
+
+ {error, {bad_cert, duplicate_cert_in_path}} =
+ public_key:pkix_path_validation(Trusted, [Cert1, Cert1, Cert2], []),
+
{error, issuer_not_found} = public_key:pkix_issuer_id(Cert2, other),
CertK3 = {Cert3,_} = erl_make_certs:make_cert([{issuer, CertK1},
--
2.35.3