
From a893290747a5bee833203bf964bd08f06ed10a27 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 17 Feb 2023 13:34:23 +0100
Subject: [PATCH] public_key: Move decode of CRLDistributionPoints extension

As different solutions for verifying certificate revocation exist,
move the decode of 'CRLDistributionPoints' so that it will only be decoded
when it is actually used in the verification process. This would enable
interoperability with systems that use certificates with an invalid empty
CRLDistributionPoints extension that they want to ignore, performing verification
by other means.

Closes #6402
---
 lib/public_key/src/pubkey_cert.erl         |  3 +++
 lib/public_key/src/pubkey_cert_records.erl | 19 +++++++++----------
 lib/public_key/test/public_key_SUITE.erl   | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 9d67901e9b..b7e0b178de 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -370,6 +370,9 @@ select_extension(_, asn1_NOVALUE) ->
     undefined;
 select_extension(_, []) ->
     undefined;
+select_extension(Id, [#'Extension'{extnID = ?'id-ce-cRLDistributionPoints' = Id,
+                                   extnValue = Value} = Extension | _]) when is_binary(Value) ->
+    Extension#'Extension'{extnValue = public_key:der_decode('CRLDistributionPoints', Value)};
 select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) ->
     Extension;
 select_extension(Id, [_ | Extensions]) ->
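Review bot: The new cRLDistributionPoints clause lets `public_key:der_decode/2` raise on a malformed value, so a certificate that `pkix_decode_cert/2` now accepts can still crash whoever calls `select_extension/2` for that OID once revocation checking reaches it; whether that caller catches the error is not visible in this hunk. If deferring the failure is the intent, a comment on the clause would make it explicit, e.g. `%% CRLDistributionPoints is left DER-encoded by pkix_decode_cert/2 and decoded on demand here; a malformed value still raises, only later.` The `when is_binary(Value)` guard also means an already-decoded value silently falls through to the generic clause, which is worth a word in the same comment. select_extension/2 starts before the hunk and its remaining clauses continue after it.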
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index d837d8cf7b..3207ebb4ae 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -262,21 +262,20 @@ extension_id(?'id-ce-keyUsage') -> 	          'KeyUsage';
 extension_id(?'id-ce-privateKeyUsagePeriod') ->   'PrivateKeyUsagePeriod';
 extension_id(?'id-ce-certificatePolicies') -> 	  'CertificatePolicies';
 extension_id(?'id-ce-policyMappings') -> 	  'PolicyMappings';
-extension_id(?'id-ce-subjectAltName') -> 	  'SubjectAltName'; 	        
-extension_id(?'id-ce-issuerAltName') -> 	  'IssuerAltName'; 	        
+extension_id(?'id-ce-subjectAltName') -> 	  'SubjectAltName';
+extension_id(?'id-ce-issuerAltName') -> 	  'IssuerAltName';
 extension_id(?'id-ce-subjectDirectoryAttributes') -> 	  'SubjectDirectoryAttributes';
-extension_id(?'id-ce-basicConstraints' ) -> 	  'BasicConstraints';	        
-extension_id(?'id-ce-nameConstraints') -> 	  'NameConstraints'; 	        
-extension_id(?'id-ce-policyConstraints') -> 	  'PolicyConstraints'; 	
-extension_id(?'id-ce-cRLDistributionPoints') ->   'CRLDistributionPoints'; 	
-extension_id(?'id-ce-extKeyUsage') -> 	          'ExtKeyUsageSyntax'; 	        
-extension_id(?'id-ce-inhibitAnyPolicy') -> 	  'InhibitAnyPolicy'; 	        
+extension_id(?'id-ce-basicConstraints' ) -> 	  'BasicConstraints';
+extension_id(?'id-ce-nameConstraints') -> 	  'NameConstraints';
+extension_id(?'id-ce-policyConstraints') -> 	  'PolicyConstraints';
+extension_id(?'id-ce-extKeyUsage') -> 	          'ExtKeyUsageSyntax';
+extension_id(?'id-ce-inhibitAnyPolicy') -> 	  'InhibitAnyPolicy';
 extension_id(?'id-ce-freshestCRL') -> 	          'FreshestCRL';
-%% Missing in public_key doc 
+extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
+%% Missing in public_key doc
 extension_id(?'id-pe-authorityInfoAccess') -> 	  'AuthorityInfoAccessSyntax';
 extension_id(?'id-pe-subjectInfoAccess') -> 	  'SubjectInfoAccessSyntax';
 extension_id(?'id-ce-cRLNumber') -> 	          'CRLNumber';
-extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint';
 extension_id(?'id-ce-deltaCRLIndicator') -> 	   'BaseCRLNumber';
 extension_id(?'id-ce-cRLReasons') -> 	          'CRLReason';
 extension_id(?'id-ce-certificateIssuer') -> 	  'CertificateIssuer';
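Review bot: Dropping the `?'id-ce-cRLDistributionPoints'` clause leaves extension_id/1 with no mapping for that OID, and nothing in the hunk records that this is deliberate rather than an accidental deletion during the whitespace cleanup. If extension_id/1 is also consulted on the encode side (not visible here), an already-decoded CRLDistributionPoints value in an OTP certificate would presumably no longer be re-encoded, which is worth confirming. A one-line comment near the `freshestCRL` clause would document the intent, e.g. `%% 'CRLDistributionPoints' is deliberately absent: pubkey_cert:select_extension/2 decodes it on demand.` The hunk also moves the issuingDistributionPoint clause above the "Missing in public_key doc" comment, changing which entries that comment covers; confirm that regrouping is intended. extension_id/1 starts before and continues after the hunk.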
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index b4de6f1926..0b6c2a3b87 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -89,6 +89,8 @@
          pkix_countryname/1,
          pkix_emailaddress/0,
          pkix_emailaddress/1,
+         pkix_decode_cert/0,
+         pkix_decode_cert/1,
          pkix_path_validation/0,
          pkix_path_validation/1,
          pkix_path_validation_root_expired/0,
@@ -149,6 +151,7 @@ all() ->
      pkix, 
      pkix_countryname, 
      pkix_emailaddress, 
+     pkix_decode_cert,
      pkix_path_validation,
      pkix_path_validation_root_expired,
      pkix_ext_key_usage,
@@ -795,6 +798,17 @@ pkix_emailaddress(Config) when is_list(Config) ->
     check_emailaddress(Issuer),
     check_emailaddress(Subj).
 
+
+%%--------------------------------------------------------------------
+pkix_decode_cert() ->
+    [{doc, "Test that extension IssuerDistributionPoint is not decoded in 'otp' decoding mode. We want to leave it for later "
+      "to increase interopability for sites that does not use this extension and will not care if it is properly encoded"}].
+pkix_decode_cert(Config) when is_list(Config) ->
+    Der = base64:decode(
+            <<"MIICXDCCAgKgAwIBAgIBATAKBggqhkjOPQQDAjApMRkwFwYDVQQFExBjOTY4NDI4OTMyNzUwOGRiMQwwCgYDVQQMDANURUUwHhcNMjIxMDI5MTczMTA3WhcNMjkwNDE2MjAzNDUzWjAfMR0wGwYDVQQDExRBbmRyb2lkIEtleXN0b3JlIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFmIQDus/jIZ0cPnRCITCzUUuCjQBw8MetO6154mmTL8O/fFlGgYkZ6C8jSSntKC/lMwaZHxAgW1AGgoCrPuX5ejggEjMIIBHzALBgNVHQ8EBAMCB4AwCAYDVR0fBAEAMIIBBAYKKwYBBAHWeQIBEQSB9TCB8gIBAgoBAQIBAwoBAQQgyvsSa116xqleaXs6xA84wqpAPWFgaaTjCWBnZpHslmoEADBEv4VFQAQ+MDwxFjAUBAxjb20ud2hhdHNhcHACBA0+oAQxIgQgOYfQQ9EK769ahxCzZxQY/lfg4ZtlPJ34JVj+tf/OXUQweqEFMQMCAQKiAwIBA6MEAgIBAKUIMQYCAQYCAQSqAwIBAb+DdwIFAL+FPQgCBgGEJMweob+FPgMCAQC/hUAqMCgEIFNB5rJkaXmnDldlMAeh8xAWlCHsm92fGlZI91reAFrxAQH/CgEAv4VBBQIDAV+Qv4VCBQIDAxUYMAoGCCqGSM49BAMCA0gAMEUCIF0BwvRQipVoaz5SIhsYbIeK+FHbAjWPgOxWgQ6Juq64AiEA83ZLsK37DjZ/tZNRi271VHQqIU8mdqUIMboVUiy3DaM=">>),
+
+    #'OTPCertificate'{} = public_key:pkix_decode_cert(Der, otp).
+
 %%--------------------------------------------------------------------
 pkix_path_validation() ->
     [{doc, "Test PKIX path validation"}].
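Review bot: The new test only asserts that `pkix_decode_cert/2` returns an `#'OTPCertificate'{}`, so it would also pass if the empty extension were decoded to something else or dropped; it should additionally pull the cRLDistributionPoints extension out of the decoded certificate and check that its extnValue is still a binary, which is the property the new `select_extension/2` guard relies on. The doc string names "IssuerDistributionPoint" while the patch and the clause it exercises concern CRLDistributionPoints, and it has the typos "interopability" and "sites that does not"; since it is a runtime string I only flag it here. The field path below assumes the usual `#'OTPTBSCertificate'{extensions = Exts}` layout from public_key.hrl; confirm the suite includes it.

```erlang
pkix_decode_cert(Config) when is_list(Config) ->
    %% … unchanged: base64 certificate literal bound to Der …
    #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = Exts}} =
        public_key:pkix_decode_cert(Der, otp),
    %% The invalid empty CRLDistributionPoints value must survive 'otp' decoding undecoded
    #'Extension'{extnValue = Value} =
        lists:keyfind(?'id-ce-cRLDistributionPoints', #'Extension'.extnID, Exts),
    true = is_binary(Value).
```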
-- 
2.35.3
