File 3121-public_key-date-sliding-window-validation-function.patch of Package erlang
From 2da6b55ae28713c876ca27f7b374d0f921468cb5 Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes <kiko@erlang.org>
Date: Mon, 19 Dec 2022 10:23:41 +0100
Subject: [PATCH 1/3] public_key: date sliding window validation function
---
lib/public_key/src/pubkey_cert.erl | 79 ++++++++++---
lib/public_key/test/Makefile | 3 +-
lib/public_key/test/pubkey_cert_SUITE.erl | 128 ++++++++++++++++++++++
3 files changed, 193 insertions(+), 17 deletions(-)
create mode 100644 lib/public_key/test/pubkey_cert_SUITE.erl
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 7770f02da6..7bfcf1e24d 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -134,7 +134,7 @@ prepare_for_next_cert(OtpCert, ValidationState = #path_validation_state{
}.
%%--------------------------------------------------------------------
--spec validate_time(#'OTPCertificate'{}, term(), fun()) -> term().
+-spec validate_time(#'OTPCertificate'{}, term(), fun()) -> term() | no_return().
%%
%% Description: Check that the certificate validity period includes the
%% current time.
@@ -144,8 +144,8 @@ validate_time(OtpCert, UserState, VerifyFun) ->
{'Validity', NotBeforeStr, NotAfterStr}
= TBSCert#'OTPTBSCertificate'.validity,
Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()),
- NotBefore = time_str_2_gregorian_sec(NotBeforeStr),
- NotAfter = time_str_2_gregorian_sec(NotAfterStr),
+ NotBefore = time_str_2_gregorian_sec(notBefore, NotBeforeStr),
+ NotAfter = time_str_2_gregorian_sec(notAfter, NotAfterStr),
case ((NotBefore =< Now) and (Now =< NotAfter)) of
true ->
@@ -633,19 +633,44 @@ public_key_info(PublicKeyInfo,
end,
{Algorithm, PublicKey, NewPublicKeyParams}.
-time_str_2_gregorian_sec({utcTime, [Y1,Y2,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,Z]}) ->
- case list_to_integer([Y1,Y2]) of
- N when N >= 50 ->
- time_str_2_gregorian_sec({generalTime,
- [$1,$9,Y1,Y2,M1,M2,D1,D2,
- H1,H2,M3,M4,S1,S2,Z]});
- _ ->
- time_str_2_gregorian_sec({generalTime,
- [$2,$0,Y1,Y2,M1,M2,D1,D2,
- H1,H2,M3,M4,S1,S2,Z]})
- end;
-
-time_str_2_gregorian_sec({_,[Y1,Y2,Y3,Y4,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,$Z]}) ->
+%% time_str_2_gregorian_sec/2 is a wrapper (decorator pattern) over
+%% time_str_2_gregorian_sec/1. the decorator deals with notBefore and notAfter
+%% property differently when we pass utcTime because the data format is
+%% ambiguous YYMMDD. on generalTime the year ambiguity cannot happen because
+%% years are expressed in a 4-digit format, i.e., YYYYMMDD.
+-spec time_str_2_gregorian_sec(PeriodOfTime, Time) -> Seconds :: non_neg_integer() when
+ PeriodOfTime :: notBefore | notAfter,
+ Time :: {utcTime | generalTime, [non_neg_integer() | char()]}.
+time_str_2_gregorian_sec(notBefore, {utcTime, [FirstDigitYear | _]=UtcTime}) ->
+ %% To be compliant with PKITS Certification Path Validation,
+ %% we must accept certificates with notBefore = 50, meaning 1950.
+ %% Once the PKITS certification path validation is updated,
+ %% we must update this function body and test case
+ %% {"4.2.3", "Valid pre2000 UTC notBefore Date Test3 EE"}
+ %% in pkits_SUITE.erl
+ Y1 = erlang:list_to_integer([FirstDigitYear]),
+ YearPrefix = case (Y1 > 4 andalso Y1 =< 9) of
+ true -> [$1, $9];
+ false ->
+ {Y, _M, _D} = erlang:date(),
+ integer_to_list(Y div 100)
+ end,
+ time_str_2_gregorian_sec({generalTime, YearPrefix ++ UtcTime});
+
+time_str_2_gregorian_sec(notAfter, {utcTime, UtcTime}) ->
+ SlidingDate = sliding_year_window(UtcTime),
+ time_str_2_gregorian_sec({generalTime, SlidingDate});
+
+time_str_2_gregorian_sec(_, {generalTime, _Time}=GeneralTime) ->
+ time_str_2_gregorian_sec(GeneralTime).
+
+%% converts 'Time' as a string into gregorian time in seconds.
+-spec time_str_2_gregorian_sec(Time) -> Seconds :: non_neg_integer() when
+ Time :: {generalTime | utcTime, string()}.
+time_str_2_gregorian_sec({utcTime, UtcTime}) ->
+ time_str_2_gregorian_sec(notAfter, {utcTime, UtcTime});
+
+time_str_2_gregorian_sec({generalTime,[Y1,Y2,Y3,Y4,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,$Z]}) ->
Year = list_to_integer([Y1, Y2, Y3, Y4]),
Month = list_to_integer([M1, M2]),
Day = list_to_integer([D1, D2]),
@@ -655,6 +680,28 @@ time_str_2_gregorian_sec({_,[Y1,Y2,Y3,Y4,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,$Z]}) ->
calendar:datetime_to_gregorian_seconds({{Year, Month, Day},
{Hour, Min, Sec}}).
+%% Sliding window algorithm to calculate the time.
+%% The value is set as taking {Y1, Y2} from the first two digits of
+%% current_date - 50 or current_date - 49.
+sliding_year_window([Y1,Y2,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,Z]) ->
+ {{CurrentYear,_, _}, _} = calendar:universal_time(),
+ LastTwoDigitYear = CurrentYear rem 100,
+ MinYear = mod(LastTwoDigitYear - 50, 100),
+ YearWindow = case list_to_integer([Y1,Y2]) of
+ N when N < MinYear -> CurrentYear + 50;
+ N when N >= MinYear -> CurrentYear - 49
+ end,
+ [Year1, Year2] = integer_to_list(YearWindow div 100),
+ [Year1,Year2,Y1,Y2,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,Z].
+
+
+%% Helper function to perform modulo calculation for integer
+-spec mod(A :: integer(), B :: non_neg_integer()) -> non_neg_integer().
+mod(A, B) when A > 0 -> A rem B;
+mod(A, B) when A < 0 -> mod(A+B, B);
+mod(0, _) -> 0.
+
+
is_dir_name([], [], _Exact) -> true;
is_dir_name([H|R1],[H|R2], Exact) -> is_dir_name(R1,R2, Exact);
is_dir_name([[{'AttributeTypeAndValue', Type, What1}]|Rest1],
diff --git a/lib/public_key/test/Makefile b/lib/public_key/test/Makefile
index aa42cf281f..57879c20e6 100644
--- a/lib/public_key/test/Makefile
+++ b/lib/public_key/test/Makefile
@@ -33,6 +33,7 @@ MODULES= \
public_key_SUITE \
pbe_SUITE \
pkits_SUITE \
+ pubkey_cert_SUITE \
pubkey_ssh_SUITE
ERL_FILES= $(MODULES:%=%.erl)
diff --git a/lib/public_key/test/pubkey_cert_SUITE.erl b/lib/public_key/test/pubkey_cert_SUITE.erl
new file mode 100644
index 0000000000..0bf7ffe313
--- /dev/null
+++ b/lib/public_key/test/pubkey_cert_SUITE.erl
@@ -0,0 +1,128 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2011-2022. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+-module(pubkey_cert_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+%% -include_lib("public_key/include/public_key.hrl").
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+
+all() ->
+ [{group, time_str_2_gregorian_sec}].
+
+groups() ->
+ [{time_str_2_gregorian_sec, [], time_str_two_gregorian()}].
+
+time_str_two_gregorian() ->
+ [ time_str_2_gregorian_utc_post2000
+ , time_str_2_gregorian_utc_limit_pre2000
+ , time_str_2_gregorian_utc_limit_post2000
+ , time_str_2_gregorian_generaltime_pre2000
+ , time_str_2_gregorian_generaltime_post2000
+ ].
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+time_str_2_gregorian_utc_post2000() ->
+ [{doc, "Tests a valid gregorian Utc time"}].
+time_str_2_gregorian_utc_post2000(_) ->
+ YYMMDD = "450101",
+ HHMMSSZ = "000000Z",
+ ExpectedYear = 2045,
+ UtcTime = {utcTime, YYMMDD ++ HHMMSSZ},
+ {ExpectedDate, _} = convert_to_datetime_format(UtcTime, ExpectedYear),
+
+ Result = pubkey_cert:time_str_2_gregorian_sec(UtcTime),
+ {ExpectedDate, _} = calendar:gregorian_seconds_to_datetime(Result).
+
+
+time_str_2_gregorian_utc_limit_pre2000() ->
+ [{doc, "Tests a valid gregorian Utc time"}].
+time_str_2_gregorian_utc_limit_pre2000(_) ->
+ YYMMDD = "720101",
+ HHMMSSZ = "000000Z",
+ ExpectedYear = 1972,
+ UtcTime = {utcTime, YYMMDD ++ HHMMSSZ},
+ {ExpectedDate, _} = convert_to_datetime_format(UtcTime, ExpectedYear),
+
+ Result = pubkey_cert:time_str_2_gregorian_sec(UtcTime),
+ {ExpectedDate, _} = calendar:gregorian_seconds_to_datetime(Result).
+
+
+time_str_2_gregorian_utc_limit_post2000() ->
+ [{doc, "Tests a valid gregorian Utc time"}].
+time_str_2_gregorian_utc_limit_post2000(_) ->
+ YYMMDD = "710101",
+ HHMMSSZ = "000000Z",
+ ExpectedYear = 2071,
+ UtcTime = {utcTime, YYMMDD ++ HHMMSSZ},
+ {ExpectedDate, _} = convert_to_datetime_format(UtcTime, ExpectedYear),
+
+ Result = pubkey_cert:time_str_2_gregorian_sec(UtcTime),
+ {ExpectedDate, _} = calendar:gregorian_seconds_to_datetime(Result).
+
+
+time_str_2_gregorian_generaltime_pre2000() ->
+ [{doc, "Tests a valid gregorian Utc time"}].
+time_str_2_gregorian_generaltime_pre2000(_) ->
+ [Year | _]=YYMMDD = ["1972", "01", "01"],
+ HHMMSSZ = "000000Z",
+ GeneralTime = {generalTime, lists:flatten(YYMMDD) ++ HHMMSSZ},
+ {ExpectedYear, _} = convert_to_datetime_format(GeneralTime
+ , erlang:list_to_integer(Year)),
+
+ Result = pubkey_cert:time_str_2_gregorian_sec(GeneralTime),
+ {ExpectedYear, _} = calendar:gregorian_seconds_to_datetime(Result).
+
+
+time_str_2_gregorian_generaltime_post2000() ->
+ [{doc, "Tests a valid gregorian Utc time"}].
+time_str_2_gregorian_generaltime_post2000(_) ->
+ [Year | _]=YYMMDD = ["2045", "01", "01"],
+ HHMMSSZ = "000000Z",
+ GeneralTime = {generalTime, lists:flatten(YYMMDD) ++ HHMMSSZ},
+ {ExpectedYear, _} = convert_to_datetime_format(GeneralTime
+ , erlang:list_to_integer(Year)),
+
+ Result = pubkey_cert:time_str_2_gregorian_sec(GeneralTime),
+ {ExpectedYear, _} = calendar:gregorian_seconds_to_datetime(Result).
+
+
+convert_to_datetime_format({utcTime, [Y1, Y2, M1, M2, D1, D2 | _]}, ExpectedYear) ->
+ YYMMDD = [[Y1, Y2], [M1, M2], [D1, D2]],
+ [Y, M, D] = lists:map(fun (Str) -> erlang:list_to_integer(Str) end
+ , YYMMDD),
+ case (ExpectedYear rem 100) =:= Y of
+ true -> {{ExpectedYear, M, D}, {0, 0, 0}};
+ false -> error
+ end;
+
+convert_to_datetime_format({generalTime, [Y1, Y2, Y3, Y4, M1, M2, D1, D2 | _]}, ExpectedYear) ->
+ YYMMDD = [[Y1, Y2, Y3, Y4], [M1, M2], [D1, D2]],
+ [ExpectedYear, M, D] = lists:map(fun (Str) -> erlang:list_to_integer(Str) end
+ , YYMMDD),
+ {{ExpectedYear, M, D}, {0, 0, 0}}.
--
2.35.3
