File 3172-ssl-public_key-Adjust-handling-of-extended-key-usage.patch of Package erlang
From 4c8c99b74bd84cc4460c50be982c22607d456e0b Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 29 Aug 2023 08:26:28 +0200
Subject: [PATCH 2/2] ssl, public_key: Adjust handling of extended key usage
certificate extension
This extension is in general found in end entity certificates, but can appear
in CA certificates. See RFC 5280.
ssl application will validate id-kp-serverAuth and id-kp-clientAuth
in end entity certificates.
---
lib/public_key/src/pubkey_cert.erl | 11 ++-------
lib/ssl/src/ssl_certificate.erl | 24 +++++++++----------
lib/ssl/src/ssl_handshake.erl | 4 +++-
lib/ssl/src/tls_handshake_1_3.erl | 38 ++++++++++++++++--------------
4 files changed, 37 insertions(+), 40 deletions(-)
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 39084f3e76..7fbf8dfe06 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -908,24 +908,17 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-policyConstraints',
validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-extKeyUsage',
critical = true,
extnValue = KeyUse} = Extension | Rest],
- ValidationState#path_validation_state{last_cert = false}, ExistBasicCon,
+ #path_validation_state{last_cert = false} = ValidationState, ExistBasicCon,
SelfSigned, UserState0, VerifyFun) ->
UserState =
case ext_keyusage_includes_any(KeyUse) of
true -> %% CA cert that specifies ?anyExtendedKeyUsage should not be marked critical
verify_fun(OtpCert, {bad_cert, invalid_ext_key_usage}, UserState0, VerifyFun);
false ->
- verify_fun(OtpCert, {extension, Extension}, UserState0, VerifyFun);
+ verify_fun(OtpCert, {extension, Extension}, UserState0, VerifyFun)
end,
validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned,
UserState, VerifyFun);
-validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-extKeyUsage',
- extnValue = KeyUse} = Extension | Rest],
- ValidationState, ExistBasicCon,
- SelfSigned, UserState0, VerifyFun) ->
- UserState = verify_fun(OtpCert, {extension, Ext}, UserState0, VerifyFun),
- validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned,
- UserState, VerifyFun);
validate_extensions(OtpCert, [#'Extension'{} = Extension | Rest],
ValidationState, ExistBasicCon,
SelfSigned, UserState0, VerifyFun) ->
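Review bot: The rewritten clause head now matches only `last_cert = false`, so a critical extKeyUsage extension on the end-entity certificate — including one that carries anyExtendedKeyUsage — no longer reaches the `ext_keyusage_includes_any/1` rejection and instead falls through to the generic `#'Extension'{}` clause, where the verify_fun sees it only as `{extension, Extension}`. RFC 5280's rule that this extension SHOULD NOT be critical when anyExtendedKeyUsage is present is not limited to CA certificates, so this is either an intentional delegation to the ssl-side id-kp-serverAuth/clientAuth checks named in the description (in files outside this hunk) or a reason to drop the `last_cert = false` constraint and keep the reject-on-any check for every critical EKU; a caller using public_key's default verify function presumably ends up treating a critical end-entity EKU as an unknown critical extension, which is worth pinning with a test. Either way the split deserves a comment on the clause, e.g. `%% Critical EKU on a CA/intermediate cert: reject anyExtendedKeyUsage here (RFC 5280 4.2.1.12); non-critical EKU and EKU on the end-entity cert are handed to the verify_fun as {extension, Extension}, where ssl validates the key purposes.` The `validate_extensions` function continues beyond both ends of the hunk.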
--
2.35.3