File 4071-ssl-Fix-cert_auth-check.patch of Package erlang
From a2c991362e81c5e7ea645d07ff644162496f0ad0 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 11 Apr 2024 09:00:38 +0200
Subject: [PATCH] ssl: Fix cert_auth check
Also include the end entity cert when selecting issuers for the cert_auth extension check
Closes #8356
---
lib/ssl/src/ssl_certificate.erl | 8 ++++----
lib/ssl/test/ssl_cert_SUITE.erl | 24 +++++++++++++++++++++++-
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 2e2b43f564..91902801f5 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -315,8 +315,8 @@ handle_cert_auths(Chain, [], _, _) ->
{ok, Chain};
handle_cert_auths([Cert], CertAuths, CertDbHandle, CertDbRef) ->
case certificate_chain(Cert, CertDbHandle, CertDbRef, [], both) of
- {ok, {_, [Cert | _] = EChain}, {_, [_ | DCerts]}} ->
- case cert_auth_member(cert_issuers(DCerts), CertAuths) of
+ {ok, {_, [Cert | _] = EChain}, _} ->
+ case cert_auth_member(cert_issuers(EChain), CertAuths) of
true ->
{ok, EChain};
false ->
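Review bot: The reason for switching from the decoded tail `DCerts` to the full encoded chain `EChain` on the `cert_issuers(EChain)` line is not recorded in the code, and a later reader may see the end entity cert as a redundant entry; a comment such as `%% Include the end entity cert so that its issuer (the first CA in the chain) is also matched against CertAuths` would keep the fix from being undone as a cleanup. The same comment applies to the `cert_issuers(EChain)` call in the next hunk. The third element of the certificate_chain/5 result is now discarded, so the `both` argument requests a decoded chain that nothing reads; if certificate_chain/5 can return the encoded chain alone, that decoding could be skipped. The `false ->` branch of this clause continues past the hunk.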
@@ -325,8 +325,8 @@ handle_cert_auths([Cert], CertAuths, CertDbHandle, CertDbRef) ->
_ ->
{ok, [Cert]}
end;
-handle_cert_auths([_ | Certs] = EChain, CertAuths, _, _) ->
- case cert_auth_member(cert_issuers(Certs), CertAuths) of
+handle_cert_auths([_ | _] = EChain, CertAuths, _, _) ->
+ case cert_auth_member(cert_issuers(EChain), CertAuths) of
true ->
{ok, EChain};
false ->
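Review bot: The head `[_ | _] = EChain` now only asserts a non-empty list, and this clause is reached solely for chains of two or more certs because the `[Cert]` clause above takes single-cert chains, so the issuer check here silently depends on clause order; a comment on the head such as `%% Chain with at least one CA cert: check issuers of the whole chain, end entity included` would make that dependency explicit. The `false ->` branch continues outside the hunk.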
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index 315c0e20b1..19adfb5d8d 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -125,7 +125,9 @@
signature_algorithms_bad_curve_secp521r1/0,
signature_algorithms_bad_curve_secp521r1/1,
server_certificate_authorities_disabled/0,
- server_certificate_authorities_disabled/1
+ server_certificate_authorities_disabled/1,
+ cert_auth_in_first_ca/0,
+ cert_auth_in_first_ca/1
]).
%%--------------------------------------------------------------------
@@ -191,6 +193,7 @@ tls_1_3_tests() ->
hello_retry_request,
custom_groups,
client_auth_no_suitable_chain,
+ cert_auth_in_first_ca,
hello_retry_client_auth,
hello_retry_client_auth_empty_cert_accepted,
hello_retry_client_auth_empty_cert_rejected,
@@ -981,6 +984,25 @@ key_auth_ext_sign_only(Config) when is_list(Config) ->
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
%%--------------------------------------------------------------------
+cert_auth_in_first_ca() ->
+ [{doc,"Test cert auth will be available in first ca in chain, make it happen by only having one"}].
+cert_auth_in_first_ca(Config) when is_list(Config) ->
+ #{server_config := ServerOpts0,
+ client_config := ClientOpts0} =
+ public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}],
+ intermediates => [[]],
+ peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]},
+ client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}],
+ intermediates => [[]],
+ peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}),
+ ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config)],
+ ServerOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
+
+ ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
+%%--------------------------------------------------------------------
+
+
longer_chain() ->
[{doc,"Test depth option"}].
longer_chain(Config) when is_list(Config) ->
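Review bot: `ServerOpts0` and `ClientOpts0` bound from public_key:pkix_test_data/1 in cert_auth_in_first_ca/1 are never used — the two `ssl_test_lib:ssl_options(...)` lines take their options from Config instead, so the custom chains with a single intermediate that the test is built around never reach the handshake (the compiler will also warn about the unused variables). Presumably the intent was to pass them through, e.g. `ClientOpts = [{verify, verify_peer} | ClientOpts0]` and `ServerOpts = [{verify, verify_peer} | ServerOpts0]` (or via ssl_options if it accepts an option list); otherwise the pkix_test_data call is dead code. Unless basic_test/3 checks that a client certificate was actually presented, ServerOpts should also carry `{fail_if_no_peer_cert, true}`, since with verify_peer alone the handshake still succeeds when the client finds no chain matching certificate_authorities and sends an empty certificate, which would make the case pass without the fix. The doc string would read better as `[{doc, "Test that the certificate_authorities check also matches the issuer of the end entity cert, i.e. the first CA in the chain"}]`.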
--
2.35.3