File 2241-public_key-Add-missing-macros-and-definitions.patch of Package erlang
From b50e1482ec7798fef8e2fcaba1301adde89dcc3a Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 22 May 2025 15:37:38 +0200
Subject: [PATCH] public_key: Add missing macros and definitions
closes #9857 #9880
---
.../doc/guides/public_key_records.md | 7 +-
lib/public_key/include/public_key.hrl | 1023 +++++++++++------
lib/public_key/src/pubkey_cert_records.erl | 85 +-
lib/public_key/src/public_key.erl | 79 +-
4 files changed, 824 insertions(+), 370 deletions(-)
diff --git a/lib/public_key/doc/guides/public_key_records.md b/lib/public_key/doc/guides/public_key_records.md
index b0c466b727..d3243df93e 100644
--- a/lib/public_key/doc/guides/public_key_records.md
+++ b/lib/public_key/doc/guides/public_key_records.md
@@ -166,16 +166,17 @@ where parameters in the private key will be
```erlang
#'ECPrivateKey'{
- version, % pos_integer()
+ version, % pos_integer() | ecPrivkeyVer1 (enumeration value, decode returns atom, encode accepts both)
privateKey, % binary()
- parameters, % {ecParameters, #'ECParameters'{}} |
+ parameters, % {ecParameters, #'ECParameters'{}} | - Legacy
% {namedCurve, Oid::tuple()} |
% {implicitlyCA, 'NULL'}
publicKey % bitstring()
}.
+%% Legacy no longer defined in current PKIX standard
#'ECParameters'{
- version, % pos_integer()
+ version, % pos_integer() | v1 (enumeration value)
fieldID, % #'FieldID'{}
curve, % #'Curve'{}
base, % binary()
diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
index 52e68282b1..7ea04c48eb 100644
--- a/lib/public_key/include/public_key.hrl
+++ b/lib/public_key/include/public_key.hrl
@@ -24,7 +24,7 @@
-define(public_key, true).
%%%
-%%% RSA
+%%% RSA PKCS-1 & PSS-OAEP
%%%
-record('RSAPublicKey',
@@ -62,6 +62,24 @@
trailerField = asn1_DEFAULT
}).
+-record('RSASSA-AlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('RSAES-OAEP-params', {
+ hashAlgorithm = asn1_DEFAULT,
+ maskGenAlgorithm = asn1_DEFAULT,
+ pSourceAlgorithm = asn1_DEFAULT
+}).
+
+-record('RSAES-AlgorithmIdentifier', {
+ algorithm,
+ parameters = asn1_NOVALUE
+}).
+
+
-record('HashAlgorithm',
{
algorithm,
@@ -74,6 +92,8 @@
parameters = asn1_NOVALUE
}).
+-define('id-pSpecified', {1,2,840,113549,1,1,9}).
+
%%%
%%% DSA
%%%
@@ -96,13 +116,15 @@
}).
%%%
-%%% ECDSA and EDDSA
+%%% ECDSA, EDDSA, ECDH(E)
%%%
-define('id-Ed25519', {1,3,101,112}).
-define('id-Ed448', {1,3,101,113}).
-%% Undocumented but used by test suite.
+-define('id-X25519', {1,3,101,110}).
+-define('id-X448', {1,3,101,111}).
+
-define('sect571r1', {1,3,132,0,39}).
-define('sect571k1', {1,3,132,0,38}).
-define('sect409r1', {1,3,132,0,37}).
@@ -137,6 +159,21 @@
-define('secp256r1', {1,2,840,10045,3,1,7}).
-define('secp192r1', {1,2,840,10045,3,1,1}).
+-define('brainpoolP160r1', {1,3,36,3,3,2,8,1,1,1}).
+-define('brainpoolP160t1', {1,3,36,3,3,2,8,1,1,2}).
+-define('brainpoolP192r1', {1,3,36,3,3,2,8,1,1,3}).
+-define('brainpoolP192t1', {1,3,36,3,3,2,8,1,1,4}).
+-define('brainpoolP224r1', {1,3,36,3,3,2,8,1,1,5}).
+-define('brainpoolP224t1', {1,3,36,3,3,2,8,1,1,6}).
+-define('brainpoolP256r1', {1,3,36,3,3,2,8,1,1,7}).
+-define('brainpoolP256t1', {1,3,36,3,3,2,8,1,1,8}).
+-define('brainpoolP320r1', {1,3,36,3,3,2,8,1,1,9}).
+-define('brainpoolP320t1', {1,3,36,3,3,2,8,1,1,10}).
+-define('brainpoolP384r1', {1,3,36,3,3,2,8,1,1,11}).
+-define('brainpoolP384t1', {1,3,36,3,3,2,8,1,1,12}).
+-define('brainpoolP512r1', {1,3,36,3,3,2,8,1,1,13}).
+-define('brainpoolP512t1', {1,3,36,3,3,2,8,1,1,14}).
+
-record('ECPrivateKey',
{
version,
@@ -200,54 +237,12 @@
extensions = asn1_NOVALUE
}).
-%%%
-%%% Erlang alternate representation of PKIX certificate
-%%%
-
--record('OTPCertificate',
- {
- tbsCertificate,
- signatureAlgorithm,
- signature
- }).
-
--record('OTPTBSCertificate',
- {
- version = asn1_DEFAULT,
- serialNumber,
- signature,
- issuer,
- validity,
- subject,
- subjectPublicKeyInfo,
- issuerUniqueID = asn1_NOVALUE,
- subjectUniqueID = asn1_NOVALUE,
- extensions = asn1_NOVALUE
- }).
-
--record('SignatureAlgorithm',
- {
- algorithm,
- parameters = asn1_NOVALUE
- }).
-
-
-%% Hash functions
-
--define('id-sha1', {1,3,14,3,2,26}).
--define('id-sha224', {2,16,840,1,101,3,4,2,4}).
--define('id-sha256', {2,16,840,1,101,3,4,2,1}).
--define('id-sha384', {2,16,840,1,101,3,4,2,2}).
--define('id-sha512', {2,16,840,1,101,3,4,2,3}).
-
-
-
+%% plain certificate format
+-record('TBSCertificate_signature', {
+ algorithm,
+ parameters = asn1_NOVALUE
+}).
--record('AttributeTypeAndValue',
- {
- type,
- value
- }).
-define('id-at-name', {2,5,4,41}).
-define('id-at-surname', {2,5,4,4}).
@@ -269,10 +264,6 @@
-define('id-emailAddress', {1,2,840,113549,1,9,1}).
-define('id-at-organizationalUnitName', {2,5,4,11}).
-%%%
-%%% Validity, SubjectPublicKeyInfo, and SubjectPublicKeyInfoAlgorithm
-%%%
-
-record('Validity',
{
notBefore,
@@ -285,14 +276,8 @@
subjectPublicKey
}).
-%% OTP certificate format
--record('PublicKeyAlgorithm',
- {
- algorithm,
- parameters = asn1_NOVALUE
- }).
-%% plain certificate format
+%% plain certificate format used in SubjectPublicKeyInfo
-record('AlgorithmIdentifier',
{
algorithm,
@@ -300,44 +285,11 @@
}).
-%%%
-%%% Public-key algorithms
-%%%
-
-%% Digital signatures
-%% Modern
--define('id-RSASSA-PSS', {1,2,840,113549,1,1,10}).
--define('rSASSA-PSS-Default-Identifier', {'RSASSA-AlgorithmIdentifier',{1,2,840,113549,1,1,10},{'RSASSA-PSS-params',{'HashAlgorithm',{1,3,14,3,2,26},'NULL'},{'MaskGenAlgorithm',{1,2,840,113549,1,1,8},{'HashAlgorithm',{1,3,14,3,2,26},'NULL'}},20,1}}).
--define('id-mgf1', {1,2,840,113549,1,1,8}).
--define('id-ecPublicKey', {1,2,840,10045,2,1}).
--define('ecdsa-with-SHA256', {1,2,840,10045,4,3,2}).
--define('ecdsa-with-SHA384', {1,2,840,10045,4,3,3}).
--define('ecdsa-with-SHA512', {1,2,840,10045,4,3,4}).
-
-%% Legacy
--define('rsaEncryption', {1,2,840,113549,1,1,1}).
--define('md2WithRSAEncryption', {1,2,840,113549,1,1,2}).
--define('md5WithRSAEncryption', {1,2,840,113549,1,1,4}).
--define('sha1WithRSAEncryption', {1,2,840,113549,1,1,5}).
--define('sha224WithRSAEncryption', {1,2,840,113549,1,1,14}).
--define('sha256WithRSAEncryption', {1,2,840,113549,1,1,11}).
--define('sha384WithRSAEncryption', {1,2,840,113549,1,1,12}).
--define('sha512WithRSAEncryption', {1,2,840,113549,1,1,13}).
--define('sha512-224WithRSAEncryption', {1,2,840,113549,1,1,15}).
--define('sha512-256WithRSAEncryption', {1,2,840,113549,1,1,16}).
--define('sha-1WithRSAEncryption', {1,3,14,3,2,29}).
--define('id-hmacWithSHA1', {1,2,840,113549,2,7}).
--define('ecdsa-with-SHA1', {1,2,840,10045,4,1}).
--define('id-dsa', {1,2,840,10040,4,1}).
--define('id-dsaWithSHA1', {1,3,14,3,2,27}).
--define('id-dsa-with-sha1', {1,2,840,10040,4,3}).
--define('id-dsa-with-sha224', {2,16,840,1,101,3,4,3,1}).
--define('id-dsa-with-sha256', {2,16,840,1,101,3,4,3,2}).
-
-%% Key exchange
--define('dhpublicnumber', {1,2,840,10046,2,1}).
--define('id-keyExchangeAlgorithm', {2,16,840,1,101,2,1,1,22}).
-
+-record('AttributeTypeAndValue',
+ {
+ type,
+ value
+ }).
-record('Extension',
{
@@ -375,10 +327,21 @@
-define('id-ce-subjectKeyIdentifier', {2,5,29,14}).
-define('id-ce-authorityKeyIdentifier', {2,5,29,35}).
-%% Not documented but used by test suite.
+-define('id-ad-caIssuers', {1,3,6,1,5,5,7,48,2}).
+-define('id-ad-timeStamping', {1,3,6,1,5,5,7,48,3}).
+-define('id-ad-caRepository', {1,3,6,1,5,5,7,48,5}).
+
+-define('id-pe-authorityInfoAccess', {1,3,6,1,5,5,7,1,1}).
+-define('id-pe-subjectInfoAccess', {1,3,6,1,5,5,7,1,11}).
+
-define('anyExtendedKeyUsage', {2,5,29,37,0}).
-define('anyPolicy', {2,5,29,32,0}).
+-define('id-kp-timeStamping', {1,3,6,1,5,5,7,3,8}).
+-define('id-kp-emailProtection', {1,3,6,1,5,5,7,3,4}).
+-define('id-kp-codeSigning', {1,3,6,1,5,5,7,3,3}).
+-define('id-kp-clientAuth', {1,3,6,1,5,5,7,3,2}).
+-define('id-kp-serverAuth', {1,3,6,1,5,5,7,3,1}).
-record('AuthorityKeyIdentifier',
{
@@ -423,12 +386,6 @@
subjectDomainPolicy
}).
--record('Attribute',
- {
- type,
- values
- }).
-
-record('BasicConstraints',
{
cA = asn1_DEFAULT,
@@ -468,242 +425,357 @@
}).
%%%
-%%% CRL and CRL Extensions Profile
+%%% Erlang alternate representation of PKIX certificate
%%%
--record('CertificateList',
+-record('OTPCertificate',
{
- tbsCertList,
+ tbsCertificate,
signatureAlgorithm,
signature
}).
--record('TBSCertList',
+-record('OTPTBSCertificate',
{
- version = asn1_NOVALUE,
+ version = asn1_DEFAULT,
+ serialNumber,
signature,
issuer,
- thisUpdate,
- nextUpdate = asn1_NOVALUE,
- revokedCertificates = asn1_NOVALUE,
- crlExtensions = asn1_NOVALUE
- }).
-
--record('TBSCertList_revokedCertificates_SEQOF',
- {
- userCertificate,
- revocationDate,
- crlEntryExtensions = asn1_NOVALUE
- }).
-
-%%%
-%%% CRL Extensions
-%%%
-
--record('IssuingDistributionPoint',
- {
- distributionPoint = asn1_NOVALUE,
- onlyContainsUserCerts = asn1_DEFAULT,
- onlyContainsCACerts = asn1_DEFAULT,
- onlySomeReasons = asn1_NOVALUE,
- indirectCRL = asn1_DEFAULT,
- onlyContainsAttributeCerts = asn1_DEFAULT
- }).
-
-%%%
-%%% PKCS#10 Certification Request
-%%%
-
--record('CertificationRequest',
- {
- certificationRequestInfo,
- signatureAlgorithm,
- signature
- }).
-
--record('CertificationRequestInfo',
- {
- version,
+ validity,
subject,
- subjectPKInfo,
- attributes
+ subjectPublicKeyInfo,
+ issuerUniqueID = asn1_NOVALUE,
+ subjectUniqueID = asn1_NOVALUE,
+ extensions = asn1_NOVALUE
}).
--record('CertificationRequestInfo_subjectPKInfo',
+%% backwards compatibility
+-record('OTPSubjectPublicKeyInfo',
{
algorithm,
subjectPublicKey
}).
--record('CertificationRequestInfo_subjectPKInfo_algorithm',
+-record('SignatureAlgorithm',
{
algorithm,
parameters = asn1_NOVALUE
}).
--record('CertificationRequest_signatureAlgorithm',
+%% OTP certificate format used in SubjectPublicKeyInfo
+-record('PublicKeyAlgorithm',
{
algorithm,
parameters = asn1_NOVALUE
}).
--record('AttributePKCS-10',
- {
- type,
- values
- }).
-
--define(DEFAULT_VERIFYFUN,
- {fun(_,{bad_cert, _} = Reason, _) ->
- {fail, Reason};
- (_,{extension, _}, UserState) ->
- {unknown, UserState};
- (_, valid, UserState) ->
- {valid, UserState};
- (_, valid_peer, UserState) ->
- {valid, UserState}
- end, []}).
-
--record(path_validation_state,
- {
- valid_policy_tree,
- user_initial_policy_set,
- explicit_policy,
- inhibit_any_policy,
- inhibit_policy_mapping,
- policy_mapping_ext,
- policy_constraint_ext,
- policy_inhibitany_ext,
- policy_ext_present,
- policy_ext_any,
- current_any_policy_qualifiers,
- cert_num,
- last_cert = false,
- permitted_subtrees = no_constraints, %% Name constraints
- excluded_subtrees = [], %% Name constraints
- working_public_key_algorithm,
- working_public_key,
- working_public_key_parameters,
- working_issuer_name,
- max_path_length,
- verify_fun,
- user_state
- }).
-
--record(revoke_state,
- {
- reasons_mask,
- cert_status,
- interim_reasons_mask,
- valid_ext,
- details
- }).
-
-record(cert,
{
der :: public_key:der_encoded(),
otp :: #'OTPCertificate'{}
}).
--define(unspecified, 0).
--define(keyCompromise, 1).
--define(cACompromise, 2).
--define(affiliationChanged, 3).
--define(superseded, 4).
--define(cessationOfOperation, 5).
--define(certificateHold, 6).
--define(removeFromCRL, 8).
--define(privilegeWithdrawn, 9).
--define(aACompromise, 10).
+%% Hash functions
+
+-define('id-sha1', {1,3,14,3,2,26}).
+-define('id-sha224', {2,16,840,1,101,3,4,2,4}).
+-define('id-sha256', {2,16,840,1,101,3,4,2,1}).
+-define('id-sha384', {2,16,840,1,101,3,4,2,2}).
+-define('id-sha512', {2,16,840,1,101,3,4,2,3}).
%%%
-%%% OCSP, undocumented, but used by test suite.
+%%% Public-key algorithms
%%%
--record('BasicOCSPResponse',
- {
- tbsResponseData,
- signatureAlgorithm,
- signature,
- certs = asn1_NOVALUE
- }).
-
--record('SingleResponse',
- {
- certID,
- certStatus,
- thisUpdate,
- nextUpdate = asn1_NOVALUE,
- singleExtensions = asn1_NOVALUE
- }).
+%% Digital signatures
+%% Modern
+-define('id-RSASSA-PSS', {1,2,840,113549,1,1,10}).
+-define('rSASSA-PSS-Default-Identifier',
+ {'RSASSA-AlgorithmIdentifier',{1,2,840,113549,1,1,10},
+ {'RSASSA-PSS-params',{'HashAlgorithm',{1,3,14,3,2,26},'NULL'},
+ {'MaskGenAlgorithm',{1,2,840,113549,1,1,8},
+ {'HashAlgorithm',{1,3,14,3,2,26},'NULL'}},20,1}}).
+-define('id-mgf1', {1,2,840,113549,1,1,8}).
+-define('id-ecPublicKey', {1,2,840,10045,2,1}).
+-define('ecdsa-with-SHA224', {1,2,840,10045,4,3,1}).
+-define('ecdsa-with-SHA256', {1,2,840,10045,4,3,2}).
+-define('ecdsa-with-SHA384', {1,2,840,10045,4,3,3}).
+-define('ecdsa-with-SHA512', {1,2,840,10045,4,3,4}).
--record('CertID',
- {
- hashAlgorithm,
- issuerNameHash,
- issuerKeyHash,
- serialNumber
+%% Legacy
+-define('ecdsa-with-SHA2', {1,2,840,10045,4,3}).
+-define('rsaEncryption', {1,2,840,113549,1,1,1}).
+-define('md2WithRSAEncryption', {1,2,840,113549,1,1,2}).
+-define('md5WithRSAEncryption', {1,2,840,113549,1,1,4}).
+-define('sha1WithRSAEncryption', {1,2,840,113549,1,1,5}).
+-define('sha224WithRSAEncryption', {1,2,840,113549,1,1,14}).
+-define('sha256WithRSAEncryption', {1,2,840,113549,1,1,11}).
+-define('sha384WithRSAEncryption', {1,2,840,113549,1,1,12}).
+-define('sha512WithRSAEncryption', {1,2,840,113549,1,1,13}).
+-define('sha512-224WithRSAEncryption', {1,2,840,113549,1,1,15}).
+-define('sha512-256WithRSAEncryption', {1,2,840,113549,1,1,16}).
+-define('sha-1WithRSAEncryption', {1,3,14,3,2,29}).
+-define('id-hmacWithSHA1', {1,2,840,113549,2,7}).
+-define('ecdsa-with-SHA1', {1,2,840,10045,4,1}).
+-define('id-dsa', {1,2,840,10040,4,1}).
+-define('id-dsaWithSHA1', {1,3,14,3,2,27}).
+-define('id-dsa-with-sha1', {1,2,840,10040,4,3}).
+-define('id-dsa-with-sha224', {2,16,840,1,101,3,4,3,1}).
+-define('id-dsa-with-sha256', {2,16,840,1,101,3,4,3,2}).
+
+%% Undocumented but used by SSH.
+-record('ECDSA-Sig-Value',
+ {
+ r,
+ s
}).
--record('ResponseData',
+-record('Dss-Sig-Value',
{
- version = asn1_DEFAULT,
- responderID,
- producedAt,
- responses,
- responseExtensions = asn1_NOVALUE
+ r,
+ s
}).
--define('id-kp-OCSPSigning', {1,3,6,1,5,5,7,3,9}).
--define('id-kp-timeStamping', {1,3,6,1,5,5,7,3,8}).
--define('id-kp-emailProtection', {1,3,6,1,5,5,7,3,4}).
--define('id-kp-codeSigning', {1,3,6,1,5,5,7,3,3}).
--define('id-kp-clientAuth', {1,3,6,1,5,5,7,3,2}).
--define('id-kp-serverAuth', {1,3,6,1,5,5,7,3,1}).
+%% Key exchange
+-define('dhpublicnumber', {1,2,840,10046,2,1}).
+-define('id-keyExchangeAlgorithm', {2,16,840,1,101,2,1,1,22}).
+
+-record('DHParameter',
+ {
+ prime,
+ base,
+ privateValueLength = asn1_NOVALUE
+ }).
+
+%% PKCS-9
+-define('pkcs-9-at-extensionRequest', {1,2,840,113549,1,9,14}).
+
+
+%%% CRL and CRL Extensions Profile
%%%
-%%% OTP-PKIX.
+
+-define(unspecified, 0).
+-define(keyCompromise, 1).
+-define(cACompromise, 2).
+-define(affiliationChanged, 3).
+-define(superseded, 4).
+-define(cessationOfOperation, 5).
+-define(certificateHold, 6).
+-define(removeFromCRL, 8).
+-define(privilegeWithdrawn, 9).
+-define(aACompromise, 10).
+
+-record('CertificateList',
+ {
+ tbsCertList,
+ signatureAlgorithm,
+ signature
+ }).
+
+-record('TBSCertList',
+ {
+ version = asn1_NOVALUE,
+ signature,
+ issuer,
+ thisUpdate,
+ nextUpdate = asn1_NOVALUE,
+ revokedCertificates = asn1_NOVALUE,
+ crlExtensions = asn1_NOVALUE
+ }).
+
+-record('TBSCertList_signature', {
+ algorithm,
+ parameters = asn1_NOVALUE
+}).
+
+-record('CertificateList_algorithmIdentifier', {
+ algorithm,
+ parameters = asn1_NOVALUE
+}).
+
+-record('TBSCertList_revokedCertificates_SEQOF',
+ {
+ userCertificate,
+ revocationDate,
+ crlEntryExtensions = asn1_NOVALUE
+ }).
+
%%%
-%%% Undocumented but used but used in many places.
+%%% CRL Extensions
%%%
--record('OTPSubjectPublicKeyInfo',
+-record('IssuingDistributionPoint',
{
- algorithm,
- subjectPublicKey
+ distributionPoint = asn1_NOVALUE,
+ onlyContainsUserCerts = asn1_DEFAULT,
+ onlyContainsCACerts = asn1_DEFAULT,
+ onlySomeReasons = asn1_NOVALUE,
+ indirectCRL = asn1_DEFAULT,
+ onlyContainsAttributeCerts = asn1_DEFAULT
}).
%%%
-%%% Undocumented but used by test suite.
+%%% PKCS#10 Certification Request
%%%
--record('DHParameter',
+-record('CertificationRequest',
{
- prime,
- base,
- privateValueLength = asn1_NOVALUE
+ certificationRequestInfo,
+ signatureAlgorithm,
+ signature
}).
--record('RSASSA-AlgorithmIdentifier',
+-record('CertificationRequestInfo',
+ {
+ version,
+ subject,
+ subjectPKInfo,
+ attributes
+ }).
+
+-record('CertificationRequestInfo_subjectPKInfo',
+ {
+ algorithm,
+ subjectPublicKey
+ }).
+
+-record('CertificationRequestInfo_subjectPKInfo_algorithm',
{
algorithm,
parameters = asn1_NOVALUE
}).
+-record('CertificationRequest_signatureAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('AttributePKCS-10',
+ {
+ type,
+ values
+ }).
+
+%%%
+%%% OCSP
+%%%
+-define('id-kp-OCSPSigning', {1,3,6,1,5,5,7,3,9}).
+-define('id-pkix-ocsp', {1,3,6,1,5,5,7,48,1}).
+-define('id-pkix-ocsp-basic', {1,3,6,1,5,5,7,48,1,1}).
-define('id-pkix-ocsp-nonce', {1,3,6,1,5,5,7,48,1,2}).
+-define('id-pkix-ocsp-crl', {1,3,6,1,5,5,7,48,1,3}).
+-define('id-pkix-ocsp-response', {1,3,6,1,5,5,7,48,1,4}).
+-define('id-pkix-ocsp-nocheck', {1,3,6,1,5,5,7,48,1,5}).
+-define('id-pkix-ocsp-archive-cutoff', {1,3,6,1,5,5,7,48,1,6}).
+-define('id-pkix-ocsp-service-locator', {1,3,6,1,5,5,7,48,1,7}).
+-define('id-pkix-ocsp-pref-sig-algs', {1,3,6,1,5,5,7,48,1,8}).
+-define('id-pkix-ocsp-extended-revoke', {1,3,6,1,5,5,7,48,1,9}).
+
-define('id-ad-ocsp', {1,3,6,1,5,5,7,48,1}).
--define('id-pe-authorityInfoAccess', {1,3,6,1,5,5,7,1,1}).
+
+-record('OCSPRequest',
+ {
+ tbsRequest,
+ optionalSignature = asn1_NOVALUE
+ }).
+
+-record('TBSRequest',
+ {
+ version = asn1_DEFAULT,
+ requestorName = asn1_NOVALUE,
+ requestList,
+ requestExtensions = asn1_NOVALUE
+ }).
+
+-record('Signature',
+ {
+ signatureAlgorithm,
+ signature,
+ certs = asn1_NOVALUE
+ }).
+-record('Request',
+ {
+ reqCert,
+ singleRequestExtensions = asn1_NOVALUE
+ }).
+
+-record('CertID',
+ {
+ hashAlgorithm,
+ issuerNameHash,
+ issuerKeyHash,
+ serialNumber
+ }).
+
+-record('OCSPResponse',
+ {
+ responseStatus,
+ responseBytes = asn1_NOVALUE
+ }).
+
+-record('ResponseBytes',
+ {
+ responseType,
+ response
+ }).
+
+-record('BasicOCSPResponse',
+ {
+ tbsResponseData,
+ signatureAlgorithm,
+ signature,
+ certs = asn1_NOVALUE
+ }).
+
+-record('ResponseData',
+ {
+ version = asn1_DEFAULT,
+ responderID,
+ producedAt,
+ responses,
+ responseExtensions = asn1_NOVALUE
+ }).
+
+-record('SingleResponse',
+ {
+ certID,
+ certStatus,
+ thisUpdate,
+ nextUpdate = asn1_NOVALUE,
+ singleExtensions = asn1_NOVALUE
+ }).
+
+-record('RevokedInfo',
+ {
+ revocationTime,
+ revocationReason = asn1_NOVALUE
+ }).
+
+-record('ServiceLocator',
+ {
+ issuer,
+ locator
+ }).
+
+-record('CrlID',
+ {
+ crlUrl = asn1_NOVALUE,
+ crlNum = asn1_NOVALUE,
+ crlTime = asn1_NOVALUE
+ }).
+
+-record('PreferredSignatureAlgorithm',
+ {
+ sigIdentifier,
+ certIdentifier = asn1_NOVALUE
+ }).
%%%
-%%% Undocumented but used by SSL.
+%%% PKCS-8
%%%
--define('id-X25519', {1,3,101,110}).
--define('id-X448', {1,3,101,111}).
--define('brainpoolP512r1', {1,3,36,3,3,2,8,1,1,13}).
--define('brainpoolP384r1', {1,3,36,3,3,2,8,1,1,11}).
--define('brainpoolP256r1', {1,3,36,3,3,2,8,1,1,7}).
-
-record('PrivateKeyInfo',
{ %% OneAsymmetricKey
version,
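Review bot: `'rSASSA-PSS-Default-Identifier'` sits under the `%% Modern` heading, yet its parameters are SHA-1 throughout: both `'HashAlgorithm'` tuples carry `{1,3,14,3,2,26}`, which this same hunk defines as `'id-sha1'`, with salt length 20. A reader who takes the macro as a recommended setting for new signatures ends up with SHA-1 based PSS. I would add a comment above the define, for example `%% ASN.1 DEFAULT parameters (SHA-1, MGF1 with SHA-1, salt length 20); needed to interpret absent parameters, not a recommendation for new signatures`. The macro itself was only moved here from earlier in the file and re-wrapped.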
@@ -720,7 +792,7 @@
parameters = asn1_NOVALUE
}).
--record('EncryptedPrivateKeyInfo',
+-record('EncryptedPrivateKeyInfo',
{
encryptionAlgorithm,
encryptedData
@@ -731,17 +803,21 @@
parameters
}).
--record('OneAsymmetricKey', {
- version,
- privateKeyAlgorithm,
- privateKey,
- attributes = asn1_NOVALUE,
- %% with extensions
- publicKey = asn1_NOVALUE
- %% end of extensions
-}).
+-record('OneAsymmetricKey',
+ {
+ version,
+ privateKeyAlgorithm,
+ privateKey,
+ attributes = asn1_NOVALUE,
+ %% with extensions
+ publicKey = asn1_NOVALUE
+ %% end of extensions
+ }).
+
+%%%
+%%% Password based encryption
+%%%
-%% Password based encryption
-define('id-PBES2', {1,2,840,113549,1,5,13}).
-define('id-PBKDF2', {1,2,840,113549,1,5,12}).
@@ -755,63 +831,360 @@
-define('id-aes256-CBC', {2,16,840,1,101,3,4,1,42}).
-define('rc2CBC', {1,2,840,113549,3,2}).
--record('RC2-CBC-Parameter', {
- rc2ParameterVersion = asn1_NOVALUE,
- iv
-}).
+-record('RC2-CBC-Parameter',
+ {
+ rc2ParameterVersion = asn1_NOVALUE,
+ iv
+ }).
--record('PBES2-params', {
- keyDerivationFunc,
- encryptionScheme
-}).
+-record('PBES2-params',
+ {
+ keyDerivationFunc,
+ encryptionScheme
+ }).
--record('PBES2-params_keyDerivationFunc', {
- algorithm,
- parameters = asn1_NOVALUE
-}).
+-record('PBES2-params_keyDerivationFunc',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
--record('PBES2-params_encryptionScheme', {
- algorithm,
- parameters = asn1_NOVALUE
-}).
+-record('PBES2-params_encryptionScheme',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
--record('PBEParameter', {
- salt,
- iterationCount
-}).
+-record('PBEParameter',
+ {
+ salt,
+ iterationCount
+ }).
--record('PBKDF2-params', {
- salt,
- iterationCount,
- keyLength = asn1_NOVALUE,
- prf = asn1_DEFAULT
-}).
+-record('PBKDF2-params',
+ {
+ salt,
+ iterationCount,
+ keyLength = asn1_NOVALUE,
+ prf = asn1_DEFAULT
+ }).
--record('PBKDF2-params_prf', {
- algorithm,
- parameters = asn1_NOVALUE
+-record('PBKDF2-params_prf',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('EncryptionAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+%%%
+%%% CryptographicMessageSyntax
+%%%
+
+-define('id-ct-contentInfo', {1,2,840,113549,1,9,16,1,6}).
+-define('id-data', {1,2,840,113549,1,7,1}).
+-define('id-signedData', {1,2,840,113549,1,7,2}).
+-define('id-envelopedData', {1,2,840,113549,1,7,3}).
+-define('id-digestedData', {1,2,840,113549,1,7,5}).
+-define('id-encryptedData', {1,2,840,113549,1,7,6}).
+-define('id-ct-authData', {1,2,840,113549,1,9,16,1,2}).
+-define('id-contentType', {1,2,840,113549,1,9,3}).
+-define('id-messageDigest', {1,2,840,113549,1,9,4}).
+-define('id-signingTime', {1,2,840,113549,1,9,5}).
+-define('id-countersignature', {1,2,840,113549,1,9,6}).
+
+%% Legacy names for backwards compatibility
+-define('encryptedData', {1,2,840,113549,1,7,6}).
+-define('digestedData', {1,2,840,113549,1,7,5}).
+-define('envelopedData', {1,2,840,113549,1,7,3}).
+-define('signedData', {1,2,840,113549,1,7,2}).
+-define('data', {1,2,840,113549,1,7,1}).
+
+-record('Attribute',
+ {
+ type,
+ values
+ }).
+
+-record('ContentInfo',
+ {
+ contentType,
+ content
+ }).
+
+-record('SignedData',
+ {
+ version,
+ digestAlgorithms,
+ encapContentInfo,
+ certificates = asn1_NOVALUE,
+ crls = asn1_NOVALUE,
+ signerInfos
+ }).
+
+-record('EncapsulatedContentInfo',
+ {
+ eContentType,
+ eContent = asn1_NOVALUE
+ }).
+
+-record('SignerInfo',
+ {
+ version,
+ sid,
+ digestAlgorithm,
+ signedAttrs = asn1_NOVALUE,
+ signatureAlgorithm,
+ signature,
+ unsignedAttrs = asn1_NOVALUE
+ }).
+
+-record('SignerInfo_unsignedAttrs_SETOF',
+ {
+ attrType,
+ attrValues
+ }).
+
+-record('SignedAttributes_SETOF',
+ {
+ attrType,
+ attrValues
+ }).
+
+-record('EnvelopedData',
+ {
+ version,
+ originatorInfo = asn1_NOVALUE,
+ recipientInfos,
+ encryptedContentInfo,
+ %% with extensions
+ unprotectedAttrs = asn1_NOVALUE
+ }).
+
+-record('EnvelopedData_unprotectedAttrs_SETOF',
+ {
+ attrType,
+ attrValues
+ }).
+
+-record('OriginatorInfo',
+ {
+ certs = asn1_NOVALUE,
+ crls = asn1_NOVALUE
+ }).
+
+-record('EncryptedContentInfo',
+ {
+ contentType,
+ contentEncryptionAlgorithm,
+ encryptedContent = asn1_NOVALUE
+ }).
+
+-record('KeyTransRecipientInfo',
+ {
+ version,
+ rid,
+ keyEncryptionAlgorithm,
+ encryptedKey
+ }).
+
+-record('KeyTransRecipientInfo_keyEncryptionAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('KeyAgreeRecipientInfo',
+ {
+ version,
+ originator,
+ ukm = asn1_NOVALUE,
+ keyEncryptionAlgorithm,
+ recipientEncryptedKeys
+ }).
+
+-record('KeyAgreeRecipientInfo_keyEncryptionAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('OriginatorPublicKey',
+ {
+ algorithm,
+ publicKey
+ }).
+
+-record('OriginatorPublicKey_algorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('RecipientEncryptedKey',
+ {
+ rid,
+ encryptedKey
+ }).
+
+-record('RecipientKeyIdentifier',
+ {
+ subjectKeyIdentifier,
+ date = asn1_NOVALUE,
+ other = asn1_NOVALUE
+ }).
+
+-record('KEKRecipientInfo',
+ {
+ version,
+ kekid,
+ keyEncryptionAlgorithm,
+ encryptedKey
+ }).
+
+-record('KEKIdentifier',
+ {
+ keyIdentifier,
+ date = asn1_NOVALUE,
+ other = asn1_NOVALUE
+ }).
+
+-record('PasswordRecipientInfo',
+ {
+ version,
+ keyDerivationAlgorithm = asn1_NOVALUE,
+ keyEncryptionAlgorithm,
+ encryptedKey
+ }).
+
+-record('OtherRecipientInfo',
+ {
+ oriType,
+ oriValue
+ }).
+
+-record('DigestedData',
+ {
+ version,
+ digestAlgorithm,
+ encapContentInfo,
+ digest
+ %% with extension mark
+ }).
+
+-record('EncryptedData',
+ {
+ version,
+ encryptedContentInfo,
+ %% with extensions
+ unprotectedAttrs = asn1_NOVALUE
+ }).
+-record('EncryptedData_unprotectedAttrs_SETOF', {
+ attrType,
+ attrValues
}).
--record('EncryptionAlgorithmIdentifier', {
- algorithm,
- parameters = asn1_NOVALUE
+-record('AuthenticatedData',
+ {
+ version,
+ originatorInfo = asn1_NOVALUE,
+ recipientInfos,
+ macAlgorithm,
+ digestAlgorithm = asn1_NOVALUE,
+ encapContentInfo,
+ authAttrs = asn1_NOVALUE,
+ mac,
+ unauthAttrs = asn1_NOVALUE
+ }).
+
+-record('AuthAttributes_SETOF',
+ {
+ attrType,
+ attrValues
+ }).
+
+-record('UnauthAttributes_SETOF',
+ {
+ attrType,
+ attrValues
+ }).
+
+-record('DigestAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('SignatureAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('KeyEncryptionAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('ContentEncryptionAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('MessageAuthenticationCodeAlgorithm',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('KeyDerivationAlgorithmIdentifier',
+ {
+ algorithm,
+ parameters = asn1_NOVALUE
+ }).
+
+-record('OtherRevocationInfoFormat',
+ {
+ otherRevInfoFormat,
+ otherRevInfo
+ }).
+
+-record('OtherCertificateFormat',
+ {
+ otherCertFormat,
+ otherCert
}).
+-record('IssuerAndSerialNumber',
+ {
+ issuer,
+ serialNumber
+ }).
-%%%
-%%% Undocumented but used by SSH.
-%%%
+-record('OtherKeyAttribute',
+ {
+ keyAttrId,
+ keyAttr
+ }).
--record('ECDSA-Sig-Value',
+-record('ExtendedCertificate',
{
- r,
- s
+ extendedCertificateInfo,
+ signatureAlgorithm,
+ signature
}).
--record('Dss-Sig-Value',
+-record('ExtendedCertificateInfo',
{
- r,
- s
+ version,
+ certificate,
+ attributes
}).
+
-endif. % -ifdef(public_key).
diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 5a47623bf1..f11e2fc01e 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -27,8 +27,15 @@
-include("public_key_internal.hrl").
--export([decode_cert/1, transform/2, supportedPublicKeyAlgorithms/1,
- supportedCurvesTypes/1, namedCurves/1]).
+-export([decode_cert/1,
+ transform/2,
+ supportedPublicKeyAlgorithms/1,
+ supportedCurvesTypes/1,
+ namedCurves/1,
+ encode_extensions/1,
+ decode_extensions/1,
+ ext_oid/1
+ ]).
%%====================================================================
%% Internal application API
@@ -120,7 +127,7 @@ dec_transform(#'OTPTBSCertificate'{signature=Signature0,
Issuer = dec_transform(Issuer0),
Subject = dec_transform(Subject0),
Spki = decode_supportedPublicKey(Spki0),
- Exts = decode_extensions(Exts0),
+ Exts = decode_extensions(Exts0, crl_later),
TBS#'OTPTBSCertificate'{issuer=Issuer, subject=Subject,
signature=setelement(1, Signature, 'SignatureAlgorithm'),
subjectPublicKeyInfo=Spki,extensions=Exts};
@@ -362,14 +369,48 @@ extension_id(?'id-ce-cRLReasons') -> 'CRLReason';
extension_id(?'id-ce-certificateIssuer') -> 'CertificateIssuer';
extension_id(?'id-ce-holdInstructionCode') -> 'HoldInstructionCode';
extension_id(?'id-ce-invalidityDate') -> 'InvalidityDate';
+extension_id(?'id-ce-cRLDistributionPoints') -> 'CRLDistributionPoints';
extension_id(_) ->
undefined.
-decode_extensions(asn1_NOVALUE) ->
- asn1_NOVALUE;
+ext_oid('AuthorityKeyIdentifier') -> ?'id-ce-authorityKeyIdentifier';
+ext_oid('SubjectKeyIdentifier') -> ?'id-ce-subjectKeyIdentifier';
+ext_oid('KeyUsage') -> ?'id-ce-keyUsage';
+ext_oid('PrivateKeyUsagePeriod') -> ?'id-ce-privateKeyUsagePeriod';
+ext_oid('CertificatePolicies') -> ?'id-ce-certificatePolicies';
+ext_oid('PolicyMappings') -> ?'id-ce-policyMappings';
+ext_oid('SubjectAltName') -> ?'id-ce-subjectAltName';
+ext_oid('IssuerAltName') -> ?'id-ce-issuerAltName';
+ext_oid('SubjectDirectoryAttributes') -> ?'id-ce-subjectDirectoryAttributes';
+ext_oid('BasicConstraints') -> ?'id-ce-basicConstraints';
+ext_oid('NameConstraints') -> ?'id-ce-nameConstraints';
+ext_oid('PolicyConstraints') -> ?'id-ce-policyConstraints';
+ext_oid('ExtKeyUsageSyntax') -> ?'id-ce-extKeyUsage';
+ext_oid('InhibitAnyPolicy') -> ?'id-ce-inhibitAnyPolicy';
+ext_oid('FreshestCRL') -> ?'id-ce-freshestCRL';
+ext_oid('IssuingDistributionPoint') -> ?'id-ce-issuingDistributionPoint';
+ext_oid('AuthorityInfoAccessSyntax') -> ?'id-pe-authorityInfoAccess';
+ext_oid('SubjectInfoAccessSyntax') -> ?'id-pe-subjectInfoAccess';
+ext_oid('CRLNumber') -> ?'id-ce-cRLNumber';
+ext_oid('BaseCRLNumber') -> ?'id-ce-deltaCRLIndicator';
+ext_oid('CRLReason') -> ?'id-ce-cRLReasons';
+ext_oid('CertificateIssuer') -> ?'id-ce-certificateIssuer';
+ext_oid('HoldInstructionCode') -> ?'id-ce-holdInstructionCode';
+ext_oid('InvalidityDate') -> ?'id-ce-invalidityDate';
+ext_oid('CRLDistributionPoints') -> ?'id-ce-cRLDistributionPoints';
+ext_oid(_) ->
+ undefined.
decode_extensions(Exts) ->
+ decode_extensions(Exts, crl_now).
+
+decode_extensions(asn1_NOVALUE, _) ->
+ asn1_NOVALUE;
+
+decode_extensions(Exts, WhenCRL) ->
lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
+ %% Some Extensions only has special decoding functions
+ %% with other naming-convention
ExtId = extension_id(Id),
case ExtId =/= undefined andalso
'PKIX1Implicit-2009':getdec_CertExtensions(Id)
@@ -386,12 +427,16 @@ decode_extensions(Exts) ->
decode_otp_cert_polices(Ext, iolist_to_binary(Value0))
end;
DecodeExt when is_function(DecodeExt, 3) ->
- %% Undocumented asn1 usage, but
- %% currently the only way to decode
- %% extensions.
- Value = DecodeExt('ExtnType', iolist_to_binary(Value0), dummy),
- Ext#'Extension'{extnValue=transform(Value,decode)}
- end
+ case (ExtId == 'CRLDistributionPoints') andalso (WhenCRL == crl_later) of
+ true ->
+ %% Work around for certs that do not use CRL's but
+ %% wrongly decode the extension as NULL
+ Ext;
+ false ->
+ Value = DecodeExt('ExtnType', iolist_to_binary(Value0), dummy),
+ Ext#'Extension'{extnValue=transform(Value,decode)}
+ end
+ end
end, Exts).
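Review bot: With `crl_later` the `'CRLDistributionPoints'` extension is returned with `extnValue` still holding the undecoded value, and the comment says neither that nor who decodes it afterwards. Code that later reads distribution points from an `#'OTPTBSCertificate'{}` for revocation checking has to handle the raw form here, and a consumer that only matches the decoded form could pass over the extension without noticing. I would extend the comment to `%% extnValue is left as DER; decode it with decode_extensions/1 (crl_now) before use` and describe the two `WhenCRL` atoms where `decode_extensions/2` is defined. The comparisons could also use `=:=`, since both sides are atoms. The enclosing fun starts outside this hunk.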
decode_otp_cert_polices(Ext, Value) ->
@@ -417,17 +462,23 @@ encode_extensions(asn1_NOVALUE) ->
asn1_NOVALUE;
encode_extensions(Exts) ->
+ %% Some Extensions only has special decoding functions
+ %% with other naming-convention
lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) ->
- case extension_id(Id) =/= undefined andalso
+ ExtId = extension_id(Id),
+ case ExtId =/= undefined andalso
'PKIX1Implicit-2009':getenc_CertExtensions(Id)
of
false ->
Ext;
EncodeExt when is_function(EncodeExt, 3) ->
- %% Undocumented asn1 usage, but currently the only way
- %% to decode extensions.
- Value1 = pubkey_translation:encode(Value0),
- Value = element(1,EncodeExt('ExtnType', Value1, dummy)),
- Ext#'Extension'{extnValue= iolist_to_binary(Value)}
+ case (ExtId == 'CRLDistributionPoints') andalso is_binary(Value0) of
+ true ->
+ Ext; %% Already encoded
+ false ->
+ Value1 = pubkey_translation:encode(Value0),
+ Value = element(1,EncodeExt('ExtnType', Value1, dummy)),
+ Ext#'Extension'{extnValue= iolist_to_binary(Value)}
+ end
end
end, Exts).
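Review bot: The new `is_binary(Value0)` branch returns a `'CRLDistributionPoints'` extension as is, so any binary placed in `extnValue` goes into the encoded certificate without passing through `EncodeExt`. That is presumably meant for values left undecoded by `decode_extensions(Exts, crl_later)`, but nothing in the branch states or checks it. A comment such as `%% Binary means the value was left as DER by decode_extensions/2 (crl_later); it is not re-validated here` would make the trust assumption visible. The comment added at the top of the function speaks of decoding functions although this is the encoder; `%% Some extensions only have special encoding functions` would read correctly.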
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index f2b33ffa97..ad0920a1f5 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -563,6 +563,20 @@ der_decode('Dss-Sig-Value', Der) ->
error:{badmatch, {error, _}} = Error ->
erlang:error(Error)
end;
+der_decode(Asn1ExtType, Der) when Asn1ExtType == 'SubjectAltName';
+ Asn1ExtType == 'IssuerAltName';
+ Asn1ExtType == 'ExtKeyUsage';
+ Asn1ExtType == 'InhibitAnyPolicy';
+ Asn1ExtType == 'FreshestCRL';
+ Asn1ExtType == 'AuthorityInfoAccess';
+ Asn1ExtType == 'DeltaCRLIndicator';
+ Asn1ExtType == 'CertificateIssuer';
+ Asn1ExtType == 'HoldInstructionCode';
+ Asn1ExtType == 'InvalidityDate' ->
+ Oid = pubkey_cert_records:ext_oid(Asn1ExtType),
+ [#'Extension'{extnValue = Value}]
+ = pubkey_cert_records:decode_extensions([#'Extension'{extnID = Oid, extnValue = Der}]),
+ Value;
der_decode(Asn1Type, Der) when is_atom(Asn1Type), is_binary(Der) ->
Asn1Module = get_asn1_module(Asn1Type),
try
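Review bot: The new extension clause of `der_decode/2` has neither the `is_binary(Der)` guard nor the `try ... catch` that the generic clause below it uses. A non-binary argument is therefore passed on to `pubkey_cert_records:decode_extensions/1`, and a malformed DER value probably surfaces as whatever that call or the list match raises rather than the error shape the other clauses produce (not confirmed, since the callee's failure mode is not visible here). Adding the guard keeps the input contract the same for every type name, and wrapping the call like the generic clause would keep the error contract uniform. The matching `der_encode/2` clause added in the `-800,6` hunk has the same untranslated-error property.

```erlang
der_decode(Asn1ExtType, Der) when is_binary(Der) andalso
                                  (Asn1ExtType =:= 'SubjectAltName' orelse
                                   Asn1ExtType =:= 'IssuerAltName' orelse
                                   Asn1ExtType =:= 'ExtKeyUsage' orelse
                                   Asn1ExtType =:= 'InhibitAnyPolicy' orelse
                                   Asn1ExtType =:= 'FreshestCRL' orelse
                                   Asn1ExtType =:= 'AuthorityInfoAccess' orelse
                                   Asn1ExtType =:= 'DeltaCRLIndicator' orelse
                                   Asn1ExtType =:= 'CertificateIssuer' orelse
                                   Asn1ExtType =:= 'HoldInstructionCode' orelse
                                   Asn1ExtType =:= 'InvalidityDate') ->
    %% … unchanged: ext_oid lookup and decode_extensions call …
```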
@@ -573,45 +587,46 @@ der_decode(Asn1Type, Der) when is_atom(Asn1Type), is_binary(Der) ->
erlang:error(Error)
end.
-get_asn1_module('BasicOCSPResponse') -> 'OCSP-2024-08';
-get_asn1_module('Nonce') -> 'OCSP-2024-08';
-get_asn1_module('OCSPResponse') -> 'OCSP-2024-08';
-get_asn1_module('ResponseData') -> 'OCSP-2024-08';
-get_asn1_module('Name') -> 'PKIX1Explicit-2009';
-get_asn1_module('Extensions') -> 'OTP-PKIX';
-
get_asn1_module('AuthorityInfoAccessSyntax') -> 'PKIX1Implicit-2009';
get_asn1_module('AuthorityKeyIdentifier') -> 'PKIX1Implicit-2009';
get_asn1_module('BasicConstraints') -> 'PKIX1Implicit-2009';
get_asn1_module('ExtKeyUsageSyntax') -> 'PKIX1Implicit-2009';
get_asn1_module('KeyUsage') -> 'PKIX1Implicit-2009';
-get_asn1_module('RSAPublicKey') -> 'PKIXAlgs-2009';
-get_asn1_module('SubjectKeyIdentifier') -> 'CryptographicMessageSyntax-2009';
-
get_asn1_module('Certificate') -> 'PKIX1Explicit-2009';
+get_asn1_module('SubjectAltName') -> 'PKIX1Implicit-2009';
+get_asn1_module('CRLDistributionPoints') -> 'PKIX1Implicit-2009';
+get_asn1_module('CRLReason') -> 'PKIX1Implicit-2009';
+get_asn1_module('CRLNumber') -> 'PKIX1Implicit-2009';
+get_asn1_module('FreshestCRL') -> 'PKIX1Implicit-2009';
+get_asn1_module('IssuingDistributionPoint') -> 'PKIX1Implicit-2009';
+get_asn1_module('GeneralNames') -> 'PKIX1Implicit-2009';
+get_asn1_module('SubjectPublicKeyInfo') -> 'PKIX1Explicit-2009';
get_asn1_module('CertificateList') -> 'PKIX1Explicit-2009';
-get_asn1_module('CertificationRequest') -> 'PKCS-10';
+get_asn1_module('TBSCertList') -> 'PKIX1Explicit-2009';
+get_asn1_module('Name') -> 'PKIX1Explicit-2009';
+get_asn1_module('Validity') -> 'PKIX1Explicit-2009';
+get_asn1_module('RSAPublicKey') -> 'PKIXAlgs-2009';
+get_asn1_module('DSA-Params') -> 'PKIXAlgs-2009';
+get_asn1_module('BasicOCSPResponse') -> 'OCSP-2024-08';
+get_asn1_module('Nonce') -> 'OCSP-2024-08';
+get_asn1_module('OCSPResponse') -> 'OCSP-2024-08';
+get_asn1_module('ResponseData') -> 'OCSP-2024-08';
+get_asn1_module('SubjectKeyIdentifier') -> 'CryptographicMessageSyntax-2009';
get_asn1_module('ContentInfo') -> 'CryptographicMessageSyntax-2009';
+get_asn1_module('CertificationRequest') -> 'PKCS-10';
+get_asn1_module('CertificationRequestInfo') -> 'PKCS-10';
get_asn1_module('CurvePrivateKey') -> 'Safecurves-pkix-18';
-get_asn1_module('DHParameter') -> 'PKCS-3';
get_asn1_module('ECPrivateKey') -> 'ECPrivateKey';
get_asn1_module('ECParameters') -> 'PKIXAlgs-2009';
-get_asn1_module('DSA-Params') -> 'PKIXAlgs-2009';
-get_asn1_module('DSAPrivateKey') -> 'DSS';
get_asn1_module('DSAPublicKey') -> 'PKIXAlgs-2009';
get_asn1_module('ECDSA-Sig-Value') -> 'PKIXAlgs-2009';
-get_asn1_module('RSAPrivateKey') -> 'PKCS-1';
get_asn1_module('RSASSA-PSS-params') -> 'PKIX1-PSS-OAEP-Algorithms-2009';
-get_asn1_module('SubjectPublicKeyInfo') -> 'PKIX1Explicit-2009';
+get_asn1_module('RSAPrivateKey') -> 'PKCS-1';
+get_asn1_module('DHParameter') -> 'PKCS-3';
+get_asn1_module('DSAPrivateKey') -> 'DSS';
+get_asn1_module('Extensions') -> 'OTP-PKIX';
get_asn1_module('OTPTBSCertificate') -> 'OTP-PKIX';
-get_asn1_module('OTPCertificate') -> 'OTP-PKIX';
-get_asn1_module('CRLDistributionPoints') -> 'PKIX1Implicit-2009';
-get_asn1_module('CRLReason') -> 'PKIX1Implicit-2009';
-get_asn1_module('CRLNumber') -> 'PKIX1Implicit-2009';
-get_asn1_module('FreshestCRL') -> 'PKIX1Implicit-2009';
-get_asn1_module('IssuingDistributionPoint') -> 'PKIX1Implicit-2009';
-get_asn1_module('GeneralNames') -> 'PKIX1Implicit-2009'.
-
+get_asn1_module('OTPCertificate') -> 'OTP-PKIX'.
handle_pkcs_frame_error('PrivateKeyInfo', Der, _) ->
try
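Review bot: The added `get_asn1_module('SubjectAltName')` entry looks unreachable from `der_decode/2` and `der_encode/2`, because this commit also adds earlier clauses in both that intercept 'SubjectAltName' and 'FreshestCRL' and route them through pubkey_cert_records. If `get_asn1_module/1` has no other caller for those two names (not visible here), either drop the entries or mark them with `%% handled by the extension clause of der_decode/2 and der_encode/2; kept for other callers`. The reorder also removed the blank-line grouping, so a one-line header per target module, for example `%% PKIX1Implicit-2009`, would keep the table easy to scan.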
@@ -800,6 +815,20 @@ der_encode('Dss-Sig-Value', Entity) ->
error:{badmatch, {error, _}} = Error ->
erlang:error(Error)
end;
+der_encode(Asn1ExtType, Value) when Asn1ExtType == 'SubjectAltName';
+ Asn1ExtType == 'IssuerAltName';
+ Asn1ExtType == 'ExtKeyUsage';
+ Asn1ExtType == 'InhibitAnyPolicy';
+ Asn1ExtType == 'FreshestCRL';
+ Asn1ExtType == 'AuthorityInfoAccess';
+ Asn1ExtType == 'DeltaCRLIndicator';
+ Asn1ExtType == 'CertificateIssuer';
+ Asn1ExtType == 'HoldInstructionCode';
+ Asn1ExtType == 'InvalidityDate' ->
+ Oid = pubkey_cert_records:ext_oid(Asn1ExtType),
+ [#'Extension'{extnValue = Encoded}] =
+ pubkey_cert_records:encode_extensions([#'Extension'{extnID = Oid, extnValue = Value}]),
+ Encoded;
der_encode(Asn1Type, Entity0) when is_atom(Asn1Type) ->
Asn1Module = get_asn1_module(Asn1Type),
try
@@ -2753,7 +2782,7 @@ format_field(prime_field, Params0) ->
{prime_field, Prime}.
ec_key({PubKey, PrivateKey}, Params) ->
- #'ECPrivateKey'{version = 1,
+ #'ECPrivateKey'{version = ecPrivkeyVer1,
privateKey = PrivateKey,
parameters = Params,
publicKey = PubKey}.
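Review bot: Changing `version = 1` to `version = ecPrivkeyVer1` in `ec_key/2` alters the record that generated keys carry, so existing callers that match `#'ECPrivateKey'{version = 1}` on a freshly generated key will stop matching. The guide change in this commit says decode returns the atom and encode accepts both forms, and a comment here would make the intent clear: `%% version is the ASN.1 enumeration atom, the same form decoding returns; encoding also accepts 1`. A release-note entry for the changed value would help users who compare generated and stored keys.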
--
2.43.0