| -rw-r--r-- | lib/public_key/src/public_key.erl | 17 | ||||
| -rw-r--r-- | lib/public_key/test/public_key_SUITE.erl | 39 |
2 files changed, 44 insertions, 12 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 597aca35d5..8c8b5585a0 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -992,10 +992,19 @@ pkix_path_validation(TrustedCert, CertChain, Options) pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options) when is_list(CertChain), is_list(Options) -> MaxPathDefault = length(CertChain), - ValidationState = pubkey_cert:init_validation_state(TrustedCert, - MaxPathDefault, - Options), - path_validation(CertChain, ValidationState). + {VerifyFun, Userstat0} = + proplists:get_value(verify_fun, Options, ?DEFAULT_VERIFYFUN), + try pubkey_cert:validate_time(TrustedCert, Userstat0, VerifyFun) of + Userstate1 -> + ValidationState = pubkey_cert:init_validation_state(TrustedCert, + MaxPathDefault, + [{verify_fun, {VerifyFun, Userstate1}} | + proplists:delete(verify_fun, Options)]), + path_validation(CertChain, ValidationState) + catch + throw:{bad_cert, cert_expired} = Reason -> + {error, Reason} + end. %-------------------------------------------------------------------- -spec pkix_crls_validate(OTPcertificate, DPandCRLs, Options) -> diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index 348e0daa62..cf3b5ea0c8 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -1,4 +1,3 @@ - %% %% %CopyrightBegin% %% @@ -85,6 +84,8 @@ pkix_emailaddress/1, pkix_path_validation/0, pkix_path_validation/1, + pkix_path_validation_root_expired/0, + pkix_path_validation_root_expired/1, pkix_verify_hostname_cn/1, pkix_verify_hostname_subjAltName/1, pkix_verify_hostname_options/1, 
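Review bot: The new `catch` clause in the `#'OTPCertificate'{}` clause of `pkix_path_validation/3` matches only `throw:{bad_cert, cert_expired}`, which may be narrower than the reasons a user-supplied `verify_fun` can fail with. `pubkey_cert:validate_time/3` is not shown on this page, but if it passes the expiry to the `verify_fun` and throws whatever reason the callback fails with, a callback that rejects the expired trust anchor with its own reason would escape as an uncaught throw rather than an `{error, Reason}` tuple like the one returned for `cert_expired`. Matching the whole family, `throw:{bad_cert, _} = Reason -> {error, Reason}`, would keep the failure path uniform for callers that branch on the error tuple during certificate verification. The earlier clauses of the function lie outside the hunk.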
@@ -126,12 +127,18 @@ suite() -> []. all() -> - [app, appup, + [app, + appup, {group, pem_decode_encode}, encrypt_decrypt, {group, sign_verify}, - pkix, pkix_countryname, pkix_emailaddress, pkix_path_validation, - pkix_iso_rsa_oid, pkix_iso_dsa_oid, + pkix, + pkix_countryname, + pkix_emailaddress, + pkix_path_validation, + pkix_path_validation_root_expired, + pkix_iso_rsa_oid, + pkix_iso_dsa_oid, pkix_dsa_sha2_oid, pkix_crl, pkix_hash_type, @@ -142,7 +149,8 @@ all() -> pkix_verify_hostname_options, pkix_test_data_all_default, pkix_test_data, - short_cert_issuer_hash, short_crl_issuer_hash + short_cert_issuer_hash, + short_crl_issuer_hash ]. groups() -> @@ -737,9 +745,24 @@ pkix_path_validation(Config) when is_list(Config) -> {error, custom_reason} = public_key:pkix_path_validation(selfsigned_peer, [Trusted], [{verify_fun, - VerifyFunAndState2}]), - ok. - + VerifyFunAndState2}]). +pkix_path_validation_root_expired() -> + [{doc, "Test root expiration so that it does not fall between chairs"}]. +pkix_path_validation_root_expired(Config) when is_list(Config) -> + {Year, Month, Day} = date(), + SRoot = public_key:pkix_test_root_cert("OTP test server ROOT", [{validity, {{Year-2, Month, Day}, + {Year-1, Month, Day}}}]), + #{server_config := Conf} = public_key:pkix_test_data(#{server_chain => #{root => SRoot, + intermediates => [], + peer => []}, + client_chain => #{root => [], + intermediates => [], + peer => []}}), + [ICA, Root] = proplists:get_value(cacerts, Conf), + true = public_key:pkix_is_self_signed(Root), + Peer = proplists:get_value(cert, Conf), + {error, {bad_cert, cert_expired}} = public_key:pkix_path_validation(Root, [ICA, Peer], []). + %%-------------------------------------------------------------------- %% To generate the PEM file contents: %% |
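Review bot: In `pkix_path_validation_root_expired/1` the validity window is built by subtracting from the year of `date()` while keeping month and day, so on 29 February the tuples `{Year-2, 2, 29}` and `{Year-1, 2, 29}` name days that do not exist. How `public_key:pkix_test_root_cert/2` treats such a tuple is not visible here, so the test may fail or build an unintended certificate on that day. Deriving both bounds from a day count avoids it: `Days = calendar:date_to_gregorian_days(date())`, then `{calendar:gregorian_days_to_date(Days - 730), calendar:gregorian_days_to_date(Days - 365)}` as the `validity` value. The test also passes `[]` as options, so only the default `verify_fun` is exercised; a second case with a callback that accepts or rejects the expired root would cover the user-state threading added in `public_key.erl`.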
