From ab8fa9c0da53e321da7706c9aba2f549f95df349 Mon Sep 17 00:00:00 2001
From: Marcin Sikora
Date: Sun, 3 May 2020 19:05:40 +0200
Subject: Use user returned path validation error for selfsigned cert; It
allows user to trigger different TLS alerts than Bad Certificate for path
validation erros
---
lib/public_key/src/public_key.erl | 4 ++--
lib/public_key/test/public_key_SUITE.erl | 13 +++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 996cf9db2c..a47b7148e7 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -928,8 +928,8 @@ pkix_path_validation(PathErr, [Cert | Chain], Options0) when is_atom(PathErr)->
Options = proplists:delete(verify_fun, Options0),
pkix_path_validation(Otpcert, Chain, [{verify_fun,
{VerifyFun, Userstate}}| Options]);
- {fail, _} ->
- {error, Reason}
+ {fail, UserReason} ->
+ {error, UserReason}
catch
_:_ ->
{error, Reason}
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 97a1f14de9..1fd1d2fa76 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -586,6 +586,19 @@ pkix_path_validation(Config) when is_list(Config) ->
{ok, _} =
public_key:pkix_path_validation(unknown_ca, [Cert1], [{verify_fun,
VerifyFunAndState1}]),
+
+ VerifyFunAndState2 =
+ {fun(_, {bad_cert, selfsigned_peer}, _UserState) ->
+ {fail, custom_reason};
+ (_,{extension, _}, UserState) ->
+ {unknown, UserState};
+ (_, valid, UserState) ->
+ {valid, UserState}
+ end, []},
+
+ {error, custom_reason} =
+ public_key:pkix_path_validation(selfsigned_peer, [Trusted], [{verify_fun,
+ VerifyFunAndState2}]),
ok.
%%--------------------------------------------------------------------
--
cgit v1.2.1
From 4791320f00f4727e101e5e2623bd8c106997f194 Mon Sep 17 00:00:00 2001
From: Marcin Sikora
Date: Sun, 17 May 2020 20:20:22 +0200
Subject: Add documentation describing changed behavior.
---
lib/public_key/doc/src/public_key.xml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 0633eeae8f..dc81e6764c 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -448,6 +448,10 @@ fun(OtpCert :: #'OTPCertificate'{},
verifying application-specific extensions. If called with an
extension unknown to the user application, the return value
{unknown, UserState} is to be used.
+
+ Note that user defined custom verify_fun may alter original
+ path validation error (e.g selfsigned_peer). Use with caution.
+
{max_path_length, integer()}
--
cgit v1.2.1
--
cgit v1.2.1
From b756880e6bb3c56c20e7c9ad8325ef2c75628552 Mon Sep 17 00:00:00 2001
From: Marcin Sikora
Date: Tue, 19 May 2020 20:37:02 +0200
Subject: Use warning instead of note.
---
lib/public_key/doc/src/public_key.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index dc81e6764c..9c5aaa9812 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -448,10 +448,10 @@ fun(OtpCert :: #'OTPCertificate'{},
verifying application-specific extensions. If called with an
extension unknown to the user application, the return value
{unknown, UserState} is to be used.
-
- Note that user defined custom verify_fun may alter original
+
+ Note that user defined custom verify_fun may alter original
path validation error (e.g selfsigned_peer). Use with caution.
-
+
{max_path_length, integer()}
--
cgit v1.2.1