From ab8fa9c0da53e321da7706c9aba2f549f95df349 Mon Sep 17 00:00:00 2001 From: Marcin Sikora Date: Sun, 3 May 2020 19:05:40 +0200 Subject: Use user returned path validation error for selfsigned cert; It allows user to trigger different TLS alerts than Bad Certificate for path validation erros --- lib/public_key/src/public_key.erl | 4 ++-- lib/public_key/test/public_key_SUITE.erl | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 996cf9db2c..a47b7148e7 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -928,8 +928,8 @@ pkix_path_validation(PathErr, [Cert | Chain], Options0) when is_atom(PathErr)-> Options = proplists:delete(verify_fun, Options0), pkix_path_validation(Otpcert, Chain, [{verify_fun, {VerifyFun, Userstate}}| Options]); - {fail, _} -> - {error, Reason} + {fail, UserReason} -> + {error, UserReason} catch _:_ -> {error, Reason} diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index 97a1f14de9..1fd1d2fa76 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -586,6 +586,19 @@ pkix_path_validation(Config) when is_list(Config) -> {ok, _} = public_key:pkix_path_validation(unknown_ca, [Cert1], [{verify_fun, VerifyFunAndState1}]), + + VerifyFunAndState2 = + {fun(_, {bad_cert, selfsigned_peer}, _UserState) -> + {fail, custom_reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} + end, []}, + + {error, custom_reason} = + public_key:pkix_path_validation(selfsigned_peer, [Trusted], [{verify_fun, + VerifyFunAndState2}]), ok. %%-------------------------------------------------------------------- -- cgit v1.2.1 From 4791320f00f4727e101e5e2623bd8c106997f194 Mon Sep 17 00:00:00 2001 From: Marcin Sikora Date: Sun, 17 May 2020 20:20:22 +0200 Subject: Add documentation describing changed behavior. --- lib/public_key/doc/src/public_key.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index 0633eeae8f..dc81e6764c 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -448,6 +448,10 @@ fun(OtpCert :: #'OTPCertificate'{}, verifying application-specific extensions. If called with an extension unknown to the user application, the return value {unknown, UserState} is to be used.

+

+ Note that user defined custom verify_fun may alter original + path validation error (e.g selfsigned_peer). Use with caution. +

{max_path_length, integer()} -- cgit v1.2.1 -- cgit v1.2.1 From b756880e6bb3c56c20e7c9ad8325ef2c75628552 Mon Sep 17 00:00:00 2001 From: Marcin Sikora Date: Tue, 19 May 2020 20:37:02 +0200 Subject: Use warning instead of note. --- lib/public_key/doc/src/public_key.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index dc81e6764c..9c5aaa9812 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -448,10 +448,10 @@ fun(OtpCert :: #'OTPCertificate'{}, verifying application-specific extensions. If called with an extension unknown to the user application, the return value {unknown, UserState} is to be used.

-

- Note that user defined custom verify_fun may alter original +

+ Note that user defined custom verify_fun may alter original path validation error (e.g selfsigned_peer). Use with caution. -

+

{max_path_length, integer()} -- cgit v1.2.1