-rw-r--r--src/x509.erl35
1 files changed, 21 insertions, 14 deletions
diff --git a/src/x509.erl b/src/x509.erl
index d088624..5abd853 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -296,22 +296,29 @@ set_issuer_and_authkeyid(TBSCert,
-spec is_precert_signer(#'Certificate'{}) -> boolean().
is_precert_signer(#'Certificate'{tbsCertificate = TBSCert}) ->
Extensions = pubkey_cert:extensions_list(TBSCert#'TBSCertificate'.extensions),
+ %% NOTE: It's OK to look at only the first extension found since
+ %% "A certificate MUST NOT include more than one instance of a
+ %% particular extension." --RFC5280 Sect 4.2
case pubkey_cert:select_extension(?'id-ce-extKeyUsage', Extensions) of
- #'Extension'{extnValue = [_|?CA_POISON_OID]} ->
- case pubkey_cert:select_extension(?'id-ce-basicConstraints',
- Extensions) of
- #'Extension'{critical = true,
- extnValue = #'BasicConstraints'{cA = true}} ->
- lager:debug("found precert signer", []),
- true;
- E ->
- lager:debug("found poisonous ca oid but cA != true: ~p",
- [E]),
- false
+ #'Extension'{extnValue = Val} ->
+ case 'OTP-PUB-KEY':decode('ExtKeyUsageSyntax', Val) of
+ %% NOTE: We require that the poisoned OID is the
+ %% _only_ extkeyusage present. RFC6962 Sect 3.1 is not
+ %% really clear.
+ {ok, [?CA_POISON_OID]} -> is_ca(TBSCert);
+ _ -> false
end;
- E ->
- lager:debug("didn't find poisonous ca oid, only ~p", [E]),
- false
+ _ -> false
+ end.
+
+is_ca(#'TBSCertificate'{extensions = Extensions}) ->
+ case pubkey_cert:select_extension(?'id-ce-basicConstraints', Extensions) of
+ #'Extension'{critical = true, extnValue = Val} ->
+ case 'OTP-PUB-KEY':decode('BasicConstraints', Val) of
+ {ok, {'BasicConstraints', true, _}} -> true;
+ _ -> false
+ end;
+ _ -> false
end.
-spec remove_poison_ext(#'Certificate'{}) -> #'TBSCertificate'{}.
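Review bot: The new `is_ca/1` looks up basicConstraints in the raw `extensions` field of the `#'TBSCertificate'{}`, while its only caller `is_precert_signer/1` has already normalised that field through `pubkey_cert:extensions_list/1` three lines earlier; the two lookups should go through the same list, so change the call to `{ok, [?CA_POISON_OID]} -> is_ca(Extensions);` and the head to `is_ca(Extensions) ->` (or keep the record argument but route it through `extensions_list/1`), which also removes any dependence on how `select_extension/2` treats a non-list field value. A `-spec is_ca(...) -> boolean().` would keep the new function consistent with the spec'd `is_precert_signer/1` above it. In the inner `case` of `is_ca/1`, `{ok, #'BasicConstraints'{cA = true}} -> true;` reads more clearly than the positional tuple `{'BasicConstraints', true, _}` and does not silently break if the record layout changes. Both `_ -> false` fallbacks also fold a `{error, _}` from `'OTP-PUB-KEY':decode/2` into the same result as a well-formed non-CA certificate; the old code logged the non-matching value, and a debug line for the decode-error branch (e.g. `{error, Reason} -> lager:debug("could not decode extension: ~p", [Reason]), false;`) would preserve that diagnostic.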