From f98f39ea2e9ae9d701f79de1b45e21fa0e5fd995 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Fri, 20 Mar 2015 16:54:30 +0100 Subject: WIP, actually working too --- src/x509.erl | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/x509.erl b/src/x509.erl index d088624..5abd853 100644 --- a/src/x509.erl +++ b/src/x509.erl @@ -296,22 +296,29 @@ set_issuer_and_authkeyid(TBSCert, -spec is_precert_signer(#'Certificate'{}) -> boolean(). is_precert_signer(#'Certificate'{tbsCertificate = TBSCert}) -> Extensions = pubkey_cert:extensions_list(TBSCert#'TBSCertificate'.extensions), + %% NOTE: It's OK to look at only the first extension found since + %% "A certificate MUST NOT include more than one instance of a + %% particular extension." --RFC5280 Sect 4.2 case pubkey_cert:select_extension(?'id-ce-extKeyUsage', Extensions) of - #'Extension'{extnValue = [_|?CA_POISON_OID]} -> - case pubkey_cert:select_extension(?'id-ce-basicConstraints', - Extensions) of - #'Extension'{critical = true, - extnValue = #'BasicConstraints'{cA = true}} -> - lager:debug("found precert signer", []), - true; - E -> - lager:debug("found poisonous ca oid but cA != true: ~p", - [E]), - false + #'Extension'{extnValue = Val} -> + case 'OTP-PUB-KEY':decode('ExtKeyUsageSyntax', Val) of + %% NOTE: We require that the poisoned OID is the + %% _only_ extkeyusage present. RFC6962 Sect 3.1 is not + %% really clear. + {ok, [?CA_POISON_OID]} -> is_ca(TBSCert); + _ -> false end; - E -> - lager:debug("didn't find poisonous ca oid, only ~p", [E]), - false + _ -> false + end. + +is_ca(#'TBSCertificate'{extensions = Extensions}) -> + case pubkey_cert:select_extension(?'id-ce-basicConstraints', Extensions) of + #'Extension'{critical = true, extnValue = Val} -> + case 'OTP-PUB-KEY':decode('BasicConstraints', Val) of + {ok, {'BasicConstraints', true, _}} -> true; + _ -> false + end; + _ -> false end. -spec remove_poison_ext(#'Certificate'{}) -> #'TBSCertificate'{}. -- cgit v1.1