summaryrefslogtreecommitdiff
path: root/src/x509.erl
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2014-11-05 13:02:16 +0100
committerLinus Nordberg <linus@nordberg.se>2014-11-05 13:02:52 +0100
commit3ef550cb6f1e8ac7e4142cc1620eb36be747b30d (patch)
tree2784673f9180b20dcc281a4be0fb96f1aa8ba7d1 /src/x509.erl
parentf7939d1a4cf928440c5db3443283d4f149d30936 (diff)
Log some info about certs that don't parse and why.
Also move x509 specific code to the x509 module.
Diffstat (limited to 'src/x509.erl')
-rw-r--r--src/x509.erl24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/x509.erl b/src/x509.erl
index a784354..5a96a29 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -2,7 +2,7 @@
%%% See LICENSE for licensing information.
-module(x509).
--export([normalise_chain/2, cert_string/1]).
+-export([normalise_chain/2, cert_string/1, valid_cert_p/1]).
-include_lib("public_key/include/public_key.hrl").
@@ -73,8 +73,9 @@ signed_by_p(Cert, IssuerCert) ->
%% FIXME: Validate presence and contents (against constraints) of
%% names (subject, subjectAltName, emailAddress) too?
case (catch public_key:pkix_is_issuer(Cert, IssuerCert)) of
- {'EXIT', _Reason} ->
- %% Invalid ASN.1.
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Cert)), Reason]),
{false, encoding_invalid};
true ->
%% Cert.issuer does match IssuerCert.subject. Now verify
@@ -101,6 +102,23 @@ cert_string(Der) ->
lists:flatten([io_lib:format("~2.16.0B", [X]) ||
X <- binary_to_list(crypto:hash(sha, Der))]).
+valid_cert_p(Der) ->
+ %% Use the customized ASN.1 specification "OTP-PKIX.asn1" since
+ %% that's what's required for public_key functions we're using
+ %% (pkix_verify, public_key:pkix_is_issuer).
+ case (catch public_key:pkix_decode_cert(Der, otp)) of
+ #'OTPCertificate'{} ->
+ true;
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Reason]),
+ false;
+ Unknown ->
+ lager:info("unknown error decoding cert: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Unknown]),
+ false
+ end.
+
%%%%%%%%%%%%%%%%%%%%
%% Precertificates according to draft-ietf-trans-rfc6962-bis-04.