diff options
-rw-r--r-- | src/catlfish.erl | 14 | ||||
-rw-r--r-- | src/x509.erl | 24 |
2 files changed, 27 insertions, 11 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl index 5d96278..3ca190a 100644 --- a/src/catlfish.erl +++ b/src/catlfish.erl @@ -216,7 +216,9 @@ ders_from_pemfiles(Dir, Filenames) -> ders_from_pemfile(Filename) -> Pems = case (catch public_key:pem_decode(pems_from_file(Filename))) of - {'EXIT', _} -> []; + {'EXIT', Reason} -> + lager:info("badly encoded cert in ~p: ~p", [Filename, Reason]), + []; P -> P end, [der_from_pem(X) || X <- Pems]. @@ -225,13 +227,9 @@ ders_from_pemfile(Filename) -> der_from_pem(Pem) -> case Pem of {_Type, Der, not_encrypted} -> - case (catch public_key:pkix_decode_cert(Der, otp)) of - {'EXIT', _} -> - []; - #'OTPCertificate'{} -> - Der; - _Unknown -> - [] + case x509:valid_cert_p(Der) of + true -> Der; + false -> [] end; _ -> [] end. diff --git a/src/x509.erl b/src/x509.erl index a784354..5a96a29 100644 --- a/src/x509.erl +++ b/src/x509.erl @@ -2,7 +2,7 @@ %%% See LICENSE for licensing information. -module(x509). --export([normalise_chain/2, cert_string/1]). +-export([normalise_chain/2, cert_string/1, valid_cert_p/1]). -include_lib("public_key/include/public_key.hrl"). @@ -73,8 +73,9 @@ signed_by_p(Cert, IssuerCert) -> %% FIXME: Validate presence and contents (against constraints) of %% names (subject, subjectAltName, emailAddress) too? case (catch public_key:pkix_is_issuer(Cert, IssuerCert)) of - {'EXIT', _Reason} -> - %% Invalid ASN.1. + {'EXIT', Reason} -> + lager:info("invalid certificate: ~p: ~p", + [mochihex:to_hex(crypto:hash(sha, Cert)), Reason]), {false, encoding_invalid}; true -> %% Cert.issuer does match IssuerCert.subject. Now verify @@ -101,6 +102,23 @@ cert_string(Der) -> lists:flatten([io_lib:format("~2.16.0B", [X]) || X <- binary_to_list(crypto:hash(sha, Der))]). +valid_cert_p(Der) -> + %% Use the customized ASN.1 specification "OTP-PKIX.asn1" since + %% that's what's required for public_key functions we're using + %% (pkix_verify, public_key:pkix_is_issuer). + case (catch public_key:pkix_decode_cert(Der, otp)) of + #'OTPCertificate'{} -> + true; + {'EXIT', Reason} -> + lager:info("invalid certificate: ~p: ~p", + [mochihex:to_hex(crypto:hash(sha, Der)), Reason]), + false; + Unknown -> + lager:info("unknown error decoding cert: ~p: ~p", + [mochihex:to_hex(crypto:hash(sha, Der)), Unknown]), + false + end. + %%%%%%%%%%%%%%%%%%%% %% Precertificates according to draft-ietf-trans-rfc6962-bis-04. |