File 4071-ssl-Fix-cert_auth-check.patch of Package erlang
From a2c991362e81c5e7ea645d07ff644162496f0ad0 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 11 Apr 2024 09:00:38 +0200
Subject: [PATCH] ssl: Fix cert_auth check

Include also end entity cert when selecting issuers for cert_auth extension check

Closes #8356
---
 lib/ssl/src/ssl_certificate.erl | 8 ++++----
 lib/ssl/test/ssl_cert_SUITE.erl | 24 +++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 2e2b43f564..91902801f5 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -315,8 +315,8 @@ handle_cert_auths(Chain, [], _, _) ->
 {ok, Chain};
 handle_cert_auths([Cert], CertAuths, CertDbHandle, CertDbRef) ->
 case certificate_chain(Cert, CertDbHandle, CertDbRef, [], both) of
- {ok, {_, [Cert | _] = EChain}, {_, [_ | DCerts]}} ->
- case cert_auth_member(cert_issuers(DCerts), CertAuths) of
+ {ok, {_, [Cert | _] = EChain}, _} ->
+ case cert_auth_member(cert_issuers(EChain), CertAuths) of
 true ->
 {ok, EChain};
 false ->
@@ -325,8 +325,8 @@ handle_cert_auths([Cert], CertAuths, CertDbHandle, CertDbRef) ->
 _ ->
 {ok, [Cert]}
 end;
-handle_cert_auths([_ | Certs] = EChain, CertAuths, _, _) ->
- case cert_auth_member(cert_issuers(Certs), CertAuths) of
+handle_cert_auths([_ | _] = EChain, CertAuths, _, _) ->
+ case cert_auth_member(cert_issuers(EChain), CertAuths) of
 true ->
 {ok, EChain};
 false ->
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index 315c0e20b1..19adfb5d8d 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
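Review bot: In lib/ssl/src/ssl_certificate.erl, both changed clauses of handle_cert_auths now pass the whole chain to cert_issuers, but nothing in the code says why the end-entity certificate must be included; this applies to the `@@ -315,8` hunk and equally to the `@@ -325,8` hunk. A one-line comment above each `case` would keep a later cleanup from dropping the head of the chain again, for example `%% Include the end-entity cert: its issuer is the first CA and may be the only one named in CertAuths`. The unchanged `_ -> {ok, [Cert]}` branch still returns the certificate without consulting CertAuths whenever certificate_chain does not yield a chain headed by Cert; whether that is intended cannot be judged from these lines. cert_issuers and cert_auth_member are defined outside both hunks.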
@@ -125,7 +125,9 @@
 signature_algorithms_bad_curve_secp521r1/0,
 signature_algorithms_bad_curve_secp521r1/1,
 server_certificate_authorities_disabled/0,
- server_certificate_authorities_disabled/1
+ server_certificate_authorities_disabled/1,
+ cert_auth_in_first_ca/0,
+ cert_auth_in_first_ca/1
 ]).
 
 %%--------------------------------------------------------------------
@@ -191,6 +193,7 @@ tls_1_3_tests() ->
 hello_retry_request,
 custom_groups,
 client_auth_no_suitable_chain,
+ cert_auth_in_first_ca,
 hello_retry_client_auth,
 hello_retry_client_auth_empty_cert_accepted,
 hello_retry_client_auth_empty_cert_rejected,
@@ -981,6 +984,25 @@ key_auth_ext_sign_only(Config) when is_list(Config) ->
 ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
 
 %%--------------------------------------------------------------------
+cert_auth_in_first_ca() ->
+ [{doc,"Test cert auth will be available in first ca in chain, make it happen by only having one"}].
+cert_auth_in_first_ca(Config) when is_list(Config) ->
+ #{server_config := ServerOpts0,
+ client_config := ClientOpts0} =
+ public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}],
+ intermediates => [[]],
+ peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]},
+ client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}],
+ intermediates => [[]],
+ peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}),
+ ClientOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(extra_client, client_cert_opts, Config)],
+ ServerOpts = [{verify, verify_peer} | ssl_test_lib:ssl_options(extra_server, server_cert_opts, Config)],
+
+ ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
+%%--------------------------------------------------------------------
+
+
 longer_chain() ->
 [{doc,"Test depth option"}].
 longer_chain(Config) when is_list(Config) ->
-- 
2.35.3
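Review bot: cert_auth_in_first_ca binds `ServerOpts0` and `ClientOpts0` from public_key:pkix_test_data but never uses them; ClientOpts and ServerOpts are built from Config through ssl_test_lib:ssl_options, so the single-intermediate chains generated in the test do not reach the handshake. As written the test appears to exercise whatever certificates the group configuration holds rather than the case the fix targets, and the compiler will warn about the two unused variables. Building the options from the generated data, e.g. `ClientOpts = [{verify, verify_peer} | ClientOpts0]` and `ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} | ServerOpts0]`, would tie the test to the intended chain. Without `fail_if_no_peer_cert` the handshake may still succeed when the client finds no suitable chain and sends no certificate, which would let the test pass without the fix. Version and other group options from Config may still need to be merged in.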