ssl: Enhance alert handling

Make it easier to distinguish between a invalid signature and unsupported signature Closes #8466
erlang · May 14, 2024 · d5b65fb · d5b65fb
1 parent 412bff5
commit d5b65fb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
@@ -222,7 +222,7 @@ validate(Issuer, {bad_cert, cert_expired}, #{issuer := Issuer}) ->
 validate(_, {bad_cert, _} = Reason, _) ->
     {fail, Reason};
 validate(Cert, valid, #{path_len := N} = UserState) ->
-    case verify_sign(Cert, UserState) of
+    case verify_sign_support(Cert, UserState) of
         true ->
             case maps:get(cert_ext, UserState, undefined) of
                 undefined ->
@@ -231,7 +231,7 @@ validate(Cert, valid, #{path_len := N} = UserState) ->
                     verify_cert_extensions(Cert, UserState#{path_len => N-1})
             end;
         false ->
-            {fail, {bad_cert, invalid_signature}}
+            {fail, {bad_cert, unsupported_signature}}
     end;
 validate(Cert, valid_peer, UserState = #{role := client, server_name := Hostname, 
                                          customize_hostname_check := Customize}) when Hostname =/= disable ->
@@ -592,22 +592,22 @@ verify_cert_extensions(Cert, UserState, [_|Exts], Context) ->
     %% Skip unknown extensions!
     verify_cert_extensions(Cert, UserState, Exts, Context).
 
-verify_sign(_, #{version := Version})
+verify_sign_support(_, #{version := Version})
             when ?TLS_LT(Version, ?TLS_1_2) ->
     %% This verification is not applicable pre TLS-1.2 
     true; 
-verify_sign(Cert, #{version := ?TLS_1_2,
+verify_sign_support(Cert, #{version := ?TLS_1_2,
                     signature_algs := SignAlgs,
                     signature_algs_cert := undefined}) ->
     is_supported_signature_algorithm_1_2(Cert, SignAlgs);
-verify_sign(Cert, #{version := ?TLS_1_2,
+verify_sign_support(Cert, #{version := ?TLS_1_2,
                     signature_algs_cert := SignAlgs}) ->
     is_supported_signature_algorithm_1_2(Cert, SignAlgs);
-verify_sign(Cert, #{version := ?TLS_1_3,
+verify_sign_support(Cert, #{version := ?TLS_1_3,
                     signature_algs := SignAlgs,
                     signature_algs_cert := undefined}) ->
     is_supported_signature_algorithm_1_3(Cert, SignAlgs);
-verify_sign(Cert, #{version := ?TLS_1_3,
+verify_sign_support(Cert, #{version := ?TLS_1_3,
                     signature_algs_cert := SignAlgs}) ->
     is_supported_signature_algorithm_1_3(Cert, SignAlgs).
 

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
@@ -2111,6 +2111,8 @@ path_validation_alert({bad_cert, invalid_issuer}) ->
     ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
 path_validation_alert({bad_cert, invalid_signature}) ->
     ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
+path_validation_alert({bad_cert, unsupported_signature}) ->
+    ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
 path_validation_alert({bad_cert, name_not_permitted}) ->
     ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
 path_validation_alert({bad_cert, unknown_critical_extension}) ->

diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -1216,7 +1216,7 @@ unsupported_sign_algo_cert_client_auth(Config) ->
         'tlsv1.3' ->
             ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required);
         _  ->
-            ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate)
+            ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, unsupported_certificate)
     end.
 
 %%--------------------------------------------------------------------