Skip to content

Commit

Permalink
Merge branch 'ingela/ssl/unsupported_cert/OTP-19091' into maint
Browse files Browse the repository at this point in the history 
* ingela/ssl/unsupported_cert/OTP-19091:
  ssl: Enhance alert handling
  • Loading branch information
@IngelaAndin
IngelaAndin committed May 21, 2024
2 parents d3cdc29 + d5b65fb commit dff05a8
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 8 deletions.
14 changes: 7 additions & 7 deletions lib/ssl/src/ssl_certificate.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ validate(Issuer, {bad_cert, cert_expired}, #{issuer := Issuer}, _LogLevel) ->
validate(_, {bad_cert, _} = Reason, _, _LogLevel) ->
{fail, Reason};
validate(Cert, valid, #{path_len := N} = UserState, LogLevel) ->
case verify_sign(Cert, UserState) of
case verify_sign_support(Cert, UserState) of
true ->
case maps:get(cert_ext, UserState, undefined) of
undefined ->
Expand All @@ -230,7 +230,7 @@ validate(Cert, valid, #{path_len := N} = UserState, LogLevel) ->
LogLevel)
end;
false ->
{fail, {bad_cert, invalid_signature}}
{fail, {bad_cert, unsupported_signature}}
end;
validate(Cert, valid_peer, UserState = #{role := client, server_name := Hostname,
customize_hostname_check := Customize},
Expand Down Expand Up @@ -637,22 +637,22 @@ verify_cert_extensions(Cert, UserState, [_|Exts], Context, LogLevel) ->
%% Skip unknown extensions!
verify_cert_extensions(Cert, UserState, Exts, Context, LogLevel).

verify_sign(_, #{version := Version})
verify_sign_support(_, #{version := Version})
when ?TLS_LT(Version, ?TLS_1_2) ->
%% This verification is not applicable pre TLS-1.2
true;
verify_sign(Cert, #{version := ?TLS_1_2,
verify_sign_support(Cert, #{version := ?TLS_1_2,
signature_algs := SignAlgs,
signature_algs_cert := undefined}) ->
is_supported_signature_algorithm_1_2(Cert, SignAlgs);
verify_sign(Cert, #{version := ?TLS_1_2,
verify_sign_support(Cert, #{version := ?TLS_1_2,
signature_algs_cert := SignAlgs}) ->
is_supported_signature_algorithm_1_2(Cert, SignAlgs);
verify_sign(Cert, #{version := ?TLS_1_3,
verify_sign_support(Cert, #{version := ?TLS_1_3,
signature_algs := SignAlgs,
signature_algs_cert := undefined}) ->
is_supported_signature_algorithm_1_3(Cert, SignAlgs);
verify_sign(Cert, #{version := ?TLS_1_3,
verify_sign_support(Cert, #{version := ?TLS_1_3,
signature_algs_cert := SignAlgs}) ->
is_supported_signature_algorithm_1_3(Cert, SignAlgs).

Expand Down
2 changes: 2 additions & 0 deletions lib/ssl/src/ssl_handshake.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2160,6 +2160,8 @@ path_validation_alert({bad_cert, invalid_issuer}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
path_validation_alert({bad_cert, invalid_signature}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
path_validation_alert({bad_cert, unsupported_signature}) ->
?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
path_validation_alert({bad_cert, name_not_permitted}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
path_validation_alert({bad_cert, unknown_critical_extension}) ->
Expand Down
2 changes: 1 addition & 1 deletion lib/ssl/test/ssl_cert_SUITE.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1224,7 +1224,7 @@ unsupported_sign_algo_cert_client_auth(Config) ->
'tlsv1.3' ->
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required);
_ ->
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate)
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, unsupported_certificate)
end.

%%--------------------------------------------------------------------
Expand Down

0 comments on commit dff05a8

Please sign in to comment.