summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordberg.se>2014-11-05 13:02:16 +0100
committerLinus Nordberg <linus@nordberg.se>2014-11-05 13:02:52 +0100
commit3ef550cb6f1e8ac7e4142cc1620eb36be747b30d (patch)
tree2784673f9180b20dcc281a4be0fb96f1aa8ba7d1 /src
parentf7939d1a4cf928440c5db3443283d4f149d30936 (diff)
Log some info about certs that don't parse and why.
Also move x509 specific code to the x509 module.
Diffstat (limited to 'src')
-rw-r--r--src/catlfish.erl14
-rw-r--r--src/x509.erl24
2 files changed, 27 insertions, 11 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl
index 5d96278..3ca190a 100644
--- a/src/catlfish.erl
+++ b/src/catlfish.erl
@@ -216,7 +216,9 @@ ders_from_pemfiles(Dir, Filenames) ->
ders_from_pemfile(Filename) ->
Pems = case (catch public_key:pem_decode(pems_from_file(Filename))) of
- {'EXIT', _} -> [];
+ {'EXIT', Reason} ->
+ lager:info("badly encoded cert in ~p: ~p", [Filename, Reason]),
+ [];
P -> P
end,
[der_from_pem(X) || X <- Pems].
@@ -225,13 +227,9 @@ ders_from_pemfile(Filename) ->
der_from_pem(Pem) ->
case Pem of
{_Type, Der, not_encrypted} ->
- case (catch public_key:pkix_decode_cert(Der, otp)) of
- {'EXIT', _} ->
- [];
- #'OTPCertificate'{} ->
- Der;
- _Unknown ->
- []
+ case x509:valid_cert_p(Der) of
+ true -> Der;
+ false -> []
end;
_ -> []
end.
diff --git a/src/x509.erl b/src/x509.erl
index a784354..5a96a29 100644
--- a/src/x509.erl
+++ b/src/x509.erl
@@ -2,7 +2,7 @@
%%% See LICENSE for licensing information.
-module(x509).
--export([normalise_chain/2, cert_string/1]).
+-export([normalise_chain/2, cert_string/1, valid_cert_p/1]).
-include_lib("public_key/include/public_key.hrl").
@@ -73,8 +73,9 @@ signed_by_p(Cert, IssuerCert) ->
%% FIXME: Validate presence and contents (against constraints) of
%% names (subject, subjectAltName, emailAddress) too?
case (catch public_key:pkix_is_issuer(Cert, IssuerCert)) of
- {'EXIT', _Reason} ->
- %% Invalid ASN.1.
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Cert)), Reason]),
{false, encoding_invalid};
true ->
%% Cert.issuer does match IssuerCert.subject. Now verify
@@ -101,6 +102,23 @@ cert_string(Der) ->
lists:flatten([io_lib:format("~2.16.0B", [X]) ||
X <- binary_to_list(crypto:hash(sha, Der))]).
+valid_cert_p(Der) ->
+ %% Use the customized ASN.1 specification "OTP-PKIX.asn1" since
+ %% that's what's required for public_key functions we're using
+ %% (pkix_verify, public_key:pkix_is_issuer).
+ case (catch public_key:pkix_decode_cert(Der, otp)) of
+ #'OTPCertificate'{} ->
+ true;
+ {'EXIT', Reason} ->
+ lager:info("invalid certificate: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Reason]),
+ false;
+ Unknown ->
+ lager:info("unknown error decoding cert: ~p: ~p",
+ [mochihex:to_hex(crypto:hash(sha, Der)), Unknown]),
+ false
+ end.
+
%%%%%%%%%%%%%%%%%%%%
%% Precertificates according to draft-ietf-trans-rfc6962-bis-04.