public_key: Verify policy trees and fix handling of any policy extension

Closes #6198
erlang · Aug 22, 2023 · 2d99975 · 2d99975
1 parent a241c95
commit 2d99975
Show file tree

Hide file tree

Showing 2 changed files with 608 additions and 155 deletions.
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
@@ -941,18 +941,31 @@ policy_children(Parents, Critical, Policy, Qualifiers) ->
 
 %% Step 2
 handle_any_policy_ext(Critical, Qualifiers, Parents, Children) ->
-    handle_any_policy_ext(Critical, Qualifiers, Parents, Children, []).
+    SamLen = maybe_add_empty_children(Parents, Children),
+    NewChildren = handle_any_policy_ext(Critical, Qualifiers, Parents, SamLen, []),
+    merge_children(Children, NewChildren, []).
 
-handle_any_policy_ext(_, _, [], Children0, AccChildren) ->
-    merge_children(Children0, lists:reverse(AccChildren), []);
+handle_any_policy_ext(_, _, [], [], AccChildren) ->
+    AccChildren;
 handle_any_policy_ext(Critical, Qualifiers,
-                      [#{expected_policy_set := ExpPolicySet} | ParentsRest],
-                      Children0, Acc) ->
+                      [#{expected_policy_set := ExpPolicySet,
+                         valid_policy:= ValidPolicy} | ParentsRest],
+                      [Children | RestChildren], AccChildren) ->
     Nodes = [policy_node(Critical, Policy, Qualifiers,
-                         [Policy])
+                         [ValidPolicy])
              || Policy <- ExpPolicySet,
-                not has_policy_node(Policy, Children0 ++ Acc)],
-    handle_any_policy_ext(Critical, Qualifiers, ParentsRest, Children0, [Nodes | Acc]).
+                not has_policy_node(Policy, Children)],
+    handle_any_policy_ext(Critical, Qualifiers, ParentsRest, RestChildren, [Nodes | AccChildren]).
+
+maybe_add_empty_children(Parents, Children) ->
+    maybe_add_empty_children(Parents, Children, []).
+
+maybe_add_empty_children([], _, AccChildren) ->
+    lists:reverse(AccChildren);
+maybe_add_empty_children([_ | RestParents], [Children | RestChildren], AccChildren) ->
+    maybe_add_empty_children(RestParents, RestChildren, [Children | AccChildren]);
+maybe_add_empty_children([_ | RestParents], [] = RestChildren, AccChildren) ->
+    maybe_add_empty_children(RestParents, RestChildren, [[] | AccChildren]).
 
 
 %% Step 1 i: