Merge branch 'maint'

erlang · Nov 4, 2023 · c55dc0d · c55dc0d
2 parents f5a10c6 + 7891cd1
commit c55dc0d
Show file tree

Hide file tree

Showing 12 changed files with 3,269 additions and 955 deletions.
diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile
@@ -90,7 +90,7 @@ $(ESRC)/%.erl $(ESRC)/%.hrl: %.set.asn
 	$(asn_verbose)erlc $(ASN_FLAGS) -o $(ESRC) $<
 
 $(INCLUDE)/%.hrl: $(ESRC)/%.hrl
-	$(gen_verbose)cp -p $<  $@
+	$(gen_verbose)cp -p $< $@
 
 # ----------------------------------------------------
 # Release Target
@@ -114,20 +114,20 @@ release_docs_spec:
 # Dependencies
 
 $(EBIN)/OTP-PUB-KEY.beam: 	$(ESRC)/OTP-PUB-KEY.erl $(INCLUDE)/OTP-PUB-KEY.hrl
-OTP-PUB-KEY.erl OTP-PUB-KEY.hrl:	OTP-PUB-KEY.asn1db
-OTP-PUB-KEY.asn1db:		PKIX1Algorithms88.asn1 \
-				PKIX1Explicit88.asn1 \
-				PKIX1Implicit88.asn1 \
-				PKIXAttributeCertificate.asn1 \
-				PKCS-1.asn1\
-				PKCS-3.asn1\
-		                PKCS-7.asn1\
-				PKCS-10.asn1\
-				InformationFramework.asn1\
-				OTP-PKIX.asn1 \
-				RFC5639.asn1
-
-$(EBIN)/PKCS-FRAME.beam: 	        $(ESRC)/PKCS-FRAME.erl $(INCLUDE)/PKCS-FRAME.hrl
-PKCS-FRAME.erl PKCS-FRAME.hrl:		PKCS-FRAME.asn1db
-PKCS-FRAME.asn1db:			PKCS5v2-0.asn1\
-					PKCS-8.asn1\
+$(ESRC)/OTP-PUB-KEY.asn1db $(ESRC)/OTP-PUB-KEY.erl $(INCLUDE)/OTP-PUB-KEY.hrl: \
+	PKIX1Algorithms88.asn1 \
+	PKIX1Explicit88.asn1 \
+	PKIX1Implicit88.asn1 \
+	PKIXAttributeCertificate.asn1 \
+	PKCS-1.asn1 \
+	PKCS-3.asn1 \
+	PKCS-7.asn1 \
+	PKCS-10.asn1 \
+	InformationFramework.asn1 \
+	OTP-PKIX.asn1 \
+	RFC5639.asn1
+
+$(EBIN)/PKCS-FRAME.beam: 	$(ESRC)/PKCS-FRAME.erl $(INCLUDE)/PKCS-FRAME.hrl
+$(ESRC)/PKCS-FRAME.erl $(INCLUDE)/PKCS-FRAME.hrl $(ESRC)/PKCS-FRAME.asn1db: \
+	PKCS5v2-0.asn1 \
+	PKCS-8.asn1
diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1
@@ -834,4 +834,20 @@ invalidityDate EXTENSION-CLASS ::= {
 	ID id-ce-invalidityDate 
 	TYPE InvalidityDate }
 
+-- Used to workaround that some CAs create too long User Notices
+
+OTPUserNotice ::= SEQUENCE {
+     noticeRef        OTPNoticeReference OPTIONAL,
+     explicitText     OTPDisplayText OPTIONAL}
+
+OTPNoticeReference ::= SEQUENCE {
+     organization     OTPDisplayText,
+     noticeNumbers    SEQUENCE OF INTEGER }
+
+OTPDisplayText ::= CHOICE {
+     ia5String        IA5String      (SIZE (1..350)),
+     visibleString    VisibleString  (SIZE (1..350)),
+     bmpString        BMPString      (SIZE (1..350)),
+     utf8String       UTF8String     (SIZE (1..350)) }
+
 END
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
@@ -44,7 +44,6 @@
     <title>Common Records and ASN.1 Types</title> 
 
     <note><p>All records used in this Reference Manual 
-    <!--     except #policy_tree_node{}  -->
     are generated from ASN.1 specifications
     and are documented in the User's Guide. See <seeguide 
     marker="public_key_records">Public-key Records</seeguide>.
@@ -215,6 +214,12 @@
       </desc>
     </datatype>
 
+     <datatype>
+      <name name="policy_node"/>
+      <desc>
+      </desc>
+    </datatype>
+
     <datatype>
       <name name="bad_cert_reason"/>
       <desc>
@@ -534,12 +539,20 @@
     <fsummary>Performs a basic path validation according to RFC 5280.</fsummary>
      <desc>
        <p>
-	 Performs a basic path validation according to
-	 <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280.</url>
+	 Performs a basic path validation according to <url
+	 href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280.</url>
 	 However, CRL validation is done separately by <seemfa
-	 marker="#pkix_crls_validate/3">pkix_crls_validate/3 </seemfa> and is to be called
-	 from the supplied <c>verify_fun</c>. The optional policy tree check is currently not implemented
-	 but an empty place holder list is returned instead.
+	 marker="#pkix_crls_validate/3">pkix_crls_validate/3 </seemfa>
+	 and is to be called from the supplied <c>verify_fun</c>. The
+	 policy tree check was added in OTP-26.2 and if the
+	 certificates include policies the constrained policy set with
+	 potential qualifiers will be returned, these values are
+	 derived from the policy tree created as part of the path
+	 validation algorithm. The constrained set can be constrained
+	 only by the Certificate Authorities or also by the user when
+	 the option <c>policy_set</c> is provided to this
+	 function. The qualifiers convey information about the valid
+	 policy and is intended as information to end users.
        </p>
 
        <p>Available options:</p>
@@ -583,6 +596,25 @@ fun(OtpCert :: #'OTPCertificate'{},
 	  be PEER, CA, ROOT-CA, if it is 2, the path can
 	  be PEER, CA, CA, ROOT-CA, and so on.
 	</item>
+
+	<tag since="OTP 26.2" >{policy_set, [oid()]}</tag>
+	<item> The set of policies that will be accepted, defaults to the special
+	value <c>[?anyPolicy]</c> that will accept all policies.
+	</item>
+
+	<tag since="OTP 26.2">{explicit_policy, boolean()}</tag>
+	<item>Explicitly require that each certificate in the path must include
+        at least one of the certificate policies in the
+        <c>policy_set</c>.
+	</item>
+	<tag since="OTP 26.2">{inhibit_policy_mapping, boolean()}</tag>
+	<item>Prevent policies to be mapped to other policies.
+	</item>
+	<tag since="OTP 26.2">{inhibit_any_policy, boolean()}</tag>
+	<item>Prevent the special policy <c>?anyPolicy</c> from being
+	accepted.
+	</item>
+
       </taglist>
 
       <p>Explanations of reasons for a bad certificate: </p>

diff --git a/lib/public_key/doc/src/public_key_app.xml b/lib/public_key/doc/src/public_key_app.xml
@@ -41,7 +41,7 @@
     <list type="bulleted">
       <item>Supports <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url> -
       Internet X.509 Public-Key Infrastructure Certificate and Certificate Revocation List 
-      (CRL) Profile. Certificate policies are currently not supported. </item>
+      (CRL) Profile. Certificate policies supported since OTP-26.2 </item>
       <item>Supports <url href="http://www.ietf.org/rfc/rfc3447.txt"> PKCS-1 </url> - 
       RSA Cryptography Standard </item>
       <item>Supports <url href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf"> DSS</url> - 

diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
@@ -41,47 +41,51 @@
 		 {valid, UserState}
 	 end, []}).
 
--record(path_validation_state, {
-	  valid_policy_tree,
-	  explicit_policy,
-	  inhibit_any_policy,
-	  policy_mapping,
-	  cert_num,
-	  last_cert = false,
-	  permitted_subtrees = no_constraints, %% Name constraints
-	  excluded_subtrees = [],      %% Name constraints   
-	  working_public_key_algorithm,
-	  working_public_key,
-	  working_public_key_parameters,
-	  working_issuer_name,
-	  max_path_length,
-	  verify_fun,
-	  user_state
-	 }).
+-record(path_validation_state,
+        {
+         valid_policy_tree,
+         user_initial_policy_set,
+         explicit_policy,
+         inhibit_any_policy,
+         inhibit_policy_mapping,
+         policy_mapping_ext,
+         policy_constraint_ext,
+         policy_inhibitany_ext,
+         policy_ext_present,
+         policy_ext_any,
+         current_any_policy_qualifiers,
+         cert_num,
+         last_cert = false,
+         permitted_subtrees = no_constraints, %% Name constraints
+         excluded_subtrees = [],      %% Name constraints
+         working_public_key_algorithm,
+         working_public_key,
+         working_public_key_parameters,
+         working_issuer_name,
+         max_path_length,
+         verify_fun,
+         user_state
+        }).
 
--record(policy_tree_node, {
-	  valid_policy,
-	  qualifier_set,
-	  criticality_indicator,
-	  expected_policy_set
-	 }).
+-record(revoke_state,
+        {
+         reasons_mask,
+         cert_status,
+         interim_reasons_mask,
+         valid_ext,
+         details
+        }).
 
--record(revoke_state, {
-	  reasons_mask,
-	  cert_status,
-	  interim_reasons_mask,
-	  valid_ext,
-          details
-	 }).
+-record('ECPoint',
+        {
+         point
+        }).
 
--record('ECPoint', {
-	  point
-	 }).
-
--record(cert, {
-               der :: public_key:der_encoded(),
-               otp :: #'OTPCertificate'{}
-              }).
+-record(cert,
+        {
+         der :: public_key:der_encoded(),
+         otp :: #'OTPCertificate'{}
+        }).
 
 -define(unspecified, 0).
 -define(keyCompromise, 1).

diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
@@ -45,6 +45,7 @@ MODULES = \
 	pubkey_ssh \
 	pubkey_pbe \
 	pubkey_cert \
+	pubkey_policy_tree \
         pubkey_cert_records \
 	pubkey_crl\
 	pubkey_ocsp \