Fwd: Fix crash when decoding commercial certificates

Simon Cornish <>
Thu Dec 3 20:33:53 CET 2009


(first sent by mistake to erlang-bugs)

The Erlang ssl application assumes that it is fully aware of all
existing extensions, that they are in its list of SSL extensions, and
it is able to decode them.

However, since this is not true, commercial certificates containing the
id-pe-logotype extension crash the decoder. This is only one example
of an extension that the ssl application is unaware of.

This patch improves the behaviour by returning the OID tuple and raw
extension data for extensions that cannot be decoded.

git fetch git://github.com/dotsimon/otp.git ssl_pkix_extensions

The attached bare certificate (i.e. the BEGIN/END CERTIFICATE lines
have been removed) can be used to test the fault and fix as shown:

{ok, Bin} = file:read_file("server.bare").
Cert = base64:decode(binary_to_list(Bin)).
ssl_pkix:decode_cert(Cert,[ssl]).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.bare
Type: application/octet-stream
Size: 865 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20091203/67bb0ca7/attachment.obj>
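
The behaviour change described in the message, as an added Erlang sketch; this is not the code from the patch and it does not call ssl_pkix. The module name, the decoder table, the {decoded, _}/{raw, _} tags and the sample extension bodies are assumptions constructed for illustration. It also shows the check a verifier still needs once unknown extensions are passed through raw: RFC 5280 requires rejecting a certificate that carries an unrecognised extension marked critical.

```erlang
-module(ext_fallback).
-export([decode_strict/1, decode_tolerant/1, unhandled_critical/1, demo/0]).

%% OIDs in tuple form, as returned for undecodable extensions.
-define(ID_CE_BASIC_CONSTRAINTS, {2,5,29,19}).
-define(ID_PE_LOGOTYPE, {1,3,6,1,5,5,7,1,12}).   % RFC 3709

%% Hypothetical decoder table: only the extensions this code understands.
decoder(?ID_CE_BASIC_CONSTRAINTS) -> {ok, fun basic_constraints/1};
decoder(_UnknownOid) -> error.

%% Minimal DER match for BasicConstraints (cA flag only).
basic_constraints(<<16#30, 0>>) -> {basic_constraints, false};
basic_constraints(<<16#30, _Len, 16#01, 16#01, 16#FF, _/binary>>) ->
    {basic_constraints, true}.

%% "Before": assumes every OID is in the table, so an unknown
%% extension raises badmatch and the whole decode crashes.
decode_strict(Exts) ->
    [begin
         {ok, F} = decoder(Oid),
         {Oid, Crit, {decoded, F(Der)}}
     end || {Oid, Crit, Der} <- Exts].

%% "After": unknown extensions come back as OID tuple plus raw bytes.
decode_tolerant(Exts) ->
    [case decoder(Oid) of
         {ok, F} -> {Oid, Crit, {decoded, F(Der)}};
         error   -> {Oid, Crit, {raw, Der}}
     end || {Oid, Crit, Der} <- Exts].

%% Tolerant decoding must not turn into tolerant validation:
%% list critical extensions that were left undecoded.
unhandled_critical(Decoded) ->
    [Oid || {Oid, true, {raw, _}} <- Decoded].

demo() ->
    %% Constructed sample input: {Oid, Critical, DerBytes}.
    Exts = [{?ID_CE_BASIC_CONSTRAINTS, true, <<16#30, 3, 1, 1, 16#FF>>},
            {?ID_PE_LOGOTYPE, false, <<16#30, 0>>}],  % placeholder body
    Strict = try decode_strict(Exts)
             catch error:Reason -> {crashed, Reason}
             end,
    Tolerant = decode_tolerant(Exts),
    {Strict, Tolerant, unhandled_critical(Tolerant)}.
```

Compile with c(ext_fallback). and call ext_fallback:demo(). in the Erlang shell to compare the two decoders on the same input.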

