[erlang-questions] Decoding certificates using public_key:pkix_decode_cert/2 (and a bug in public_key_SUITE?)

Roger Lipscombe roger@REDACTED
Fri Feb 21 17:14:07 CET 2014

I'm attempting to verify the CN of a certificate, and I can't find any
examples of how to do it. I think I've figured it out, and I'd like
confirmation that I'm doing it right. Also, if I _am_ doing it right,
I think I've found a bug in public_key_SUITE in the OTP sources, or
I've found a mistake in the documentation.

So, starting with a raw, DER-encoded certificate (I'm using the one
from incorrect_countryname_pkix_cert/0, in
otp/lib/public_key/test/public_key_SUITE.erl, if you want to follow

1> rr(public_key).
2> RawCert = <<48, 130, 5, 186, ...>>.
3> OTPCert = public_key:pkix_decode_cert(RawCert, otp).
4> Subj = OTPCert#'OTPCertificate'.tbsCertificate#'OTPTBSCertificate'.subject.
{rdnSequence,[[#'AttributeTypeAndValue'{type = {2,5,4,6},
                                          value = "US"}],
[#'AttributeTypeAndValue'{type = {2,5,4,8},
                    value = {utf8String,<<"AZ">>}}],
[#'AttributeTypeAndValue'{type = {2,5,4,7},
                    value = {utf8String,<<"Scottsdale">>}}],
[#'AttributeTypeAndValue'{type = {2,5,4,10},
                     value = {utf8String,<<"Special Domain Services, Inc.">>}}],
[#'AttributeTypeAndValue'{type = {2,5,4,3},
                    value = {utf8String,<<"*.login.secureserver.net">>}}]]}

Note that we've got a list of lists: {rdnSequence, [[A1], [A2], [A3]]}.

This doesn't appear to agree with the documentation at
http://erlang.org/doc/apps/public_key/cert_records.html, where (if I'm
reading it correctly), we should be seeing {rdnSequence, [A1, A2,

Now, this ought to have been caught by the tests in
public_key_SUITE.erl, because do_check_countryname/1 expects [A1, A2,
A3], except that it silently passes if it fails to match
?'id-at-countryName'. And it does fail to match, because it never
correctly matches _any_ of the items in the list.

So, my questions:

0. (the most important) how do I get the CN out of a certificate?
1. Should rdnSequence be as described in the documentation (a list of
#'AttributeTypeAndValue' records), or should it be as it is (a list of
lists of #'AttributeTypeAndValue' records)? If the second, are they
guaranteed to be single-item lists, or is there something more complex
happening here?
2. Is my understanding correct?
3. Is there a bug in the test?
4. Or is there a bug in pkix_cert_decode?

>From my reading of the ASN.1 specification of
http://www.in2eps.com/fo-pkix/tk-fo-pkix-asn1.html#naming -- and I'm
not very good at reading ASN.1 specs, to be honest -- it looks like
the code's correct(*), but the documentation isn't.

(*) It looks like a Name comprises a sequence of
RelativeDistinguishedName; each of the RelativeDistinguishedName items
in the example certificate is a singleton set.

Or am I barking up completely the wrong tree here?


More information about the erlang-questions mailing list