Usage of new verify_fun ssl option

Ingela Anderton Andin ingela@REDACTED
Mon Sep 27 09:29:09 CEST 2010

Hi Paul!

Paul Guyot wrote:
> Hello,
> I am trying to port our previous code that used verify_fun and validate_extensions_fun SSL options. Our previous code simply checked that the peer certificate has a given extension (and this extension is both critical and under our own OID). The local (server) certificate does not have this extension.
> I thought I could note that the extension is present in the user state and then check the user state at the end (when Event is 'valid'), like this:
> -spec verify_fun(#'OTPCertificate'{}, {bad_cert, any()} | {extension, #'Extension'{}} | valid, [atom()]) -> {valid, [atom()]} | {fail, any()} | {unknown, [atom()]}.
> verify_fun(_Certificate, {bad_cert, _} = Reason, _State) ->
>     {fail, Reason};
> verify_fun(_Certificate, {extension, #'Extension'{extnID = ?MY_OID, critical = true}}, State) ->
>     {valid, [critical_extension_found | State]};
> verify_fun(_Certificate, {extension, #'Extension'{}}, State) ->
>     {unknown, State};
> verify_fun(_Certificate, valid, State) ->
>     case lists:member(critical_extension_found, State) of
>         true -> {valid, State};
>         false -> {fail, {bad_cert, extension_missing}}
>     end.
> However, I ended up having two issues with this approach:
> - the verify_fun function is also passed the local (server) certificate, which does not have the critical extension. How can I distinguish the two certificates?
Good question, there are extensions that could be used  if they are 
present ...  maybe we should change
the verify fun to be called  with {valid, peer} for the peer certificate!?

> - there is a badmatch when I return a state different from the initial state.
> This is the match with UserState0 public_key:validate/2:
> UserState0 is also in the second parameter of validate/2. Is this match really intended?
No this looks really wrong. It  ought to be
UserState6 = pubkey_cert:validate_signature(OtpCert, DerCert,
                        Key, KeyParams, UserState5, VerifyFun),
UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState6, VerifyFun),

> BTW, there is a small typo in the documentation for the type of the verify function. The record is spelled there #'OtpCertificate' instead of #'OTPCertificate'.
> Paul
Thank you for noticing we will fix it.

Regards Ingela Erlang/OTP-team - Ericsson AB

More information about the erlang-questions mailing list