[erlang-questions] public_key and ssl question

Ingela Andin ingela.andin@REDACTED
Mon Feb 28 11:16:20 CET 2011


2011/2/28 Andreas Schultz <aschultz@REDACTED>:
> Hi,
> I have been playing with the public_key, crypto and ssl apps a bit.
> What struck me as odd is that X.509 certificates are only partially
> decoded. public_key:pkix_decode_cert/2 will return many of the fields
> undecoded. This leads to my first question:
>  Is the partial decoding on purpose (maybe to simplify things or safe
>  memory/cpu cycle) or just not completed yet?

There are two ways of decoding a cert, plain and otp. Plain uses the
standard ASN1-spec and only decodes the top level (Default Asn1
application behaviour).  You may use public_key:der_decode/2 to look
at parts.  If you use otp-decoding much more will be decoded, but
there still might be non standard extensions that will not be decoded.
(Then you may need your own ASN1-spec)

> And second:
>  Since the common name (CN) of a certificate is not decoded, how will
>  a SSL client verify the identity of a SSL server?
> Looking through the SSL code i can see that the certificate chain itself
> will be verified (the verify_peer result), but the common name is not
> check as far as i can tell.

Ssl uses the otp-decoding and the public_key application to do a
path-validation according to RFC-5280. ( We have not yet  finished the
implementation of CRL handling, but except for those all mandantory
parts should be in place).

Regards Ingela Erlang/OTP team - Ericsson AB

More information about the erlang-questions mailing list