[erlang-questions] public_key and ssl question
Mon Feb 28 11:16:20 CET 2011
2011/2/28 Andreas Schultz <aschultz@REDACTED>:
> I have been playing with the public_key, crypto and ssl apps a bit.
> What struck me as odd is that X.509 certificates are only partially
> decoded. public_key:pkix_decode_cert/2 will return many of the fields
> undecoded. This leads to my first question:
> Is the partial decoding on purpose (maybe to simplify things or safe
> memory/cpu cycle) or just not completed yet?
There are two ways of decoding a cert, plain and otp. Plain uses the
standard ASN1-spec and only decodes the top level (Default Asn1
application behaviour). You may use public_key:der_decode/2 to look
at parts. If you use otp-decoding much more will be decoded, but
there still might be non standard extensions that will not be decoded.
(Then you may need your own ASN1-spec)
> And second:
> Since the common name (CN) of a certificate is not decoded, how will
> a SSL client verify the identity of a SSL server?
> Looking through the SSL code i can see that the certificate chain itself
> will be verified (the verify_peer result), but the common name is not
> check as far as i can tell.
Ssl uses the otp-decoding and the public_key application to do a
path-validation according to RFC-5280. ( We have not yet finished the
implementation of CRL handling, but except for those all mandantory
parts should be in place).
Regards Ingela Erlang/OTP team - Ericsson AB
More information about the erlang-questions