zf

mint_shims.erl (8364B)

---

 %% Shims for functions introduced in recent Erlang/OTP releases,
 %% to enable use of Mint on older releases. The code in this module
 %% was taken directly from the Erlang/OTP project.
 %%
 %% File: lib/public_key/src/public_key.erl
 %% Tag: OTP-20.3.4
 %% Commit: f2c1d537dc28ffbde5d42aedec70bf4c6574c3ea
 %% Changes from original file:
 %% - extracted pkix_verify_hostname/2 and /3, and any private
 %%   functions they depend upon
 %% - replaced local calls to other public functions in the
 %%   'public_key' module with fully qualified equivalents
 %% - replaced local type references with fully qualified equivalents
 %%
 %% The original license follows:
 
 %% %CopyrightBegin%
 %%
 %% Copyright Ericsson AB 2013-2017. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
 %% You may obtain a copy of the License at
 %%
 %%     http://www.apache.org/licenses/LICENSE-2.0
 %%
 %% Unless required by applicable law or agreed to in writing, software
 %% distributed under the License is distributed on an "AS IS" BASIS,
 %% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 %% See the License for the specific language governing permissions and
 %% limitations under the License.
 %%
 %% %CopyrightEnd%
 %%
 -module(mint_shims).
 
 -include_lib("public_key/include/public_key.hrl").
 
 -export([pkix_verify_hostname/2, pkix_verify_hostname/3]).
 
 %--------------------------------------------------------------------
 -spec pkix_verify_hostname(Cert :: #'OTPCertificate'{} | binary(),
 			   ReferenceIDs :: [{uri_id | dns_id | ip | srv_id | public_key:oid(),  string()}]) -> boolean().
 
 -spec pkix_verify_hostname(Cert :: #'OTPCertificate'{} | binary(),
 			   ReferenceIDs :: [{uri_id | dns_id | ip | srv_id | public_key:oid(),  string()}],
 			   Options :: proplists:proplist()) -> boolean().
 
 %% Description: Validates a hostname to RFC 6125
 %%--------------------------------------------------------------------
 pkix_verify_hostname(Cert, ReferenceIDs) ->
     pkix_verify_hostname(Cert, ReferenceIDs, []).
 
 pkix_verify_hostname(BinCert, ReferenceIDs, Options)  when is_binary(BinCert) ->
     pkix_verify_hostname(public_key:pkix_decode_cert(BinCert,otp), ReferenceIDs, Options);
 
 pkix_verify_hostname(Cert = #'OTPCertificate'{tbsCertificate = TbsCert}, ReferenceIDs0, Opts) ->
     MatchFun = proplists:get_value(match_fun,     Opts, undefined),
     FailCB   = proplists:get_value(fail_callback, Opts, fun(_Cert) -> false end),
     FqdnFun  = proplists:get_value(fqdn_fun,      Opts, fun verify_hostname_extract_fqdn_default/1),
 
     ReferenceIDs = [{T,to_string(V)} || {T,V} <- ReferenceIDs0],
     PresentedIDs =
 	try lists:keyfind(?'id-ce-subjectAltName',
 			  #'Extension'.extnID,
 			  TbsCert#'OTPTBSCertificate'.extensions)
 	of
 	    #'Extension'{extnValue = ExtVals} ->
 		[{T,to_string(V)} || {T,V} <- ExtVals];
 	    false ->
 		[]
 	catch
 	    _:_ -> []
 	end,
     %% PresentedIDs example: [{dNSName,"ewstest.ericsson.com"}, {dNSName,"www.ericsson.com"}]}
     case PresentedIDs of
 	[] ->
 	    %% Fallback to CN-ids [rfc6125, ch6]
 	    case TbsCert#'OTPTBSCertificate'.subject of
 		{rdnSequence,RDNseq} ->
 		    PresentedCNs =
 			[{cn, to_string(V)}
 			 || ATVs <- RDNseq, % RDNseq is list-of-lists
 			    #'AttributeTypeAndValue'{type = ?'id-at-commonName',
 						     value = {_T,V}} <- ATVs
 						% _T = kind of string (teletexString etc)
 			],
 		    %% Example of PresentedCNs:  [{cn,"www.ericsson.se"}]
 		    %% match ReferenceIDs to PresentedCNs
 		    verify_hostname_match_loop(verify_hostname_fqnds(ReferenceIDs, FqdnFun),
 					       PresentedCNs,
 					       MatchFun, FailCB, Cert);
 
 		_ ->
 		    false
 	    end;
 	_ ->
 	    %% match ReferenceIDs to PresentedIDs
 	    case verify_hostname_match_loop(ReferenceIDs, PresentedIDs,
 					    MatchFun, FailCB, Cert) of
 		false ->
 		    %% Try to extract DNS-IDs from URIs etc
 		    DNS_ReferenceIDs =
 			[{dns_id,X} || X <- verify_hostname_fqnds(ReferenceIDs, FqdnFun)],
 		    verify_hostname_match_loop(DNS_ReferenceIDs, PresentedIDs,
 					       MatchFun, FailCB, Cert);
 		true ->
 		    true
 	    end
     end.
 
 %%%----------------------------------------------------------------
 %%% pkix_verify_hostname help functions
 verify_hostname_extract_fqdn_default({dns_id,S}) ->
     S;
 verify_hostname_extract_fqdn_default({uri_id,URI}) ->
     % Modified from original to remove dependency on http_uri:parse/1 from inets
     #{scheme := <<"https">>, host := Host} = 'Elixir.URI':parse(list_to_binary(URI)),
     binary_to_list(Host).
 
 
 verify_hostname_fqnds(L, FqdnFun) ->
     [E || E0 <- L,
 	  E <- [try case FqdnFun(E0) of
 			default -> verify_hostname_extract_fqdn_default(E0);
                         undefined -> undefined; % will make the "is_list(E)" test fail
 			Other -> Other
 		    end
 		catch _:_-> undefined % will make the "is_list(E)" test fail
 		end],
 	  is_list(E),
 	  E =/= "",
 	  {error,einval} == inet:parse_address(E)
     ].
 
 
 -define(srvName_OID, {1,3,6,1,4,1,434,2,2,1,37,0}).
 
 verify_hostname_match_default(Ref, Pres) ->
     verify_hostname_match_default0(to_lower_ascii(Ref), to_lower_ascii(Pres)).
 
 verify_hostname_match_default0(FQDN=[_|_], {cn,FQDN}) ->
     not lists:member($*, FQDN);
 verify_hostname_match_default0(FQDN=[_|_], {cn,Name=[_|_]}) ->
     [F1|Fs] = string:tokens(FQDN, "."),
     [N1|Ns] = string:tokens(Name, "."),
     match_wild(F1,N1) andalso Fs==Ns;
 verify_hostname_match_default0({dns_id,R}, {dNSName,P}) ->
     R==P;
 verify_hostname_match_default0({uri_id,R}, {uniformResourceIdentifier,P}) ->
     R==P;
 verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 4 ->
     %% IPv4
     try
         list_to_tuple(P)
             == if is_tuple(R), size(R)==4 -> R;
                   is_list(R) -> ok(inet:parse_ipv4strict_address(R))
                end
     catch
         _:_ ->
             false
     end;
 
 verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 16 ->
     %% IPv6. The length 16 is due to the certificate specification.
     try
         l16_to_tup(P)
             == if is_tuple(R), size(R)==8 -> R;
                   is_list(R) -> ok(inet:parse_ipv6strict_address(R))
                end
     catch
         _:_ ->
             false
     end;
 verify_hostname_match_default0({srv_id,R}, {srvName,P}) ->
     R==P;
 verify_hostname_match_default0({srv_id,R}, {?srvName_OID,P}) ->
     R==P;
 verify_hostname_match_default0(_, _) ->
     false.
 
 ok({ok,X}) -> X.
 
 l16_to_tup(L) -> list_to_tuple(l16_to_tup(L, [])).
 %%
 l16_to_tup([A,B|T], Acc) -> l16_to_tup(T, [(A bsl 8) bor B | Acc]);
 l16_to_tup([], Acc) -> lists:reverse(Acc).
 
 match_wild(A,     [$*|B]) -> match_wild_suffixes(A, B);
 match_wild([C|A], [ C|B]) -> match_wild(A, B);
 match_wild([],        []) -> true;
 match_wild(_,          _) -> false.
 
 %% Match the parts after the only wildcard by comparing them from the end
 match_wild_suffixes(A, B) -> match_wild_sfx(lists:reverse(A), lists:reverse(B)).
 
 match_wild_sfx([$*|_],      _) -> false; % Bad name (no wildcards allowed)
 match_wild_sfx(_,      [$*|_]) -> false; % Bad pattern (no more wildcards allowed)
 match_wild_sfx([A|Ar], [A|Br]) -> match_wild_sfx(Ar, Br);
 match_wild_sfx(Ar,         []) -> not lists:member($*, Ar); % Chk for bad name (= wildcards)
 match_wild_sfx(_,           _) -> false.
 
 
 verify_hostname_match_loop(Refs0, Pres0, undefined, FailCB, Cert) ->
     Pres = lists:map(fun to_lower_ascii/1, Pres0),
     Refs = lists:map(fun to_lower_ascii/1, Refs0),
     lists:any(
       fun(R) ->
 	      lists:any(fun(P) ->
                                 verify_hostname_match_default(R,P) orelse FailCB(Cert)
 			end, Pres)
       end, Refs);
 verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
     lists:any(
       fun(R) ->
 	      lists:any(fun(P) ->
 				(case MatchFun(R,P) of
 				     default -> verify_hostname_match_default(R,P);
 				     Bool -> Bool
 				 end) orelse FailCB(Cert)
 			end,
 			Pres)
       end,
       Refs).
 
 
 to_lower_ascii({ip,_}=X) -> X;
 to_lower_ascii({iPAddress,_}=X) -> X;
 to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
 to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
 to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
 to_lower_ascii(C) -> C.
 
 to_string(S) when is_list(S) -> S;
 to_string(B) when is_binary(B) -> binary_to_list(B);
 to_string(X) -> X.