Follow overflow.site/questions/1679467 / ...
:-use_module(library(http/http_client)).
:-use_module(library(http/http_open)).
:-use_module(library(clpfd)).
url2('https://s3.amazonaws.com/echo.api/echo-api-cert-4.pem').
get_pem(Url,Certs):-
setup_call_cleanup(
http_open(Url,Stream,[]),
ssl_peer_certificate_chain(Stream,Certs),
close(Stream)
).
test(Key):-
url2(U),
get_pem(U,[A|Certs]),
checkcertvalid_time(A),
checkchain([A|Certs]),
memberchk(key(Key),A).
checkcertvalid_time(Acert):-
%what about The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
memberchk(notbefore(NotBefore),Acert),
memberchk(notafter(NotAfter),Acert),
get_time(NowA),
Now is round(NowA),
Now
Now
checkchain(Chain):-
length(Chain,L),
L
checkchain_h(Chain).
checkchain_h([_]). %Reached the root.
checkchain_h([C1,C2|Rest]):-
memberchk(signature(Sig),C1),
memberchk(to_be_signed(Signed),C1),
memberchk(key(Key),C2),
hex_bytes(Signed,Bytes),
crypto_data_hash(Bytes,Hash,[algorithm(sha256),encoding(octet)]),
rsa_verify(Key,Hash,Sig,[type(sha256)]),
checkchain_h([C2|Rest]).
If I call test/1, then this code works in 7.5.3-1-g647ce9a, but it breaks in 7.5.9. 7.5.9 is checkchain_h/1not executed when called memberchk(to_be_signed(Signed),C1).
This is tested on two separate computers, not on one computer. Is there any external software that can cause this difference?
In addition, as far as I know, there should also be a "subject_alternative_name" field that I never see.
Update: In 7.5.9:
OpenSSL 1.0.1t 3 May 2016
?- use_module(library(ssl)), current_prolog_flag(ssl_library_version, V).
V = 'OpenSSL 1.0.1t 3 May 2016'.
In 7.5.3-1-g647ce9a:
OpenSSL 1.0.2g 1 Mar 2016
?- use_module(library(ssl)), current_prolog_flag(ssl_library_version, V).
V = 'OpenSSL 1.0.2g 1 Mar 2016'.