chore: fix nit
parent
fb30207ef3
commit
1a4a4bb3a5
@ -49,8 +49,8 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
end.
end.
make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
AllowedKeyUsages = ext_key_opts(KeyUsages),
RequiredKeyUsages = ext_key_opts(KeyUsages),
{fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
{fun verify_fun_peer_extKeyUsage/3, RequiredKeyUsages}.
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
%% !! Override OTP verify peer default
%% !! Override OTP verify peer default
@ -69,17 +69,17 @@ verify_fun_peer_extKeyUsage(
#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
%% valid peer cert
%% valid peer cert
valid_peer,
valid_peer,
AllowedKeyUsages
RequiredKeyUsages
) ->
) ->
%% override OTP verify_peer default
%% override OTP verify_peer default
%% must have id-ce-extKeyUsage
%% must have id-ce-extKeyUsage
case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
#'Extension'{extnID = ?'id-ce-extKeyUsage', extnValue = VL} ->
#'Extension'{extnID = ?'id-ce-extKeyUsage', extnValue = VL} ->
case do_verify_ext_key_usage(VL, AllowedKeyUsages) of
case do_verify_ext_key_usage(VL, RequiredKeyUsages) of
true ->
true ->
%% pass the check,
%% pass the check,
%% fallback to OTP verify_peer default
%% fallback to OTP verify_peer default
{valid, AllowedKeyUsages};
{valid, RequiredKeyUsages};
false ->
false ->
{fail, extKeyUsage_unmatched}
{fail, extKeyUsage_unmatched}
end;
end;
@ -100,9 +100,7 @@ do_verify_ext_key_usage(CertExtL, [Usage | T] = _Required) ->
end.
end.
%% @doc Helper tls cert extension
%% @doc Helper tls cert extension
-spec ext_key_opts
-spec ext_key_opts(string()) -> [OidString :: string() | public_key:oid()].
(string()) -> [OidString :: string() | public_key:oid()];
(undefined) -> undefined.
ext_key_opts(Str) ->
ext_key_opts(Str) ->
Usages = string:tokens(Str, ","),
Usages = string:tokens(Str, ","),
lists:map(
lists:map(
@ -119,7 +117,7 @@ ext_key_opts(Str) ->
?'id-kp-timeStamping';
?'id-kp-timeStamping';
("ocspSigning") ->
("ocspSigning") ->
?'id-kp-OCSPSigning';
?'id-kp-OCSPSigning';
([$O, $I, $D, $: | OidStr]) ->
("OID:" ++ OidStr) ->
OidList = string:tokens(OidStr, "."),
OidList = string:tokens(OidStr, "."),
list_to_tuple(lists:map(fun list_to_integer/1, OidList))
list_to_tuple(lists:map(fun list_to_integer/1, OidList))
end,
end,
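Review bot: The new `("OID:" ++ OidStr)` clause does not validate what follows the prefix: `"OID:"` alone makes `string:tokens/2` return `[]` and `list_to_tuple/1` yield `{}`, an OID no certificate can carry, while a non-numeric arc such as `OID:1.2.x` raises `badarg` from `list_to_integer/1`. Both outcomes fail closed, which is the right direction for an input that feeds a verify fun, but the operator gets a bare crash rather than a recognisable configuration error. I would bind the arcs first and reject anything shorter than the two arcs an OID needs: `Arcs = [list_to_integer(A) || A <- string:tokens(OidStr, ".")],` then `length(Arcs) >= 2 orelse error({invalid_ext_key_usage_oid, OidStr}),` then `list_to_tuple(Arcs)`. The enclosing `lists:map` fun and `ext_key_opts/1` begin before this hunk; its `%% @doc Helper tls cert extension` line in the previous hunk would also read better as `%% @doc Parse the comma-separated extKeyUsage option into a list of OIDs (named usages or "OID:x.y.z").`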
@ -46,7 +46,7 @@ emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
zone => default,
zone => default,
ssl_options => maps:from_list(SslOptions)
ssl_options => maps:from_list(SslOptions)
},
},
ct:pal("start listsner with ~p ~p", [Name, Opts]),
ct:pal("start listener with ~p ~p", [Name, Opts]),
emqx_listeners:start_listener(ssl, Name, Opts).
emqx_listeners:start_listener(ssl, Name, Opts).
%%-------------------------------------------------------------------------------
%%-------------------------------------------------------------------------------