From 3f761cbe6aa3979636db3c21e94e32f95e8368ad Mon Sep 17 00:00:00 2001 From: Gilbert Wong Date: Tue, 23 Oct 2018 14:37:05 +0800 Subject: [PATCH] Support use certifate as username Prior to this change, you can just use CN or EN field from the client certificate as username. This change add a new option to allow user to use Certificate directly as username. --- etc/emqx.conf | 6 +++--- priv/emqx.schema | 6 +++--- src/emqx_protocol.erl | 7 ++++--- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index 874a4c560..56fcf5ffc 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1159,10 +1159,10 @@ listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-G ## Value: on | off ## listener.ssl.external.honor_cipher_order = on -## Use the CN field from the client certificate as a username. +## Use the CN, EN or CRT field from the client certificate as a username. ## Notice that 'verify' should be set as 'verify_peer'. ## -## Value: cn | en +## Value: cn | en | crt ## listener.ssl.external.peer_cert_as_username = cn ## TCP backlog for the SSL connection. @@ -1522,7 +1522,7 @@ listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem ## See: listener.ssl.$name.peer_cert_as_username ## -## Value: cn | dn +## Value: cn | dn | crt ## listener.wss.external.peer_cert_as_username = cn ## TCP backlog for the WebSocket/SSL connection. diff --git a/priv/emqx.schema b/priv/emqx.schema index becb4bff4..1424ab240 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -949,7 +949,7 @@ end}. ]}. {mapping, "listener.tcp.$name.peer_cert_as_username", "emqx.listeners", [ - {datatype, {enum, [cn, dn]}} + {datatype, {enum, [cn, dn, crt]}} ]}. {mapping, "listener.tcp.$name.backlog", "emqx.listeners", [ 
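Review bot: The new `listener.ssl.external` comment lines still document the value set as `cn | en | crt` (and "CN, EN or CRT"), but the schema hunks in this same patch only accept `{enum, [cn, dn, crt]}` and the wss comment two hunks down says `cn | dn | crt`; `en` is not a certificate field, so a user who copies it from the ssl comment presumably gets a schema rejection at load — confirm. Suggest `## Use the CN, DN or CRT field from the client certificate as a username.` and `## Value: cn | dn | crt` on the ssl listener. It would also help to say what `crt` actually yields, since it is not a printable name like the other two, e.g. `## 'crt' uses the whole client certificate, not a name extracted from it, as the username.`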
@@ -1139,7 +1139,7 @@ end}.
 ]}.
 
 {mapping, "listener.ssl.$name.peer_cert_as_username", "emqx.listeners", [
- {datatype, {enum, [cn, dn]}}
+ {datatype, {enum, [cn, dn, crt]}}
 ]}.
 
 %%--------------------------------------------------------------------
@@ -1400,7 +1400,7 @@ end}.
 ]}.
 
 {mapping, "listener.wss.$name.peer_cert_as_username", "emqx.listeners", [
- {datatype, {enum, [cn, dn]}}
+ {datatype, {enum, [cn, dn, crt]}}
 ]}.
 
 {translation, "emqx.listeners", fun(Conf) ->
diff --git a/src/emqx_protocol.erl b/src/emqx_protocol.erl
index c3f0689fa..db239acef 100644
--- a/src/emqx_protocol.erl
+++ b/src/emqx_protocol.erl
@@ -106,9 +106,10 @@ init(#{peername := Peername, peercert := Peercert, sendfun := SendFun}, Options)
 
 init_username(Peercert, Options) ->
 case proplists:get_value(peer_cert_as_username, Options) of
- cn -> esockd_peercert:common_name(Peercert);
- dn -> esockd_peercert:subject(Peercert);
- _ -> undefined
+ cn -> esockd_peercert:common_name(Peercert);
+ dn -> esockd_peercert:subject(Peercert);
+ crt -> Peercert;
+ _ -> undefined
 end.
 
 set_username(Username, PState = #pstate{username = undefined}) ->
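Review bot: The new `crt -> Peercert;` clause hands back whatever `init/2` received as `peercert` unchanged, whereas the `cn`/`dn` clauses go through `esockd_peercert` helpers; if `Peercert` is a placeholder rather than a certificate — when the client presented none, or on a plain-TCP listener, which the schema hunk above also lets select `crt` — that placeholder, not `undefined`, becomes the username (the value's shape is not visible here; presumably the DER binary from `ssl:peercert/1`, confirm). A guard keeps the outcome to "real certificate or `undefined`": `crt when is_binary(Peercert) -> Peercert;` ahead of the catch-all. The clause also deserves a comment that the username is then the raw DER certificate bytes, not printable text, so auth backends, ACL lookups and log formatting downstream must cope with a large non-UTF-8 binary; a fingerprint (hash of the DER) would be a smaller, stable identifier if that is the intent. `init_username/2` is complete within the hunk; `init/2` ends before it, outside the hunk.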