From 64955e9083611792e88c307c8e5361f35157636a Mon Sep 17 00:00:00 2001
From: William Yang
Date: Fri, 12 May 2023 11:33:04 +0200
Subject: [PATCH] test(tls-keyusage): add some comments

---
 ...mqx_listener_tls_verify_keyusage_SUITE.erl | 73 ++++++++++++++-----
 1 file changed, 54 insertions(+), 19 deletions(-)

diff --git a/test/emqx_listener_tls_verify_keyusage_SUITE.erl b/test/emqx_listener_tls_verify_keyusage_SUITE.erl
index 3ba089aae..197373e8d 100644
--- a/test/emqx_listener_tls_verify_keyusage_SUITE.erl
+++ b/test/emqx_listener_tls_verify_keyusage_SUITE.erl
@@ -64,94 +64,119 @@ end_per_group(_, Config) ->
 t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
+ %% Given listener keyusage unset
 Options = [{ssl_options, ?config(ssl_config, Config)}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% when client connect with cert without keyusage ext
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
 {certfile, filename:join(DataDir, "client1.pem")}
 ], 1000),
+ %% Then connection success
 fail_when_ssl_error(Socket),
 ok = ssl:close(Socket).

 t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
+ %% Give listener keyusage is set to undefined
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, undefined}
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% when client connect with cert without keyusages ext
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
 {certfile, filename:join(DataDir, "client1.pem")}
 ], 1000),
+ %% Then connection success
 fail_when_ssl_error(Socket),
 ok = ssl:close(Socket).

 t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
- gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
+ %% Give listener keyusage is set to clientAuth
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
 | ?config(ssl_config, Config)
 ]}],
+ 
+ %% When client cert has clientAuth that is matched
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
 emqx_listeners:start_listener(ssl, Port, Options),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
 {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
 ], 1000),
+ %% Then connection success
 fail_when_ssl_error(Socket),
 ok = ssl:close(Socket).

 t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
- gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
+ %% Give listener keyusage is set to raw OID
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.2"} %% from OTP-PUB-KEY.hrl
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client cert has keyusage and matched.
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
 {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
 ], 1000),
- fail_when_ssl_error(Socket),
- ok = ssl:close(Socket).
- 
-t_conn_success_verify_peer_ext_key_usage_matched_unorded_list(Config) ->
- Port = emqx_test_tls_certs_helper:select_free_port(ssl),
- DataDir = ?config(data_dir, Config),
- gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
- Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth,serverAuth"}
- | ?config(ssl_config, Config)
- ]}],
- emqx_listeners:start_listener(ssl, Port, Options),
- {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
- ], 1000),
+ %% Then connection success
 fail_when_ssl_error(Socket),
 ok = ssl:close(Socket).

 t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
+ 
+ %% Give listener keyusage is clientAuth,serverAuth
+ Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth,serverAuth"}
+ | ?config(ssl_config, Config)
+ ]}],
+ emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client cert has the same keyusage ext list
 gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
+ {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ ], 1000),
+ %% Then connection success
+ fail_when_ssl_error(Socket),
+ ok = ssl:close(Socket).
+ 
+t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
+ Port = emqx_test_tls_certs_helper:select_free_port(ssl),
+ DataDir = ?config(data_dir, Config),
+ %% Give listener keyusage is clientAuth,serverAuth
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "serverAuth,clientAuth"}
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client cert has the same keyusage ext list but different order
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
 {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
 ], 1000),
+ %% Then connection success
 fail_when_ssl_error(Socket),
 ok = ssl:close(Socket).

 t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
- gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
+ %% Give listener keyusage is using OID
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.1"}
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ 
+ %% When client cert has the keyusage but not matching OID
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
 {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
 ], 1000),
+ 
+ %% Then connecion should fail.
 fail_when_no_ssl_alert(Socket, handshake_failure),
 ok = ssl:close(Socket).
 
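Review bot: The added Given/When/Then comments misspell their own keywords: `%% Give listener keyusage is set to undefined` and every later `%% Give listener ...` line should read `%% Given listener ...`, and `%% Then connecion should fail.` should read `%% Then connection should fail.` (the same spellings recur in the second hunk). In t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid the new `%% When client cert has the keyusage but not matching OID` would say more as `%% When client cert has clientAuth (1.3.6.1.5.5.7.3.2) but listener requires 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)`, since the handshake_failure assertion there is the reject path for a raw-OID mismatch and the reader should see which two usages are being compared. In t_conn_success_verify_peer_ext_key_usage_matched_predefined the moved gen_client_cert_ext_keyusage call now sits above emqx_listeners:start_listener, whereas every other test in this hunk generates the client cert after the listener is started; moving it below the start_listener line keeps the When step in the same place across tests.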
@@ -161,41 +186,51 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, ""}
 | ?config(ssl_config, Config)
 ]}],
+ %% Give listener keyusage is empty string
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client connect with cert without keyusage
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
 {certfile, filename:join(DataDir, "client1.pem")}
 ], 1000),
+ %% Then connecion should fail.
 fail_when_no_ssl_alert(Socket, handshake_failure),
 ok = ssl:close(Socket).

 t_conn_fail_client_keyusage_unmatch(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
- gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
+ 
+ %% Give listener keyusage is clientAuth
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client connect with mismatch cert keyusage = codeSigning
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
 {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
 ], 1000),
+ %% Then connecion should fail.
 fail_when_no_ssl_alert(Socket, handshake_failure),
 ok = ssl:close(Socket).

 t_conn_fail_client_keyusage_incomplete(Config) ->
 Port = emqx_test_tls_certs_helper:select_free_port(ssl),
 DataDir = ?config(data_dir, Config),
+ %% Give listener keyusage is codeSigning,clientAuth
 Options = [{ssl_options, [ {verify_peer_ext_key_usage, "codeSigning,clientAuth"}
 | ?config(ssl_config, Config)
 ]}],
 emqx_listeners:start_listener(ssl, Port, Options),
+ %% When client connect with cert keyusage = clientAuth
+ gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
 {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
 {certfile, filename:join(DataDir, "client1.pem")}
 ], 1000),
+ %% Then connection should fail
 fail_when_no_ssl_alert(Socket, handshake_failure),
 ok = ssl:close(Socket).
 
-
 %%%
 %%% Helpers
 %%%
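Review bot: t_conn_fail_client_keyusage_incomplete generates a per-test cert with `gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning")` but the ssl:connect below it still presents the static `client1.key`/`client1.pem` pair, so the generated cert is never offered and the test actually covers a client cert with no EKU extension against a listener requiring codeSigning,clientAuth, not the incomplete-subset case its name describes. The added comment `%% When client connect with cert keyusage = clientAuth` also contradicts the `"codeSigning"` argument on the very next line. To exercise the subset check, generate the cert with `"clientAuth"` and connect with `{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}` and `{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}` as t_conn_fail_client_keyusage_unmatch does; the handshake_failure assertion then proves a cert carrying only one of the two required usages is rejected. In t_conn_fail_verify_peer_ext_key_usage_empty_str the `%% Give listener keyusage is empty string` comment lands after the Options list it describes rather than above it, and the `Give`/`connecion` spellings from the first hunk recur throughout this hunk.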