test(tls-keyusage): add some comments
This commit is contained in:
parent
4ac2f6d205
commit
64955e9083
|
@ -64,94 +64,119 @@ end_per_group(_, Config) ->
|
||||||
t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
|
t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Given listener keyusage unset
|
||||||
Options = [{ssl_options, ?config(ssl_config, Config)}],
|
Options = [{ssl_options, ?config(ssl_config, Config)}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% when client connect with cert without keyusage ext
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
{certfile, filename:join(DataDir, "client1.pem")}
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connection success
|
||||||
fail_when_ssl_error(Socket),
|
fail_when_ssl_error(Socket),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
|
t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is set to undefined
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, undefined}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, undefined}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% when client connect with cert without keyusages ext
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
{certfile, filename:join(DataDir, "client1.pem")}
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connection success
|
||||||
fail_when_ssl_error(Socket),
|
fail_when_ssl_error(Socket),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
|
t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
%% Give listener keyusage is set to clientAuth
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
|
|
||||||
|
%% When client cert has clientAuth that is matched
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connection success
|
||||||
fail_when_ssl_error(Socket),
|
fail_when_ssl_error(Socket),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
|
t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
%% Give listener keyusage is set to raw OID
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.2"} %% from OTP-PUB-KEY.hrl
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.2"} %% from OTP-PUB-KEY.hrl
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client cert has keyusage and matched.
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
], 1000),
|
], 1000),
|
||||||
fail_when_ssl_error(Socket),
|
%% Then connection success
|
||||||
ok = ssl:close(Socket).
|
|
||||||
|
|
||||||
t_conn_success_verify_peer_ext_key_usage_matched_unorded_list(Config) ->
|
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
|
||||||
DataDir = ?config(data_dir, Config),
|
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth,serverAuth"}
|
|
||||||
| ?config(ssl_config, Config)
|
|
||||||
]}],
|
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
|
||||||
], 1000),
|
|
||||||
fail_when_ssl_error(Socket),
|
fail_when_ssl_error(Socket),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
|
t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
|
|
||||||
|
%% Give listener keyusage is clientAuth,serverAuth
|
||||||
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth,serverAuth"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}],
|
||||||
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client cert has the same keyusage ext list
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
||||||
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
|
], 1000),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
|
||||||
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is clientAuth,serverAuth
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "serverAuth,clientAuth"}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "serverAuth,clientAuth"}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client cert has the same keyusage ext list but different order
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connection success
|
||||||
fail_when_ssl_error(Socket),
|
fail_when_ssl_error(Socket),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
|
t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
%% Give listener keyusage is using OID
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.1"}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.1"}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
|
||||||
|
%% When client cert has the keyusage but not matching OID
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
|
||||||
|
%% Then connecion should fail.
|
||||||
fail_when_no_ssl_alert(Socket, handshake_failure),
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
@ -161,41 +186,51 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, ""}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, ""}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
|
%% Give listener keyusage is empty string
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client connect with cert without keyusage
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
{certfile, filename:join(DataDir, "client1.pem")}
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connecion should fail.
|
||||||
fail_when_no_ssl_alert(Socket, handshake_failure),
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_fail_client_keyusage_unmatch(Config) ->
|
t_conn_fail_client_keyusage_unmatch(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
|
|
||||||
|
%% Give listener keyusage is clientAuth
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "clientAuth"}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client connect with mismatch cert keyusage = codeSigning
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connecion should fail.
|
||||||
fail_when_no_ssl_alert(Socket, handshake_failure),
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
t_conn_fail_client_keyusage_incomplete(Config) ->
|
t_conn_fail_client_keyusage_incomplete(Config) ->
|
||||||
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
|
||||||
DataDir = ?config(data_dir, Config),
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is codeSigning,clientAuth
|
||||||
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "codeSigning,clientAuth"}
|
Options = [{ssl_options, [ {verify_peer_ext_key_usage, "codeSigning,clientAuth"}
|
||||||
| ?config(ssl_config, Config)
|
| ?config(ssl_config, Config)
|
||||||
]}],
|
]}],
|
||||||
emqx_listeners:start_listener(ssl, Port, Options),
|
emqx_listeners:start_listener(ssl, Port, Options),
|
||||||
|
%% When client connect with cert keyusage = clientAuth
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
|
||||||
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
{certfile, filename:join(DataDir, "client1.pem")}
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
], 1000),
|
], 1000),
|
||||||
|
%% Then connection should fail
|
||||||
fail_when_no_ssl_alert(Socket, handshake_failure),
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
ok = ssl:close(Socket).
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
|
||||||
%%%
|
%%%
|
||||||
%%% Helpers
|
%%% Helpers
|
||||||
%%%
|
%%%
|
||||||
|
|
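Review bot: `t_conn_fail_client_keyusage_incomplete` never presents the certificate it generates: `gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning")` is followed by an `ssl:connect` that still loads `client1.key`/`client1.pem`, the fixture the earlier tests describe as having no keyusage extension at all, so the `handshake_failure` is produced for the wrong reason and the case the new comment announces (`cert keyusage = clientAuth`, i.e. a strict subset of the required `codeSigning,clientAuth`) is not exercised. A regression that accepted a partial EKU match would therefore pass this suite unnoticed. Suggest generating and actually using the partial cert, as the sibling tests in this hunk do: `gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),` then `{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},` and `{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}`. The added comments also read `Give listener` and `connecion` in several places; `Given listener` and `connection` are presumably intended.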