yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

test(partial_chain): update tcs for OTP-25

This commit is contained in:
William Yang 2023-10-11 21:15:37 +02:00
parent 43ad665dcf
commit 650cf4b27e
3 changed files with 71 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
View File

@ -205,17 +205,18 @@ t_conn_fail_with_server_partial_chain(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
{versions, ['tlsv1.2']},
{verify, verify_none}
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_without_root_cacert(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -229,17 +230,18 @@ t_conn_fail_without_root_cacert(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
%% stick to tlsv1.2 for consistent error message
{versions, ['tlsv1.2']}
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
ssl_config_verify_peer() ->
[

87
apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
View File

@ -60,6 +60,7 @@ t_conn_success_with_server_intermediate_cacert_and_client_cert(Config) ->
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
@ -85,6 +86,7 @@ t_conn_success_with_intermediate_cacert_bundle(Config) ->
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
@ -110,6 +112,7 @@ t_conn_success_with_renewed_intermediate_cacert(Config) ->
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
@ -129,17 +132,17 @@ t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundl
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -154,17 +157,17 @@ t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_renewed_client_cert(
Config
@ -188,6 +191,7 @@ t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_rene
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2_renewed.pem")}
| client_default_tls_opts()
],
1000
),
@ -216,6 +220,7 @@ t_conn_success_with_new_intermediate_cacert_and_client_provides_renewed_client_c
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2_renewed.pem")}
| client_default_tls_opts()
],
1000
),
@ -243,6 +248,7 @@ t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_clie
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
@ -263,17 +269,17 @@ t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
%% @doc verify when config (two_cacerts_from_cacertfile) allows two versions of certs from same trusted CA.
t_001_conn_success_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_old_bundle(
@ -298,6 +304,7 @@ t_001_conn_success_with_old_and_renewed_intermediate_cacert_bundle_and_client_us
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -324,17 +331,17 @@ t_conn_fail_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_all
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "all-CAcerts-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -349,17 +356,17 @@ t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_intermediate_cacert_bundle_but_incorrect_order(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -374,17 +381,17 @@ t_conn_fail_with_intermediate_cacert_bundle_but_incorrect_order(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_when_singed_by_other_intermediate_ca(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -399,17 +406,17 @@ t_conn_fail_when_singed_by_other_intermediate_ca(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_complete_chain_that_server_root_cacert_and_client_complete_cert_chain(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -430,6 +437,7 @@ t_conn_success_with_complete_chain_that_server_root_cacert_and_client_complete_c
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -449,17 +457,17 @@ t_conn_fail_with_other_client_complete_cert_chain(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_intermediate_and_other_client_complete_cert_chain(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -480,6 +488,7 @@ t_conn_fail_with_server_intermediate_and_other_client_complete_cert_chain(Config
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -505,6 +514,7 @@ t_conn_success_with_server_intermediate_cacert_and_client_complete_chain(Config)
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -524,17 +534,17 @@ t_conn_fail_with_server_intermediate_chain_and_client_other_incomplete_cert_chai
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_intermediate_and_other_client_root_chain(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -549,17 +559,17 @@ t_conn_fail_with_server_intermediate_and_other_client_root_chain(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_server_intermediate_and_client_root_chain(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -580,6 +590,7 @@ t_conn_success_with_server_intermediate_and_client_root_chain(Config) ->
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -606,6 +617,7 @@ t_conn_success_with_server_all_CA_bundle_and_client_root_chain(Config) ->
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
@ -625,17 +637,17 @@ t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -651,17 +663,17 @@ t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
fail_when_no_ssl_alert(Res, unknown_ca).
t_error_handling_invalid_cacertfile(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
@ -688,3 +700,6 @@ ssl_config_verify_partial_chain() ->
{fail_if_no_peer_cert, true},
{partial_chain, true}
].
client_default_tls_opts() ->
[{versions, ['tlsv1.2']}].

13
apps/emqx/test/emqx_test_tls_certs_helper.erl
View File

@ -212,9 +212,16 @@ fail_when_ssl_error(Socket, Timeout) ->
ok
end.
%% @doc fail the test if no ssl_error recvd
fail_when_no_ssl_alert(Socket, Alert) ->
fail_when_no_ssl_alert(Socket, Alert, 1000).
%% @doc fail the test if no ssl_error
fail_when_no_ssl_alert(Res, Alert) ->
fail_when_no_ssl_alert(Res, Alert, 1000).
fail_when_no_ssl_alert({error, {tls_alert, {Alert, _}}}, Alert, _Timeout) ->
ok;
fail_when_no_ssl_alert({error, _} = Other, Alert, _Timeout) ->
ct:fail("returned unexpected ssl_error: ~p, expected ~n", [Other, Alert]);
fail_when_no_ssl_alert({ok, Socket}, Alert, Timeout) ->
fail_when_no_ssl_alert(Socket, Alert, Timeout);
fail_when_no_ssl_alert(Socket, Alert, Timeout) ->
receive
{ssl_error, Socket, {tls_alert, {Alert, AlertInfo}}} ->