yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #13211 from qzhuyan/fix/william/rel57/ee-tls 

Fix/william/rel57/ee tls
This commit is contained in:
William Yang 2024-06-13 13:19:44 +02:00 committed by GitHub
parent 129bc6b013 44258204bd
commit 723144199e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 2217 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apps/emqx/include/emqx_schema.hrl
View File

@ -21,4 +21,9 @@
-define(TOMBSTONE_CONFIG_CHANGE_REQ, mark_it_for_deletion). -define(TOMBSTONE_CONFIG_CHANGE_REQ, mark_it_for_deletion).
-define(CONFIG_NOT_FOUND_MAGIC, '$0tFound'). -define(CONFIG_NOT_FOUND_MAGIC, '$0tFound').
%%--------------------------------------------------------------------
%% EE injections
%%--------------------------------------------------------------------
-define(EMQX_SSL_FUN_MFA(Name), {emqx_ssl_fun_mfa, Name}).
-endif. -endif.

23
apps/emqx/src/emqx_listeners.erl
View File

@ -611,7 +611,9 @@ esockd_opts(ListenerId, Type, Name, Opts0) ->
ssl -> ssl ->
OptsWithCRL = inject_crl_config(Opts0), OptsWithCRL = inject_crl_config(Opts0),
OptsWithSNI = inject_sni_fun(ListenerId, OptsWithCRL), OptsWithSNI = inject_sni_fun(ListenerId, OptsWithCRL),
SSLOpts = ssl_opts(OptsWithSNI), OptsWithRootFun = inject_root_fun(OptsWithSNI),
OptsWithVerifyFun = inject_verify_fun(OptsWithRootFun),
SSLOpts = ssl_opts(OptsWithVerifyFun),
Opts3#{ssl_options => SSLOpts, tcp_options => tcp_opts(Opts0)} Opts3#{ssl_options => SSLOpts, tcp_options => tcp_opts(Opts0)}
end end
). ).
@ -635,8 +637,18 @@ ranch_opts(Type, Opts = #{bind := ListenOn}) ->
MaxConnections = maps:get(max_connections, Opts, 1024), MaxConnections = maps:get(max_connections, Opts, 1024),
SocketOpts = SocketOpts =
case Type of case Type of
wss -> tcp_opts(Opts) ++ proplists:delete(handshake_timeout, ssl_opts(Opts)); wss ->
ws -> tcp_opts(Opts) tcp_opts(Opts) ++
lists:filter(
fun
({partial_chain, _}) -> false;
({handshake_timeout, _}) -> false;
(_) -> true
end,
ssl_opts(Opts)
);
ws ->
tcp_opts(Opts)
end, end,
#{ #{
num_acceptors => NumAcceptors, num_acceptors => NumAcceptors,
@ -962,6 +974,11 @@ quic_listener_optional_settings() ->
stateless_operation_expiration_ms stateless_operation_expiration_ms
]. ].
inject_root_fun(#{ssl_options := SSLOpts} = Opts) ->
Opts#{ssl_options := emqx_tls_lib:maybe_inject_ssl_fun(root_fun, SSLOpts)}.
inject_verify_fun(#{ssl_options := SSLOpts} = Opts) ->
Opts#{ssl_options := emqx_tls_lib:maybe_inject_ssl_fun(verify_fun, SSLOpts)}.
inject_sni_fun(ListenerId, Conf = #{ssl_options := #{ocsp := #{enable_ocsp_stapling := true}}}) -> inject_sni_fun(ListenerId, Conf = #{ssl_options := #{ocsp := #{enable_ocsp_stapling := true}}}) ->
emqx_ocsp_cache:inject_sni_fun(ListenerId, Conf); emqx_ocsp_cache:inject_sni_fun(ListenerId, Conf);
inject_sni_fun(_ListenerId, Conf) -> inject_sni_fun(_ListenerId, Conf) ->

4
apps/emqx/src/emqx_schema.erl
View File

@ -191,6 +191,8 @@
-define(DEFAULT_MULTIPLIER, 1.5). -define(DEFAULT_MULTIPLIER, 1.5).
-define(DEFAULT_BACKOFF, 0.75). -define(DEFAULT_BACKOFF, 0.75).
-define(INJECTING_CONFIGS, [?AUTH_EXT_SCHEMA_MODS]).
namespace() -> emqx. namespace() -> emqx.
tags() -> tags() ->
@ -2247,7 +2249,7 @@ common_ssl_opts_schema(Defaults, Type) ->
desc => ?DESC(common_ssl_opts_schema_hibernate_after) desc => ?DESC(common_ssl_opts_schema_hibernate_after)
} }
)} )}
]. ] ++ emqx_schema_hooks:injection_point('common_ssl_opts_schema').
%% @doc Make schema for SSL listener options. %% @doc Make schema for SSL listener options.
-spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema(). -spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema().

15
apps/emqx/src/emqx_tls_lib.erl
View File

@ -15,6 +15,7 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
-module(emqx_tls_lib). -module(emqx_tls_lib).
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
%% version & cipher suites %% version & cipher suites
-export([ -export([
@ -44,10 +45,13 @@
to_client_opts/2 to_client_opts/2
]). ]).
-export([maybe_inject_ssl_fun/2]).
%% ssl:tls_version/0 is not exported. %% ssl:tls_version/0 is not exported.
-type tls_version() :: tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3'. -type tls_version() :: tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3'.
-include("logger.hrl"). -include("logger.hrl").
-include("emqx_schema.hrl").
-define(IS_TRUE(Val), ((Val =:= true) orelse (Val =:= <<"true">>))). -define(IS_TRUE(Val), ((Val =:= true) orelse (Val =:= <<"true">>))).
-define(IS_FALSE(Val), ((Val =:= false) orelse (Val =:= <<"false">>))). -define(IS_FALSE(Val), ((Val =:= false) orelse (Val =:= <<"false">>))).
@ -685,3 +689,14 @@ ensure_ssl_file_key(SSL, RequiredKeyPaths) ->
[] -> ok; [] -> ok;
Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}} Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}}
end. end.
-spec maybe_inject_ssl_fun(root_fun | verify_fun, map()) -> map().
maybe_inject_ssl_fun(FunName, SslOpts) ->
case persistent_term:get(?EMQX_SSL_FUN_MFA(FunName), undefined) of
undefined ->
SslOpts;
{M, F, A} ->
%% We should have one entry not a list of {M,F,A},
%% as ordering matters in validations
erlang:apply(M, F, [SslOpts | A])
end.

307
apps/emqx/test/emqx_test_tls_certs_helper.erl Normal file
View File

@ -0,0 +1,307 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_test_tls_certs_helper).
-export([
gen_ca/2,
gen_host_cert/3,
gen_host_cert/4,
select_free_port/1,
generate_tls_certs/1,
fail_when_ssl_error/1,
fail_when_ssl_error/2,
fail_when_no_ssl_alert/2,
fail_when_no_ssl_alert/3,
emqx_start_listener/4
]).
-include_lib("common_test/include/ct.hrl").
%%-------------------------------------------------------------------------------
%% Start Listener
%%-------------------------------------------------------------------------------
emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
Opts = Opts0#{
enable => true,
bind => {{127, 0, 0, 1}, Port},
mountpoint => <<>>,
zone => default,
ssl_options => maps:from_list(SslOptions)
},
ct:pal("start listener with ~p ~p", [Name, Opts]),
emqx_listeners:start_listener(ssl, Name, Opts).
%%-------------------------------------------------------------------------------
%% TLS certs
%%-------------------------------------------------------------------------------
gen_ca(Path, Name) ->
%% Generate ca.pem and ca.key which will be used to generate certs
%% for hosts server and clients
ECKeyFile = eckey_name(Path),
filelib:ensure_dir(ECKeyFile),
os:cmd("openssl ecparam -name secp256r1 > " ++ ECKeyFile),
Cmd = lists:flatten(
io_lib:format(
"openssl req -new -x509 -nodes "
"-newkey ec:~s "
"-keyout ~s -out ~s -days 3650 "
"-addext basicConstraints=CA:TRUE "
"-subj \"/C=SE/O=TEST CA\"",
[
ECKeyFile,
ca_key_name(Path, Name),
ca_cert_name(Path, Name)
]
)
),
os:cmd(Cmd).
ca_cert_name(Path, Name) ->
filename(Path, "~s.pem", [Name]).
ca_key_name(Path, Name) ->
filename(Path, "~s.key", [Name]).
eckey_name(Path) ->
filename(Path, "ec.key", []).
gen_host_cert(H, CaName, Path) ->
gen_host_cert(H, CaName, Path, #{}).
gen_host_cert(H, CaName, Path, Opts) ->
ECKeyFile = eckey_name(Path),
CN = str(H),
HKey = filename(Path, "~s.key", [H]),
HCSR = filename(Path, "~s.csr", [H]),
HCSR2 = filename(Path, "~s.csr", [H]),
HPEM = filename(Path, "~s.pem", [H]),
HPEM2 = filename(Path, "~s_renewed.pem", [H]),
HEXT = filename(Path, "~s.extfile", [H]),
PasswordArg =
case maps:get(password, Opts, undefined) of
undefined ->
" -nodes ";
Password ->
io_lib:format(" -passout pass:'~s' ", [Password])
end,
create_file(
HEXT,
"keyUsage=digitalSignature,keyAgreement,keyCertSign\n"
"basicConstraints=CA:TRUE \n"
"~s \n"
"subjectAltName=DNS:~s\n",
[maps:get(ext, Opts, ""), CN]
),
CSR_Cmd = csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR, CN),
CSR_Cmd2 = csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR2, CN),
CERT_Cmd = cert_sign_cmd(
HEXT, HCSR, ca_cert_name(Path, CaName), ca_key_name(Path, CaName), HPEM
),
%% 2nd cert for testing renewed cert.
CERT_Cmd2 = cert_sign_cmd(
HEXT, HCSR2, ca_cert_name(Path, CaName), ca_key_name(Path, CaName), HPEM2
),
ct:pal(os:cmd(CSR_Cmd)),
ct:pal(os:cmd(CSR_Cmd2)),
ct:pal(os:cmd(CERT_Cmd)),
ct:pal(os:cmd(CERT_Cmd2)),
file:delete(HEXT).
cert_sign_cmd(ExtFile, CSRFile, CACert, CAKey, OutputCert) ->
lists:flatten(
io_lib:format(
"openssl x509 -req "
"-extfile ~s "
"-in ~s -CA ~s -CAkey ~s -CAcreateserial "
"-out ~s -days 500",
[
ExtFile,
CSRFile,
CACert,
CAKey,
OutputCert
]
)
).
csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR, CN) ->
lists:flatten(
io_lib:format(
"openssl req -new ~s -newkey ec:~s "
"-keyout ~s -out ~s "
"-addext \"subjectAltName=DNS:~s\" "
"-addext basicConstraints=CA:TRUE "
"-addext keyUsage=digitalSignature,keyAgreement,keyCertSign "
"-subj \"/C=SE/O=TEST/CN=~s\"",
[PasswordArg, ECKeyFile, HKey, HCSR, CN, CN]
)
).
filename(Path, F, A) ->
filename:join(Path, str(io_lib:format(F, A))).
str(Arg) ->
binary_to_list(iolist_to_binary(Arg)).
create_file(Filename, Fmt, Args) ->
filelib:ensure_dir(Filename),
{ok, F} = file:open(Filename, [write]),
try
io:format(F, Fmt, Args)
after
file:close(F)
end,
ok.
%% @doc get unused port from OS
-spec select_free_port(tcp | udp | ssl | quic) -> inets:port_number().
select_free_port(tcp) ->
select_free_port(gen_tcp, listen);
select_free_port(udp) ->
select_free_port(gen_udp, open);
select_free_port(ssl) ->
select_free_port(tcp);
select_free_port(quic) ->
select_free_port(udp).
select_free_port(GenModule, Fun) when
GenModule == gen_tcp orelse
GenModule == gen_udp
->
{ok, S} = GenModule:Fun(0, [{reuseaddr, true}]),
{ok, Port} = inet:port(S),
ok = GenModule:close(S),
case os:type() of
{unix, darwin} ->
%% in MacOS, still get address_in_use after close port
timer:sleep(500);
_ ->
skip
end,
ct:pal("Select free OS port: ~p", [Port]),
Port.
%% @doc fail the test if ssl_error recvd
%% post check for success conn establishment
fail_when_ssl_error(Socket) ->
fail_when_ssl_error(Socket, 1000).
fail_when_ssl_error(Socket, Timeout) ->
receive
{ssl_error, Socket, _} ->
ct:fail("Handshake failed!")
after Timeout ->
ok
end.
%% @doc fail the test if no ssl_error
fail_when_no_ssl_alert(Res, Alert) ->
fail_when_no_ssl_alert(Res, Alert, 1000).
fail_when_no_ssl_alert({error, {tls_alert, {Alert, _}}}, Alert, _Timeout) ->
ok;
fail_when_no_ssl_alert({error, _} = Other, Alert, _Timeout) ->
ct:fail("returned unexpected ssl_error: ~p, expected ~n", [Other, Alert]);
fail_when_no_ssl_alert({ok, Socket}, Alert, Timeout) ->
fail_when_no_ssl_alert(Socket, Alert, Timeout);
fail_when_no_ssl_alert(Socket, Alert, Timeout) ->
receive
{ssl_error, Socket, {tls_alert, {Alert, AlertInfo}}} ->
ct:pal("alert info: ~p~n", [AlertInfo]);
{ssl_error, Socket, Other} ->
ct:fail("recv unexpected ssl_error: ~p~n", [Other])
after Timeout ->
ct:fail("No expected alert: ~p from Socket: ~p ", [Alert, Socket])
end.
%% @doc Generate TLS cert chain for tests
generate_tls_certs(Config) ->
DataDir = ?config(data_dir, Config),
gen_ca(DataDir, "root"),
gen_host_cert("intermediate1", "root", DataDir),
gen_host_cert("intermediate2", "root", DataDir),
gen_host_cert("server1", "intermediate1", DataDir),
gen_host_cert("client1", "intermediate1", DataDir),
gen_host_cert("server2", "intermediate2", DataDir),
gen_host_cert("client2", "intermediate2", DataDir),
%% Build bundles below
os:cmd(
io_lib:format("cat ~p ~p ~p > ~p", [
filename:join(DataDir, "client2.pem"),
filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "client2-complete-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "client2.pem"),
filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "client2-intermediate2-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "client2.pem"),
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "client2-root-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "server1.pem"),
filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "server1-intermediate1-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "server1.pem"),
filename:join(DataDir, "intermediate1-server1-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "intermediate1_renewed.pem"),
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "intermediate2_renewed.pem"),
filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "intermediate1-root-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p ~p > ~p", [
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "all-CAcerts-bundle.pem")
])
),
os:cmd(
io_lib:format("cat ~p ~p > ~p", [
filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "two-intermediates-bundle.pem")
])
).

20
apps/emqx_auth_ext/.gitignore vendored Normal file
View File

@ -0,0 +1,20 @@
.rebar3
_build
_checkouts
_vendor
.eunit
*.o
*.beam
*.plt
*.swp
*.swo
.erlang.cookie
ebin
log
erl_crash.dump
.rebar
logs
.idea
*.iml
rebar3.crashdump
*~

94
apps/emqx_auth_ext/BSL.txt Normal file
View File

@ -0,0 +1,94 @@
Business Source License 1.1
Licensor: Hangzhou EMQ Technologies Co., Ltd.
Licensed Work: EMQX Enterprise Edition
The Licensed Work is (c) 2023
Hangzhou EMQ Technologies Co., Ltd.
Additional Use Grant: Students and educators are granted right to copy,
modify, and create derivative work for research
or education.
Change Date: 2028-01-26
Change License: Apache License, Version 2.0
For information about alternative licensing arrangements for the Software,
please contact Licensor: https://www.emqx.com/en/contact
Notice
The Business Source License (this document, or the “License”) is not an Open
Source license. However, the Licensed Work will eventually be made available
under an Open Source License, as stated in this License.
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
“Business Source License” is a trademark of MariaDB Corporation Ab.
-----------------------------------------------------------------------------
Business Source License 1.1
Terms
The Licensor hereby grants you the right to copy, modify, create derivative
works, redistribute, and make non-production use of the Licensed Work. The
Licensor may make an Additional Use Grant, above, permitting limited
production use.
Effective on the Change Date, or the fourth anniversary of the first publicly
available distribution of a specific version of the Licensed Work under this
License, whichever comes first, the Licensor hereby grants you rights under
the terms of the Change License, and the rights granted in the paragraph
above terminate.
If your use of the Licensed Work does not comply with the requirements
currently in effect as described in this License, you must purchase a
commercial license from the Licensor, its affiliated entities, or authorized
resellers, or you must refrain from using the Licensed Work.
All copies of the original and modified Licensed Work, and derivative works
of the Licensed Work, are subject to this License. This License applies
separately for each version of the Licensed Work and the Change Date may vary
for each version of the Licensed Work released by Licensor.
You must conspicuously display this License on each original or modified copy
of the Licensed Work. If you receive the Licensed Work in original or
modified form from a third party, the terms and conditions set forth in this
License apply to your use of that work.
Any use of the Licensed Work in violation of this License will automatically
terminate your rights under this License for the current and all other
versions of the Licensed Work.
This License does not grant you any right in any trademark or logo of
Licensor or its affiliates (provided that you may use a trademark or logo of
Licensor as expressly required by this License).
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
TITLE.
MariaDB hereby grants you permission to use this Licenses text to license
your works, and to refer to it using the trademark “Business Source License”,
as long as you comply with the Covenants of Licensor below.
Covenants of Licensor
In consideration of the right to use this Licenses text and the “Business
Source License” name and trademark, Licensor covenants to MariaDB, and to all
other recipients of the licensed work to be provided by Licensor:
1. To specify as the Change License the GPL Version 2.0 or any later version,
or a license that is compatible with GPL Version 2.0 or a later version,
where “compatible” means that software provided under the Change License can
be included in a program with software provided under GPL Version 2.0 or a
later version. Licensor may specify additional Change Licenses without
limitation.
2. To either: (a) specify an additional grant of rights to use that does not
impose any additional restriction on the right granted in this License, as
the Additional Use Grant; or (b) insert the text “None”.
3. To specify a Change Date.
4. Not to modify this License in any other way.

7
apps/emqx_auth_ext/README.md Normal file
View File

@ -0,0 +1,7 @@
# EMQX Extended Auth Library
Library that extends EMQX authentication capbility for enterprise.
# License
EMQ Business Source License 1.1, refer to [LICENSE](BSL.txt).

2
apps/emqx_auth_ext/rebar.config Normal file
View File

@ -0,0 +1,2 @@
{erl_opts, [debug_info]}.
{deps, [{emqx, {path, "../emqx"}}]}.

21
apps/emqx_auth_ext/src/emqx_auth_ext.app.src Normal file
View File

@ -0,0 +1,21 @@
{application, emqx_auth_ext, [
{description, "EMQX Extended Auth Library"},
{vsn, "0.1.0"},
{registered, []},
{applications, [
kernel,
stdlib,
ssl,
emqx
]},
{env, []},
{modules, [
emqx_auth_ext,
emqx_auth_ext_schema,
emqx_auth_ext_tls_lib,
emqx_auth_ext_tls_const_v1
]},
{licenses, ["Apache-2.0"]},
{links, []}
]}.

28
apps/emqx_auth_ext/src/emqx_auth_ext.erl Normal file
View File

@ -0,0 +1,28 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2022-2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext).
-include_lib("emqx/include/emqx_schema.hrl").
-on_load(on_load/0).
-export([]).
-spec on_load() -> ok.
on_load() ->
init_ssl_fun_cb().
init_ssl_fun_cb() ->
lists:foreach(
fun({FunName, {_, _, _} = MFA}) ->
persistent_term:put(
?EMQX_SSL_FUN_MFA(FunName),
MFA
)
end,
[
{root_fun, {emqx_auth_ext_tls_lib, opt_partial_chain, []}},
{verify_fun, {emqx_auth_ext_tls_lib, opt_verify_fun, []}}
]
).

42
apps/emqx_auth_ext/src/emqx_auth_ext_schema.erl Normal file
View File

@ -0,0 +1,42 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2022-2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_schema).
-behaviour(emqx_schema_hooks).
-include_lib("typerefl/include/types.hrl").
-include_lib("hocon/include/hoconsc.hrl").
%%------------------------------------------------------------------------------
%% emqx_schema_hooks callbacks
%%------------------------------------------------------------------------------
-export([injected_fields/0]).
-spec injected_fields() -> #{emqx_schema_hooks:hookpoint() => [hocon_schema:field()]}.
injected_fields() ->
#{
'common_ssl_opts_schema' => fields(auth_ext)
}.
fields(auth_ext) ->
[
{"partial_chain",
sc(
hoconsc:enum([true, false, two_cacerts_from_cacertfile, cacert_from_cacertfile]),
#{
required => false,
desc => ?DESC(common_ssl_opts_schema_partial_chain)
}
)},
{"verify_peer_ext_key_usage",
sc(
string(),
#{
required => false,
desc => ?DESC(common_ssl_opts_verify_peer_ext_key_usage)
}
)}
].
sc(Type, Meta) -> hoconsc:mk(Type, Meta).

111
apps/emqx_auth_ext/src/emqx_auth_ext_tls_const_v1.erl Normal file
View File

@ -0,0 +1,111 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_tls_const_v1).
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
-export([
make_tls_root_fun/2,
make_tls_verify_fun/2
]).
-include_lib("public_key/include/public_key.hrl").
%% @doc Build a root fun for verify TLS partial_chain.
%% The `InputChain' is composed by OTP SSL with local cert store
%% AND the cert (chain if any) from the client.
%% @end
make_tls_root_fun(cacert_from_cacertfile, [Trusted]) ->
%% Allow only one trusted ca cert, and just return the defined trusted CA cert,
fun(_InputChain) ->
%% Note, returing `trusted_ca` doesn't really mean it accepts the connection
%% OTP SSL app will do the path validation, signature validation subsequently.
{trusted_ca, Trusted}
end;
make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
%% Allow two trusted CA certs in case of CA cert renewal
%% This is a little expensive call as it compares the binaries.
fun(InputChain) ->
case lists:member(TrustedOne, InputChain) of
true ->
{trusted_ca, TrustedOne};
false ->
{trusted_ca, TrustedTwo}
end
end.
make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
RequiredKeyUsages = ext_key_opts(KeyUsages),
{fun verify_fun_peer_extKeyUsage/3, RequiredKeyUsages}.
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
%% !! Override OTP verify peer default
%% OTP SSL is unhappy with the ext_key_usage but we will check on our own.
{unknown, UserState};
verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
%% OTP verify_peer default
{fail, Reason};
verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
%% OTP verify_peer default
{unknown, UserState};
verify_fun_peer_extKeyUsage(_, valid, UserState) ->
%% OTP verify_peer default
{valid, UserState};
verify_fun_peer_extKeyUsage(
#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
%% valid peer cert
valid_peer,
RequiredKeyUsages
) ->
%% override OTP verify_peer default
%% must have id-ce-extKeyUsage
case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
#'Extension'{extnID = ?'id-ce-extKeyUsage', extnValue = VL} ->
case do_verify_ext_key_usage(VL, RequiredKeyUsages) of
true ->
%% pass the check,
%% fallback to OTP verify_peer default
{valid, RequiredKeyUsages};
false ->
{fail, extKeyUsage_unmatched}
end;
_ ->
{fail, extKeyUsage_not_set}
end.
%% @doc check required extkeyUsages are presented in the cert
do_verify_ext_key_usage(_, []) ->
%% Verify finished
true;
do_verify_ext_key_usage(CertExtL, [Usage | T] = _Required) ->
case lists:member(Usage, CertExtL) of
true ->
do_verify_ext_key_usage(CertExtL, T);
false ->
false
end.
%% @doc Helper tls cert extension
-spec ext_key_opts(string()) -> [OidString :: string() | public_key:oid()].
ext_key_opts(Str) ->
Usages = string:tokens(Str, ","),
lists:map(
fun
("clientAuth") ->
?'id-kp-clientAuth';
("serverAuth") ->
?'id-kp-serverAuth';
("codeSigning") ->
?'id-kp-codeSigning';
("emailProtection") ->
?'id-kp-emailProtection';
("timeStamping") ->
?'id-kp-timeStamping';
("ocspSigning") ->
?'id-kp-OCSPSigning';
("OID:" ++ OidStr) ->
OidList = string:tokens(OidStr, "."),
list_to_tuple(lists:map(fun list_to_integer/1, OidList))
end,
Usages
).

66
apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl Normal file
View File

@ -0,0 +1,66 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_tls_lib).
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
-export([
opt_partial_chain/1,
opt_verify_fun/1
]).
-include_lib("emqx/include/logger.hrl").
-define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
%% @doc enable TLS partial_chain validation if set.
-spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
opt_partial_chain(#{partial_chain := false} = SslOpts) ->
maps:remove(partial_chain, SslOpts);
opt_partial_chain(#{partial_chain := true} = SslOpts) ->
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
opt_partial_chain(#{partial_chain := two_cacerts_from_cacertfile} = SslOpts) ->
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(2, SslOpts)};
opt_partial_chain(SslOpts) ->
SslOpts.
%% @doc make verify_fun if set.
-spec opt_verify_fun(SslOpts :: map()) -> NewSslOpts :: map().
opt_verify_fun(#{verify_peer_ext_key_usage := V} = SslOpts) when V =/= undefined ->
SslOpts#{verify_fun => ?CONST_MOD_V1:make_tls_verify_fun(verify_cert_extKeyUsage, V)};
opt_verify_fun(SslOpts) ->
SslOpts.
%% @doc Helper, make TLS root_fun
rootfun_trusted_ca_from_cacertfile(NumOfCerts, #{cacertfile := Cacertfile}) ->
case file:read_file(emqx_schema:naive_env_interpolation(Cacertfile)) of
{ok, PemBin} ->
try
do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin)
catch
_Error:_Info:ST ->
%% The cacertfile will be checked by OTP SSL as well and OTP choice to be silent on this.
%% We are touching security sutffs, don't leak extra info..
?SLOG(error, #{
msg => "trusted_cacert_not_found_in_cacertfile", stacktrace => ST
}),
throw({error, ?FUNCTION_NAME})
end;
{error, Reason} ->
throw({error, {read_cacertfile_error, Cacertfile, Reason}})
end;
rootfun_trusted_ca_from_cacertfile(_NumOfCerts, _SslOpts) ->
throw({error, cacertfile_unset}).
do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin) ->
%% The last one or two should be the top parent in the chain if it is a chain
Certs = public_key:pem_decode(PemBin),
Pos = length(Certs) - NumOfCerts + 1,
Trusted = [
CADer
|| {'Certificate', CADer, _} <-
lists:sublist(public_key:pem_decode(PemBin), Pos, NumOfCerts)
],
?CONST_MOD_V1:make_tls_root_fun(cacert_from_cacertfile, Trusted).

247
apps/emqx_auth_ext/test/emqx_auth_ext_listener_tls_verify_chain_SUITE.erl Normal file
View File

@ -0,0 +1,247 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_listener_tls_verify_chain_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-import(
emqx_test_tls_certs_helper,
[
emqx_start_listener/4,
fail_when_ssl_error/1,
fail_when_no_ssl_alert/2,
generate_tls_certs/1,
select_free_port/1
]
).
all() -> emqx_common_test_helpers:all(?MODULE).
init_per_suite(Config) ->
generate_tls_certs(Config),
application:ensure_all_started(esockd),
[{ssl_config, ssl_config_verify_peer()} | Config].
end_per_suite(_Config) ->
application:stop(esockd).
t_conn_fail_with_intermediate_ca_cert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
t_conn_fail_with_other_intermediate_ca_cert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")},
{verify, verify_none}
],
1000
),
fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket).
t_conn_success_with_server_client_composed_complete_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Server has root ca cert
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "root.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}
],
%% Client has complete chain
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
{verify, verify_none}
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Server has root ca cert
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "root.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config)
]}
],
%% Client has partial_chain
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
{verify, verify_none}
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Server has root ca cert
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_with_client_complete_cert_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "root.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
{verify, verify_none}
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_fail_with_server_partial_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% imcomplete at server side
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
{versions, ['tlsv1.2']},
{verify, verify_none}
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_without_root_cacert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options, [
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
%% stick to tlsv1.2 for consistent error message
{versions, ['tlsv1.2']},
{cacertfile, filename:join(DataDir, "intermediate2.pem")}
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
ssl_config_verify_peer() ->
[
{verify, verify_peer},
{fail_if_no_peer_cert, true}
].

362
apps/emqx_auth_ext/test/emqx_auth_ext_listener_tls_verify_keyusage_SUITE.erl Normal file
View File

@ -0,0 +1,362 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_listener_tls_verify_keyusage_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-import(
emqx_test_tls_certs_helper,
[
fail_when_ssl_error/1,
fail_when_no_ssl_alert/2,
generate_tls_certs/1,
gen_host_cert/4,
emqx_start_listener/4,
select_free_port/1
]
).
all() ->
[
{group, full_chain},
{group, partial_chain}
].
all_tc() ->
emqx_common_test_helpers:all(?MODULE).
groups() ->
[
{partial_chain, [], all_tc()},
{full_chain, [], all_tc()}
].
init_per_suite(Config) ->
generate_tls_certs(Config),
application:ensure_all_started(esockd),
Config.
end_per_suite(_Config) ->
application:stop(esockd).
init_per_group(full_chain, Config) ->
[{ssl_config, ssl_config_verify_peer_full_chain(Config)} | Config];
init_per_group(partial_chain, Config) ->
[{ssl_config, ssl_config_verify_peer_partial_chain(Config)} | Config];
init_per_group(_, Config) ->
Config.
end_per_group(_, Config) ->
Config.
t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Given listener keyusage unset
Options = [{ssl_options, ?config(ssl_config, Config)}],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% when client connect with cert without keyusage ext
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is set to undefined
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, undefined}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% when client connect with cert without keyusages ext
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is set to clientAuth
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "clientAuth"}
| ?config(ssl_config, Config)
]}
],
%% When client cert has clientAuth that is matched
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is set to raw OID
%% from OTP-PUB-KEY.hrl
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.2"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client cert has keyusage and matched.
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is clientAuth,serverAuth
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "clientAuth,serverAuth"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client cert has the same keyusage ext list
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is clientAuth,serverAuth
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "serverAuth,clientAuth"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client cert has the same keyusage ext list but different order
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connection success
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is using OID
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.1"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client cert has the keyusage but not matching OID
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connecion should fail.
fail_when_no_ssl_alert(Socket, handshake_failure),
ok = ssl:close(Socket).
t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, ""}
| ?config(ssl_config, Config)
]}
],
%% Give listener keyusage is empty string
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client connect with cert without keyusage
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
%% Then connecion should fail.
fail_when_no_ssl_alert(Socket, handshake_failure),
ok = ssl:close(Socket).
t_conn_fail_client_keyusage_unmatch(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is clientAuth
Options = [
{ssl_options, [
{verify_peer_ext_key_usage, "clientAuth"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client connect with mismatch cert keyusage = codeSigning
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
],
1000
),
%% Then connecion should fail.
fail_when_no_ssl_alert(Socket, handshake_failure),
ok = ssl:close(Socket).
t_conn_fail_client_keyusage_incomplete(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Give listener keyusage is codeSigning,clientAuth
Options = [
{ssl_options, [
{verify_peer_ext_key_usage,
"serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,ocspSigning"}
| ?config(ssl_config, Config)
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
%% When client connect with cert keyusage = clientAuth
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
],
1000
),
%% Then connection should fail
fail_when_no_ssl_alert(Socket, handshake_failure),
ok = ssl:close(Socket).
%%%
%%% Helpers
%%%
gen_client_cert_ext_keyusage(Name, CA, DataDir, Usage) when is_atom(Name) ->
gen_client_cert_ext_keyusage(atom_to_list(Name), CA, DataDir, Usage);
gen_client_cert_ext_keyusage(Name, CA, DataDir, Usage) ->
gen_host_cert(Name, CA, DataDir, #{ext => "extendedKeyUsage=" ++ Usage}).
client_key_file(DataDir, Name) ->
filename:join(DataDir, Name) ++ ".key".
client_pem_file(DataDir, Name) ->
filename:join(DataDir, Name) ++ ".pem".
ssl_config_verify_peer_full_chain(Config) ->
[
{cacertfile, filename:join(?config(data_dir, Config), "intermediate1-root-bundle.pem")}
| ssl_config_verify_peer(Config)
].
ssl_config_verify_peer_partial_chain(Config) ->
[
{cacertfile, filename:join(?config(data_dir, Config), "intermediate1.pem")},
{partial_chain, true}
| ssl_config_verify_peer(Config)
].
ssl_config_verify_peer(Config) ->
DataDir = ?config(data_dir, Config),
[
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{keyfile, filename:join(DataDir, "server1.key")},
{certfile, filename:join(DataDir, "server1.pem")}
%% , {log_level, debug}
].

709
apps/emqx_auth_ext/test/emqx_auth_ext_listener_tls_verify_partial_chain_SUITE.erl Normal file
View File

@ -0,0 +1,709 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_listener_tls_verify_partial_chain_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-import(
emqx_test_tls_certs_helper,
[
emqx_start_listener/4,
fail_when_ssl_error/1,
fail_when_no_ssl_alert/2,
generate_tls_certs/1,
select_free_port/1
]
).
all() -> emqx_common_test_helpers:all(?MODULE).
init_per_suite(Config) ->
generate_tls_certs(Config),
application:ensure_all_started(esockd),
[{ssl_config, ssl_config_verify_partial_chain()} | Config].
end_per_suite(_Config) ->
application:stop(esockd).
t_conn_success_with_server_intermediate_cacert_and_client_cert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
t_conn_success_with_intermediate_cacert_bundle(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "server1-intermediate1-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
t_conn_success_with_renewed_intermediate_cacert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1_renewed.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundle(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_renewed_client_cert(
Config
) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")},
{partial_chain, two_cacerts_from_cacertfile}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2_renewed.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
%% Note, this is good to have for usecase coverage
t_conn_success_with_new_intermediate_cacert_and_client_provides_renewed_client_cert_signed_by_old_intermediate(
Config
) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2_renewed.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
%% @doc server should build a partial_chain with old version of ca cert.
t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_client_cert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")},
{partial_chain, two_cacerts_from_cacertfile}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
%% @doc verify when config does not allow two versions of certs from same trusted CA.
t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
%% @doc verify when config (two_cacerts_from_cacertfile) allows two versions of certs from same trusted CA.
t_001_conn_success_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_old_bundle(
Config
) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")},
{partial_chain, two_cacerts_from_cacertfile}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ssl:close(Socket).
%% @doc: verify even if listener has old/new intermediate2 certs,
%% client1 should not able to connect with old intermediate2 cert.
%% In this case, listener verify_fun returns {trusted_ca, Oldintermediate2Cert} but
%% OTP should still fail the validation since the client1 cert is not signed by
%% Oldintermediate2Cert (trusted CA cert).
%% @end
t_conn_fail_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_all_CAcerts(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")},
{partial_chain, two_cacerts_from_cacertfile}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "all-CAcerts-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1_renewed.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_intermediate_cacert_bundle_but_incorrect_order(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1-server1-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_when_singed_by_other_intermediate_ca(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_complete_chain_that_server_root_cacert_and_client_complete_cert_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "root.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_fail_with_other_client_complete_cert_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_intermediate_and_other_client_complete_cert_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1-root-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_with_server_intermediate_cacert_and_client_complete_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_fail_with_server_intermediate_chain_and_client_other_incomplete_cert_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_intermediate_and_other_client_root_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_success_with_server_intermediate_and_client_root_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
%% @doc once rootCA cert present in cacertfile, sibling CA signed Client cert could connect.
t_conn_success_with_server_all_CA_bundle_and_client_root_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "all-CAcerts-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
{ok, Socket} = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "two-intermediates-bundle.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
{certfile, filename:join(DataDir, "server1.pem")},
{keyfile, filename:join(DataDir, "server1.key")},
{partial_chain, false}
]}
],
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
Res = ssl:connect(
{127, 0, 0, 1},
Port,
[
{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
| client_default_tls_opts()
],
1000
),
fail_when_no_ssl_alert(Res, unknown_ca).
t_error_handling_invalid_cacertfile(Config) ->
Port = select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% trigger error
Options = [
{ssl_options,
?config(ssl_config, Config) ++
[
{cacertfile, filename:join(DataDir, "server2.key")},
{certfile, filename:join(DataDir, "server2.pem")},
{keyfile, filename:join(DataDir, "server2.key")}
]}
],
?assertException(
throw,
{error, rootfun_trusted_ca_from_cacertfile},
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options)
).
ssl_config_verify_partial_chain() ->
[
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{partial_chain, true}
].
client_default_tls_opts() ->
[
{versions, ['tlsv1.2']},
{verify, verify_none}
].

66
apps/emqx_auth_ext/test/emqx_auth_ext_schema_SUITE.erl Normal file
View File

@ -0,0 +1,66 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ext_schema_SUITE).
-compile(nowarn_export_all).
-compile(export_all).
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(BASE_CONF,
"\n"
" listeners.ssl.auth_ext.bind = 28883\n"
" listeners.ssl.auth_ext.enable = true\n"
" listeners.ssl.auth_ext.ssl_options.partial_chain = true\n"
" listeners.ssl.auth_ext.ssl_options.verify = verify_peer\n"
" listeners.ssl.auth_ext.ssl_options.verify_peer_ext_key_usage = \"clientAuth\"\n"
" "
).
all() ->
emqx_common_test_helpers:all(?MODULE).
init_per_suite(Config) ->
%% injection happens when module is loaded.
code:load_file(emqx_auth_ext),
Apps = emqx_cth_suite:start(
[
emqx,
{emqx_conf, ?BASE_CONF}
],
#{work_dir => emqx_cth_suite:work_dir(Config)}
),
emqx_listeners:restart(),
[{apps, Apps} | Config].
end_per_suite(Config) ->
Apps = ?config(apps, Config),
ok = emqx_cth_suite:stop(Apps),
code:delete(emqx_auth_ext),
code:purge(emqx_auth_ext),
ok.
t_conf_check_default(_Config) ->
Opts = esockd:get_options({'ssl:default', {{0, 0, 0, 0}, 8883}}),
SSLOpts = proplists:get_value(ssl_options, Opts),
?assertEqual(none, proplists:lookup(partial_chain, SSLOpts)),
?assertEqual(none, proplists:lookup(verify_fun, SSLOpts)).
t_conf_check_auth_ext(_Config) ->
Opts = esockd:get_options({'ssl:auth_ext', 28883}),
SSLOpts = proplists:get_value(ssl_options, Opts),
?assertMatch(Fun when is_function(Fun), proplists:get_value(partial_chain, SSLOpts)),
?assertMatch({Fun, _} when is_function(Fun), proplists:get_value(verify_fun, SSLOpts)).

10
apps/emqx_conf/src/emqx_conf_schema.erl
View File

@ -70,9 +70,19 @@
emqx_otel_schema, emqx_otel_schema,
emqx_mgmt_api_key_schema emqx_mgmt_api_key_schema
]). ]).
-define(AUTH_EXT_SCHEMA_MODS, [emqx_auth_ext_schema]).
-if(defined(EMQX_RELEASE_EDITION) andalso ?EMQX_RELEASE_EDITION == ee).
-define(OTHER_INJECTING_CONFIGS, ?AUTH_EXT_SCHEMA_MODS).
-else.
-define(OTHER_INJECTING_CONFIGS, []).
-endif.
-define(INJECTING_CONFIGS, [ -define(INJECTING_CONFIGS, [
{emqx_authn_schema, ?AUTHN_PROVIDER_SCHEMA_MODS}, {emqx_authn_schema, ?AUTHN_PROVIDER_SCHEMA_MODS},
{emqx_authz_schema, ?AUTHZ_SOURCE_SCHEMA_MODS} {emqx_authz_schema, ?AUTHZ_SOURCE_SCHEMA_MODS}
| ?OTHER_INJECTING_CONFIGS
]). ]).
%% 1 million default ports counter %% 1 million default ports counter

8
apps/emqx_gateway/src/emqx_gateway_utils.erl
View File

@ -559,6 +559,8 @@ ssl_opts(Name, Opts) ->
[ [
fun ssl_opts_crl_config/2, fun ssl_opts_crl_config/2,
fun ssl_opts_drop_unsupported/2, fun ssl_opts_drop_unsupported/2,
fun ssl_partial_chain/2,
fun ssl_verify_fun/2,
fun ssl_server_opts/2 fun ssl_server_opts/2
], ],
SSLOpts, SSLOpts,
@ -586,6 +588,12 @@ ssl_server_opts(SSLOpts, ssl_options) ->
ssl_server_opts(SSLOpts, dtls_options) -> ssl_server_opts(SSLOpts, dtls_options) ->
emqx_tls_lib:to_server_opts(dtls, SSLOpts). emqx_tls_lib:to_server_opts(dtls, SSLOpts).
ssl_partial_chain(SSLOpts, _Options) ->
emqx_tls_lib:maybe_inject_ssl_fun(root_fun, SSLOpts).
ssl_verify_fun(SSLOpts, _Options) ->
emqx_tls_lib:maybe_inject_ssl_fun(verify_fun, SSLOpts).
ranch_opts(Type, ListenOn, Opts) -> ranch_opts(Type, ListenOn, Opts) ->
NumAcceptors = maps:get(acceptors, Opts, 4), NumAcceptors = maps:get(acceptors, Opts, 4),
MaxConnections = maps:get(max_connections, Opts, 1024), MaxConnections = maps:get(max_connections, Opts, 1024),

3
apps/emqx_machine/priv/reboot_lists.eterm
View File

@ -130,7 +130,8 @@
emqx_gateway_ocpp, emqx_gateway_ocpp,
emqx_gateway_jt808, emqx_gateway_jt808,
emqx_bridge_syskeeper, emqx_bridge_syskeeper,
emqx_bridge_confluent emqx_bridge_confluent,
emqx_auth_ext
], ],
%% must always be of type `load' %% must always be of type `load'
ce_business_apps => ce_business_apps =>

22
changes/ee/feat-13211.en.md Normal file
View File

@ -0,0 +1,22 @@
Enhance TLS listener to support more flexible TLS verifications.
- partial_chain support
If the option `partial_chain` is set to `true`, allow connections with incomplete certificate chains.
Check the configuration manual document for more details.
- Certificate KeyUsage Validation
Added support for required Extended Key Usage defined in
[rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).
Introduced a new option (`verify_peer_ext_key_usage`) to require specific key usages (like "serverAuth")
in peer certificates during the TLS handshake.
This strengthens security by ensuring certificates are used for their intended purposes.
example:
"serverAuth,OID:1.3.6.1.5.5.7.3.2"
Check the configuration manual document for more details.

3
mix.exs
View File

@ -201,7 +201,8 @@ defmodule EMQXUmbrella.MixProject do
:emqx_gateway_gbt32960, :emqx_gateway_gbt32960,
:emqx_gateway_ocpp, :emqx_gateway_ocpp,
:emqx_gateway_jt808, :emqx_gateway_jt808,
:emqx_bridge_syskeeper :emqx_bridge_syskeeper,
:emqx_auth_ext
]) ])
end end

1
rebar.config.erl
View File

@ -120,6 +120,7 @@ is_community_umbrella_app("apps/emqx_schema_validation") -> false;
is_community_umbrella_app("apps/emqx_message_transformation") -> false; is_community_umbrella_app("apps/emqx_message_transformation") -> false;
is_community_umbrella_app("apps/emqx_eviction_agent") -> false; is_community_umbrella_app("apps/emqx_eviction_agent") -> false;
is_community_umbrella_app("apps/emqx_node_rebalance") -> false; is_community_umbrella_app("apps/emqx_node_rebalance") -> false;
is_community_umbrella_app("apps/emqx_auth_ext") -> false;
is_community_umbrella_app(_) -> true. is_community_umbrella_app(_) -> true.
%% BUILD_WITHOUT_JQ %% BUILD_WITHOUT_JQ

46
rel/i18n/emqx_auth_ext_schema.hocon Normal file
View File

@ -0,0 +1,46 @@
emqx_auth_ext_schema {
common_ssl_opts_schema_partial_chain.desc:
"""Enable or disable peer verification with partial_chain.
When local verifies a peer certificate during the x509 path validation
process, it constructs a certificate chain that starts with the peer
certificate and ends with a trust anchor.
By default, if it is set to `false`, the trust anchor is the
Root CA, and the certificate chain must be complete.
However, if the setting is set to `true` or `cacert_from_cacertfile`,
the last certificate in `cacertfile` will be used as the trust anchor
certificate (intermediate CA). This creates a partial chain
in the path validation.
Alternatively, if it is configured with `two_cacerts_from_cacertfile`,
one of the last two certificates in `cacertfile` will be used as the
trust anchor certificate, forming a partial chain. This option is
particularly useful for intermediate CA certificate rotation.
However, please note that it incurs some additional overhead, so it
should only be used for certificate rotation purposes."""
common_ssl_opts_schema_partial_chain.label:
"""Partial chain"""
common_ssl_opts_verify_peer_ext_key_usage.desc:
"""Verify extended key usage in peer's certificate
For additional peer certificate validation, the value defined here must present in the
'Extended Key Usage' of peer certificate defined in
[rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).
Allowed values are
- `clientAuth`
- `serverAuth`
- `codeSigning`
- `emailProtection`
- `timeStamping`
- `ocspSigning`
- raw OID, for example: "OID:1.3.6.1.5.5.7.3.2" means `id-pk 2` which is equivalent to `clientAuth`
Comma-separated string is also supported for validating more than one key usages.
For example, `"serverAuth,OID:1.3.6.1.5.5.7.3.2"`"""
common_ssl_opts_verify_peer_ext_key_usage.label:
"""Verify KeyUsage in cert"""
}

1
scripts/spellcheck/dicts/emqx.txt
View File

@ -310,3 +310,4 @@ ElasticSearch
doc_as_upsert doc_as_upsert
upsert upsert
aliyun aliyun
OID