Merge pull request #13211 from qzhuyan/fix/william/rel57/ee-tls
Fix/william/rel57/ee tls
This commit is contained in:
commit
723144199e
|
@ -21,4 +21,9 @@
|
||||||
-define(TOMBSTONE_CONFIG_CHANGE_REQ, mark_it_for_deletion).
|
-define(TOMBSTONE_CONFIG_CHANGE_REQ, mark_it_for_deletion).
|
||||||
-define(CONFIG_NOT_FOUND_MAGIC, '$0tFound').
|
-define(CONFIG_NOT_FOUND_MAGIC, '$0tFound').
|
||||||
|
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% EE injections
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
-define(EMQX_SSL_FUN_MFA(Name), {emqx_ssl_fun_mfa, Name}).
|
||||||
|
|
||||||
-endif.
|
-endif.
|
||||||
|
|
|
@ -611,7 +611,9 @@ esockd_opts(ListenerId, Type, Name, Opts0) ->
|
||||||
ssl ->
|
ssl ->
|
||||||
OptsWithCRL = inject_crl_config(Opts0),
|
OptsWithCRL = inject_crl_config(Opts0),
|
||||||
OptsWithSNI = inject_sni_fun(ListenerId, OptsWithCRL),
|
OptsWithSNI = inject_sni_fun(ListenerId, OptsWithCRL),
|
||||||
SSLOpts = ssl_opts(OptsWithSNI),
|
OptsWithRootFun = inject_root_fun(OptsWithSNI),
|
||||||
|
OptsWithVerifyFun = inject_verify_fun(OptsWithRootFun),
|
||||||
|
SSLOpts = ssl_opts(OptsWithVerifyFun),
|
||||||
Opts3#{ssl_options => SSLOpts, tcp_options => tcp_opts(Opts0)}
|
Opts3#{ssl_options => SSLOpts, tcp_options => tcp_opts(Opts0)}
|
||||||
end
|
end
|
||||||
).
|
).
|
||||||
|
@ -635,8 +637,18 @@ ranch_opts(Type, Opts = #{bind := ListenOn}) ->
|
||||||
MaxConnections = maps:get(max_connections, Opts, 1024),
|
MaxConnections = maps:get(max_connections, Opts, 1024),
|
||||||
SocketOpts =
|
SocketOpts =
|
||||||
case Type of
|
case Type of
|
||||||
wss -> tcp_opts(Opts) ++ proplists:delete(handshake_timeout, ssl_opts(Opts));
|
wss ->
|
||||||
ws -> tcp_opts(Opts)
|
tcp_opts(Opts) ++
|
||||||
|
lists:filter(
|
||||||
|
fun
|
||||||
|
({partial_chain, _}) -> false;
|
||||||
|
({handshake_timeout, _}) -> false;
|
||||||
|
(_) -> true
|
||||||
|
end,
|
||||||
|
ssl_opts(Opts)
|
||||||
|
);
|
||||||
|
ws ->
|
||||||
|
tcp_opts(Opts)
|
||||||
end,
|
end,
|
||||||
#{
|
#{
|
||||||
num_acceptors => NumAcceptors,
|
num_acceptors => NumAcceptors,
|
||||||
|
@ -962,6 +974,11 @@ quic_listener_optional_settings() ->
|
||||||
stateless_operation_expiration_ms
|
stateless_operation_expiration_ms
|
||||||
].
|
].
|
||||||
|
|
||||||
|
inject_root_fun(#{ssl_options := SSLOpts} = Opts) ->
|
||||||
|
Opts#{ssl_options := emqx_tls_lib:maybe_inject_ssl_fun(root_fun, SSLOpts)}.
|
||||||
|
inject_verify_fun(#{ssl_options := SSLOpts} = Opts) ->
|
||||||
|
Opts#{ssl_options := emqx_tls_lib:maybe_inject_ssl_fun(verify_fun, SSLOpts)}.
|
||||||
|
|
||||||
inject_sni_fun(ListenerId, Conf = #{ssl_options := #{ocsp := #{enable_ocsp_stapling := true}}}) ->
|
inject_sni_fun(ListenerId, Conf = #{ssl_options := #{ocsp := #{enable_ocsp_stapling := true}}}) ->
|
||||||
emqx_ocsp_cache:inject_sni_fun(ListenerId, Conf);
|
emqx_ocsp_cache:inject_sni_fun(ListenerId, Conf);
|
||||||
inject_sni_fun(_ListenerId, Conf) ->
|
inject_sni_fun(_ListenerId, Conf) ->
|
||||||
|
|
|
@ -191,6 +191,8 @@
|
||||||
-define(DEFAULT_MULTIPLIER, 1.5).
|
-define(DEFAULT_MULTIPLIER, 1.5).
|
||||||
-define(DEFAULT_BACKOFF, 0.75).
|
-define(DEFAULT_BACKOFF, 0.75).
|
||||||
|
|
||||||
|
-define(INJECTING_CONFIGS, [?AUTH_EXT_SCHEMA_MODS]).
|
||||||
|
|
||||||
namespace() -> emqx.
|
namespace() -> emqx.
|
||||||
|
|
||||||
tags() ->
|
tags() ->
|
||||||
|
@ -2247,7 +2249,7 @@ common_ssl_opts_schema(Defaults, Type) ->
|
||||||
desc => ?DESC(common_ssl_opts_schema_hibernate_after)
|
desc => ?DESC(common_ssl_opts_schema_hibernate_after)
|
||||||
}
|
}
|
||||||
)}
|
)}
|
||||||
].
|
] ++ emqx_schema_hooks:injection_point('common_ssl_opts_schema').
|
||||||
|
|
||||||
%% @doc Make schema for SSL listener options.
|
%% @doc Make schema for SSL listener options.
|
||||||
-spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema().
|
-spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema().
|
||||||
|
|
|
@ -15,6 +15,7 @@
|
||||||
%%--------------------------------------------------------------------
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
-module(emqx_tls_lib).
|
-module(emqx_tls_lib).
|
||||||
|
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
|
||||||
|
|
||||||
%% version & cipher suites
|
%% version & cipher suites
|
||||||
-export([
|
-export([
|
||||||
|
@ -44,10 +45,13 @@
|
||||||
to_client_opts/2
|
to_client_opts/2
|
||||||
]).
|
]).
|
||||||
|
|
||||||
|
-export([maybe_inject_ssl_fun/2]).
|
||||||
|
|
||||||
%% ssl:tls_version/0 is not exported.
|
%% ssl:tls_version/0 is not exported.
|
||||||
-type tls_version() :: tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3'.
|
-type tls_version() :: tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3'.
|
||||||
|
|
||||||
-include("logger.hrl").
|
-include("logger.hrl").
|
||||||
|
-include("emqx_schema.hrl").
|
||||||
|
|
||||||
-define(IS_TRUE(Val), ((Val =:= true) orelse (Val =:= <<"true">>))).
|
-define(IS_TRUE(Val), ((Val =:= true) orelse (Val =:= <<"true">>))).
|
||||||
-define(IS_FALSE(Val), ((Val =:= false) orelse (Val =:= <<"false">>))).
|
-define(IS_FALSE(Val), ((Val =:= false) orelse (Val =:= <<"false">>))).
|
||||||
|
@ -685,3 +689,14 @@ ensure_ssl_file_key(SSL, RequiredKeyPaths) ->
|
||||||
[] -> ok;
|
[] -> ok;
|
||||||
Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}}
|
Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
-spec maybe_inject_ssl_fun(root_fun | verify_fun, map()) -> map().
|
||||||
|
maybe_inject_ssl_fun(FunName, SslOpts) ->
|
||||||
|
case persistent_term:get(?EMQX_SSL_FUN_MFA(FunName), undefined) of
|
||||||
|
undefined ->
|
||||||
|
SslOpts;
|
||||||
|
{M, F, A} ->
|
||||||
|
%% We should have one entry not a list of {M,F,A},
|
||||||
|
%% as ordering matters in validations
|
||||||
|
erlang:apply(M, F, [SslOpts | A])
|
||||||
|
end.
|
||||||
|
|
|
@ -0,0 +1,307 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_test_tls_certs_helper).
|
||||||
|
-export([
|
||||||
|
gen_ca/2,
|
||||||
|
gen_host_cert/3,
|
||||||
|
gen_host_cert/4,
|
||||||
|
|
||||||
|
select_free_port/1,
|
||||||
|
generate_tls_certs/1,
|
||||||
|
|
||||||
|
fail_when_ssl_error/1,
|
||||||
|
fail_when_ssl_error/2,
|
||||||
|
fail_when_no_ssl_alert/2,
|
||||||
|
fail_when_no_ssl_alert/3,
|
||||||
|
|
||||||
|
emqx_start_listener/4
|
||||||
|
]).
|
||||||
|
|
||||||
|
-include_lib("common_test/include/ct.hrl").
|
||||||
|
|
||||||
|
%%-------------------------------------------------------------------------------
|
||||||
|
%% Start Listener
|
||||||
|
%%-------------------------------------------------------------------------------
|
||||||
|
emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
|
||||||
|
emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
|
||||||
|
emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
|
||||||
|
Opts = Opts0#{
|
||||||
|
enable => true,
|
||||||
|
bind => {{127, 0, 0, 1}, Port},
|
||||||
|
mountpoint => <<>>,
|
||||||
|
zone => default,
|
||||||
|
ssl_options => maps:from_list(SslOptions)
|
||||||
|
},
|
||||||
|
ct:pal("start listener with ~p ~p", [Name, Opts]),
|
||||||
|
emqx_listeners:start_listener(ssl, Name, Opts).
|
||||||
|
|
||||||
|
%%-------------------------------------------------------------------------------
|
||||||
|
%% TLS certs
|
||||||
|
%%-------------------------------------------------------------------------------
|
||||||
|
gen_ca(Path, Name) ->
|
||||||
|
%% Generate ca.pem and ca.key which will be used to generate certs
|
||||||
|
%% for hosts server and clients
|
||||||
|
ECKeyFile = eckey_name(Path),
|
||||||
|
filelib:ensure_dir(ECKeyFile),
|
||||||
|
os:cmd("openssl ecparam -name secp256r1 > " ++ ECKeyFile),
|
||||||
|
Cmd = lists:flatten(
|
||||||
|
io_lib:format(
|
||||||
|
"openssl req -new -x509 -nodes "
|
||||||
|
"-newkey ec:~s "
|
||||||
|
"-keyout ~s -out ~s -days 3650 "
|
||||||
|
"-addext basicConstraints=CA:TRUE "
|
||||||
|
"-subj \"/C=SE/O=TEST CA\"",
|
||||||
|
[
|
||||||
|
ECKeyFile,
|
||||||
|
ca_key_name(Path, Name),
|
||||||
|
ca_cert_name(Path, Name)
|
||||||
|
]
|
||||||
|
)
|
||||||
|
),
|
||||||
|
os:cmd(Cmd).
|
||||||
|
|
||||||
|
ca_cert_name(Path, Name) ->
|
||||||
|
filename(Path, "~s.pem", [Name]).
|
||||||
|
ca_key_name(Path, Name) ->
|
||||||
|
filename(Path, "~s.key", [Name]).
|
||||||
|
|
||||||
|
eckey_name(Path) ->
|
||||||
|
filename(Path, "ec.key", []).
|
||||||
|
|
||||||
|
gen_host_cert(H, CaName, Path) ->
|
||||||
|
gen_host_cert(H, CaName, Path, #{}).
|
||||||
|
|
||||||
|
gen_host_cert(H, CaName, Path, Opts) ->
|
||||||
|
ECKeyFile = eckey_name(Path),
|
||||||
|
CN = str(H),
|
||||||
|
HKey = filename(Path, "~s.key", [H]),
|
||||||
|
HCSR = filename(Path, "~s.csr", [H]),
|
||||||
|
HCSR2 = filename(Path, "~s.csr", [H]),
|
||||||
|
HPEM = filename(Path, "~s.pem", [H]),
|
||||||
|
HPEM2 = filename(Path, "~s_renewed.pem", [H]),
|
||||||
|
HEXT = filename(Path, "~s.extfile", [H]),
|
||||||
|
PasswordArg =
|
||||||
|
case maps:get(password, Opts, undefined) of
|
||||||
|
undefined ->
|
||||||
|
" -nodes ";
|
||||||
|
Password ->
|
||||||
|
io_lib:format(" -passout pass:'~s' ", [Password])
|
||||||
|
end,
|
||||||
|
|
||||||
|
create_file(
|
||||||
|
HEXT,
|
||||||
|
"keyUsage=digitalSignature,keyAgreement,keyCertSign\n"
|
||||||
|
"basicConstraints=CA:TRUE \n"
|
||||||
|
"~s \n"
|
||||||
|
"subjectAltName=DNS:~s\n",
|
||||||
|
[maps:get(ext, Opts, ""), CN]
|
||||||
|
),
|
||||||
|
|
||||||
|
CSR_Cmd = csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR, CN),
|
||||||
|
CSR_Cmd2 = csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR2, CN),
|
||||||
|
|
||||||
|
CERT_Cmd = cert_sign_cmd(
|
||||||
|
HEXT, HCSR, ca_cert_name(Path, CaName), ca_key_name(Path, CaName), HPEM
|
||||||
|
),
|
||||||
|
%% 2nd cert for testing renewed cert.
|
||||||
|
CERT_Cmd2 = cert_sign_cmd(
|
||||||
|
HEXT, HCSR2, ca_cert_name(Path, CaName), ca_key_name(Path, CaName), HPEM2
|
||||||
|
),
|
||||||
|
ct:pal(os:cmd(CSR_Cmd)),
|
||||||
|
ct:pal(os:cmd(CSR_Cmd2)),
|
||||||
|
ct:pal(os:cmd(CERT_Cmd)),
|
||||||
|
ct:pal(os:cmd(CERT_Cmd2)),
|
||||||
|
file:delete(HEXT).
|
||||||
|
|
||||||
|
cert_sign_cmd(ExtFile, CSRFile, CACert, CAKey, OutputCert) ->
|
||||||
|
lists:flatten(
|
||||||
|
io_lib:format(
|
||||||
|
"openssl x509 -req "
|
||||||
|
"-extfile ~s "
|
||||||
|
"-in ~s -CA ~s -CAkey ~s -CAcreateserial "
|
||||||
|
"-out ~s -days 500",
|
||||||
|
[
|
||||||
|
ExtFile,
|
||||||
|
CSRFile,
|
||||||
|
CACert,
|
||||||
|
CAKey,
|
||||||
|
OutputCert
|
||||||
|
]
|
||||||
|
)
|
||||||
|
).
|
||||||
|
|
||||||
|
csr_cmd(PasswordArg, ECKeyFile, HKey, HCSR, CN) ->
|
||||||
|
lists:flatten(
|
||||||
|
io_lib:format(
|
||||||
|
"openssl req -new ~s -newkey ec:~s "
|
||||||
|
"-keyout ~s -out ~s "
|
||||||
|
"-addext \"subjectAltName=DNS:~s\" "
|
||||||
|
"-addext basicConstraints=CA:TRUE "
|
||||||
|
"-addext keyUsage=digitalSignature,keyAgreement,keyCertSign "
|
||||||
|
"-subj \"/C=SE/O=TEST/CN=~s\"",
|
||||||
|
[PasswordArg, ECKeyFile, HKey, HCSR, CN, CN]
|
||||||
|
)
|
||||||
|
).
|
||||||
|
|
||||||
|
filename(Path, F, A) ->
|
||||||
|
filename:join(Path, str(io_lib:format(F, A))).
|
||||||
|
|
||||||
|
str(Arg) ->
|
||||||
|
binary_to_list(iolist_to_binary(Arg)).
|
||||||
|
|
||||||
|
create_file(Filename, Fmt, Args) ->
|
||||||
|
filelib:ensure_dir(Filename),
|
||||||
|
{ok, F} = file:open(Filename, [write]),
|
||||||
|
try
|
||||||
|
io:format(F, Fmt, Args)
|
||||||
|
after
|
||||||
|
file:close(F)
|
||||||
|
end,
|
||||||
|
ok.
|
||||||
|
|
||||||
|
%% @doc get unused port from OS
|
||||||
|
-spec select_free_port(tcp | udp | ssl | quic) -> inets:port_number().
|
||||||
|
select_free_port(tcp) ->
|
||||||
|
select_free_port(gen_tcp, listen);
|
||||||
|
select_free_port(udp) ->
|
||||||
|
select_free_port(gen_udp, open);
|
||||||
|
select_free_port(ssl) ->
|
||||||
|
select_free_port(tcp);
|
||||||
|
select_free_port(quic) ->
|
||||||
|
select_free_port(udp).
|
||||||
|
|
||||||
|
select_free_port(GenModule, Fun) when
|
||||||
|
GenModule == gen_tcp orelse
|
||||||
|
GenModule == gen_udp
|
||||||
|
->
|
||||||
|
{ok, S} = GenModule:Fun(0, [{reuseaddr, true}]),
|
||||||
|
{ok, Port} = inet:port(S),
|
||||||
|
ok = GenModule:close(S),
|
||||||
|
case os:type() of
|
||||||
|
{unix, darwin} ->
|
||||||
|
%% in MacOS, still get address_in_use after close port
|
||||||
|
timer:sleep(500);
|
||||||
|
_ ->
|
||||||
|
skip
|
||||||
|
end,
|
||||||
|
ct:pal("Select free OS port: ~p", [Port]),
|
||||||
|
Port.
|
||||||
|
|
||||||
|
%% @doc fail the test if ssl_error recvd
|
||||||
|
%% post check for success conn establishment
|
||||||
|
fail_when_ssl_error(Socket) ->
|
||||||
|
fail_when_ssl_error(Socket, 1000).
|
||||||
|
fail_when_ssl_error(Socket, Timeout) ->
|
||||||
|
receive
|
||||||
|
{ssl_error, Socket, _} ->
|
||||||
|
ct:fail("Handshake failed!")
|
||||||
|
after Timeout ->
|
||||||
|
ok
|
||||||
|
end.
|
||||||
|
|
||||||
|
%% @doc fail the test if no ssl_error
|
||||||
|
fail_when_no_ssl_alert(Res, Alert) ->
|
||||||
|
fail_when_no_ssl_alert(Res, Alert, 1000).
|
||||||
|
|
||||||
|
fail_when_no_ssl_alert({error, {tls_alert, {Alert, _}}}, Alert, _Timeout) ->
|
||||||
|
ok;
|
||||||
|
fail_when_no_ssl_alert({error, _} = Other, Alert, _Timeout) ->
|
||||||
|
ct:fail("returned unexpected ssl_error: ~p, expected ~n", [Other, Alert]);
|
||||||
|
fail_when_no_ssl_alert({ok, Socket}, Alert, Timeout) ->
|
||||||
|
fail_when_no_ssl_alert(Socket, Alert, Timeout);
|
||||||
|
fail_when_no_ssl_alert(Socket, Alert, Timeout) ->
|
||||||
|
receive
|
||||||
|
{ssl_error, Socket, {tls_alert, {Alert, AlertInfo}}} ->
|
||||||
|
ct:pal("alert info: ~p~n", [AlertInfo]);
|
||||||
|
{ssl_error, Socket, Other} ->
|
||||||
|
ct:fail("recv unexpected ssl_error: ~p~n", [Other])
|
||||||
|
after Timeout ->
|
||||||
|
ct:fail("No expected alert: ~p from Socket: ~p ", [Alert, Socket])
|
||||||
|
end.
|
||||||
|
|
||||||
|
%% @doc Generate TLS cert chain for tests
|
||||||
|
generate_tls_certs(Config) ->
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
gen_ca(DataDir, "root"),
|
||||||
|
gen_host_cert("intermediate1", "root", DataDir),
|
||||||
|
gen_host_cert("intermediate2", "root", DataDir),
|
||||||
|
gen_host_cert("server1", "intermediate1", DataDir),
|
||||||
|
gen_host_cert("client1", "intermediate1", DataDir),
|
||||||
|
gen_host_cert("server2", "intermediate2", DataDir),
|
||||||
|
gen_host_cert("client2", "intermediate2", DataDir),
|
||||||
|
|
||||||
|
%% Build bundles below
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "client2.pem"),
|
||||||
|
filename:join(DataDir, "intermediate2.pem"),
|
||||||
|
filename:join(DataDir, "root.pem"),
|
||||||
|
filename:join(DataDir, "client2-complete-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "client2.pem"),
|
||||||
|
filename:join(DataDir, "intermediate2.pem"),
|
||||||
|
filename:join(DataDir, "client2-intermediate2-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "client2.pem"),
|
||||||
|
filename:join(DataDir, "root.pem"),
|
||||||
|
filename:join(DataDir, "client2-root-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "server1.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1.pem"),
|
||||||
|
filename:join(DataDir, "server1-intermediate1-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "intermediate1.pem"),
|
||||||
|
filename:join(DataDir, "server1.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1-server1-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "intermediate1_renewed.pem"),
|
||||||
|
filename:join(DataDir, "root.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "intermediate2.pem"),
|
||||||
|
filename:join(DataDir, "intermediate2_renewed.pem"),
|
||||||
|
filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "intermediate1.pem"),
|
||||||
|
filename:join(DataDir, "root.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1-root-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "root.pem"),
|
||||||
|
filename:join(DataDir, "intermediate2.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1.pem"),
|
||||||
|
filename:join(DataDir, "all-CAcerts-bundle.pem")
|
||||||
|
])
|
||||||
|
),
|
||||||
|
os:cmd(
|
||||||
|
io_lib:format("cat ~p ~p > ~p", [
|
||||||
|
filename:join(DataDir, "intermediate2.pem"),
|
||||||
|
filename:join(DataDir, "intermediate1.pem"),
|
||||||
|
filename:join(DataDir, "two-intermediates-bundle.pem")
|
||||||
|
])
|
||||||
|
).
|
|
@ -0,0 +1,20 @@
|
||||||
|
.rebar3
|
||||||
|
_build
|
||||||
|
_checkouts
|
||||||
|
_vendor
|
||||||
|
.eunit
|
||||||
|
*.o
|
||||||
|
*.beam
|
||||||
|
*.plt
|
||||||
|
*.swp
|
||||||
|
*.swo
|
||||||
|
.erlang.cookie
|
||||||
|
ebin
|
||||||
|
log
|
||||||
|
erl_crash.dump
|
||||||
|
.rebar
|
||||||
|
logs
|
||||||
|
.idea
|
||||||
|
*.iml
|
||||||
|
rebar3.crashdump
|
||||||
|
*~
|
|
@ -0,0 +1,94 @@
|
||||||
|
Business Source License 1.1
|
||||||
|
|
||||||
|
Licensor: Hangzhou EMQ Technologies Co., Ltd.
|
||||||
|
Licensed Work: EMQX Enterprise Edition
|
||||||
|
The Licensed Work is (c) 2023
|
||||||
|
Hangzhou EMQ Technologies Co., Ltd.
|
||||||
|
Additional Use Grant: Students and educators are granted right to copy,
|
||||||
|
modify, and create derivative work for research
|
||||||
|
or education.
|
||||||
|
Change Date: 2028-01-26
|
||||||
|
Change License: Apache License, Version 2.0
|
||||||
|
|
||||||
|
For information about alternative licensing arrangements for the Software,
|
||||||
|
please contact Licensor: https://www.emqx.com/en/contact
|
||||||
|
|
||||||
|
Notice
|
||||||
|
|
||||||
|
The Business Source License (this document, or the “License”) is not an Open
|
||||||
|
Source license. However, the Licensed Work will eventually be made available
|
||||||
|
under an Open Source License, as stated in this License.
|
||||||
|
|
||||||
|
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
|
||||||
|
“Business Source License” is a trademark of MariaDB Corporation Ab.
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Business Source License 1.1
|
||||||
|
|
||||||
|
Terms
|
||||||
|
|
||||||
|
The Licensor hereby grants you the right to copy, modify, create derivative
|
||||||
|
works, redistribute, and make non-production use of the Licensed Work. The
|
||||||
|
Licensor may make an Additional Use Grant, above, permitting limited
|
||||||
|
production use.
|
||||||
|
|
||||||
|
Effective on the Change Date, or the fourth anniversary of the first publicly
|
||||||
|
available distribution of a specific version of the Licensed Work under this
|
||||||
|
License, whichever comes first, the Licensor hereby grants you rights under
|
||||||
|
the terms of the Change License, and the rights granted in the paragraph
|
||||||
|
above terminate.
|
||||||
|
|
||||||
|
If your use of the Licensed Work does not comply with the requirements
|
||||||
|
currently in effect as described in this License, you must purchase a
|
||||||
|
commercial license from the Licensor, its affiliated entities, or authorized
|
||||||
|
resellers, or you must refrain from using the Licensed Work.
|
||||||
|
|
||||||
|
All copies of the original and modified Licensed Work, and derivative works
|
||||||
|
of the Licensed Work, are subject to this License. This License applies
|
||||||
|
separately for each version of the Licensed Work and the Change Date may vary
|
||||||
|
for each version of the Licensed Work released by Licensor.
|
||||||
|
|
||||||
|
You must conspicuously display this License on each original or modified copy
|
||||||
|
of the Licensed Work. If you receive the Licensed Work in original or
|
||||||
|
modified form from a third party, the terms and conditions set forth in this
|
||||||
|
License apply to your use of that work.
|
||||||
|
|
||||||
|
Any use of the Licensed Work in violation of this License will automatically
|
||||||
|
terminate your rights under this License for the current and all other
|
||||||
|
versions of the Licensed Work.
|
||||||
|
|
||||||
|
This License does not grant you any right in any trademark or logo of
|
||||||
|
Licensor or its affiliates (provided that you may use a trademark or logo of
|
||||||
|
Licensor as expressly required by this License).
|
||||||
|
|
||||||
|
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
|
||||||
|
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
|
||||||
|
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
|
||||||
|
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
|
||||||
|
TITLE.
|
||||||
|
|
||||||
|
MariaDB hereby grants you permission to use this License’s text to license
|
||||||
|
your works, and to refer to it using the trademark “Business Source License”,
|
||||||
|
as long as you comply with the Covenants of Licensor below.
|
||||||
|
|
||||||
|
Covenants of Licensor
|
||||||
|
|
||||||
|
In consideration of the right to use this License’s text and the “Business
|
||||||
|
Source License” name and trademark, Licensor covenants to MariaDB, and to all
|
||||||
|
other recipients of the licensed work to be provided by Licensor:
|
||||||
|
|
||||||
|
1. To specify as the Change License the GPL Version 2.0 or any later version,
|
||||||
|
or a license that is compatible with GPL Version 2.0 or a later version,
|
||||||
|
where “compatible” means that software provided under the Change License can
|
||||||
|
be included in a program with software provided under GPL Version 2.0 or a
|
||||||
|
later version. Licensor may specify additional Change Licenses without
|
||||||
|
limitation.
|
||||||
|
|
||||||
|
2. To either: (a) specify an additional grant of rights to use that does not
|
||||||
|
impose any additional restriction on the right granted in this License, as
|
||||||
|
the Additional Use Grant; or (b) insert the text “None”.
|
||||||
|
|
||||||
|
3. To specify a Change Date.
|
||||||
|
|
||||||
|
4. Not to modify this License in any other way.
|
|
@ -0,0 +1,7 @@
|
||||||
|
# EMQX Extended Auth Library
|
||||||
|
|
||||||
|
Library that extends EMQX authentication capbility for enterprise.
|
||||||
|
|
||||||
|
# License
|
||||||
|
|
||||||
|
EMQ Business Source License 1.1, refer to [LICENSE](BSL.txt).
|
|
@ -0,0 +1,2 @@
|
||||||
|
{erl_opts, [debug_info]}.
|
||||||
|
{deps, [{emqx, {path, "../emqx"}}]}.
|
|
@ -0,0 +1,21 @@
|
||||||
|
{application, emqx_auth_ext, [
|
||||||
|
{description, "EMQX Extended Auth Library"},
|
||||||
|
{vsn, "0.1.0"},
|
||||||
|
{registered, []},
|
||||||
|
{applications, [
|
||||||
|
kernel,
|
||||||
|
stdlib,
|
||||||
|
ssl,
|
||||||
|
emqx
|
||||||
|
]},
|
||||||
|
{env, []},
|
||||||
|
{modules, [
|
||||||
|
emqx_auth_ext,
|
||||||
|
emqx_auth_ext_schema,
|
||||||
|
emqx_auth_ext_tls_lib,
|
||||||
|
emqx_auth_ext_tls_const_v1
|
||||||
|
]},
|
||||||
|
|
||||||
|
{licenses, ["Apache-2.0"]},
|
||||||
|
{links, []}
|
||||||
|
]}.
|
|
@ -0,0 +1,28 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2022-2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
-module(emqx_auth_ext).
|
||||||
|
|
||||||
|
-include_lib("emqx/include/emqx_schema.hrl").
|
||||||
|
|
||||||
|
-on_load(on_load/0).
|
||||||
|
|
||||||
|
-export([]).
|
||||||
|
|
||||||
|
-spec on_load() -> ok.
|
||||||
|
on_load() ->
|
||||||
|
init_ssl_fun_cb().
|
||||||
|
|
||||||
|
init_ssl_fun_cb() ->
|
||||||
|
lists:foreach(
|
||||||
|
fun({FunName, {_, _, _} = MFA}) ->
|
||||||
|
persistent_term:put(
|
||||||
|
?EMQX_SSL_FUN_MFA(FunName),
|
||||||
|
MFA
|
||||||
|
)
|
||||||
|
end,
|
||||||
|
[
|
||||||
|
{root_fun, {emqx_auth_ext_tls_lib, opt_partial_chain, []}},
|
||||||
|
{verify_fun, {emqx_auth_ext_tls_lib, opt_verify_fun, []}}
|
||||||
|
]
|
||||||
|
).
|
|
@ -0,0 +1,42 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2022-2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_auth_ext_schema).
|
||||||
|
-behaviour(emqx_schema_hooks).
|
||||||
|
|
||||||
|
-include_lib("typerefl/include/types.hrl").
|
||||||
|
-include_lib("hocon/include/hoconsc.hrl").
|
||||||
|
|
||||||
|
%%------------------------------------------------------------------------------
|
||||||
|
%% emqx_schema_hooks callbacks
|
||||||
|
%%------------------------------------------------------------------------------
|
||||||
|
-export([injected_fields/0]).
|
||||||
|
|
||||||
|
-spec injected_fields() -> #{emqx_schema_hooks:hookpoint() => [hocon_schema:field()]}.
|
||||||
|
injected_fields() ->
|
||||||
|
#{
|
||||||
|
'common_ssl_opts_schema' => fields(auth_ext)
|
||||||
|
}.
|
||||||
|
|
||||||
|
fields(auth_ext) ->
|
||||||
|
[
|
||||||
|
{"partial_chain",
|
||||||
|
sc(
|
||||||
|
hoconsc:enum([true, false, two_cacerts_from_cacertfile, cacert_from_cacertfile]),
|
||||||
|
#{
|
||||||
|
required => false,
|
||||||
|
desc => ?DESC(common_ssl_opts_schema_partial_chain)
|
||||||
|
}
|
||||||
|
)},
|
||||||
|
{"verify_peer_ext_key_usage",
|
||||||
|
sc(
|
||||||
|
string(),
|
||||||
|
#{
|
||||||
|
required => false,
|
||||||
|
desc => ?DESC(common_ssl_opts_verify_peer_ext_key_usage)
|
||||||
|
}
|
||||||
|
)}
|
||||||
|
].
|
||||||
|
|
||||||
|
sc(Type, Meta) -> hoconsc:mk(Type, Meta).
|
|
@ -0,0 +1,111 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_auth_ext_tls_const_v1).
|
||||||
|
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
|
||||||
|
|
||||||
|
-export([
|
||||||
|
make_tls_root_fun/2,
|
||||||
|
make_tls_verify_fun/2
|
||||||
|
]).
|
||||||
|
|
||||||
|
-include_lib("public_key/include/public_key.hrl").
|
||||||
|
%% @doc Build a root fun for verify TLS partial_chain.
|
||||||
|
%% The `InputChain' is composed by OTP SSL with local cert store
|
||||||
|
%% AND the cert (chain if any) from the client.
|
||||||
|
%% @end
|
||||||
|
make_tls_root_fun(cacert_from_cacertfile, [Trusted]) ->
|
||||||
|
%% Allow only one trusted ca cert, and just return the defined trusted CA cert,
|
||||||
|
fun(_InputChain) ->
|
||||||
|
%% Note, returing `trusted_ca` doesn't really mean it accepts the connection
|
||||||
|
%% OTP SSL app will do the path validation, signature validation subsequently.
|
||||||
|
{trusted_ca, Trusted}
|
||||||
|
end;
|
||||||
|
make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
|
||||||
|
%% Allow two trusted CA certs in case of CA cert renewal
|
||||||
|
%% This is a little expensive call as it compares the binaries.
|
||||||
|
fun(InputChain) ->
|
||||||
|
case lists:member(TrustedOne, InputChain) of
|
||||||
|
true ->
|
||||||
|
{trusted_ca, TrustedOne};
|
||||||
|
false ->
|
||||||
|
{trusted_ca, TrustedTwo}
|
||||||
|
end
|
||||||
|
end.
|
||||||
|
|
||||||
|
make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
|
||||||
|
RequiredKeyUsages = ext_key_opts(KeyUsages),
|
||||||
|
{fun verify_fun_peer_extKeyUsage/3, RequiredKeyUsages}.
|
||||||
|
|
||||||
|
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
|
||||||
|
%% !! Override OTP verify peer default
|
||||||
|
%% OTP SSL is unhappy with the ext_key_usage but we will check on our own.
|
||||||
|
{unknown, UserState};
|
||||||
|
verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
|
||||||
|
%% OTP verify_peer default
|
||||||
|
{fail, Reason};
|
||||||
|
verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
|
||||||
|
%% OTP verify_peer default
|
||||||
|
{unknown, UserState};
|
||||||
|
verify_fun_peer_extKeyUsage(_, valid, UserState) ->
|
||||||
|
%% OTP verify_peer default
|
||||||
|
{valid, UserState};
|
||||||
|
verify_fun_peer_extKeyUsage(
|
||||||
|
#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
|
||||||
|
%% valid peer cert
|
||||||
|
valid_peer,
|
||||||
|
RequiredKeyUsages
|
||||||
|
) ->
|
||||||
|
%% override OTP verify_peer default
|
||||||
|
%% must have id-ce-extKeyUsage
|
||||||
|
case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
|
||||||
|
#'Extension'{extnID = ?'id-ce-extKeyUsage', extnValue = VL} ->
|
||||||
|
case do_verify_ext_key_usage(VL, RequiredKeyUsages) of
|
||||||
|
true ->
|
||||||
|
%% pass the check,
|
||||||
|
%% fallback to OTP verify_peer default
|
||||||
|
{valid, RequiredKeyUsages};
|
||||||
|
false ->
|
||||||
|
{fail, extKeyUsage_unmatched}
|
||||||
|
end;
|
||||||
|
_ ->
|
||||||
|
{fail, extKeyUsage_not_set}
|
||||||
|
end.
|
||||||
|
|
||||||
|
%% @doc check required extkeyUsages are presented in the cert
|
||||||
|
do_verify_ext_key_usage(_, []) ->
|
||||||
|
%% Verify finished
|
||||||
|
true;
|
||||||
|
do_verify_ext_key_usage(CertExtL, [Usage | T] = _Required) ->
|
||||||
|
case lists:member(Usage, CertExtL) of
|
||||||
|
true ->
|
||||||
|
do_verify_ext_key_usage(CertExtL, T);
|
||||||
|
false ->
|
||||||
|
false
|
||||||
|
end.
|
||||||
|
|
||||||
|
%% @doc Helper tls cert extension
|
||||||
|
-spec ext_key_opts(string()) -> [OidString :: string() | public_key:oid()].
|
||||||
|
ext_key_opts(Str) ->
|
||||||
|
Usages = string:tokens(Str, ","),
|
||||||
|
lists:map(
|
||||||
|
fun
|
||||||
|
("clientAuth") ->
|
||||||
|
?'id-kp-clientAuth';
|
||||||
|
("serverAuth") ->
|
||||||
|
?'id-kp-serverAuth';
|
||||||
|
("codeSigning") ->
|
||||||
|
?'id-kp-codeSigning';
|
||||||
|
("emailProtection") ->
|
||||||
|
?'id-kp-emailProtection';
|
||||||
|
("timeStamping") ->
|
||||||
|
?'id-kp-timeStamping';
|
||||||
|
("ocspSigning") ->
|
||||||
|
?'id-kp-OCSPSigning';
|
||||||
|
("OID:" ++ OidStr) ->
|
||||||
|
OidList = string:tokens(OidStr, "."),
|
||||||
|
list_to_tuple(lists:map(fun list_to_integer/1, OidList))
|
||||||
|
end,
|
||||||
|
Usages
|
||||||
|
).
|
|
@ -0,0 +1,66 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_auth_ext_tls_lib).
|
||||||
|
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*(_SUITE)?$"}}]).
|
||||||
|
|
||||||
|
-export([
|
||||||
|
opt_partial_chain/1,
|
||||||
|
opt_verify_fun/1
|
||||||
|
]).
|
||||||
|
|
||||||
|
-include_lib("emqx/include/logger.hrl").
|
||||||
|
|
||||||
|
-define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
|
||||||
|
%% @doc enable TLS partial_chain validation if set.
|
||||||
|
-spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
|
||||||
|
opt_partial_chain(#{partial_chain := false} = SslOpts) ->
|
||||||
|
maps:remove(partial_chain, SslOpts);
|
||||||
|
opt_partial_chain(#{partial_chain := true} = SslOpts) ->
|
||||||
|
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
|
||||||
|
opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->
|
||||||
|
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
|
||||||
|
opt_partial_chain(#{partial_chain := two_cacerts_from_cacertfile} = SslOpts) ->
|
||||||
|
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(2, SslOpts)};
|
||||||
|
opt_partial_chain(SslOpts) ->
|
||||||
|
SslOpts.
|
||||||
|
|
||||||
|
%% @doc make verify_fun if set.
|
||||||
|
-spec opt_verify_fun(SslOpts :: map()) -> NewSslOpts :: map().
|
||||||
|
opt_verify_fun(#{verify_peer_ext_key_usage := V} = SslOpts) when V =/= undefined ->
|
||||||
|
SslOpts#{verify_fun => ?CONST_MOD_V1:make_tls_verify_fun(verify_cert_extKeyUsage, V)};
|
||||||
|
opt_verify_fun(SslOpts) ->
|
||||||
|
SslOpts.
|
||||||
|
|
||||||
|
%% @doc Helper, make TLS root_fun
|
||||||
|
rootfun_trusted_ca_from_cacertfile(NumOfCerts, #{cacertfile := Cacertfile}) ->
|
||||||
|
case file:read_file(emqx_schema:naive_env_interpolation(Cacertfile)) of
|
||||||
|
{ok, PemBin} ->
|
||||||
|
try
|
||||||
|
do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin)
|
||||||
|
catch
|
||||||
|
_Error:_Info:ST ->
|
||||||
|
%% The cacertfile will be checked by OTP SSL as well and OTP choice to be silent on this.
|
||||||
|
%% We are touching security sutffs, don't leak extra info..
|
||||||
|
?SLOG(error, #{
|
||||||
|
msg => "trusted_cacert_not_found_in_cacertfile", stacktrace => ST
|
||||||
|
}),
|
||||||
|
throw({error, ?FUNCTION_NAME})
|
||||||
|
end;
|
||||||
|
{error, Reason} ->
|
||||||
|
throw({error, {read_cacertfile_error, Cacertfile, Reason}})
|
||||||
|
end;
|
||||||
|
rootfun_trusted_ca_from_cacertfile(_NumOfCerts, _SslOpts) ->
|
||||||
|
throw({error, cacertfile_unset}).
|
||||||
|
|
||||||
|
do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin) ->
|
||||||
|
%% The last one or two should be the top parent in the chain if it is a chain
|
||||||
|
Certs = public_key:pem_decode(PemBin),
|
||||||
|
Pos = length(Certs) - NumOfCerts + 1,
|
||||||
|
Trusted = [
|
||||||
|
CADer
|
||||||
|
|| {'Certificate', CADer, _} <-
|
||||||
|
lists:sublist(public_key:pem_decode(PemBin), Pos, NumOfCerts)
|
||||||
|
],
|
||||||
|
?CONST_MOD_V1:make_tls_root_fun(cacert_from_cacertfile, Trusted).
|
|
@ -0,0 +1,247 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_auth_ext_listener_tls_verify_chain_SUITE).
|
||||||
|
|
||||||
|
-compile(export_all).
|
||||||
|
-compile(nowarn_export_all).
|
||||||
|
|
||||||
|
-include_lib("eunit/include/eunit.hrl").
|
||||||
|
-include_lib("common_test/include/ct.hrl").
|
||||||
|
|
||||||
|
-import(
|
||||||
|
emqx_test_tls_certs_helper,
|
||||||
|
[
|
||||||
|
emqx_start_listener/4,
|
||||||
|
fail_when_ssl_error/1,
|
||||||
|
fail_when_no_ssl_alert/2,
|
||||||
|
generate_tls_certs/1,
|
||||||
|
select_free_port/1
|
||||||
|
]
|
||||||
|
).
|
||||||
|
|
||||||
|
all() -> emqx_common_test_helpers:all(?MODULE).
|
||||||
|
|
||||||
|
init_per_suite(Config) ->
|
||||||
|
generate_tls_certs(Config),
|
||||||
|
application:ensure_all_started(esockd),
|
||||||
|
[{ssl_config, ssl_config_verify_peer()} | Config].
|
||||||
|
|
||||||
|
end_per_suite(_Config) ->
|
||||||
|
application:stop(esockd).
|
||||||
|
|
||||||
|
t_conn_fail_with_intermediate_ca_cert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
|
||||||
|
fail_when_no_ssl_alert(Socket, unknown_ca),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_other_intermediate_ca_cert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
|
||||||
|
fail_when_no_ssl_alert(Socket, unknown_ca),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_server_client_composed_complete_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Server has root ca cert
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "root.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
%% Client has complete chain
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Server has root ca cert
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "root.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
%% Client has partial_chain
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Server has root ca cert
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_client_complete_cert_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "root.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_partial_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% imcomplete at server side
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
|
||||||
|
{versions, ['tlsv1.2']},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_without_root_cacert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
|
||||||
|
%% stick to tlsv1.2 for consistent error message
|
||||||
|
{versions, ['tlsv1.2']},
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2.pem")}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
ssl_config_verify_peer() ->
|
||||||
|
[
|
||||||
|
{verify, verify_peer},
|
||||||
|
{fail_if_no_peer_cert, true}
|
||||||
|
].
|
|
@ -0,0 +1,362 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
|
||||||
|
-module(emqx_auth_ext_listener_tls_verify_keyusage_SUITE).
|
||||||
|
|
||||||
|
-compile(export_all).
|
||||||
|
-compile(nowarn_export_all).
|
||||||
|
|
||||||
|
-include_lib("eunit/include/eunit.hrl").
|
||||||
|
-include_lib("common_test/include/ct.hrl").
|
||||||
|
|
||||||
|
-import(
|
||||||
|
emqx_test_tls_certs_helper,
|
||||||
|
[
|
||||||
|
fail_when_ssl_error/1,
|
||||||
|
fail_when_no_ssl_alert/2,
|
||||||
|
generate_tls_certs/1,
|
||||||
|
gen_host_cert/4,
|
||||||
|
emqx_start_listener/4,
|
||||||
|
select_free_port/1
|
||||||
|
]
|
||||||
|
).
|
||||||
|
|
||||||
|
all() ->
|
||||||
|
[
|
||||||
|
{group, full_chain},
|
||||||
|
{group, partial_chain}
|
||||||
|
].
|
||||||
|
|
||||||
|
all_tc() ->
|
||||||
|
emqx_common_test_helpers:all(?MODULE).
|
||||||
|
|
||||||
|
groups() ->
|
||||||
|
[
|
||||||
|
{partial_chain, [], all_tc()},
|
||||||
|
{full_chain, [], all_tc()}
|
||||||
|
].
|
||||||
|
|
||||||
|
init_per_suite(Config) ->
|
||||||
|
generate_tls_certs(Config),
|
||||||
|
application:ensure_all_started(esockd),
|
||||||
|
Config.
|
||||||
|
|
||||||
|
end_per_suite(_Config) ->
|
||||||
|
application:stop(esockd).
|
||||||
|
|
||||||
|
init_per_group(full_chain, Config) ->
|
||||||
|
[{ssl_config, ssl_config_verify_peer_full_chain(Config)} | Config];
|
||||||
|
init_per_group(partial_chain, Config) ->
|
||||||
|
[{ssl_config, ssl_config_verify_peer_partial_chain(Config)} | Config];
|
||||||
|
init_per_group(_, Config) ->
|
||||||
|
Config.
|
||||||
|
|
||||||
|
end_per_group(_, Config) ->
|
||||||
|
Config.
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Given listener keyusage unset
|
||||||
|
Options = [{ssl_options, ?config(ssl_config, Config)}],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% when client connect with cert without keyusage ext
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is set to undefined
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, undefined}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% when client connect with cert without keyusages ext
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is set to clientAuth
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "clientAuth"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
|
||||||
|
%% When client cert has clientAuth that is matched
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is set to raw OID
|
||||||
|
|
||||||
|
%% from OTP-PUB-KEY.hrl
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.2"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client cert has keyusage and matched.
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
|
||||||
|
%% Give listener keyusage is clientAuth,serverAuth
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "clientAuth,serverAuth"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client cert has the same keyusage ext list
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is clientAuth,serverAuth
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "serverAuth,clientAuth"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client cert has the same keyusage ext list but different order
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth,serverAuth"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection success
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is using OID
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "OID:1.3.6.1.5.5.7.3.1"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
|
||||||
|
%% When client cert has the keyusage but not matching OID
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "clientAuth"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
|
||||||
|
%% Then connecion should fail.
|
||||||
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, ""}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
%% Give listener keyusage is empty string
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client connect with cert without keyusage
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connecion should fail.
|
||||||
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_client_keyusage_unmatch(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
|
||||||
|
%% Give listener keyusage is clientAuth
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage, "clientAuth"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client connect with mismatch cert keyusage = codeSigning
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connecion should fail.
|
||||||
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_client_keyusage_incomplete(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% Give listener keyusage is codeSigning,clientAuth
|
||||||
|
Options = [
|
||||||
|
{ssl_options, [
|
||||||
|
{verify_peer_ext_key_usage,
|
||||||
|
"serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,ocspSigning"}
|
||||||
|
| ?config(ssl_config, Config)
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
%% When client connect with cert keyusage = clientAuth
|
||||||
|
gen_client_cert_ext_keyusage(?FUNCTION_NAME, "intermediate1", DataDir, "codeSigning"),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")},
|
||||||
|
{verify, verify_none}
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
%% Then connection should fail
|
||||||
|
fail_when_no_ssl_alert(Socket, handshake_failure),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
%%%
|
||||||
|
%%% Helpers
|
||||||
|
%%%
|
||||||
|
gen_client_cert_ext_keyusage(Name, CA, DataDir, Usage) when is_atom(Name) ->
|
||||||
|
gen_client_cert_ext_keyusage(atom_to_list(Name), CA, DataDir, Usage);
|
||||||
|
gen_client_cert_ext_keyusage(Name, CA, DataDir, Usage) ->
|
||||||
|
gen_host_cert(Name, CA, DataDir, #{ext => "extendedKeyUsage=" ++ Usage}).
|
||||||
|
|
||||||
|
client_key_file(DataDir, Name) ->
|
||||||
|
filename:join(DataDir, Name) ++ ".key".
|
||||||
|
|
||||||
|
client_pem_file(DataDir, Name) ->
|
||||||
|
filename:join(DataDir, Name) ++ ".pem".
|
||||||
|
|
||||||
|
ssl_config_verify_peer_full_chain(Config) ->
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(?config(data_dir, Config), "intermediate1-root-bundle.pem")}
|
||||||
|
| ssl_config_verify_peer(Config)
|
||||||
|
].
|
||||||
|
ssl_config_verify_peer_partial_chain(Config) ->
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(?config(data_dir, Config), "intermediate1.pem")},
|
||||||
|
{partial_chain, true}
|
||||||
|
| ssl_config_verify_peer(Config)
|
||||||
|
].
|
||||||
|
|
||||||
|
ssl_config_verify_peer(Config) ->
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
[
|
||||||
|
{verify, verify_peer},
|
||||||
|
{fail_if_no_peer_cert, true},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")}
|
||||||
|
%% , {log_level, debug}
|
||||||
|
].
|
|
@ -0,0 +1,709 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%
|
||||||
|
%% Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
%% you may not use this file except in compliance with the License.
|
||||||
|
%% You may obtain a copy of the License at
|
||||||
|
%%
|
||||||
|
%% http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
%%
|
||||||
|
%% Unless required by applicable law or agreed to in writing, software
|
||||||
|
%% distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
%% See the License for the specific language governing permissions and
|
||||||
|
%% limitations under the License.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
-module(emqx_auth_ext_listener_tls_verify_partial_chain_SUITE).
|
||||||
|
|
||||||
|
-compile(export_all).
|
||||||
|
-compile(nowarn_export_all).
|
||||||
|
|
||||||
|
-include_lib("eunit/include/eunit.hrl").
|
||||||
|
-include_lib("common_test/include/ct.hrl").
|
||||||
|
|
||||||
|
-import(
|
||||||
|
emqx_test_tls_certs_helper,
|
||||||
|
[
|
||||||
|
emqx_start_listener/4,
|
||||||
|
fail_when_ssl_error/1,
|
||||||
|
fail_when_no_ssl_alert/2,
|
||||||
|
generate_tls_certs/1,
|
||||||
|
select_free_port/1
|
||||||
|
]
|
||||||
|
).
|
||||||
|
|
||||||
|
all() -> emqx_common_test_helpers:all(?MODULE).
|
||||||
|
|
||||||
|
init_per_suite(Config) ->
|
||||||
|
generate_tls_certs(Config),
|
||||||
|
application:ensure_all_started(esockd),
|
||||||
|
[{ssl_config, ssl_config_verify_partial_chain()} | Config].
|
||||||
|
|
||||||
|
end_per_suite(_Config) ->
|
||||||
|
application:stop(esockd).
|
||||||
|
|
||||||
|
t_conn_success_with_server_intermediate_cacert_and_client_cert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_intermediate_cacert_bundle(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "server1-intermediate1-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_renewed_intermediate_cacert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1_renewed.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundle(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_renewed_client_cert(
|
||||||
|
Config
|
||||||
|
) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")},
|
||||||
|
{partial_chain, two_cacerts_from_cacertfile}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2_renewed.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
%% Note, this is good to have for usecase coverage
|
||||||
|
t_conn_success_with_new_intermediate_cacert_and_client_provides_renewed_client_cert_signed_by_old_intermediate(
|
||||||
|
Config
|
||||||
|
) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2_renewed.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
%% @doc server should build a partial_chain with old version of ca cert.
|
||||||
|
t_conn_success_with_old_and_renewed_intermediate_cacert_and_client_provides_client_cert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")},
|
||||||
|
{partial_chain, two_cacerts_from_cacertfile}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
%% @doc verify when config does not allow two versions of certs from same trusted CA.
|
||||||
|
t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
%% @doc verify when config (two_cacerts_from_cacertfile) allows two versions of certs from same trusted CA.
|
||||||
|
t_001_conn_success_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_old_bundle(
|
||||||
|
Config
|
||||||
|
) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")},
|
||||||
|
{partial_chain, two_cacerts_from_cacertfile}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ssl:close(Socket).
|
||||||
|
|
||||||
|
%% @doc: verify even if listener has old/new intermediate2 certs,
|
||||||
|
%% client1 should not able to connect with old intermediate2 cert.
|
||||||
|
%% In this case, listener verify_fun returns {trusted_ca, Oldintermediate2Cert} but
|
||||||
|
%% OTP should still fail the validation since the client1 cert is not signed by
|
||||||
|
%% Oldintermediate2Cert (trusted CA cert).
|
||||||
|
%% @end
|
||||||
|
t_conn_fail_with_old_and_renewed_intermediate_cacert_bundle_and_client_using_all_CAcerts(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")},
|
||||||
|
{partial_chain, two_cacerts_from_cacertfile}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "all-CAcerts-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1_renewed.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_intermediate_cacert_bundle_but_incorrect_order(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1-server1-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_when_singed_by_other_intermediate_ca(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_success_with_complete_chain_that_server_root_cacert_and_client_complete_cert_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "root.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_other_client_complete_cert_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_intermediate_and_other_client_complete_cert_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1-root-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_success_with_server_intermediate_cacert_and_client_complete_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_intermediate_chain_and_client_other_incomplete_cert_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_intermediate_and_other_client_root_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_success_with_server_intermediate_and_client_root_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate2.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
%% @doc once rootCA cert present in cacertfile, sibling CA signed Client cert could connect.
|
||||||
|
t_conn_success_with_server_all_CA_bundle_and_client_root_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "all-CAcerts-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
{ok, Socket} = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_ssl_error(Socket),
|
||||||
|
ok = ssl:close(Socket).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "two-intermediates-bundle.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client2-root-bundle.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "intermediate1.pem")},
|
||||||
|
{certfile, filename:join(DataDir, "server1.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server1.key")},
|
||||||
|
{partial_chain, false}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options),
|
||||||
|
Res = ssl:connect(
|
||||||
|
{127, 0, 0, 1},
|
||||||
|
Port,
|
||||||
|
[
|
||||||
|
{keyfile, filename:join(DataDir, "client1.key")},
|
||||||
|
{certfile, filename:join(DataDir, "client1.pem")}
|
||||||
|
| client_default_tls_opts()
|
||||||
|
],
|
||||||
|
1000
|
||||||
|
),
|
||||||
|
fail_when_no_ssl_alert(Res, unknown_ca).
|
||||||
|
|
||||||
|
t_error_handling_invalid_cacertfile(Config) ->
|
||||||
|
Port = select_free_port(ssl),
|
||||||
|
DataDir = ?config(data_dir, Config),
|
||||||
|
%% trigger error
|
||||||
|
Options = [
|
||||||
|
{ssl_options,
|
||||||
|
?config(ssl_config, Config) ++
|
||||||
|
[
|
||||||
|
{cacertfile, filename:join(DataDir, "server2.key")},
|
||||||
|
{certfile, filename:join(DataDir, "server2.pem")},
|
||||||
|
{keyfile, filename:join(DataDir, "server2.key")}
|
||||||
|
]}
|
||||||
|
],
|
||||||
|
?assertException(
|
||||||
|
throw,
|
||||||
|
{error, rootfun_trusted_ca_from_cacertfile},
|
||||||
|
emqx_start_listener(?FUNCTION_NAME, ssl, Port, Options)
|
||||||
|
).
|
||||||
|
|
||||||
|
ssl_config_verify_partial_chain() ->
|
||||||
|
[
|
||||||
|
{verify, verify_peer},
|
||||||
|
{fail_if_no_peer_cert, true},
|
||||||
|
{partial_chain, true}
|
||||||
|
].
|
||||||
|
|
||||||
|
client_default_tls_opts() ->
|
||||||
|
[
|
||||||
|
{versions, ['tlsv1.2']},
|
||||||
|
{verify, verify_none}
|
||||||
|
].
|
|
@ -0,0 +1,66 @@
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
|
||||||
|
%%
|
||||||
|
%% Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
%% you may not use this file except in compliance with the License.
|
||||||
|
%% You may obtain a copy of the License at
|
||||||
|
%%
|
||||||
|
%% http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
%%
|
||||||
|
%% Unless required by applicable law or agreed to in writing, software
|
||||||
|
%% distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
%% See the License for the specific language governing permissions and
|
||||||
|
%% limitations under the License.
|
||||||
|
%%--------------------------------------------------------------------
|
||||||
|
-module(emqx_auth_ext_schema_SUITE).
|
||||||
|
-compile(nowarn_export_all).
|
||||||
|
-compile(export_all).
|
||||||
|
|
||||||
|
-include_lib("eunit/include/eunit.hrl").
|
||||||
|
-include_lib("common_test/include/ct.hrl").
|
||||||
|
|
||||||
|
-define(BASE_CONF,
|
||||||
|
"\n"
|
||||||
|
" listeners.ssl.auth_ext.bind = 28883\n"
|
||||||
|
" listeners.ssl.auth_ext.enable = true\n"
|
||||||
|
" listeners.ssl.auth_ext.ssl_options.partial_chain = true\n"
|
||||||
|
" listeners.ssl.auth_ext.ssl_options.verify = verify_peer\n"
|
||||||
|
" listeners.ssl.auth_ext.ssl_options.verify_peer_ext_key_usage = \"clientAuth\"\n"
|
||||||
|
" "
|
||||||
|
).
|
||||||
|
|
||||||
|
all() ->
|
||||||
|
emqx_common_test_helpers:all(?MODULE).
|
||||||
|
|
||||||
|
init_per_suite(Config) ->
|
||||||
|
%% injection happens when module is loaded.
|
||||||
|
code:load_file(emqx_auth_ext),
|
||||||
|
Apps = emqx_cth_suite:start(
|
||||||
|
[
|
||||||
|
emqx,
|
||||||
|
{emqx_conf, ?BASE_CONF}
|
||||||
|
],
|
||||||
|
#{work_dir => emqx_cth_suite:work_dir(Config)}
|
||||||
|
),
|
||||||
|
emqx_listeners:restart(),
|
||||||
|
[{apps, Apps} | Config].
|
||||||
|
|
||||||
|
end_per_suite(Config) ->
|
||||||
|
Apps = ?config(apps, Config),
|
||||||
|
ok = emqx_cth_suite:stop(Apps),
|
||||||
|
code:delete(emqx_auth_ext),
|
||||||
|
code:purge(emqx_auth_ext),
|
||||||
|
ok.
|
||||||
|
|
||||||
|
t_conf_check_default(_Config) ->
|
||||||
|
Opts = esockd:get_options({'ssl:default', {{0, 0, 0, 0}, 8883}}),
|
||||||
|
SSLOpts = proplists:get_value(ssl_options, Opts),
|
||||||
|
?assertEqual(none, proplists:lookup(partial_chain, SSLOpts)),
|
||||||
|
?assertEqual(none, proplists:lookup(verify_fun, SSLOpts)).
|
||||||
|
|
||||||
|
t_conf_check_auth_ext(_Config) ->
|
||||||
|
Opts = esockd:get_options({'ssl:auth_ext', 28883}),
|
||||||
|
SSLOpts = proplists:get_value(ssl_options, Opts),
|
||||||
|
?assertMatch(Fun when is_function(Fun), proplists:get_value(partial_chain, SSLOpts)),
|
||||||
|
?assertMatch({Fun, _} when is_function(Fun), proplists:get_value(verify_fun, SSLOpts)).
|
|
@ -70,9 +70,19 @@
|
||||||
emqx_otel_schema,
|
emqx_otel_schema,
|
||||||
emqx_mgmt_api_key_schema
|
emqx_mgmt_api_key_schema
|
||||||
]).
|
]).
|
||||||
|
|
||||||
|
-define(AUTH_EXT_SCHEMA_MODS, [emqx_auth_ext_schema]).
|
||||||
|
|
||||||
|
-if(defined(EMQX_RELEASE_EDITION) andalso ?EMQX_RELEASE_EDITION == ee).
|
||||||
|
-define(OTHER_INJECTING_CONFIGS, ?AUTH_EXT_SCHEMA_MODS).
|
||||||
|
-else.
|
||||||
|
-define(OTHER_INJECTING_CONFIGS, []).
|
||||||
|
-endif.
|
||||||
|
|
||||||
-define(INJECTING_CONFIGS, [
|
-define(INJECTING_CONFIGS, [
|
||||||
{emqx_authn_schema, ?AUTHN_PROVIDER_SCHEMA_MODS},
|
{emqx_authn_schema, ?AUTHN_PROVIDER_SCHEMA_MODS},
|
||||||
{emqx_authz_schema, ?AUTHZ_SOURCE_SCHEMA_MODS}
|
{emqx_authz_schema, ?AUTHZ_SOURCE_SCHEMA_MODS}
|
||||||
|
| ?OTHER_INJECTING_CONFIGS
|
||||||
]).
|
]).
|
||||||
|
|
||||||
%% 1 million default ports counter
|
%% 1 million default ports counter
|
||||||
|
|
|
@ -559,6 +559,8 @@ ssl_opts(Name, Opts) ->
|
||||||
[
|
[
|
||||||
fun ssl_opts_crl_config/2,
|
fun ssl_opts_crl_config/2,
|
||||||
fun ssl_opts_drop_unsupported/2,
|
fun ssl_opts_drop_unsupported/2,
|
||||||
|
fun ssl_partial_chain/2,
|
||||||
|
fun ssl_verify_fun/2,
|
||||||
fun ssl_server_opts/2
|
fun ssl_server_opts/2
|
||||||
],
|
],
|
||||||
SSLOpts,
|
SSLOpts,
|
||||||
|
@ -586,6 +588,12 @@ ssl_server_opts(SSLOpts, ssl_options) ->
|
||||||
ssl_server_opts(SSLOpts, dtls_options) ->
|
ssl_server_opts(SSLOpts, dtls_options) ->
|
||||||
emqx_tls_lib:to_server_opts(dtls, SSLOpts).
|
emqx_tls_lib:to_server_opts(dtls, SSLOpts).
|
||||||
|
|
||||||
|
ssl_partial_chain(SSLOpts, _Options) ->
|
||||||
|
emqx_tls_lib:maybe_inject_ssl_fun(root_fun, SSLOpts).
|
||||||
|
|
||||||
|
ssl_verify_fun(SSLOpts, _Options) ->
|
||||||
|
emqx_tls_lib:maybe_inject_ssl_fun(verify_fun, SSLOpts).
|
||||||
|
|
||||||
ranch_opts(Type, ListenOn, Opts) ->
|
ranch_opts(Type, ListenOn, Opts) ->
|
||||||
NumAcceptors = maps:get(acceptors, Opts, 4),
|
NumAcceptors = maps:get(acceptors, Opts, 4),
|
||||||
MaxConnections = maps:get(max_connections, Opts, 1024),
|
MaxConnections = maps:get(max_connections, Opts, 1024),
|
||||||
|
|
|
@ -130,7 +130,8 @@
|
||||||
emqx_gateway_ocpp,
|
emqx_gateway_ocpp,
|
||||||
emqx_gateway_jt808,
|
emqx_gateway_jt808,
|
||||||
emqx_bridge_syskeeper,
|
emqx_bridge_syskeeper,
|
||||||
emqx_bridge_confluent
|
emqx_bridge_confluent,
|
||||||
|
emqx_auth_ext
|
||||||
],
|
],
|
||||||
%% must always be of type `load'
|
%% must always be of type `load'
|
||||||
ce_business_apps =>
|
ce_business_apps =>
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
Enhance TLS listener to support more flexible TLS verifications.
|
||||||
|
|
||||||
|
- partial_chain support
|
||||||
|
|
||||||
|
If the option `partial_chain` is set to `true`, allow connections with incomplete certificate chains.
|
||||||
|
|
||||||
|
Check the configuration manual document for more details.
|
||||||
|
|
||||||
|
- Certificate KeyUsage Validation
|
||||||
|
|
||||||
|
Added support for required Extended Key Usage defined in
|
||||||
|
[rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).
|
||||||
|
|
||||||
|
Introduced a new option (`verify_peer_ext_key_usage`) to require specific key usages (like "serverAuth")
|
||||||
|
in peer certificates during the TLS handshake.
|
||||||
|
This strengthens security by ensuring certificates are used for their intended purposes.
|
||||||
|
|
||||||
|
example:
|
||||||
|
"serverAuth,OID:1.3.6.1.5.5.7.3.2"
|
||||||
|
|
||||||
|
Check the configuration manual document for more details.
|
||||||
|
|
3
mix.exs
3
mix.exs
|
@ -201,7 +201,8 @@ defmodule EMQXUmbrella.MixProject do
|
||||||
:emqx_gateway_gbt32960,
|
:emqx_gateway_gbt32960,
|
||||||
:emqx_gateway_ocpp,
|
:emqx_gateway_ocpp,
|
||||||
:emqx_gateway_jt808,
|
:emqx_gateway_jt808,
|
||||||
:emqx_bridge_syskeeper
|
:emqx_bridge_syskeeper,
|
||||||
|
:emqx_auth_ext
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -120,6 +120,7 @@ is_community_umbrella_app("apps/emqx_schema_validation") -> false;
|
||||||
is_community_umbrella_app("apps/emqx_message_transformation") -> false;
|
is_community_umbrella_app("apps/emqx_message_transformation") -> false;
|
||||||
is_community_umbrella_app("apps/emqx_eviction_agent") -> false;
|
is_community_umbrella_app("apps/emqx_eviction_agent") -> false;
|
||||||
is_community_umbrella_app("apps/emqx_node_rebalance") -> false;
|
is_community_umbrella_app("apps/emqx_node_rebalance") -> false;
|
||||||
|
is_community_umbrella_app("apps/emqx_auth_ext") -> false;
|
||||||
is_community_umbrella_app(_) -> true.
|
is_community_umbrella_app(_) -> true.
|
||||||
|
|
||||||
%% BUILD_WITHOUT_JQ
|
%% BUILD_WITHOUT_JQ
|
||||||
|
|
|
@ -0,0 +1,46 @@
|
||||||
|
emqx_auth_ext_schema {
|
||||||
|
|
||||||
|
common_ssl_opts_schema_partial_chain.desc:
|
||||||
|
"""Enable or disable peer verification with partial_chain.
|
||||||
|
When local verifies a peer certificate during the x509 path validation
|
||||||
|
process, it constructs a certificate chain that starts with the peer
|
||||||
|
certificate and ends with a trust anchor.
|
||||||
|
By default, if it is set to `false`, the trust anchor is the
|
||||||
|
Root CA, and the certificate chain must be complete.
|
||||||
|
However, if the setting is set to `true` or `cacert_from_cacertfile`,
|
||||||
|
the last certificate in `cacertfile` will be used as the trust anchor
|
||||||
|
certificate (intermediate CA). This creates a partial chain
|
||||||
|
in the path validation.
|
||||||
|
Alternatively, if it is configured with `two_cacerts_from_cacertfile`,
|
||||||
|
one of the last two certificates in `cacertfile` will be used as the
|
||||||
|
trust anchor certificate, forming a partial chain. This option is
|
||||||
|
particularly useful for intermediate CA certificate rotation.
|
||||||
|
However, please note that it incurs some additional overhead, so it
|
||||||
|
should only be used for certificate rotation purposes."""
|
||||||
|
|
||||||
|
common_ssl_opts_schema_partial_chain.label:
|
||||||
|
"""Partial chain"""
|
||||||
|
|
||||||
|
common_ssl_opts_verify_peer_ext_key_usage.desc:
|
||||||
|
"""Verify extended key usage in peer's certificate
|
||||||
|
For additional peer certificate validation, the value defined here must present in the
|
||||||
|
'Extended Key Usage' of peer certificate defined in
|
||||||
|
[rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).
|
||||||
|
|
||||||
|
Allowed values are
|
||||||
|
- `clientAuth`
|
||||||
|
- `serverAuth`
|
||||||
|
- `codeSigning`
|
||||||
|
- `emailProtection`
|
||||||
|
- `timeStamping`
|
||||||
|
- `ocspSigning`
|
||||||
|
- raw OID, for example: "OID:1.3.6.1.5.5.7.3.2" means `id-pk 2` which is equivalent to `clientAuth`
|
||||||
|
|
||||||
|
Comma-separated string is also supported for validating more than one key usages.
|
||||||
|
|
||||||
|
For example, `"serverAuth,OID:1.3.6.1.5.5.7.3.2"`"""
|
||||||
|
|
||||||
|
common_ssl_opts_verify_peer_ext_key_usage.label:
|
||||||
|
"""Verify KeyUsage in cert"""
|
||||||
|
|
||||||
|
}
|
|
@ -310,3 +310,4 @@ ElasticSearch
|
||||||
doc_as_upsert
|
doc_as_upsert
|
||||||
upsert
|
upsert
|
||||||
aliyun
|
aliyun
|
||||||
|
OID
|
||||||
|
|
Loading…
Reference in New Issue