refactor: verify_fun_peer_extKeyUsage/3

This commit is contained in:
William Yang 2023-05-05 18:08:00 +02:00
parent 5fa060a43c
commit 7346dfe510
3 changed files with 11 additions and 18 deletions


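--- a/emqx_const_v2.erl
+++ b/emqx_const_v2.erl
@@ -47,27 +47,25 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
 end.
 make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
-AllowedKeyUsages = ext_key_opts(KeyUsages),
-fun(A, B, C) ->
-verify_fun_peer_extKeyUsage(A, B, C, AllowedKeyUsages)
-end.
+AllowedKeyUsages = ext_key_opts(KeyUsages),
+{fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
-verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
 %% !! Override OTP verify peer default
 %% OTP SSL is unhappy with the ext_key_usage but we will check on ower own.
 {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
 %% OTP verify_peer default
 {fail, Reason};
-verify_fun_peer_extKeyUsage(_, {extension, _}, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
 %% OTP verify_peer default
 {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, valid, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, valid, UserState) ->
 %% OTP verify_peer default
 {valid, UserState};
 verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
 valid_peer, %% valid peer cert
-UserState, AllowedKeyUsages) ->
+AllowedKeyUsages) ->
 %% override OTP verify_peer default
 %% must have id-ce-extKeyUsage
 case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
@@ -76,7 +74,7 @@ verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertifica
 true ->
 %% pass the check,
 %% fallback to OTP verify_peer default
-{valid, UserState};
+{valid, AllowedKeyUsages};
 false ->
 {fail, extKeyUsage_unmatched}
 end;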
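Review bot: The third argument of verify_fun_peer_extKeyUsage/3 is now the allowed-EKU list smuggled in as the verify_fun user state (`{fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}`), yet the bad_cert, extension and valid heads call it `UserState` while only the valid_peer head calls it `AllowedKeyUsages`, which hides that every clause must pass the same term through untouched; pick one name and say so at the return in make_tls_verify_fun, e.g. `%% The allowed extKeyUsage list doubles as the verify_fun user state; every clause must return it unchanged`. The `{bad_cert, invalid_ext_key_usage}` clause still matches any certificate position, while the replacement extKeyUsage check runs only on the `valid_peer` event; if the ssl application reports that reason for a CA certificate as well, such a certificate's EKU would pass without any check, which is worth confirming against the OTP version in use or restricting with a peer-only match. The `case` on `lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL)` continues outside the first hunk.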


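--- a/emqx_tls_lib.erl
+++ b/emqx_tls_lib.erl
@@ -214,8 +214,8 @@ opt_verify_fun(SslOpts) ->
 undefined ->
 SslOpts;
 V ->
-Fun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
-replace(SslOpts, verify_fun, {Fun, #{}})
+VerifyFun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
+replace(SslOpts, verify_fun, VerifyFun)
 end.
 replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].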


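--- a/<SUITE_PATH_NOT_ON_PAGE>
+++ b/<SUITE_PATH_NOT_ON_PAGE>
@@ -44,11 +44,6 @@ groups() ->
 ].
 init_per_suite(Config) ->
-dbg:tracer(process, {fun dbg:dhandler/2,group_leader()}),
-dbg:p(all,c),
-dbg:tpl(emqx_tls_lib, opt_verify_fun, cx),
-dbg:tpl(emqx_const_v2, verify_fun_peer_extKeyUsage, cx),
-dbg:tpl(emqx_const_v2, do_verify_ext_key_usage,cx),
 generate_tls_certs(Config),
 application:ensure_all_started(esockd),
 Config.
@@ -229,6 +224,6 @@ ssl_config_verify_peer(Config) ->
 , {fail_if_no_peer_cert, true}
 , {keyfile, filename:join(DataDir, "server1.key")}
 , {certfile, filename:join(DataDir, "server1.pem")}
-, {log_level, debug}
+%% , {log_level, debug}
 ].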
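Review bot: Replacing `{log_level, debug}` with the commented-out `%% , {log_level, debug}` leaves dead code in the ssl option list of ssl_config_verify_peer; the dbg tracing in init_per_suite is deleted outright in the same commit, so this line should go the same way, or be gated on a suite config value if verbose ssl logging is meant to be switched back on during debugging. The option list starts outside the hunk.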