refactor: verify_fun_peer_extKeyUsage/3
parent
5fa060a43c
commit
7346dfe510
|
@ -47,27 +47,25 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
|
|||
end.
|
||||
|
||||
make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
|
||||
AllowedKeyUsages = ext_key_opts(KeyUsages),
|
||||
fun(A, B, C) ->
|
||||
verify_fun_peer_extKeyUsage(A, B, C, AllowedKeyUsages)
|
||||
end.
|
||||
AllowedKeyUsages = ext_key_opts(KeyUsages),
|
||||
{fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
|
||||
|
||||
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState, AllowedKeyUsages) ->
|
||||
verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
|
||||
%% !! Override OTP verify peer default
|
||||
%% OTP SSL is unhappy with the ext_key_usage but we will check on ower own.
|
||||
{unknown, UserState};
|
||||
verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _, AllowedKeyUsages) ->
|
||||
verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
|
||||
%% OTP verify_peer default
|
||||
{fail, Reason};
|
||||
verify_fun_peer_extKeyUsage(_, {extension, _}, UserState, _AllowedKeyUsages) ->
|
||||
verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
|
||||
%% OTP verify_peer default
|
||||
{unknown, UserState};
|
||||
verify_fun_peer_extKeyUsage(_, valid, UserState, _AllowedKeyUsages) ->
|
||||
verify_fun_peer_extKeyUsage(_, valid, UserState) ->
|
||||
%% OTP verify_peer default
|
||||
{valid, UserState};
|
||||
verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
|
||||
valid_peer, %% valid peer cert
|
||||
UserState, AllowedKeyUsages) ->
|
||||
AllowedKeyUsages) ->
|
||||
%% override OTP verify_peer default
|
||||
%% must have id-ce-extKeyUsage
|
||||
case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
|
||||
|
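Review bot: The rewritten `{bad_cert, invalid_ext_key_usage}` clause matches the certificate argument with `_`, so as far as the clause head shows, its `{unknown, UserState}` override is not limited to the peer certificate, while the replacement check in the `valid_peer` clause only inspects the peer certificate's own `extensions`; if that scope is intended, say so next to the existing comment, e.g. `%% applies to every cert the chain walk reports; only the peer cert is re-checked in the valid_peer clause`, otherwise narrow the head. The third argument is now the verify-fun user state that `make_tls_verify_fun/2` initialises to `AllowedKeyUsages`, yet four clauses call it `UserState` and the `valid_peer` clause calls it `AllowedKeyUsages` (and the next hunk returns it as `{valid, AllowedKeyUsages}`), so a comment above the first clause, `%% UserState is the AllowedKeyUsages list from ext_key_opts/1, threaded through unchanged`, would make that contract visible. The `%% ... we will check on ower own.` comment also has a typo ("our own"). The `valid_peer` clause continues past the end of this hunk.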
@ -76,7 +74,7 @@ verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertifica
|
|||
true ->
|
||||
%% pass the check,
|
||||
%% fallback to OTP verify_peer default
|
||||
{valid, UserState};
|
||||
{valid, AllowedKeyUsages};
|
||||
false ->
|
||||
{fail, extKeyUsage_unmatched}
|
||||
end;
|
||||
|
|
|
@ -214,8 +214,8 @@ opt_verify_fun(SslOpts) ->
|
|||
undefined ->
|
||||
SslOpts;
|
||||
V ->
|
||||
Fun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
|
||||
replace(SslOpts, verify_fun, {Fun, #{}})
|
||||
VerifyFun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
|
||||
replace(SslOpts, verify_fun, VerifyFun)
|
||||
end.
|
||||
|
||||
replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].
|
||||
|
|
|
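Review bot: `opt_verify_fun` now hands whatever `emqx_const_v2:make_tls_verify_fun/2` returns straight to the `verify_fun` ssl option, so the `{Fun, InitialUserState}` shape that the old code built here with `{Fun, #{}}` has become an invisible cross-module contract; a comment on the call, `%% returns the {Fun, InitialUserState} pair expected by the ssl verify_fun option`, or a `-spec` on `make_tls_verify_fun/2` in emqx_const_v2 would pin it. The enclosing `opt_verify_fun/1` starts outside the hunk.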
@ -44,11 +44,6 @@ groups() ->
|
|||
].
|
||||
|
||||
init_per_suite(Config) ->
|
||||
dbg:tracer(process, {fun dbg:dhandler/2,group_leader()}),
|
||||
dbg:p(all,c),
|
||||
dbg:tpl(emqx_tls_lib, opt_verify_fun, cx),
|
||||
dbg:tpl(emqx_const_v2, verify_fun_peer_extKeyUsage, cx),
|
||||
dbg:tpl(emqx_const_v2, do_verify_ext_key_usage,cx),
|
||||
generate_tls_certs(Config),
|
||||
application:ensure_all_started(esockd),
|
||||
Config.
|
||||
|
@ -229,6 +224,6 @@ ssl_config_verify_peer(Config) ->
|
|||
, {fail_if_no_peer_cert, true}
|
||||
, {keyfile, filename:join(DataDir, "server1.key")}
|
||||
, {certfile, filename:join(DataDir, "server1.pem")}
|
||||
, {log_level, debug}
|
||||
%% , {log_level, debug}
|
||||
].
|
||||
|
||||
|
|