refactor: verify_fun_peer_extKeyUsage/3

2023-05-05 18:08:00 +02:00 · 2023-05-05 18:08:00 +02:00 · 7346dfe510
parent 5fa060a43c
commit 7346dfe510
3 changed files with 11 additions and 18 deletions
--- a/src/emqx_const_v2.erl
+++ b/src/emqx_const_v2.erl
@ -47,27 +47,25 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
  end.

 make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
-    AllowedKeyUsages = ext_key_opts(KeyUsages),
-    fun(A, B, C) ->
-        verify_fun_peer_extKeyUsage(A, B, C, AllowedKeyUsages)
-    end.
+  AllowedKeyUsages = ext_key_opts(KeyUsages),
+  {fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.

-verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
  %% !! Override OTP verify peer default
  %% OTP SSL is unhappy with the ext_key_usage but we will check on ower own.
  {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
  %% OTP verify_peer default
  {fail, Reason};
-verify_fun_peer_extKeyUsage(_, {extension, _}, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
  %% OTP verify_peer default
  {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, valid, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, valid, UserState) ->
  %% OTP verify_peer default
  {valid, UserState};
 verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
                            valid_peer,  %% valid peer cert
-                            UserState, AllowedKeyUsages) ->
+                            AllowedKeyUsages) ->
  %% override OTP verify_peer default
  %% must have id-ce-extKeyUsage
  case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
@ -76,7 +74,7 @@ verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertifica
        true ->
          %% pass the check,
          %% fallback to OTP verify_peer default
-          {valid, UserState};
+          {valid, AllowedKeyUsages};
        false ->
          {fail, extKeyUsage_unmatched}
      end;
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@ -214,8 +214,8 @@ opt_verify_fun(SslOpts) ->
        undefined ->
            SslOpts;
        V ->
-            Fun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
-            replace(SslOpts, verify_fun, {Fun, #{}})
+            VerifyFun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
+            replace(SslOpts, verify_fun, VerifyFun)
    end.

 replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].
--- a/test/emqx_listener_tls_verify_keyusage_SUITE.erl
+++ b/test/emqx_listener_tls_verify_keyusage_SUITE.erl
@ -44,11 +44,6 @@ groups() ->
    ].

 init_per_suite(Config) ->
-    dbg:tracer(process, {fun dbg:dhandler/2,group_leader()}),
-    dbg:p(all,c),
-    dbg:tpl(emqx_tls_lib, opt_verify_fun, cx),
-    dbg:tpl(emqx_const_v2, verify_fun_peer_extKeyUsage, cx),
-    dbg:tpl(emqx_const_v2, do_verify_ext_key_usage,cx),
    generate_tls_certs(Config),
    application:ensure_all_started(esockd),
    Config.
@ -229,6 +224,6 @@ ssl_config_verify_peer(Config) ->
  , {fail_if_no_peer_cert, true}
  , {keyfile, filename:join(DataDir, "server1.key")}
  , {certfile, filename:join(DataDir, "server1.pem")}
-  , {log_level, debug}
+  %% , {log_level, debug}
  ].