From 7346dfe51007253888bd78fcfa705f63308731f4 Mon Sep 17 00:00:00 2001
From: William Yang
Date: Fri, 5 May 2023 18:08:00 +0200
Subject: [PATCH] refactor: verify_fun_peer_extKeyUsage/3

---
 src/emqx_const_v2.erl | 18 ++++++++----------
 src/emqx_tls_lib.erl | 4 ++--
 ...emqx_listener_tls_verify_keyusage_SUITE.erl | 7 +------
 3 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/src/emqx_const_v2.erl b/src/emqx_const_v2.erl
index f122e6d52..9efeb6dde 100644
--- a/src/emqx_const_v2.erl
+++ b/src/emqx_const_v2.erl
@@ -47,27 +47,25 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
 end.
 
 make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
- AllowedKeyUsages = ext_key_opts(KeyUsages),
- fun(A, B, C) ->
- verify_fun_peer_extKeyUsage(A, B, C, AllowedKeyUsages)
- end.
+ AllowedKeyUsages = ext_key_opts(KeyUsages),
+ {fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
 
-verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
 %% !! Override OTP verify peer default
 %% OTP SSL is unhappy with the ext_key_usage but we will check on ower own.
 {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
 %% OTP verify_peer default
 {fail, Reason};
-verify_fun_peer_extKeyUsage(_, {extension, _}, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
 %% OTP verify_peer default
 {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, valid, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, valid, UserState) ->
 %% OTP verify_peer default
 {valid, UserState};
 verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
 valid_peer, %% valid peer cert
- UserState, AllowedKeyUsages) ->
+ AllowedKeyUsages) ->
 %% override OTP verify_peer default
 %% must have id-ce-extKeyUsage
 case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
@@ -76,7 +74,7 @@ verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertifica
 true ->
 %% pass the check,
 %% fallback to OTP verify_peer default
- {valid, UserState};
+ {valid, AllowedKeyUsages};
 false ->
 {fail, extKeyUsage_unmatched}
 end;
diff --git a/src/emqx_tls_lib.erl b/src/emqx_tls_lib.erl
index 92682cebf..bebc891d6 100644
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
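Review bot: Every clause of `verify_fun_peer_extKeyUsage/3` now receives the ssl `verify_fun` user state as its third argument, seeded with `AllowedKeyUsages` in `make_tls_verify_fun/2`, yet the four generic clauses call it `UserState` while the `valid_peer` clause calls the same value `AllowedKeyUsages` and the second hunk returns it as `{valid, AllowedKeyUsages}`, so a reader cannot tell from the code that these are one and the same value. I would document the contract once, above `make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->`, with `%% Returns the {Fun, InitialUserState} pair expected by the ssl verify_fun option; the user state is the allowed extKeyUsage list that the valid_peer clause checks the peer cert against.` and add a `-spec` for `make_tls_verify_fun/2` so Dialyzer sees the changed return shape. Worth a second look while here: the `{bad_cert, invalid_ext_key_usage}` override returns `unknown` for whichever certificate in the chain triggered it, while the replacement check only runs on the `valid_peer` event, so if OTP can raise that reason for a non-leaf certificate such a certificate would be accepted with no extKeyUsage check at all; restricting the override to the peer, or a comment stating why chain certificates need no check, would close that gap. The `valid_peer` clause's `case` continues past the end of the first hunk.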
@@ -214,8 +214,8 @@ opt_verify_fun(SslOpts) ->
 undefined -> SslOpts;
 V ->
- Fun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
- replace(SslOpts, verify_fun, {Fun, #{}})
+ VerifyFun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
+ replace(SslOpts, verify_fun, VerifyFun)
 end.
 
 replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].
diff --git a/test/emqx_listener_tls_verify_keyusage_SUITE.erl b/test/emqx_listener_tls_verify_keyusage_SUITE.erl
index e3134bb99..3ba089aae 100644
--- a/test/emqx_listener_tls_verify_keyusage_SUITE.erl
+++ b/test/emqx_listener_tls_verify_keyusage_SUITE.erl
@@ -44,11 +44,6 @@ groups() ->
 ].
 
 init_per_suite(Config) ->
- dbg:tracer(process, {fun dbg:dhandler/2,group_leader()}),
- dbg:p(all,c),
- dbg:tpl(emqx_tls_lib, opt_verify_fun, cx),
- dbg:tpl(emqx_const_v2, verify_fun_peer_extKeyUsage, cx),
- dbg:tpl(emqx_const_v2, do_verify_ext_key_usage,cx),
 generate_tls_certs(Config),
 application:ensure_all_started(esockd),
 Config.
@@ -229,6 +224,6 @@ ssl_config_verify_peer(Config) ->
 , {fail_if_no_peer_cert, true}
 , {keyfile, filename:join(DataDir, "server1.key")}
 , {certfile, filename:join(DataDir, "server1.pem")}
- , {log_level, debug}
+ %% , {log_level, debug}
 ].
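Review bot: `replace(SslOpts, verify_fun, VerifyFun)` silently drops any `verify_fun` already present in `SslOpts`, so an operator-supplied verify callback is overridden, not chained, whenever the extKeyUsage option is set, and nothing in the function says this is intended. I would state it at the call site with `%% Overrides any verify_fun already configured; the extKeyUsage check replaces a user-supplied callback rather than wrapping it.` and, at the `VerifyFun =` binding, note that `make_tls_verify_fun/2` now returns the complete `{Fun, InitialUserState}` pair (the initial state is no longer the empty map `#{}` the old code passed), so callers must not wrap it again. The `case` that binds `V` starts before the hunk, so the option it is read from is not visible here.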