refactor: verify_fun_peer_extKeyUsage/3

src/emqx_const_v2.erl

@@ -48,26 +48,24 @@ make_tls_root_fun(cacert_from_cacertfile, [TrustedOne, TrustedTwo]) ->
 
 make_tls_verify_fun(verify_cert_extKeyUsage, KeyUsages) ->
   AllowedKeyUsages = ext_key_opts(KeyUsages),
-    fun(A, B, C) ->
+  {fun verify_fun_peer_extKeyUsage/3, AllowedKeyUsages}.
-        verify_fun_peer_extKeyUsage(A, B, C, AllowedKeyUsages)
-    end.
 
-verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, invalid_ext_key_usage}, UserState) ->
   %% !! Override OTP verify peer default
   %% OTP SSL is unhappy with the ext_key_usage but we will check on ower own.
   {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _, AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {bad_cert, _} = Reason, _UserState) ->
   %% OTP verify_peer default
   {fail, Reason};
-verify_fun_peer_extKeyUsage(_, {extension, _}, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, {extension, _}, UserState) ->
   %% OTP verify_peer default
   {unknown, UserState};
-verify_fun_peer_extKeyUsage(_, valid, UserState, _AllowedKeyUsages) ->
+verify_fun_peer_extKeyUsage(_, valid, UserState) ->
   %% OTP verify_peer default
   {valid, UserState};
 verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{extensions = ExtL}},
                             valid_peer,  %% valid peer cert
-                            UserState, AllowedKeyUsages) ->
+                            AllowedKeyUsages) ->
   %% override OTP verify_peer default
   %% must have id-ce-extKeyUsage
   case lists:keyfind(?'id-ce-extKeyUsage', 2, ExtL) of
@@ -76,7 +74,7 @@ verify_fun_peer_extKeyUsage(#'OTPCertificate'{tbsCertificate = #'OTPTBSCertifica
         true ->
           %% pass the check,
           %% fallback to OTP verify_peer default
-          {valid, UserState};
+          {valid, AllowedKeyUsages};
         false ->
           {fail, extKeyUsage_unmatched}
       end;

src/emqx_tls_lib.erl

@@ -214,8 +214,8 @@ opt_verify_fun(SslOpts) ->
         undefined ->
             SslOpts;
         V ->
-            Fun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
+            VerifyFun = emqx_const_v2:make_tls_verify_fun(verify_cert_extKeyUsage, V),
-            replace(SslOpts, verify_fun, {Fun, #{}})
+            replace(SslOpts, verify_fun, VerifyFun)
     end.
 
 replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].

test/emqx_listener_tls_verify_keyusage_SUITE.erl

@@ -44,11 +44,6 @@ groups() ->
     ].
 
 init_per_suite(Config) ->
-    dbg:tracer(process, {fun dbg:dhandler/2,group_leader()}),
-    dbg:p(all,c),
-    dbg:tpl(emqx_tls_lib, opt_verify_fun, cx),
-    dbg:tpl(emqx_const_v2, verify_fun_peer_extKeyUsage, cx),
-    dbg:tpl(emqx_const_v2, do_verify_ext_key_usage,cx),
     generate_tls_certs(Config),
     application:ensure_all_started(esockd),
     Config.
@@ -229,6 +224,6 @@ ssl_config_verify_peer(Config) ->
   , {fail_if_no_peer_cert, true}
   , {keyfile, filename:join(DataDir, "server1.key")}
   , {certfile, filename:join(DataDir, "server1.pem")}
-  , {log_level, debug}
+  %% , {log_level, debug}
   ].