yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore(TLS-chain-test): update for OTP 26

This commit is contained in:
William Yang 2024-04-30 09:01:52 +02:00
parent 9e196680de
commit abbf2ef62f
6 changed files with 44 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/emqx/src/emqx_const_v2.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.

23
apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.
@ -58,7 +58,8 @@ t_conn_fail_with_intermediate_ca_cert(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -83,7 +84,8 @@ t_conn_fail_with_other_intermediate_ca_cert(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client2.key")}, {keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2.pem")} {certfile, filename:join(DataDir, "client2.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -110,7 +112,8 @@ t_conn_success_with_server_client_composed_complete_chain(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client2.key")}, {keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -136,7 +139,8 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client2.key")}, {keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -161,7 +165,8 @@ t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -185,7 +190,8 @@ t_conn_success_with_client_complete_cert_chain(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client2.key")}, {keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-complete-bundle.pem")} {certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -237,7 +243,8 @@ t_conn_fail_without_root_cacert(Config) ->
{keyfile, filename:join(DataDir, "client2.key")}, {keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}, {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
%% stick to tlsv1.2 for consistent error message %% stick to tlsv1.2 for consistent error message
{versions, ['tlsv1.2']} {versions, ['tlsv1.2']},
{cacertfile, filename:join(DataDir, "intermediate2.pem")}
], ],
1000 1000
), ),

32
apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.
@ -77,7 +77,8 @@ t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -102,7 +103,8 @@ t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -129,7 +131,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -157,7 +160,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -184,7 +188,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -210,7 +215,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -237,7 +243,8 @@ t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -263,7 +270,8 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),
@ -290,7 +298,8 @@ t_conn_fail_client_keyusage_unmatch(Config) ->
Port, Port,
[ [
{keyfile, client_key_file(DataDir, ?FUNCTION_NAME)}, {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
{certfile, client_pem_file(DataDir, ?FUNCTION_NAME)} {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
{verify, verify_none}
], ],
1000 1000
), ),
@ -317,7 +326,8 @@ t_conn_fail_client_keyusage_incomplete(Config) ->
Port, Port,
[ [
{keyfile, filename:join(DataDir, "client1.key")}, {keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")} {certfile, filename:join(DataDir, "client1.pem")},
{verify, verify_none}
], ],
1000 1000
), ),

7
apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.
@ -702,4 +702,7 @@ ssl_config_verify_partial_chain() ->
]. ].
client_default_tls_opts() -> client_default_tls_opts() ->
[{versions, ['tlsv1.2']}]. [
{versions, ['tlsv1.2']},
{verify, verify_none}
].

3
apps/emqx/test/emqx_test_tls_certs_helper.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.
@ -40,6 +40,7 @@ emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
emqx_start_listener(Name, Type, Port, maps:from_list(Opts)); emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) -> emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
Opts = Opts0#{ Opts = Opts0#{
enable => true,
bind => {{127, 0, 0, 1}, Port}, bind => {{127, 0, 0, 1}, Port},
mountpoint => <<>>, mountpoint => <<>>,
zone => default, zone => default,

4
changes/ce/feat-11721.zh.md
View File

@ -1,4 +0,0 @@
移植 emqx 4.4 中的两项 TLS 握手验证功能
- 支持部分链 ( partial_chain )
- 证书密钥使用验证