From c3430b8883ec9f1385079fe8f847b19f7d3af69c Mon Sep 17 00:00:00 2001 From: William Yang Date: Thu, 4 May 2023 17:54:59 +0200 Subject: [PATCH] feat(tls-partial-chain): just return trusted CA. --- src/emqx_const_v2.erl | 7 ++--- test/emqx_listener_tls_verify_chain_SUITE.erl | 18 ++++++++++- ...istener_tls_verify_partial_chain_SUITE.erl | 31 +++++++++++++++++++ test/emqx_test_tls_certs_helper.erl | 8 +++++ 4 files changed, 58 insertions(+), 6 deletions(-) diff --git a/src/emqx_const_v2.erl b/src/emqx_const_v2.erl index 536b0215a..0c211ec5f 100644 --- a/src/emqx_const_v2.erl +++ b/src/emqx_const_v2.erl @@ -22,9 +22,6 @@ ]). make_tls_root_fun(cacert_from_cacertfile, CADer) -> - fun(InputChain) -> - case lists:member(CADer, InputChain) of - true -> {trusted_ca, CADer}; - _ -> unknown_ca - end + fun(_InputChain) -> + {trusted_ca, CADer} end. diff --git a/test/emqx_listener_tls_verify_chain_SUITE.erl b/test/emqx_listener_tls_verify_chain_SUITE.erl index 65f6a55b5..b5eca0e62 100644 --- a/test/emqx_listener_tls_verify_chain_SUITE.erl +++ b/test/emqx_listener_tls_verify_chain_SUITE.erl @@ -98,7 +98,7 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) -> , {keyfile, filename:join(DataDir, "server1.key")} | ?config(ssl_config, Config) ]}], - %% Client has complete chain + %% Client has partial_chain emqx_listeners:start_listener(ssl, Port, Options), {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")}, {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} 
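Review bot: The new fun ignores `_InputChain` and returns `{trusted_ca, CADer}` for every handshake, so `make_tls_root_fun/2` no longer decides anything itself and acceptance now rests entirely on OTP ssl path-validating the peer's chain against the returned anchor, which is not visible in this hunk and deserves a comment such as `%% Always claim the configured CA as trust anchor; OTP ssl still path-validates the peer chain against it, so a chain not issued by CADer is still rejected (unknown_ca).` The removed `lists:member(CADer, InputChain)` check could only succeed when the chain handed to the callback contained the CA certificate itself, which presumably is why the renewed-intermediate case added to the chain SUITE needs this change. The comment should also say which certificate of a multi-certificate `cacertfile` becomes `CADer`, since the partial-chain SUITE added in this commit pins the fact that only one of them is trusted; that selection happens outside this hunk.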
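Review bot: The reworded comment `%% Client has partial_chain` contradicts the test's own name, `t_conn_success_with_other_signed_client_composed_complete_chain`, and the certfile it connects with, `client2-intermediate2-bundle.pem`, which bundles the client certificate with its intermediate. If the intent is that the client's chain stops at the intermediate and does not reach the root, say that rather than naming the server option: `%% Client sends its cert plus intermediate2 but no root`. The test function begins and ends outside this hunk.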
@@ -106,6 +106,22 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) -> fail_when_ssl_error(Socket), ok = ssl:close(Socket). +t_conn_success_with_renewed_intermediate_root_bundle(Config) -> + Port = emqx_test_tls_certs_helper:select_free_port(ssl), + DataDir = ?config(data_dir, Config), + %% Server has root ca cert + Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")} + , {certfile, filename:join(DataDir, "server1.pem")} + , {keyfile, filename:join(DataDir, "server1.key")} + | ?config(ssl_config, Config) + ]}], + emqx_listeners:start_listener(ssl, Port, Options), + {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")}, + {certfile, filename:join(DataDir, "client1.pem")} + ], 1000), + fail_when_ssl_error(Socket), + ok = ssl:close(Socket). + t_conn_success_with_client_complete_cert_chain(Config) -> Port = emqx_test_tls_certs_helper:select_free_port(ssl), DataDir = ?config(data_dir, Config), diff --git a/test/emqx_listener_tls_verify_partial_chain_SUITE.erl b/test/emqx_listener_tls_verify_partial_chain_SUITE.erl index 615709a44..c38039cf1 100644 --- a/test/emqx_listener_tls_verify_partial_chain_SUITE.erl +++ b/test/emqx_listener_tls_verify_partial_chain_SUITE.erl 
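Review bot: The comment `%% Server has root ca cert` in the new `t_conn_success_with_renewed_intermediate_root_bundle/1` undersells what is configured: `cacertfile` is `intermediate1_renewed-root-bundle.pem`, i.e. the renewed intermediate1 together with the root, and the assertion is that `client1.pem` still connects without an alert. Make the comment state what is being checked, e.g. `%% Server trusts the renewed intermediate1 bundled with the root; client1 must still verify`. The bundle itself is produced in `emqx_test_tls_certs_helper`, so the certificate order a reader would want to know is not visible here.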
@@ -100,6 +100,37 @@ t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundl fail_when_no_ssl_alert(Socket, unknown_ca), ssl:close(Socket). +t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config) -> + Port = emqx_test_tls_certs_helper:select_free_port(ssl), + DataDir = ?config(data_dir, Config), + Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")} + , {certfile, filename:join(DataDir, "server2.pem")} + , {keyfile, filename:join(DataDir, "server2.key")} + | ?config(ssl_config, Config) + ]}], + emqx_listeners:start_listener(ssl, Port, Options), + {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")}, + {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} + ], 1000), + fail_when_no_ssl_alert(Socket, unknown_ca), + ssl:close(Socket). + +%%@TODO limitation: EMQX is not able to check if the trusted CAcert and the old CAcert belongs to same CA. +t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle(Config) -> + Port = emqx_test_tls_certs_helper:select_free_port(ssl), + DataDir = ?config(data_dir, Config), + Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")} + , {certfile, filename:join(DataDir, "server2.pem")} + , {keyfile, filename:join(DataDir, "server2.key")} + | ?config(ssl_config, Config) + ]}], + emqx_listeners:start_listener(ssl, Port, Options), + {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")}, + {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} + ], 1000), + fail_when_no_ssl_alert(Socket, unknown_ca), + ssl:close(Socket). + t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) -> Port = emqx_test_tls_certs_helper:select_free_port(ssl), DataDir = ?config(data_dir, Config), 
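Review bot: The `%%@TODO limitation` comment on `t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle/1` pins a known limitation as the expected outcome — with both the old and the renewed intermediate2 in `intermediate2_renewed_old-bundle.pem`, a client issued by the old one is still rejected with `unknown_ca` — but it does not say why, so a later change that makes this connect cannot be told apart from a regression. If, as the wording suggests, only one certificate of a bundled cacertfile becomes the trust anchor, say so and fix the grammar: `%% @TODO limitation: only one certificate of a bundled cacertfile is used as trust anchor, so a client issued by the other one fails with unknown_ca; EMQX cannot tell that the old and renewed intermediate belong to the same CA. Flip this to a success case once multiple anchors are supported.` As a point of style, both new tests differ from `t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundle/1` only in the cacertfile and certfile names, so a small helper taking those two names would remove the duplicated listener and connect setup.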
diff --git a/test/emqx_test_tls_certs_helper.erl b/test/emqx_test_tls_certs_helper.erl index e51875272..d95a1a4f9 100644 --- a/test/emqx_test_tls_certs_helper.erl +++ b/test/emqx_test_tls_certs_helper.erl @@ -235,6 +235,14 @@ generate_tls_certs(Config) -> filename:join(DataDir, "server1.pem"), filename:join(DataDir, "intermediate1-server1-bundle.pem") ])), + os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate1_renewed.pem"), + filename:join(DataDir, "root.pem"), + filename:join(DataDir, "intermediate1_renewed-root-bundle.pem") + ])), + os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate2.pem"), + filename:join(DataDir, "intermediate2_renewed.pem"), + filename:join(DataDir, "intermediate2_renewed_old-bundle.pem") + ])), os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate1.pem"), filename:join(DataDir, "root.pem"), filename:join(DataDir, "intermediate1-root-bundle.pem")
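Review bot: Both added `os:cmd(io_lib:format("cat ~p ~p > ~p", ...))` calls discard the command's output and exit status, so a missing input file leaves the bundle empty or absent and the suites fail later with an unrelated TLS alert instead of here; they also route file names through a shell, with `~p` doing the quoting. Since the same pattern already exists in `generate_tls_certs/1` (which begins and ends outside this hunk), the cleanest fix is a small helper that concatenates with `file:read_file/1` and `file:write_file/2` and asserts `ok`, used for the two new bundles and, when convenient, the existing ones. The certificate order written into `intermediate2_renewed_old-bundle.pem` (old first, renewed second) is presumably what the new partial-chain test's `unknown_ca` expectation depends on, so a one-line comment on that call would help.
```erlang
    %% Build the renewed-intermediate bundles without a shell; a missing
    %% input fails here instead of as a later TLS alert.
    ok = concat_pem(filename:join(DataDir, "intermediate1_renewed-root-bundle.pem"),
                    [filename:join(DataDir, "intermediate1_renewed.pem"),
                     filename:join(DataDir, "root.pem")]),
    %% Order matters: old intermediate2 first, renewed second.
    ok = concat_pem(filename:join(DataDir, "intermediate2_renewed_old-bundle.pem"),
                    [filename:join(DataDir, "intermediate2.pem"),
                     filename:join(DataDir, "intermediate2_renewed.pem")]),
    %% … unchanged: remaining os:cmd bundle steps …

%% New private function, placed after generate_tls_certs/1.
%% Concatenate the PEM files Ins, in order, into Out; crashes on any read error.
concat_pem(Out, Ins) ->
    Parts = [begin {ok, Pem} = file:read_file(In), Pem end || In <- Ins],
    file:write_file(Out, Parts).
```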