yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(tls-partial-chain): just return trusted CA.

This commit is contained in:
William Yang 2023-05-04 17:54:59 +02:00
parent 8503d3c6dd
commit c3430b8883
4 changed files with 58 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/emqx_const_v2.erl
View File

@ -22,9 +22,6 @@
]). ]).
make_tls_root_fun(cacert_from_cacertfile, CADer) -> make_tls_root_fun(cacert_from_cacertfile, CADer) ->
fun(InputChain) -> fun(_InputChain) ->
case lists:member(CADer, InputChain) of {trusted_ca, CADer}
true -> {trusted_ca, CADer};
_ -> unknown_ca
end
end. end.

18
test/emqx_listener_tls_verify_chain_SUITE.erl
View File

@ -98,7 +98,7 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
, {keyfile, filename:join(DataDir, "server1.key")} , {keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config) | ?config(ssl_config, Config)
]}], ]}],
%% Client has complete chain %% Client has partial_chain
emqx_listeners:start_listener(ssl, Port, Options), emqx_listeners:start_listener(ssl, Port, Options),
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")}, {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")} {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
@ -106,6 +106,22 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
fail_when_ssl_error(Socket), fail_when_ssl_error(Socket),
ok = ssl:close(Socket). ok = ssl:close(Socket).
t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config),
%% Server has root ca cert
Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")}
, {certfile, filename:join(DataDir, "server1.pem")}
, {keyfile, filename:join(DataDir, "server1.key")}
| ?config(ssl_config, Config)
]}],
emqx_listeners:start_listener(ssl, Port, Options),
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
], 1000),
fail_when_ssl_error(Socket),
ok = ssl:close(Socket).
t_conn_success_with_client_complete_cert_chain(Config) -> t_conn_success_with_client_complete_cert_chain(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl), Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config), DataDir = ?config(data_dir, Config),

31
test/emqx_listener_tls_verify_partial_chain_SUITE.erl
View File

@ -100,6 +100,37 @@ t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_complete_bundl
fail_when_no_ssl_alert(Socket, unknown_ca), fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket). ssl:close(Socket).
t_conn_fail_with_renewed_intermediate_cacert_and_client_using_old_bundle(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate2_renewed.pem")}
, {certfile, filename:join(DataDir, "server2.pem")}
, {keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}],
emqx_listeners:start_listener(ssl, Port, Options),
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
], 1000),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
%%@TODO limitation: EMQX is not able to check if the trusted CAcert and the old CAcert belongs to same CA.
t_conn_fail_with_renewed_and_old_intermediate_cacert_and_client_using_old_bundle(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")}
, {certfile, filename:join(DataDir, "server2.pem")}
, {keyfile, filename:join(DataDir, "server2.key")}
| ?config(ssl_config, Config)
]}],
emqx_listeners:start_listener(ssl, Port, Options),
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client2.key")},
{certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
], 1000),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) -> t_conn_fail_with_renewed_intermediate_cacert_other_client(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl), Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config), DataDir = ?config(data_dir, Config),

8
test/emqx_test_tls_certs_helper.erl
View File

@ -235,6 +235,14 @@ generate_tls_certs(Config) ->
filename:join(DataDir, "server1.pem"), filename:join(DataDir, "server1.pem"),
filename:join(DataDir, "intermediate1-server1-bundle.pem") filename:join(DataDir, "intermediate1-server1-bundle.pem")
])), ])),
os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate1_renewed.pem"),
filename:join(DataDir, "root.pem"),
filename:join(DataDir, "intermediate1_renewed-root-bundle.pem")
])),
os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate2.pem"),
filename:join(DataDir, "intermediate2_renewed.pem"),
filename:join(DataDir, "intermediate2_renewed_old-bundle.pem")
])),
os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate1.pem"), os:cmd(io_lib:format("cat ~p ~p > ~p", [filename:join(DataDir, "intermediate1.pem"),
filename:join(DataDir, "root.pem"), filename:join(DataDir, "root.pem"),
filename:join(DataDir, "intermediate1-root-bundle.pem") filename:join(DataDir, "intermediate1-root-bundle.pem")