yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(ocsp): URL encode request path 

Fixes https://emqx.atlassian.net/browse/EMQX-10624
This commit is contained in:
Thales Macedo Garitezi 2023-07-25 17:36:47 -03:00
parent 90e60acabd
commit d0deaca00d
3 changed files with 40 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/emqx/src/emqx_ocsp_cache.erl
View File

@ -542,7 +542,8 @@ build_ocsp_request(IssuerPem, ServerCert) ->
} }
}, },
ReqDer = public_key:der_encode('OCSPRequest', Req), ReqDer = public_key:der_encode('OCSPRequest', Req),
base64:encode_to_string(ReqDer). B64Encoded = base64:encode_to_string(ReqDer),
uri_string:quote(B64Encoded).
to_bin(Str) when is_list(Str) -> list_to_binary(Str); to_bin(Str) when is_list(Str) -> list_to_binary(Str);
to_bin(Bin) when is_binary(Bin) -> Bin. to_bin(Bin) when is_binary(Bin) -> Bin.

39
apps/emqx/test/emqx_ocsp_cache_SUITE.erl
View File

@ -175,13 +175,14 @@ init_per_testcase(_TestCase, Config) ->
DataDir = ?config(data_dir, Config), DataDir = ?config(data_dir, Config),
Type = ssl, Type = ssl,
Name = test_ocsp, Name = test_ocsp,
ResponderURL = <<"http://localhost:9877/">>,
ListenerOpts = #{ ListenerOpts = #{
ssl_options => ssl_options =>
#{ #{
certfile => filename:join(DataDir, "server.pem"), certfile => filename:join(DataDir, "server.pem"),
ocsp => #{ ocsp => #{
enable_ocsp_stapling => true, enable_ocsp_stapling => true,
responder_url => <<"http://localhost:9877/">>, responder_url => ResponderURL,
issuer_pem => filename:join(DataDir, "ocsp-issuer.pem"), issuer_pem => filename:join(DataDir, "ocsp-issuer.pem"),
refresh_http_timeout => <<"15s">>, refresh_http_timeout => <<"15s">>,
refresh_interval => <<"1s">> refresh_interval => <<"1s">>
@ -197,7 +198,8 @@ init_per_testcase(_TestCase, Config) ->
ListenerOpts2 = emqx_utils_maps:deep_get([listeners, Type, Name], Conf2), ListenerOpts2 = emqx_utils_maps:deep_get([listeners, Type, Name], Conf2),
emqx_config:put_listener_conf(Type, Name, [], ListenerOpts2), emqx_config:put_listener_conf(Type, Name, [], ListenerOpts2),
[ [
{cache_pid, CachePid} {cache_pid, CachePid},
{responder_url, ResponderURL}
| Config | Config
]. ].
@ -997,6 +999,39 @@ t_unknown_error_fetching_ocsp_response(_Config) ->
end, end,
ok. ok.
t_path_encoding(Config) ->
ResponderURL = ?config(responder_url, Config),
ListenerID = <<"ssl:test_ocsp">>,
TestPid = self(),
ok = meck:expect(
emqx_ocsp_cache,
http_get,
fun(RequestURI, _HTTPTimeout) ->
TestPid ! {request_uri, RequestURI},
{ok, {{"HTTP/1.0", 200, 'OK'}, [], <<"ocsp response">>}}
end
),
?check_trace(
begin
?assertMatch({ok, _}, emqx_ocsp_cache:fetch_response(ListenerID)),
receive
{request_uri, <<RequestURI/binary>>} ->
<<ResponderURL:(size(ResponderURL))/binary, Path/binary>> = RequestURI,
?assertEqual(nomatch, binary:match(Path, <<"/">>), #{path => Path}),
ok
after 100 ->
ct:pal(
"responder url: ~p\nmailbox: ~p",
[ResponderURL, process_info(self(), messages)]
),
ct:fail("request not made")
end,
ok
end,
[]
),
ok.
t_openssl_client(Config) -> t_openssl_client(Config) ->
TLSVsn = ?config(tls_vsn, Config), TLSVsn = ?config(tls_vsn, Config),
WithStatusRequest = ?config(status_request, Config), WithStatusRequest = ?config(status_request, Config),

1
changes/ce/fix-11347.en.md Normal file
View File

@ -0,0 +1 @@
Ensure that OCSP request path is properly URL encoded.