From e6ae98dd407d8af1568987acc1924644aab6acb4 Mon Sep 17 00:00:00 2001
From: Shawn <506895667@qq.com>
Date: Tue, 20 Jun 2023 20:47:44 +0800
Subject: [PATCH] chore: sync code from ee
---
 src/emqx_tls_lib.erl | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/emqx_tls_lib.erl b/src/emqx_tls_lib.erl
index 2e330992a..9a05bd64d 100644
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@@ -224,15 +224,20 @@ replace(Opts, Key, Value) -> [{Key, Value} | proplists:delete(Key, Opts)].
 %% @doc Helper, make TLS root_fun
 rootfun_trusted_ca_from_cacertfile(NumOfCerts, SslOpts) ->
 Cacertfile = proplists:get_value(cacertfile, SslOpts, undefined),
- try do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, Cacertfile)
- catch _Error:_Info:ST ->
- %% The cacertfile will be checked by OTP SSL as well and OTP choice to be silent on this.
- %% We are touching security sutffs, don't leak extra info..
- ?LOG(error, "Failed to look for trusted cacert from cacertfile. Stacktrace: ~p", [ST]),
- throw({error, ?FUNCTION_NAME})
+ case file:read_file(Cacertfile) of
+ {ok, PemBin} ->
+ try do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin)
+ catch _Error:_Info:ST ->
+ %% The cacertfile will be checked by OTP SSL as well and OTP choice to be silent on this.
+ %% We are touching security sutffs, don't leak extra info..
+ ?LOG(error, "Failed to look for trusted cacert from cacertfile. Stacktrace: ~p", [ST]),
+ throw({error, ?FUNCTION_NAME})
+ end;
+ {error, Reason} ->
+ throw({error, {read_cacertfile_error, Cacertfile, Reason}})
 end.
-do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, Cacertfile) ->
- {ok, PemBin} = file:read_file(Cacertfile),
+
+do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin) ->
 %% The last one or two should be the top parent in the chain if it is a chain
 Certs = public_key:pem_decode(PemBin),
 Pos = length(Certs) - NumOfCerts + 1,
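Review bot: The new `{error, Reason} ->` branch in rootfun_trusted_ca_from_cacertfile throws `{read_cacertfile_error, Cacertfile, Reason}`, i.e. the configured path and the posix reason, while the adjacent catch branch deliberately throws only `{error, ?FUNCTION_NAME}` because, per its own comment, it does not want to leak extra detail; the two error paths of one function now disagree on how much to disclose. Unless the callers of this helper are known to keep thrown reasons out of client-facing responses, it would be more consistent to log and hide here too: `{error, Reason} ->`, `?LOG(error, "Failed to read cacertfile ~p: ~p", [Cacertfile, Reason]),`, `throw({error, ?FUNCTION_NAME})`. A related detail worth confirming: `Cacertfile` defaults to `undefined` from `proplists:get_value/3`, and if a caller can reach this function without a cacertfile the read presumably fails with something like `{read_cacertfile_error, undefined, enoent}`, which is harder to act on than a dedicated "no cacertfile configured" reason. The moved comment still reads `OTP choice to be silent` and `security sutffs`; since the lines are rewritten anyway, `OTP chooses to be silent` and `security stuff` would be a free fix. The body of do_rootfun_trusted_ca_from_cacertfile continues past the end of the hunk, so the handling of `Pos` when fewer than NumOfCerts certificates are decoded is not visible here.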