emqx/rel/i18n/emqx_auth_ext_schema.hocon

emqx_auth_ext_schema {

common_ssl_opts_schema_partial_chain.desc:
"""Enable or disable peer verification with partial_chain.
When local verifies a peer certificate during the x509 path validation
process, it constructs a certificate chain that starts with the peer
certificate and ends with a trust anchor.
By default, if it is set to `false`, the trust anchor is the
Root CA, and the certificate chain must be complete.
However, if the setting is set to `true` or `cacert_from_cacertfile`,
the last certificate in `cacertfile` will be used as the trust anchor
certificate (intermediate CA). This creates a partial chain
in the path validation.
Alternatively, if it is configured with `two_cacerts_from_cacertfile`,
one of the last two certificates in `cacertfile` will be used as the
trust anchor certificate, forming a partial chain. This option is
particularly useful for intermediate CA certificate rotation.
However, please note that it incurs some additional overhead, so it
should only be used for certificate rotation purposes."""

common_ssl_opts_schema_partial_chain.label:
"""Partial chain"""

common_ssl_opts_verify_peer_ext_key_usage.desc:
"""Verify extended key usage in peer's certificate
For additional peer certificate validation, the value defined here must present in the
'Extended Key Usage' of peer certificate defined in
[rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).

Allowed values are
- `clientAuth`
- `serverAuth`
- `codeSigning`
- `emailProtection`
- `timeStamping`
- `ocspSigning`
- raw OID, for example: "OID:1.3.6.1.5.5.7.3.2" means `id-pk 2` which is equivalent to `clientAuth`

Comma-separated string is also supported for validating more than one key usages.

For example, `"serverAuth,OID:1.3.6.1.5.5.7.3.2"`"""

common_ssl_opts_verify_peer_ext_key_usage.label:
"""Verify KeyUsage in cert"""

}