fix how verification of raw certs is done
diff --git a/t/cli.c b/t/cli.c
index d22c4cb..ec4c353 100644
--- a/t/cli.c
+++ b/t/cli.c
@@ -402,13 +402,13 @@
ptls_key_exchange_context_t *elements[16];
size_t count;
} esni_key_exchanges;
- int is_server = 0, use_early_data = 0, request_key_update = 0, keep_sender_open = 0, ch, use_raw_public_keys = 0;
+ int is_server = 0, use_early_data = 0, request_key_update = 0, keep_sender_open = 0, ch, use_raw_public_keys = 0, verify_certificate = 0;
struct sockaddr_storage sa;
socklen_t salen;
int family = 0;
const char *cert_location = NULL;
- while ((ch = getopt(argc, argv, "46abBC:c:i:Ik:nN:es:SrE:K:l:y:vV:h")) != -1) {
+ while ((ch = getopt(argc, argv, "46abBC:c:i:Ik:nN:es:SrE:K:l:y:vh")) != -1) {
switch (ch) {
case '4':
family = AF_INET;
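Review bot: Dropping `V:` from the getopt string here, and the matching `case 'V':` in the next hunk, removes a public flag without anything in this diff updating the CLI's usage/help text; if that text still lists `-V <file>` it now documents an option that getopt rejects. The help entry for `-v` should also say that it verifies the peer's raw public key when `-r` is in use, since that is the behaviour this commit folds into it. The enclosing main() starts before this hunk and the usage text is not visible in the diff, so this may already be handled elsewhere.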
@@ -489,10 +489,7 @@
setup_log_event(&ctx, optarg);
break;
case 'v':
- setup_verify_certificate(&ctx);
- break;
- case 'V':
- setup_raw_pubkey_verify_certificate(&ctx, optarg);
+ verify_certificate = 1;
break;
case 'N': {
ptls_key_exchange_algorithm_t *algo = NULL;
@@ -563,6 +560,12 @@
fprintf(stderr, "-C/-c and -k options must be used together\n");
return 1;
}
+ if (verify_certificate) {
+ if (ctx.cert0_is_raw_certificate)
+ setup_raw_pubkey_verify_certificate(&ctx);
+ else
+ setup_verify_certificate(&ctx);
+ }
if (is_server) {
if (ctx.certificates.count == 0) {
fprintf(stderr, "-c and -k options must be set\n");
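Review bot: The new `if (ctx.cert0_is_raw_certificate)` branch ends up pinning the peer's key to `ctx.certificates.list[0]` (see the t/util.h hunk), and from the `-c and -k options must be set` check just below, `ctx.certificates` appears to be the endpoint's own credential list; on a server started with `-r -v` the client's key would therefore be compared against the server's own key, which is unlikely to be what a caller wants. If raw-key verification is intended for the client only, reject the other case explicitly: `if (verify_certificate && ctx.cert0_is_raw_certificate && is_server) { fprintf(stderr, "-v with raw public keys is only supported on the client\n"); return 1; }`, or add a comment above the block stating that `-C` must carry the peer's key. The enclosing main() continues outside the hunk.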
diff --git a/t/e2e.t b/t/e2e.t
index dc1a73a..342dd4f 100755
--- a/t/e2e.t
+++ b/t/e2e.t
@@ -72,7 +72,7 @@
subtest "raw-certificates" => sub {
my $guard = spawn_server(qw(-r -i t/assets/hello.txt));
- my $resp = `$cli -r -C t/assets/server.pub 127.0.0.1 $port 2> /dev/null`;
+ my $resp = `$cli -r -v -C t/assets/server.pub 127.0.0.1 $port 2> /dev/null`;
is $resp, "hello";
};
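Review bot: The raw-certificates subtest only shows that verification succeeds with the matching key; nothing exercises the rejection path that `-v` was just wired up to provide. A second subtest that passes a key other than t/assets/server.pub to `-C` and asserts that `$resp` is not "hello" would pin the new behaviour, since a verifier that accepts anything would pass the current test unchanged. Use an existing asset or a clearly named fixture, e.g. `-C t/assets/<OTHER_KEY_PLACEHOLDER>`, rather than generating one in the test.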
diff --git a/t/util.h b/t/util.h
index 87f28a4..d73dd8e 100644
--- a/t/util.h
+++ b/t/util.h
@@ -167,11 +167,15 @@
ctx->verify_certificate = &vc.super;
}
-static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx, const char *fn)
+static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx)
{
static ptls_raw_pubkey_verify_certificate_t vc;
ptls_raw_pubkey_init_verify_certificate(&vc);
- vc.expected_pubkey = raw_cert_from_file(fn);
+ if (ctx->certificates.count == 0) {
+ fprintf(stderr, "Cannot verify raw public key: no key found\n");
+ exit(1);
+ }
+ vc.expected_pubkey = ctx->certificates.list[0];
ctx->verify_certificate = &vc.super;
}
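Review bot: The new body changes what `expected_pubkey` means — it is no longer read from a caller-chosen file but taken from `ctx->certificates.list[0]` — and nothing at the definition says the caller must have loaded the peer's raw public key there first; add a header comment such as `/* Pins the peer's raw public key to ctx->certificates.list[0], which the caller must have loaded beforehand (the cli does so via -C); if expected_pubkey is an iovec the buffer is aliased, not copied, so it must outlive the handshake. */`. With the `fn` parameter gone, `raw_cert_from_file` has lost its only caller visible in this diff; if nothing else uses it, it is now dead code in the same header. The added `fprintf`/`exit(1)` also assumes stdio.h and stdlib.h are already included by t/util.h, which this hunk does not show.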