commit 6111e7dc751822547b3de8b23411646a6ad487c4
author Frederik Deweerdt <fdeweerdt@fastly.com> Fri Feb 12 13:53:34 2021 -0800
committer Frederik Deweerdt <fdeweerdt@fastly.com> Fri Feb 12 13:53:34 2021 -0800
tree 7dd3a2d8ab5dc1c208106c8f614688944146a364
parent 951de25d6fedf81221477a31a7cd62cdebedadc4

fix how verification of raw certs is done

t/cli.c

diff --git a/t/cli.c b/t/cli.c
index d22c4cb..ec4c353 100644
--- a/t/cli.c
+++ b/t/cli.c
@@ -402,13 +402,13 @@
         ptls_key_exchange_context_t *elements[16];
         size_t count;
     } esni_key_exchanges;
-    int is_server = 0, use_early_data = 0, request_key_update = 0, keep_sender_open = 0, ch, use_raw_public_keys = 0;
+    int is_server = 0, use_early_data = 0, request_key_update = 0, keep_sender_open = 0, ch, use_raw_public_keys = 0, verify_certificate = 0;
     struct sockaddr_storage sa;
     socklen_t salen;
     int family = 0;
     const char *cert_location = NULL;
 
-    while ((ch = getopt(argc, argv, "46abBC:c:i:Ik:nN:es:SrE:K:l:y:vV:h")) != -1) {
+    while ((ch = getopt(argc, argv, "46abBC:c:i:Ik:nN:es:SrE:K:l:y:vh")) != -1) {
         switch (ch) {
         case '4':
             family = AF_INET;
@@ -489,10 +489,7 @@
             setup_log_event(&ctx, optarg);
             break;
         case 'v':
-            setup_verify_certificate(&ctx);
-            break;
-        case 'V':
-            setup_raw_pubkey_verify_certificate(&ctx, optarg);
+            verify_certificate = 1;
             break;
         case 'N': {
             ptls_key_exchange_algorithm_t *algo = NULL;
@@ -563,6 +560,12 @@
         fprintf(stderr, "-C/-c and -k options must be used together\n");
         return 1;
     }
+    if (verify_certificate) {
+        if (ctx.cert0_is_raw_certificate)
+            setup_raw_pubkey_verify_certificate(&ctx);
+        else
+            setup_verify_certificate(&ctx);
+    }
     if (is_server) {
         if (ctx.certificates.count == 0) {
             fprintf(stderr, "-c and -k options must be set\n");

t/e2e.t

diff --git a/t/e2e.t b/t/e2e.t
index dc1a73a..342dd4f 100755
--- a/t/e2e.t
+++ b/t/e2e.t
@@ -72,7 +72,7 @@
 
 subtest "raw-certificates" => sub {
     my $guard = spawn_server(qw(-r -i t/assets/hello.txt));
-    my $resp = `$cli -r -C t/assets/server.pub 127.0.0.1 $port 2> /dev/null`;
+    my $resp = `$cli -r -v -C t/assets/server.pub 127.0.0.1 $port 2> /dev/null`;
     is $resp, "hello";
 };
 

t/util.h

diff --git a/t/util.h b/t/util.h
index 87f28a4..d73dd8e 100644
--- a/t/util.h
+++ b/t/util.h
@@ -167,11 +167,15 @@
     ctx->verify_certificate = &vc.super;
 }
 
-static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx, const char *fn)
+static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx)
 {
     static ptls_raw_pubkey_verify_certificate_t vc;
     ptls_raw_pubkey_init_verify_certificate(&vc);
-    vc.expected_pubkey = raw_cert_from_file(fn);
+    if (ctx->certificates.count == 0) {
+        fprintf(stderr, "Cannot verify raw public key: no key found\n");
+        exit(1);
+    }
+    vc.expected_pubkey = ctx->certificates.list[0];
     ctx->verify_certificate = &vc.super;
 }