rename cert0_is_raw_certificate as use_raw_public_keys
diff --git a/include/picotls.h b/include/picotls.h
index 5dc3563..8c179c5 100644
--- a/include/picotls.h
+++ b/include/picotls.h
@@ -712,9 +712,18 @@
*/
unsigned omit_end_of_early_data : 1;
/**
+ * This option turns on support for Raw Public Keys (RFC 7250).
*
+ * When running as a client, this option instructs the client to request the server to send raw public keys in place of X.509
+ * certificate chain. The client should set its `certificate_verify` callback to one that is capable of validating the raw
+ * public key that will be sent by the server.
+ *
+ * When running as a server, this option instructs the server to only handle clients requesting the use of raw public keys. If
+ * the client does not, the handshake is rejected. Note however that the rejection happens only after the `on_client_hello`
+ * callback is being called. Therefore, applications can support both X.509 and raw public keys by swapping `ptls_context_t` to
+ * the correct one when that callback is being called (like handling swapping the contexts based on the value of SNI).
*/
- unsigned cert0_is_raw_certificate : 1;
+ unsigned use_raw_public_keys : 1;
/**
*
*/
diff --git a/lib/picotls.c b/lib/picotls.c
index d1c9523..0df82f2 100644
--- a/lib/picotls.c
+++ b/lib/picotls.c
@@ -2069,7 +2069,7 @@
ptls_buffer_push_block(sendbuf, 2, { ptls_buffer_pushv(sendbuf, cookie->base, cookie->len); });
});
}
- if (tls->ctx->cert0_is_raw_certificate) {
+ if (tls->ctx->use_raw_public_keys) {
buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE, {
ptls_buffer_push_block(sendbuf, 1, { ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); });
});
@@ -2493,7 +2493,7 @@
ret = PTLS_ALERT_DECODE_ERROR;
goto Exit;
}
- if ((tls->ctx->cert0_is_raw_certificate && *src != PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY) &&
+ if ((tls->ctx->use_raw_public_keys && *src != PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY) &&
*src != PTLS_CERTIFICATE_TYPE_X509) {
ret = PTLS_ALERT_UNSUPPORTED_CERTIFICATE;
goto Exit;
@@ -3311,8 +3311,8 @@
ptls_decode_block(src, end, 1, {
int found = 0;
for (size_t i = 0; i < end - src; i++) {
- if ((*src == PTLS_CERTIFICATE_TYPE_X509 && !tls->ctx->cert0_is_raw_certificate) ||
- (*src == PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY && tls->ctx->cert0_is_raw_certificate)) {
+ if ((*src == PTLS_CERTIFICATE_TYPE_X509 && !tls->ctx->use_raw_public_keys) ||
+ (*src == PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY && tls->ctx->use_raw_public_keys)) {
found = 1;
break;
}
@@ -4033,7 +4033,7 @@
* The "extension_data" field of this extension SHALL be empty. (RFC 6066 section 3) */
buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_NAME, {});
}
- if (tls->ctx->cert0_is_raw_certificate) {
+ if (tls->ctx->use_raw_public_keys) {
buffer_push_extension(sendbuf, PTLS_EXTENSION_TYPE_SERVER_CERTIFICATE_TYPE,
{ ptls_buffer_push(sendbuf, PTLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY); });
}
diff --git a/t/cli.c b/t/cli.c
index ff60590..6b2dd92 100644
--- a/t/cli.c
+++ b/t/cli.c
@@ -553,16 +553,16 @@
load_certificate_chain(&ctx, cert_location);
} else {
load_raw_public_key(&ctx, cert_location);
- ctx.cert0_is_raw_certificate = 1;
+ ctx.use_raw_public_keys = 1;
}
}
- if (!ctx.cert0_is_raw_certificate && (ctx.certificates.count == 0) != (ctx.sign_certificate == NULL)) {
+ if (!ctx.use_raw_public_keys && (ctx.certificates.count == 0) != (ctx.sign_certificate == NULL)) {
fprintf(stderr, "-C/-c and -k options must be used together\n");
return 1;
}
if (verify_certificate) {
- if (ctx.cert0_is_raw_certificate)
+ if (ctx.use_raw_public_keys)
setup_raw_pubkey_verify_certificate(&ctx);
else
setup_verify_certificate(&ctx);