- rename `st_ptls_raw_pubkey_verify_certificate_t` to `st_ptls_openssl_raw_pubkey_verify_certificate_t`
- store EVP_PKEY in the verify structure
diff --git a/include/picotls/openssl.h b/include/picotls/openssl.h
index 60fb69f..1f27a27 100644
--- a/include/picotls/openssl.h
+++ b/include/picotls/openssl.h
@@ -104,10 +104,10 @@
void ptls_openssl_dispose_sign_certificate(ptls_openssl_sign_certificate_t *self);
int ptls_openssl_load_certificates(ptls_context_t *ctx, X509 *cert, STACK_OF(X509) * chain);
-typedef struct st_ptls_raw_pubkey_verify_certificate_t {
+typedef struct st_ptls_openssl_raw_pubkey_verify_certificate_t {
ptls_verify_certificate_t super;
- ptls_iovec_t expected_pubkey;
-} ptls_raw_pubkey_verify_certificate_t;
+ EVP_PKEY *expected_pubkey;
+} ptls_openssl_raw_pubkey_verify_certificate_t;
typedef struct st_ptls_openssl_verify_certificate_t {
ptls_verify_certificate_t super;
@@ -118,7 +118,7 @@
void ptls_openssl_dispose_verify_certificate(ptls_openssl_verify_certificate_t *self);
X509_STORE *ptls_openssl_create_default_certificate_store(void);
-int ptls_raw_pubkey_init_verify_certificate(ptls_raw_pubkey_verify_certificate_t *self);
+int ptls_openssl_raw_pubkey_init_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self, EVP_PKEY *pubkey);
int ptls_openssl_encrypt_ticket(ptls_buffer_t *dst, ptls_iovec_t src,
int (*cb)(unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int));
diff --git a/lib/openssl.c b/lib/openssl.c
index 7d1bb19..0bc52cb 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -1289,34 +1289,39 @@
static int verify_raw_cert(ptls_verify_certificate_t *_self, ptls_t *tls, int (**verifier)(void *, ptls_iovec_t, ptls_iovec_t),
void **verify_data, ptls_iovec_t *certs, size_t num_certs)
{
- ptls_raw_pubkey_verify_certificate_t *self = (ptls_raw_pubkey_verify_certificate_t *)_self;
+ ptls_openssl_raw_pubkey_verify_certificate_t *self = (ptls_openssl_raw_pubkey_verify_certificate_t *)_self;
int ret = PTLS_ALERT_BAD_CERTIFICATE;
+ ptls_iovec_t expected_pubkey = {};
assert(num_certs != 0);
if (num_certs != 1)
goto Exit;
- if (certs[0].len != self->expected_pubkey.len)
- goto Exit;
-
- if (!ptls_mem_equal(self->expected_pubkey.base, certs[0].base, certs[0].len))
- goto Exit;
-
- const unsigned char *p = self->expected_pubkey.base;
- if ((*verify_data = d2i_PUBKEY(NULL, &p, self->expected_pubkey.len)) == NULL) {
+ int r = i2d_PUBKEY(self->expected_pubkey, &expected_pubkey.base);
+ if (r <= 0) {
ret = PTLS_ALERT_BAD_CERTIFICATE;
goto Exit;
}
+
+ expected_pubkey.len = r;
+ if (certs[0].len != expected_pubkey.len)
+ goto Exit;
+
+ if (!ptls_mem_equal(expected_pubkey.base, certs[0].base, certs[0].len))
+ goto Exit;
+
+ *verify_data = self->expected_pubkey;
*verifier = verify_sign;
ret = 0;
Exit:
+ free(expected_pubkey.base);
return ret;
}
-int ptls_raw_pubkey_init_verify_certificate(ptls_raw_pubkey_verify_certificate_t *self)
+int ptls_openssl_raw_pubkey_init_verify_certificate(ptls_openssl_raw_pubkey_verify_certificate_t *self, EVP_PKEY *expected_pubkey)
{
- *self = (ptls_raw_pubkey_verify_certificate_t){{verify_raw_cert}};
+ *self = (ptls_openssl_raw_pubkey_verify_certificate_t){{verify_raw_cert}, expected_pubkey};
return 0;
}
diff --git a/t/cli.c b/t/cli.c
index 04d0625..c3cf2b9 100644
--- a/t/cli.c
+++ b/t/cli.c
@@ -555,8 +555,14 @@
ctx.certificates.count = 1;
} else if (!is_dash) {
ptls_iovec_t raw_pub_key;
+ EVP_PKEY *pubkey;
load_raw_public_key(&raw_pub_key, raw_pub_key_file);
- setup_raw_pubkey_verify_certificate(&ctx, raw_pub_key);
+ pubkey = d2i_PUBKEY(NULL, (const unsigned char **)&raw_pub_key.base, raw_pub_key.len);
+ if (pubkey == NULL) {
+ fprintf(stderr, "Failed to create an EVP_PKEY from the key found in %s\n", raw_pub_key_file);
+ return 1;
+ }
+ setup_raw_pubkey_verify_certificate(&ctx, pubkey);
}
ctx.use_raw_public_keys = 1;
} else {
diff --git a/t/util.h b/t/util.h
index 74d61fb..3890737 100644
--- a/t/util.h
+++ b/t/util.h
@@ -131,11 +131,10 @@
ctx->verify_certificate = &vc.super;
}
-static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx, ptls_iovec_t raw_pub_key)
+static inline void setup_raw_pubkey_verify_certificate(ptls_context_t *ctx, EVP_PKEY *pubkey)
{
- static ptls_raw_pubkey_verify_certificate_t vc;
- ptls_raw_pubkey_init_verify_certificate(&vc);
- vc.expected_pubkey = raw_pub_key;
+ static ptls_openssl_raw_pubkey_verify_certificate_t vc;
+ ptls_openssl_raw_pubkey_init_verify_certificate(&vc, pubkey);
ctx->verify_certificate = &vc.super;
}
