fix first test

n0-computer · Nov 15, 2024 · ed3d590 · ed3d590
1 parent f77d714
commit ed3d590
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/iroh-net/src/tls/resolver.rs b/iroh-net/src/tls/resolver.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use iroh_base::key::SecretKey;
-use webpki::types::{pem::PemObject, CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+use webpki::types::{pem::PemObject, CertificateDer, PrivatePkcs8KeyDer};
 
 use super::{certificate, CreateConfigError};
 use crate::tls::Authentication;
@@ -29,27 +29,25 @@ impl AlwaysResolvesCert {
             Authentication::RawPublicKey => {
                 // Directly use the key
                 let client_private_key = secret_key.serialize_secret_pem();
-                dbg!(&client_private_key);
                 let client_private_key =
                     PrivatePkcs8KeyDer::from_pem_slice(client_private_key.as_bytes())
                         .expect("cannot open private key file");
-                dbg!(&client_private_key);
                 let client_private_key =
                     rustls::crypto::ring::sign::any_eddsa_type(&client_private_key)?;
-                dbg!(&client_private_key);
+
                 let client_public_key = client_private_key
                     .public_key()
                     .ok_or(rustls::Error::InconsistentKeys(
                         rustls::InconsistentKeys::Unknown,
                     ))
                     .expect("cannot load public key");
-                dbg!(&client_public_key);
                 let client_public_key_as_cert = CertificateDer::from(client_public_key.to_vec());
+
                 let certified_key = rustls::sign::CertifiedKey::new(
                     vec![client_public_key_as_cert],
                     client_private_key,
                 );
-                dbg!(&certified_key);
+
                 Arc::new(certified_key)
             }
         };

diff --git a/iroh-net/src/tls/verifier.rs b/iroh-net/src/tls/verifier.rs
@@ -122,7 +122,16 @@ impl ServerCertVerifier for CertificateVerifier {
                 Ok(ServerCertVerified::assertion())
             }
             Authentication::RawPublicKey => {
+                if !intermediates.is_empty() {
+                    return Err(rustls::Error::InvalidCertificate(
+                        CertificateError::UnknownIssuer,
+                    ));
+                }
+                if self.trusted_spki.is_empty() {
+                    return Ok(ServerCertVerified::assertion());
+                }
                 let end_entity_as_spki = SubjectPublicKeyInfoDer::from(end_entity.as_ref());
+
                 match self.trusted_spki.contains(&end_entity_as_spki) {
                     false => Err(rustls::Error::InvalidCertificate(
                         CertificateError::UnknownIssuer,
@@ -198,6 +207,14 @@ impl ClientCertVerifier for CertificateVerifier {
                 Ok(ClientCertVerified::assertion())
             }
             Authentication::RawPublicKey => {
+                if !intermediates.is_empty() {
+                    return Err(rustls::Error::InvalidCertificate(
+                        CertificateError::UnknownIssuer,
+                    ));
+                }
+                if self.trusted_spki.is_empty() {
+                    return Ok(ClientCertVerified::assertion());
+                }
                 let end_entity_as_spki = SubjectPublicKeyInfoDer::from(end_entity.as_ref());
                 match self.trusted_spki.contains(&end_entity_as_spki) {
                     false => Err(rustls::Error::InvalidCertificate(