From ed3d590e7944ddb8286af500c41520d694ab62da Mon Sep 17 00:00:00 2001
From: dignifiedquire
Date: Fri, 15 Nov 2024 21:17:09 +0100
Subject: [PATCH] fix first test
---
 iroh-net/src/tls/resolver.rs | 10 ++++------
 iroh-net/src/tls/verifier.rs | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/iroh-net/src/tls/resolver.rs b/iroh-net/src/tls/resolver.rs
index 12710cfcbc..6dbda5e0a8 100644
--- a/iroh-net/src/tls/resolver.rs
+++ b/iroh-net/src/tls/resolver.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 use iroh_base::key::SecretKey;
-use webpki::types::{pem::PemObject, CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+use webpki::types::{pem::PemObject, CertificateDer, PrivatePkcs8KeyDer};
 use super::{certificate, CreateConfigError};
 use crate::tls::Authentication;
@@ -29,27 +29,25 @@ impl AlwaysResolvesCert {
 Authentication::RawPublicKey => {
 // Directly use the key
 let client_private_key = secret_key.serialize_secret_pem();
- dbg!(&client_private_key);
 let client_private_key = PrivatePkcs8KeyDer::from_pem_slice(client_private_key.as_bytes()) .expect("cannot open private key file");
- dbg!(&client_private_key);
 let client_private_key = rustls::crypto::ring::sign::any_eddsa_type(&client_private_key)?;
- dbg!(&client_private_key);
+
 let client_public_key = client_private_key .public_key() .ok_or(rustls::Error::InconsistentKeys( rustls::InconsistentKeys::Unknown, )) .expect("cannot load public key");
- dbg!(&client_public_key);
 let client_public_key_as_cert = CertificateDer::from(client_public_key.to_vec());
+
 let certified_key = rustls::sign::CertifiedKey::new( vec![client_public_key_as_cert], client_private_key, );
- dbg!(&certified_key);
+
 Arc::new(certified_key)
 }
 };
diff --git a/iroh-net/src/tls/verifier.rs b/iroh-net/src/tls/verifier.rs
index 6869c1fb25..0dd0d5c110 100644
--- a/iroh-net/src/tls/verifier.rs
+++ b/iroh-net/src/tls/verifier.rs
@@ -122,7 +122,16 @@ impl ServerCertVerifier for CertificateVerifier {
 Ok(ServerCertVerified::assertion())
 }
 Authentication::RawPublicKey => {
+ if !intermediates.is_empty() {
+ return Err(rustls::Error::InvalidCertificate(
+ CertificateError::UnknownIssuer,
+ ));
+ }
+ if self.trusted_spki.is_empty() {
+ return Ok(ServerCertVerified::assertion());
+ }
 let end_entity_as_spki = SubjectPublicKeyInfoDer::from(end_entity.as_ref());
+
 match self.trusted_spki.contains(&end_entity_as_spki) {
 false => Err(rustls::Error::InvalidCertificate( CertificateError::UnknownIssuer,
@@ -198,6 +207,14 @@ impl ClientCertVerifier for CertificateVerifier {
 Ok(ClientCertVerified::assertion())
 }
 Authentication::RawPublicKey => {
+ if !intermediates.is_empty() {
+ return Err(rustls::Error::InvalidCertificate(
+ CertificateError::UnknownIssuer,
+ ));
+ }
+ if self.trusted_spki.is_empty() {
+ return Ok(ClientCertVerified::assertion());
+ }
 let end_entity_as_spki = SubjectPublicKeyInfoDer::from(end_entity.as_ref());
 match self.trusted_spki.contains(&end_entity_as_spki) {
 false => Err(rustls::Error::InvalidCertificate(
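Review bot: The added `if self.trusted_spki.is_empty() { return Ok(ServerCertVerified::assertion()); }` makes the raw-public-key path fail open: when no trusted SPKI has been configured, the `contains` check a few lines below is skipped and any peer key is accepted. If an empty allow-list is intended to mean "no pinning, accept any key" (for instance because peer identity is bound elsewhere), that decision should be stated on that line, for example `// Empty allow-list: pinning is disabled and any raw public key is accepted.`; otherwise the branch should be `return Err(rustls::Error::InvalidCertificate(CertificateError::UnknownIssuer));`, which is the fail-closed default. The same early return is added in the ClientCertVerifier hunk below and should be treated the same way. The enclosing method of `impl ServerCertVerifier for CertificateVerifier` starts and ends outside the hunk.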