forked from quic-go/quic-go
simplify server proof verification function signature
This commit is contained in:
Marten Seemann
@@ -11,7 +11,7 @@ import (
|
||||
type CertManager interface {
|
||||
SetData([]byte) error
|
||||
GetLeafCert() []byte
|
||||
VerifyServerProof(proof, chlo, serverConfigData []byte) (bool, error)
|
||||
VerifyServerProof(proof, chlo, serverConfigData []byte) bool
|
||||
Verify(hostname string) error
|
||||
}
|
||||
|
||||
@@ -57,12 +57,14 @@ func (c *certManager) GetLeafCert() []byte {
|
||||
return c.chain[0].Raw
|
||||
}
|
||||
|
||||
func (c *certManager) VerifyServerProof(proof, chlo, serverConfigData []byte) (bool, error) {
|
||||
// VerifyServerProof verifies the signature of the server config
|
||||
// it should only be called after the certificate chain has been set, otherwise it returns false
|
||||
func (c *certManager) VerifyServerProof(proof, chlo, serverConfigData []byte) bool {
|
||||
if len(c.chain) == 0 {
|
||||
return false, errNoCertificateChain
|
||||
return false
|
||||
}
|
||||
|
||||
return verifyServerProof(proof, c.chain[0], chlo, serverConfigData), nil
|
||||
return verifyServerProof(proof, c.chain[0], chlo, serverConfigData)
|
||||
}
|
||||
|
||||
// Verify verifies the certificate chain
|
||||
|
||||
@@ -3,6 +3,7 @@ package crypto
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/asn1"
|
||||
@@ -19,13 +20,15 @@ import (
|
||||
|
||||
var _ = Describe("Cert Manager", func() {
|
||||
var cm *certManager
|
||||
var key1, key2 *rsa.PrivateKey
|
||||
var cert1, cert2 []byte
|
||||
|
||||
BeforeEach(func() {
|
||||
var err error
|
||||
cm = NewCertManager().(*certManager)
|
||||
key1, err := rsa.GenerateKey(rand.Reader, 512)
|
||||
key1, err = rsa.GenerateKey(rand.Reader, 768)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
key2, err := rsa.GenerateKey(rand.Reader, 512)
|
||||
key2, err = rsa.GenerateKey(rand.Reader, 768)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
template := &x509.Certificate{SerialNumber: big.NewInt(1)}
|
||||
cert1, err = x509.CreateCertificate(rand.Reader, template, template, &key1.PublicKey, key1)
|
||||
@@ -82,10 +85,29 @@ var _ = Describe("Cert Manager", func() {
|
||||
})
|
||||
})
|
||||
|
||||
Context("verifying the server signature", func() {
|
||||
It("errors when the chain hasn't been set yet", func() {
|
||||
valid, err := cm.VerifyServerProof([]byte("proof"), []byte("chlo"), []byte("scfg"))
|
||||
Expect(err).To(MatchError(errNoCertificateChain))
|
||||
Context("verifying the server config signature", func() {
|
||||
It("returns false when the chain hasn't been set yet", func() {
|
||||
valid := cm.VerifyServerProof([]byte("proof"), []byte("chlo"), []byte("scfg"))
|
||||
Expect(valid).To(BeFalse())
|
||||
})
|
||||
|
||||
It("verifies the signature", func() {
|
||||
chlo := []byte("client hello")
|
||||
scfg := []byte("server config data")
|
||||
xcert1, err := x509.ParseCertificate(cert1)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
cm.chain = []*x509.Certificate{xcert1}
|
||||
proof, err := signServerProof(&tls.Certificate{PrivateKey: key1}, chlo, scfg)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
valid := cm.VerifyServerProof(proof, chlo, scfg)
|
||||
Expect(valid).To(BeTrue())
|
||||
})
|
||||
|
||||
It("rejects an invalid signature", func() {
|
||||
xcert1, err := x509.ParseCertificate(cert1)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
cm.chain = []*x509.Certificate{xcert1}
|
||||
valid := cm.VerifyServerProof([]byte("invalid proof"), []byte("chlo"), []byte("scfg"))
|
||||
Expect(valid).To(BeFalse())
|
||||
})
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user