verify certificate chain when receiving it, return correct errors

handshake/crypto_setup_client.go

@@ -146,7 +146,12 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 	if crt, ok := cryptoData[TagCERT]; ok {
 		err := h.certManager.SetData(crt)
 		if err != nil {
-			return err
+			return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")
+		}
+
+		err = h.certManager.Verify(h.hostname)
+		if err != nil {
+			return qerr.ProofInvalid
 		}
 	}
 

handshake/crypto_setup_client_test.go

@@ -44,6 +44,7 @@ type mockCertManager struct {
 	setDataCalledWith []byte
 	leafCert          []byte
 
+	setDataError           error
 	verifyServerProofError error
 	verifyServerProofValue bool
 
@@ -52,7 +53,7 @@ type mockCertManager struct {
 
 func (m *mockCertManager) SetData(data []byte) error {
 	m.setDataCalledWith = data
-	return nil
+	return m.setDataError
 }
 
 func (m *mockCertManager) GetLeafCert() []byte {
@@ -154,6 +155,20 @@ var _ = Describe("Crypto setup", func() {
 				Expect(certManager.setDataCalledWith).To(Equal(tagMap[TagCERT]))
 			})
 
+			It("returns an InvalidCryptoMessageParameter error if it can't parse the cert chain", func() {
+				tagMap[TagCERT] = []byte("cert")
+				certManager.setDataError = errors.New("can't parse")
+				err := cs.handleREJMessage(tagMap)
+				Expect(err).To(MatchError(qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")))
+			})
+
+			It("returns a ProofInvalid error if the certificate chain is not valid", func() {
+				tagMap[TagCERT] = []byte("cert")
+				certManager.verifyError = errors.New("invalid")
+				err := cs.handleREJMessage(tagMap)
+				Expect(err).To(MatchError(qerr.ProofInvalid))
+			})
+
 			It("verifies the signature", func() {
 				certManager.verifyServerProofValue = true
 				certManager.verifyServerProofError = nil