First successful connection

pohlm01 · Oct 3, 2024 · d8461a3 · d8461a3
1 parent 174186d
commit d8461a3
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 17 deletions.
diff --git a/examples/src/bin/simpleserver_merkle_tree_certs.rs b/examples/src/bin/simpleserver_merkle_tree_certs.rs
@@ -48,7 +48,7 @@ fn main() -> Result<(), Box<dyn StdError>> {
 
     let config = rustls::ServerConfig::builder()
         .with_no_client_auth()
-        .with_single_mtc_cert("62253.12.15", cert, private_key)?;
+        .with_single_mtc_cert("62253.12.15.1", cert, private_key)?;
 
     let listener = TcpListener::bind(format!("[::]:{}", 4443)).unwrap();
     let (mut stream, _) = listener.accept()?;

diff --git a/rustls/src/client/tls13.rs b/rustls/src/client/tls13.rs
@@ -501,6 +501,11 @@ impl State<ClientConnectionData> for ExpectEncryptedExtensions {
             }
         }
 
+
+        cx.common.certificate_type = exts
+            .selected_server_certificate_type()
+            .unwrap_or(CertificateType::X509);
+
         if let Some(resuming_session) = self.resuming_session {
             let was_early_traffic = cx.common.early_traffic;
             if was_early_traffic {
@@ -1057,43 +1062,47 @@ impl State<ClientConnectionData> for ExpectCertificate {
         if !self.message_already_in_transcript {
             self.transcript.add_message(&m);
         }
-        let cert_chain = require_handshake_msg_move!(
+        let cert_payload = require_handshake_msg_move!(
             m,
             HandshakeType::Certificate,
             HandshakePayload::CertificateTls13
         )?;
 
         // This is only non-empty for client auth.
-        if !cert_chain.context.0.is_empty() {
+        if !cert_payload.context.0.is_empty() {
             return Err(cx.common.send_fatal_alert(
                 AlertDescription::DecodeError,
                 InvalidMessage::InvalidCertRequest,
             ));
         }
 
-        if cert_chain.any_entry_has_duplicate_extension()
-            || cert_chain.any_entry_has_unknown_extension()
+        if cert_payload.any_entry_has_duplicate_extension()
+            || cert_payload.any_entry_has_unknown_extension()
         {
             return Err(cx.common.send_fatal_alert(
                 AlertDescription::UnsupportedExtension,
                 PeerMisbehaved::BadCertChainExtensions,
             ));
         }
 
-        match cx.common.certificate_type {
-            CertificateType::X509 => {}
+        let server_cert = match cx.common.certificate_type {
+            CertificateType::X509 => {
+                let end_entity_ocsp = cert_payload.end_entity_ocsp();
+                ServerCertDetails::from_x509(
+                    cert_payload
+                        .into_certificate_chain()
+                        .into_owned(),
+                    end_entity_ocsp,
+                )
+            }
             CertificateType::RawPublicKey => unimplemented!(),
-            CertificateType::Bikeshed => {}
+            CertificateType::Bikeshed => {
+                ServerCertDetails::from_bikeshed(
+                    cert_payload.into_bikeshed_certificate()
+                )
+            }
             CertificateType::Unknown(_) => unimplemented!(),
-        }
-
-        let end_entity_ocsp = cert_chain.end_entity_ocsp();
-        let server_cert = ServerCertDetails::from_x509(
-            cert_chain
-                .into_certificate_chain()
-                .into_owned(),
-            end_entity_ocsp,
-        );
+        };
 
         Ok(Box::new(ExpectCertificateVerify {
             config: self.config,

diff --git a/rustls/src/msgs/handshake.rs b/rustls/src/msgs/handshake.rs
@@ -8,6 +8,7 @@ use core::num::ParseIntError;
 use core::ops::Deref;
 use core::str::FromStr;
 use core::{fmt, iter};
+use log::trace;
 use pki_types::{CertificateDer, DnsName};
 
 #[cfg(feature = "tls12")]
@@ -1899,6 +1900,11 @@ impl<'a> CertificatePayloadTls13<'a> {
                 .collect(),
         )
     }
+
+    pub(crate) fn into_bikeshed_certificate(mut self) -> BikeshedCertificate<'a> {
+        assert_eq!(self.entries.len(), 1);
+        BikeshedCertificate(self.entries.remove(0).cert)
+    }
 }
 
 /// Describes supported key exchange mechanisms.
@@ -2264,6 +2270,23 @@ pub(crate) trait HasServerExtensions {
         self.find_extension(ExtensionType::EarlyData)
             .is_some()
     }
+
+
+    fn selected_server_certificate_type(&self) -> Option<CertificateType> {
+        let ext = self.find_extension(ExtensionType::ServerCertificateType)?;
+        match *ext {
+            ServerExtension::ServerCertificateType(c) => Some(c),
+            _ => None,
+        }
+    }
+
+    fn selected_client_certificate_type(&self) -> Option<CertificateType> {
+        let ext = self.find_extension(ExtensionType::ClientCertificateType)?;
+        match *ext {
+            ServerExtension::ClientCertificateType(c) => Some(c),
+            _ => None,
+        }
+    }
 }
 
 impl HasServerExtensions for Vec<ServerExtension> {