From 62fe6a0b49cc1d6b318817a31bf95a4815a67ef3 Mon Sep 17 00:00:00 2001
From: Jun Kurihara
Date: Tue, 11 Oct 2022 15:35:46 +0900
Subject: [PATCH] deps and refactor

---
 h3 | 2 +-
 src/backend/mod.rs | 2 +-
 src/proxy/proxy_client_cert.rs | 59 ++++++++++++++++++++--------------
 3 files changed, 37 insertions(+), 26 deletions(-)

diff --git a/h3 b/h3
index 90ef1f7..720da6d 160000
--- a/h3
+++ b/h3
@@ -1 +1 @@
-Subproject commit 90ef1f7183640f3bc0779fd598e4dd0b621d0753
+Subproject commit 720da6d652c41a5ac2b56c9bf602b756bd0032d3
diff --git a/src/backend/mod.rs b/src/backend/mod.rs
index 83b47ce..c62b27a 100644
--- a/src/backend/mod.rs
+++ b/src/backend/mod.rs
@@ -110,7 +110,7 @@ impl Backend {
 }

 fn read_client_ca_certs(&self) -> io::Result<(Vec, HashSet>)> {
- debug!("Read CA certificate for client authentication");
+ debug!("Read CA certificates for client authentication");
 // Reads client certificate and returns client
 let client_ca_cert_path = {
 if let Some(c) = self.client_ca_cert_path.as_ref() {
diff --git a/src/proxy/proxy_client_cert.rs b/src/proxy/proxy_client_cert.rs
index 14459f5..a0f5faf 100644
--- a/src/proxy/proxy_client_cert.rs
+++ b/src/proxy/proxy_client_cert.rs
@@ -9,37 +9,48 @@ pub(super) fn check_client_authentication(
 client_certs: Option<&[Certificate]>,
 client_certs_setting_for_sni: Option<&HashSet>>,
 ) -> Result<()> {
- if let Some(client_ca_keyids_set) = client_certs_setting_for_sni {
- if let Some(client_certs) = client_certs {
+ let client_ca_keyids_set = match client_certs_setting_for_sni {
+ Some(c) => c,
+ None => {
+ // No client cert settings for given server name
+ return Ok(());
+ }
+ };
+
+ let client_certs = match client_certs {
+ Some(c) => {
 debug!("Incoming TLS client is (temporarily) authenticated via client cert");
- // Check client certificate key ids
-
- let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
- let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
- let mut filtered = c.1.iter_extensions().filter_map(|e| {
- if let ParsedExtension::AuthorityKeyIdentifier(key_id) = e.parsed_extension() {
- key_id.key_identifier.as_ref()
- } else {
- None
- }
- });
-
- filtered.any(|id| client_ca_keyids_set.contains(id.0))
- });
- if !match_server_crypto_and_client_cert {
- // TODO: return 403 here
- error!("Inconsistent client certificate for given server name");
- return Err(RpxyError::Proxy(
- "Inconsistent client certificate for given server name".to_string(),
- ));
- }
- } else {
+ c
+ }
+ None => {
 // TODO: return 403 here
 error!("Client certificate is needed for given server name");
 return Err(RpxyError::Proxy(
 "Client certificate is needed for given server name".to_string(),
 ));
 }
+ };
+
+ // Check client certificate key ids
+ let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
+ let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
+ let mut filtered = c.1.iter_extensions().filter_map(|e| {
+ if let ParsedExtension::AuthorityKeyIdentifier(key_id) = e.parsed_extension() {
+ key_id.key_identifier.as_ref()
+ } else {
+ None
+ }
+ });
+ filtered.any(|id| client_ca_keyids_set.contains(id.0))
+ });
+
+ if !match_server_crypto_and_client_cert {
+ // TODO: return 403 here
+ error!("Inconsistent client certificate for given server name");
+ return Err(RpxyError::Proxy(
+ "Inconsistent client certificate for given server name".to_string(),
+ ));
 }
+
 Ok(())
 }
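Review bot: The key-id binding at `client_certs.iter().filter_map(...).any(...)` accepts a matching AuthorityKeyIdentifier on any certificate the client sent, not only the end-entity one; a chain verifier validates just the path it builds to a trust anchor, so certificates the client appends beyond that path are unverified client-controlled data, and if the handshake verified against the union of all server names' CAs rather than this SNI's set (not visible in this hunk), a client holding a cert from a CA configured for another server name could append a self-made cert carrying this SNI's CA key id and pass this check. Restrict the match to `client_certs.first()` (the end-entity certificate in TLS order, assuming `client_certs` preserves the presented order) and say in a comment that the AKI comparison is only meaningful because that leaf was chain-validated by the TLS layer. The `filter_map(... .ok())` also silently drops an unparseable leaf, which is then indistinguishable from a key-id mismatch; the rewrite below keeps that outcome (a reject) but makes the leaf-only intent explicit. The function's signature sits in the hunk header, outside the hunk lines.
```rust
  // Only the end-entity certificate (first in TLS order) was chain-validated by the handshake;
  // anything the client appends beyond the validated path is client-controlled, so the
  // AuthorityKeyIdentifier match must not run over the whole presented list.
  let match_server_crypto_and_client_cert = client_certs
    .first()
    .and_then(|d| parse_x509_certificate(&d.0).ok())
    .map_or(false, |(_, leaf)| {
      leaf.iter_extensions().any(|e| match e.parsed_extension() {
        ParsedExtension::AuthorityKeyIdentifier(key_id) => key_id
          .key_identifier
          .as_ref()
          .map_or(false, |id| client_ca_keyids_set.contains(id.0)),
        _ => false,
      })
    });
  // … unchanged: error on mismatch, Ok(()) …
```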