diff --git a/src/dtls12/client.rs b/src/dtls12/client.rs
index 78f6575..9357a7e 100644
--- a/src/dtls12/client.rs
+++ b/src/dtls12/client.rs
@@ -128,6 +128,10 @@ impl Client {
 certificate: DtlsCertificate,
 now: Instant,
 ) -> Result {
+ assert!(
+ !certificate.certificate.is_empty(),
+ "Client certificate cannot be empty"
+ );
 // unwrap: malformed private_key bytes are a programmer error from the
 // caller who constructed DtlsCertificate; panic matches the prior
 // CryptoContext::new behavior which also panicked on empty/invalid
diff --git a/src/dtls12/server.rs b/src/dtls12/server.rs
index 9eac727..8d3d335 100644
--- a/src/dtls12/server.rs
+++ b/src/dtls12/server.rs
@@ -126,6 +126,10 @@ enum State {
 impl Server {
 /// Create a new DTLS server
 pub fn new(config: Arc, certificate: crate::DtlsCertificate, now: Instant) -> Server {
+ assert!(
+ !certificate.certificate.is_empty(),
+ "Server certificate cannot be empty"
+ );
 // unwrap: malformed private_key bytes are a programmer error from the
 // caller who constructed DtlsCertificate; panic matches the prior
 // CryptoContext::new behavior which also panicked on empty/invalid
diff --git a/src/lib.rs b/src/lib.rs
index fc446ca..f6dc043 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -876,6 +876,18 @@ mod test {
 let _ = Dtls::new_12_psk(config, Instant::now());
 }
 
+ #[test]
+ #[should_panic(expected = "Server certificate cannot be empty")]
+ fn new_12_panics_on_empty_certificate() {
+ let cert = generate_self_signed_certificate().expect("Failed to generate cert");
+ let config = Arc::new(Config::default());
+ let empty = DtlsCertificate {
+ certificate: vec![],
+ private_key: cert.private_key,
+ };
+ let _ = Dtls::new_12(config, empty, Instant::now());
+ }
+
 #[test]
 fn test_auto_server_send_application_data_pending() {
 let mut dtls = new_instance_auto();
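Review bot: The client constructor already returns `Result` (the `) -> Result {` context line, generic arguments apparently stripped by the rendering), so rejecting an empty certificate with `assert!` turns a condition the caller could handle into a process abort; `if certificate.certificate.is_empty() { return Err(/* ERROR_VARIANT: the error type this function already returns */); }` keeps the failure inside the function's stated contract, and the `should_panic` test in lib.rs would then become an `is_err()` check for the client path. The same shape in server.rs has no such option because `Server::new` returns `Server` directly, so a panic there is defensible. Both asserts only reject zero-length bytes; a non-empty but malformed certificate still passes and is presumably only caught when the certificate is parsed or sent later, while the comment that follows documents the `private_key` unwrap only, so a one-line comment such as `// certificate bytes are not parsed here; only emptiness is checked` would make the scope of the check clear. The enclosing constructors continue outside both hunks.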
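Review bot: `Server::new` is a public constructor with a doc comment (`/// Create a new DTLS server`) and now has a documented-by-message panic but no `# Panics` section, which rustdoc readers rely on for preconditions. Extend the doc comment with `/// # Panics` and `/// Panics if `certificate.certificate` is empty or if the private key bytes cannot be parsed.`, the second clause matching the existing unwrap comment that follows the assert. The body of `new` continues outside the hunk.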
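Review bot: The new test exercises only the server message (`expected = "Server certificate cannot be empty"`) via `Dtls::new_12`, so the parallel assert added to the client constructor in client.rs, with its distinct "Client certificate cannot be empty" message, has no test and a typo in either message would go unnoticed. A sibling test constructing the client side with the same empty `DtlsCertificate` and `expected = "Client certificate cannot be empty"` would close that gap; which constructor to call for the client path is not visible in this diff, so I leave the call to the author. Renaming this test to `new_12_server_panics_on_empty_certificate` would also make the asymmetry obvious until the client test exists.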