tests/server: add optional required client cert auth.

This commit updates the `tests/server.c` program so that if an
`AUTH_CERT` env var is provided the server will be configured to require
clients provide a client certificate issued that chains to the
`AUTH_CERT` certificate authority. If no `AUTH_CERT` env var is set the
server works as it did before, ignoring client certificate
authentication.

tests/server.c

@@ -255,6 +255,8 @@ main(int argc, const char **argv)
   struct rustls_connection *rconn = NULL;
   const struct rustls_certified_key *certified_key = NULL;
   struct rustls_slice_bytes alpn_http11;
+  const struct rustls_client_cert_verifier *client_cert_verifier = NULL;
+  struct rustls_root_cert_store *client_cert_root_store = NULL;
 
   alpn_http11.data = (unsigned char*)"http/1.1";
   alpn_http11.len = 8;
@@ -285,6 +287,22 @@ main(int argc, const char **argv)
     config_builder, &certified_key, 1);
   rustls_server_config_builder_set_alpn_protocols(config_builder, &alpn_http11, 1);
 
+  char* auth_cert = getenv("AUTH_CERT");
+  if(auth_cert) {
+    char certbuf[10000];
+    size_t certbuf_len;
+    int result = read_file(argv[0], auth_cert, certbuf, sizeof(certbuf), &certbuf_len);
+    if(result != DEMO_OK) {
+      goto cleanup;
+    }
+
+    client_cert_root_store = rustls_root_cert_store_new();
+    rustls_root_cert_store_add_pem(client_cert_root_store, (uint8_t *)certbuf, certbuf_len, true);
+
+    client_cert_verifier = rustls_client_cert_verifier_new(client_cert_root_store);
+    rustls_server_config_builder_set_client_verifier(config_builder, client_cert_verifier);
+  }
+
   server_config = rustls_server_config_builder_build(config_builder);
 
 #ifdef _WIN32
@@ -360,6 +378,8 @@ main(int argc, const char **argv)
 
 cleanup:
   rustls_certified_key_free(certified_key);
+  rustls_root_cert_store_free(client_cert_root_store);
+  rustls_client_cert_verifier_free(client_cert_verifier);
   rustls_server_config_free(server_config);
   rustls_connection_free(rconn);
   if(sockfd>0) {