Allow specifying certificate and key in separate files.

Our test certificate files in ssl/test/runner (which I often use out of
laziness) are not specified in a way compatible with the bssl tool.

Change-Id: I216d9555242e6d4be75b8172579186398b862394
Reviewed-on: https://boringssl-review.googlesource.com/14826
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

tool/client.cc

@@ -90,7 +90,13 @@ static const struct argument kArguments[] = {
     },
     {
         "-key", kOptionalArgument,
-        "Private-key file to use (default is no client certificate)",
+        "PEM-encoded file containing the private key.",
+    },
+    {
+        "-cert", kOptionalArgument,
+        "PEM-encoded file containing the leaf certificate and optional "
+        "certificate chain. This is taken from the -key argument if this "
+        "argument is not provided.",
     },
     {
         "-starttls", kOptionalArgument,
@@ -376,12 +382,15 @@ bool Client(const std::vector<std::string> &args) {
 
   if (args_map.count("-key") != 0) {
     const std::string &key = args_map["-key"];
-    if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key.c_str(), SSL_FILETYPE_PEM)) {
+    if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key.c_str(),
+                                     SSL_FILETYPE_PEM)) {
       fprintf(stderr, "Failed to load private key: %s\n", key.c_str());
       return false;
     }
-    if (!SSL_CTX_use_certificate_chain_file(ctx.get(), key.c_str())) {
+    const std::string &cert =
-      fprintf(stderr, "Failed to load cert chain: %s\n", key.c_str());
+        args_map.count("-cert") != 0 ? args_map["-cert"] : key;
+    if (!SSL_CTX_use_certificate_chain_file(ctx.get(), cert.c_str())) {
+      fprintf(stderr, "Failed to load cert chain: %s\n", cert.c_str());
       return false;
     }
   }

tool/server.cc

@@ -44,9 +44,14 @@ static const struct argument kArguments[] = {
     },
     {
         "-key", kOptionalArgument,
-        "PEM-encoded file containing the private key, leaf certificate and "
+        "PEM-encoded file containing the private key. A self-signed "
-        "optional certificate chain. A self-signed certificate is generated "
+        "certificate is generated at runtime if this argument is not provided.",
-        "at runtime if this argument is not provided.",
+    },
+    {
+        "-cert", kOptionalArgument,
+        "PEM-encoded file containing the leaf certificate and optional "
+        "certificate chain. This is taken from the -key argument if this "
+        "argument is not provided.",
     },
     {
         "-ocsp-response", kOptionalArgument, "OCSP response file to send",
@@ -147,13 +152,16 @@ bool Server(const std::vector<std::string> &args) {
 
   // Server authentication is required.
   if (args_map.count("-key") != 0) {
-    std::string key_file = args_map["-key"];
+    std::string key = args_map["-key"];
-    if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key_file.c_str(), SSL_FILETYPE_PEM)) {
+    if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key.c_str(),
-      fprintf(stderr, "Failed to load private key: %s\n", key_file.c_str());
+                                     SSL_FILETYPE_PEM)) {
+      fprintf(stderr, "Failed to load private key: %s\n", key.c_str());
       return false;
     }
-    if (!SSL_CTX_use_certificate_chain_file(ctx.get(), key_file.c_str())) {
+    const std::string &cert =
-      fprintf(stderr, "Failed to load cert chain: %s\n", key_file.c_str());
+        args_map.count("-cert") != 0 ? args_map["-cert"] : key;
+    if (!SSL_CTX_use_certificate_chain_file(ctx.get(), cert.c_str())) {
+      fprintf(stderr, "Failed to load cert chain: %s\n", cert.c_str());
       return false;
     }
   } else {