
OpenSSL: Allow ca_cert_blob in PEM format

Message ID 20190520074744.16824-1-santtu.lakkala@jolla.com
State Superseded
Series OpenSSL: Allow ca_cert_blob in PEM format

Commit Message

Santtu Lakkala May 20, 2019, 7:47 a.m. UTC
GnuTLS backend already accepts CA cert blobs in both DER and PEM formats.
Implement similar trial-and-error handling in OpenSSL backend.
---
 src/crypto/tls_openssl.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

Comments

Santtu Lakkala May 22, 2019, 6:50 a.m. UTC | #1
On 20.5.2019 10.47, Santtu Lakkala wrote:
> GnuTLS backend already accepts CA cert blobs in both DER and PEM formats.
> Implement similar trial-and-error handling in OpenSSL backend.

Please ignore, sent a new one with a NULL check just in case.

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf2407421..9112f20b0 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2577,9 +2577,19 @@  static int tls_connection_ca_cert(struct tls_data *data,
 				      (const unsigned char **) &ca_cert_blob,
 				      ca_cert_blob_len);
 		if (cert == NULL) {
-			tls_show_errors(MSG_WARNING, __func__,
-					"Failed to parse ca_cert_blob");
-			return -1;
+			BIO *bio = BIO_new_mem_buf(ca_cert_blob, ca_cert_blob_len);
+			cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+			BIO_free(bio);
+
+			if (cert == NULL) {
+				tls_show_errors(MSG_WARNING, __func__,
+						"Failed to parse ca_cert_blob");
+				return -1;
+			}
+
+			while (ERR_get_error()) {
+				/* Ignore errors from DER conversion. */
+			}
 		}
 
 		if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
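Review bot: the new PEM fallback passes the result of `BIO_new_mem_buf()` straight to `PEM_read_bio_X509()` and `BIO_free()` without checking it, but `BIO_new_mem_buf()` returns NULL on allocation failure; add `if (bio == NULL) return -1;` (or route it through the existing `tls_show_errors()` warning) before the PEM read. Two smaller points on the same branch: the `while (ERR_get_error())` drain loop can be a single `ERR_clear_error()` call, and since the DER failure is only cleared after a successful PEM parse, a blob that fails both parsers will have `tls_show_errors()` report the stale DER error together with the PEM one; if that is intended as extra diagnostics, a short comment saying so would help, otherwise clear the queue before the PEM attempt.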