Commit fd1ce385 authored by Vilmos Nebehaj's avatar Vilmos Nebehaj Committed by Nick Zitzmann

darwinssl: Use CopyCertSubject() to check CA cert.

SecCertificateCopyPublicKey() is not available on iPhone. Use
CopyCertSubject() instead to see if the certificate returned by
SecCertificateCreateWithData() is valid.

Reported-by: Toby Peterson
parent c6ee182b
+15 −4
@@ -1672,14 +1672,25 @@ static int append_cert_to_array(struct SessionHandle *data,
    }

    /* Check if cacert is valid. */
    SecKeyRef key;
    OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
    if(ret != noErr) {
    CFStringRef subject = CopyCertSubject(cacert);
    if(subject) {
      char subject_cbuf[128];
      memset(subject_cbuf, 0, 128);
      if(!CFStringGetCString(subject,
                            subject_cbuf,
                            128,
                            kCFStringEncodingUTF8)) {
        CFRelease(cacert);
        failf(data, "SSL: invalid CA certificate subject");
        return CURLE_SSL_CACERT;
      }
      CFRelease(subject);
    }
    else {
      CFRelease(cacert);
      failf(data, "SSL: invalid CA certificate");
      return CURLE_SSL_CACERT;
    }
    CFRelease(key);

    CFArrayAppendValue(array, cacert);
    CFRelease(cacert);
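Review bot: `subject` is leaked on the failure branch of `if(!CFStringGetCString(...))`, which releases `cacert` and returns `CURLE_SSL_CACERT` without the `CFRelease(subject);` that the success path performs. Adding `CFRelease(subject);` before `CFRelease(cacert);` in that branch closes the leak. CFStringGetCString also returns false when the destination buffer is too small, so a CA certificate whose subject does not fit in 127 UTF-8 bytes would be rejected as "invalid CA certificate subject" even though it parsed correctly. Since `subject_cbuf` is not read anywhere in the visible lines, the non-NULL check on `subject` may be sufficient on its own; if the conversion stays, pass `sizeof(subject_cbuf)` instead of repeating the literal `128`. The body of append_cert_to_array starts and ends outside this hunk, so this is based only on the lines shown.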