Diffstat (limited to 'net/cert')
-rw-r--r-- | net/cert/cert_verify_proc_openssl.cc | 6 | ||||
-rw-r--r-- | net/cert/x509_certificate_openssl.cc | 27 |
2 files changed, 20 insertions, 13 deletions
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc
index 7643240..0122fac 100644
--- a/net/cert/cert_verify_proc_openssl.cc
+++ b/net/cert/cert_verify_proc_openssl.cc
@@ -101,7 +101,7 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx,
   STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
   X509* verified_cert = NULL;
   std::vector<X509*> verified_chain;
-  for (size_t i = 0; i < sk_X509_num(chain); ++i) {
+  for (int i = 0; i < sk_X509_num(chain); ++i) {
     X509* cert = sk_X509_value(chain, i);
     if (i == 0) {
       verified_cert = cert;
@@ -111,7 +111,7 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx,
 
     // Only check the algorithm status for certificates that are not in the
     // trust store.
-    if (i < static_cast<size_t>(store_ctx->last_untrusted)) {
+    if (i < store_ctx->last_untrusted) {
       int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm);
       if (sig_alg == NID_md2WithRSAEncryption) {
         verify_result->has_md2 = true;
@@ -151,7 +151,7 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx,
 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx,
                            HashValueVector* hashes) {
   STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
-  for (size_t i = 0; i < sk_X509_num(chain); ++i) {
+  for (int i = 0; i < sk_X509_num(chain); ++i) {
     X509* cert = sk_X509_value(chain, i);
 
     std::string der_data;
diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl.cc
index 504f3ae..005423ba 100644
--- a/net/cert/x509_certificate_openssl.cc
+++ b/net/cert/x509_certificate_openssl.cc
@@ -5,10 +5,10 @@
 #include "net/cert/x509_certificate.h"
 
 #include <openssl/asn1.h>
-#include <openssl/bytestring.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
+#include <openssl/pkcs7.h>
 #include <openssl/sha.h>
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
@@ -40,20 +40,27 @@ void CreateOSCertHandlesFromPKCS7Bytes(
     const char* data, int length, X509Certificate::OSCertHandles* handles) {
   crypto::EnsureOpenSSLInit();
-  crypto::OpenSSLErrStackTracer err_cleaner(FROM_HERE);
+  const unsigned char* der_data = reinterpret_cast<const unsigned char*>(data);
+  crypto::ScopedOpenSSL<PKCS7, PKCS7_free>::Type pkcs7_cert(
+      d2i_PKCS7(NULL, &der_data, length));
+  if (!pkcs7_cert.get())
+    return;
 
-  CBS der_data;
-  CBS_init(&der_data, reinterpret_cast<const uint8_t*>(data), length);
-  STACK_OF(X509)* certs = sk_X509_new_null();
+  STACK_OF(X509)* certs = NULL;
+  int nid = OBJ_obj2nid(pkcs7_cert.get()->type);
+  if (nid == NID_pkcs7_signed) {
+    certs = pkcs7_cert.get()->d.sign->cert;
+  } else if (nid == NID_pkcs7_signedAndEnveloped) {
+    certs = pkcs7_cert.get()->d.signed_and_enveloped->cert;
+  }
 
-  if (PKCS7_get_certificates(certs, &der_data)) {
-    for (size_t i = 0; i < sk_X509_num(certs); ++i) {
+  if (certs) {
+    for (int i = 0; i < sk_X509_num(certs); ++i) {
       X509* x509_cert =
           X509Certificate::DupOSCertHandle(sk_X509_value(certs, i));
       handles->push_back(x509_cert);
     }
   }
-  sk_X509_pop_free(certs, X509_free);
 }
 
 void ParsePrincipalValues(X509_NAME* name,
@@ -107,7 +114,7 @@ void ParseSubjectAltName(X509Certificate::OSCertHandle cert,
   if (!alt_names.get())
     return;
 
-  for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) {
+  for (int i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) {
     const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i);
     if (name->type == GEN_DNS && dns_names) {
       const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName);
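Review bot: The early `return` after a failed `d2i_PKCS7` now leaves whatever the parser pushed onto the thread's OpenSSL error queue, because this hunk removes the `crypto::OpenSSLErrStackTracer err_cleaner(FROM_HERE);` line that used to drain it at scope exit; a malformed input could then surface as stale errors on the next unrelated OpenSSL call on that thread. Keep that line directly after `crypto::EnsureOpenSSLInit();` rather than dropping it. Separately, `d2i_PKCS7(NULL, &der_data, length)` advances `der_data` only past the encoded object and silently accepts trailing bytes; if callers pass buffers that should hold exactly one PKCS#7 blob, a check such as `if (der_data != reinterpret_cast<const unsigned char*>(data) + length) return;` after the parse would reject them (whether callers rely on that is not visible here). The signature of `CreateOSCertHandlesFromPKCS7Bytes` opens on the hunk header line, above the first hunk line shown.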
@@ -502,7 +509,7 @@ bool X509Certificate::IsIssuedByEncoded(
   // and 'cert_names'.
   for (size_t n = 0; n < cert_names.size(); ++n) {
-    for (size_t m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {
+    for (int m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {
       X509_NAME* issuer = sk_X509_NAME_value(issuer_names.get(), m);
       if (X509_NAME_cmp(issuer, cert_names[n]) == 0) {
         return true; |