Fix CA certificate bundle handling in darwinssl. #115
referenced this pull request
Aug 30, 2014
I'm still experiencing a problem where it will treat files that are not DER certificates as if they were DER certificates. For example, if I set --cacert to the Safari binary that comes with OS X, it treats it like it was a certificate file when it isn't. Why does pem_to_der() return 0 if the separator line is not found?
The problem is that SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer is non-valid DER or corrupt.
I pushed a commit which adds an extra check via calling SecCertificateCopyPublicKey() to make sure cacert is a valid certificate. It fixes the issue you mention.
pem_to_der() returns the number of bytes it consumed from the input buffer, so that it can be used to traverse through a bundle. If it can't find a separator it assumes the certificate is not a PEM file.
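Added example, not code from this pull request or from curl: a portable C illustration of the behaviour discussed in this thread, walking a bundle with a function that returns bytes consumed (0 when no separator is found) and refusing to treat a separator-less buffer as DER unless it is one DER SEQUENCE spanning the whole buffer. The names `pem_block_len`, `der_envelope_ok` and `classify_cacert` are hypothetical, base64 decoding is omitted, and the envelope check is a swapped-in stand-in for the `SecCertificateCopyPublicKey()` check the thread describes.

```c
#include <stddef.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"
enum ca_kind { CA_PEM, CA_DER, CA_REJECT };

/* Length-bounded substring search; the input need not be NUL-terminated. */
static const char *find(const char *h, size_t hl, const char *n)
{
    size_t nl = strlen(n);
    for (size_t i = 0; nl <= hl && i <= hl - nl; i++)
        if (memcmp(h + i, n, nl) == 0) return h + i;
    return NULL;
}

/* Hypothetical stand-in for the contract described in the thread: bytes
 * consumed through the END line, or 0 if no BEGIN/END pair is present. */
size_t pem_block_len(const char *buf, size_t len)
{
    const char *b = find(buf, len, PEM_BEGIN);
    const char *e = b ? find(b, len - (size_t)(b - buf), PEM_END) : NULL;
    return e ? (size_t)(e - buf) + strlen(PEM_END) : 0;
}

/* Envelope check only: one DER SEQUENCE whose length covers exactly len. */
int der_envelope_ok(const unsigned char *p, size_t len)
{
    if (len < 2 || p[0] != 0x30) return 0;       /* 0x30 = SEQUENCE tag */
    size_t hdr = 2, body = p[1];
    if (p[1] & 0x80) {                           /* long-form length */
        size_t n = p[1] & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n) return 0;
        body = 0;
        for (size_t i = 0; i < n; i++) body = (body << 8) | p[2 + i];
        hdr += n;
    }
    return body == len - hdr;
}

/* Classify a --cacert buffer; *count receives the number of PEM blocks. */
enum ca_kind classify_cacert(const unsigned char *buf, size_t len, int *count)
{
    size_t off = 0, n;
    *count = 0;
    while ((n = pem_block_len((const char *)buf + off, len - off)) > 0) { off += n; (*count)++; }
    if (*count > 0) return CA_PEM;
    return der_envelope_ok(buf, len) ? CA_DER : CA_REJECT;
}
```

Passing the envelope check does not make a buffer a valid certificate; it only rejects inputs, such as an executable, that cannot be DER at all.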