Skip to content

/curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CA certificate bundle handling in darwinssl. #115

Merged
merged 2 commits into from Sep 1, 2014

Conversation

@ldx
Copy link
Contributor

commented Aug 30, 2014

If the --cacert option is used with a CA certificate bundle that
contains multiple CA certificates, iterate through it, adding each
certificate as a trusted root CA.
@ldx
Fix CA certificate bundle handling in darwinssl. 
If the --cacert option is used with a CA certificate bundle that
contains multiple CA certificates, iterate through it, adding each
certificate as a trusted root CA.
Loading status checks…
4c134bc
@ldx ldx referenced this pull request Aug 30, 2014
Closed
@ldx

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

commented Aug 30, 2014

Ping @nickzman
@nickzman

This comment has been minimized.

Sign in to view
Copy link
Collaborator

commented Aug 31, 2014

I'm still experiencing a problem where it will treat files that are not DER certificates as if they were DER certificates. For example, if I set --cacert to the Safari binary that comes with OS X, it treats it like it was a certificate file when it isn't. Why does pem_to_der() return 0 if the separator line is not found?
@ldx
Check CA certificate in curl_darwinssl.c. 
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
if the buffer holds an invalid or corrupt certificate. Call
SecCertificateCopyPublicKey() to make sure cacert is a valid
certificate.
Loading status checks…
0426670
@ldx

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

commented Aug 31, 2014

The problem is that SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer is non-valid DER or corrupt.

I pushed a commit which adds an extra check via calling SecCertificateCopyPublicKey() to make sure cacert is a valid certificate. It fixes the issue you mention.

Pem_to_der() returns the number of bytes it consumed from the input buffer, so that it can be used to traverse through a bundle. If it can't find a separator it assumes the certificate is not a PEM file.
nickzman added a commit that referenced this pull request Sep 1, 2014
@nickzman
Merge pull request #115 from ldx/darwinsslfixpr 
darwinssl: now accepts cacert bundles in PEM format in addition to single certs
Loading status checks…
0c14b31

@nickzman nickzman merged commit 0c14b31 into curl:master Sep 1, 2014
1 check passed

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Details
@nickzman

This comment has been minimized.

Sign in to view
Copy link
Collaborator

commented Sep 1, 2014

Sorry about before. I was trying to copy & paste the change into the source file, and for some reason, it kept copying the old source without the change that fixed the problem above. Thanks for your work on this!

@lock lock bot locked as resolved and limited conversation to collaborators Jan 20, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@ldx @nickzman
You can’t perform that action at this time.