Fix CA certificate bundle handling in darwinssl. #115
If the --cacert option is used with a CA certificate bundle that contains multiple CA certificates, iterate through it, adding each certificate as a trusted root CA.
Ping @nickzman
I'm still experiencing a problem where it will treat files that are not DER certificates as if they were DER certificates. For example, if I set --cacert to the Safari binary that comes with OS X, it treats it like it was a certificate file when it isn't. Why does pem_to_der() return 0 if the separator line is not found?
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer holds an invalid or corrupt certificate. Call SecCertificateCopyPublicKey() to make sure cacert is a valid certificate.
The problem is that SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer is non-valid DER or corrupt. I pushed a commit which adds an extra check via calling SecCertificateCopyPublicKey() to make sure cacert is a valid certificate. It fixes the issue you mention. pem_to_der() returns the number of bytes it consumed from the input buffer, so that it can be used to traverse through a bundle. If it can't find a separator it assumes the certificate is not a PEM file.
darwinssl: now accepts cacert bundles in PEM format in addition to single certs
Sorry about before. I was trying to copy & paste the change into the source file, and for some reason, it kept copying the old source without the change that fixed the problem above. Thanks for your work on this!
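As an added example (not curl's code), here is a portable C sketch of the bundle traversal the thread describes: a hypothetical pem_to_der() that returns the bytes it consumed, 0 when no separator is found, and a loop that uses that return value to walk a multi-certificate bundle. The base64 decoder and the sample bundle are constructed for this example; the macOS validity check the PR added (SecCertificateCopyPublicKey()) is only referenced in a comment, since it cannot run off-platform.

```c
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed two-certificate bundle: the bodies decode to tiny DER SEQUENCEs, not real CAs. */
const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n";

/* Value of one base64 character, or -1 for anything else. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 in [in, in+len) into out, skipping line breaks; returns length or -1. */
static long b64_decode(const char *in, size_t len, unsigned char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < len && in[i] != '='; i++) {
        int v = b64val(in[i]);
        if (v < 0) { if (in[i] == '\n' || in[i] == '\r') continue; return -1; }
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; if (n >= cap) return -1; out[n++] = (unsigned char)(acc >> bits); }
    }
    return (long)n;
}

/* Hypothetical pem_to_der(): decode the first certificate block of NUL-terminated `in` into out.
 * Returns bytes consumed (so a caller can step through a bundle), 0 if there is no BEGIN
 * separator (input is not PEM, possibly a single DER cert), -1 on a malformed block. */
long pem_to_der(const char *in, unsigned char *out, size_t cap, size_t *derlen) {
    const char *b = strstr(in, PEM_BEGIN);
    if (!b) return 0;
    const char *body = b + strlen(PEM_BEGIN), *e = strstr(body, PEM_END);
    if (!e) return -1;
    long n = b64_decode(body, (size_t)(e - body), out, cap);
    if (n <= 0) return -1;
    *derlen = (size_t)n;
    return (long)(e + strlen(PEM_END) - in);
}

/* Walk a bundle, handing each DER cert to add_cert (may be NULL). Returns the count, 0 for
 * "not PEM, try the whole buffer as DER", -1 for a malformed block. Decoding to DER does not
 * prove validity: SecCertificateCreateWithData() accepts garbage, hence the PR's
 * SecCertificateCopyPublicKey() check on each certificate before trusting it. */
int load_bundle(const char *bundle, void (*add_cert)(const unsigned char *, size_t)) {
    unsigned char der[4096]; size_t dlen = 0; int count = 0; long used;
    for (const char *p = bundle; (used = pem_to_der(p, der, sizeof der, &dlen)) > 0; p += used) {
        if (add_cert) add_cert(der, dlen);
        count++;
    }
    return used < 0 ? -1 : count;
}
```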