generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Check CA certificate in curl_darwinssl.c.

Browse Source 
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
if the buffer holds an invalid or corrupt certificate. Call
SecCertificateCopyPublicKey() to make sure cacert is a valid
certificate.
This commit is contained in:
Vilmos Nebehaj 2014-09-01 00:17:25 +02:00
parent 4c134bcfce
commit 0426670f0a
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/vtls/curl_darwinssl.c
View File

@ -1671,6 +1671,16 @@ static int append_cert_to_array(struct SessionHandle *data,
return CURLE_SSL_CACERT; return CURLE_SSL_CACERT;
} }
/* Check if cacert is valid. */
SecKeyRef key;
OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
if(ret != noErr) {
CFRelease(cacert);
failf(data, "SSL: invalid CA certificate");
return CURLE_SSL_CACERT;
}
CFRelease(key);
CFArrayAppendValue(array, cacert); CFArrayAppendValue(array, cacert);
CFRelease(cacert); CFRelease(cacert);