From fd1ce3856a77981ffe5e9d83b1843374e5a88d58 Mon Sep 17 00:00:00 2001
From: Vilmos Nebehaj
Date: Wed, 3 Sep 2014 11:39:16 +0200
Subject: [PATCH] darwinssl: Use CopyCertSubject() to check CA cert. SecCertificateCopyPublicKey() is not available on iPhone. Use CopyCertSubject() instead to see if the certificate returned by SecCertificateCreateWithData() is valid.
Reported-by: Toby Peterson
---
lib/vtls/curl_darwinssl.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index 372635747..f229c6fe2 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1672,14 +1672,25 @@ static int append_cert_to_array(struct SessionHandle *data,
 }
 /* Check if cacert is valid. */
- SecKeyRef key;
- OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
- if(ret != noErr) {
+ CFStringRef subject = CopyCertSubject(cacert);
+ if(subject) {
+ char subject_cbuf[128];
+ memset(subject_cbuf, 0, 128);
+ if(!CFStringGetCString(subject,
+ subject_cbuf,
+ 128,
+ kCFStringEncodingUTF8)) {
+ CFRelease(cacert);
+ failf(data, "SSL: invalid CA certificate subject");
+ return CURLE_SSL_CACERT;
+ }
+ CFRelease(subject);
+ }
+ else {
 CFRelease(cacert);
 failf(data, "SSL: invalid CA certificate");
 return CURLE_SSL_CACERT;
 }
- CFRelease(key);
 CFArrayAppendValue(array, cacert);
 CFRelease(cacert);
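Review bot: The failure branch of the new `CFStringGetCString()` check returns without releasing `subject`, which the success path shows the caller owns, so the string leaks each time a CA certificate is rejected there; add `CFRelease(subject);` before `CFRelease(cacert);` in that branch. The conversion also returns false when the subject does not fit in the 128-byte `subject_cbuf`, so a well-formed CA certificate with a long subject would be refused with "SSL: invalid CA certificate subject" and drop out of the trust set. Since the converted text is never used, testing only `subject` for NULL, or sizing the buffer from `CFStringGetMaximumSizeForEncoding()`, would avoid that false rejection. If the fixed buffer stays, `sizeof(subject_cbuf)` in place of the repeated literal `128` keeps the three uses in step. `append_cert_to_array()` starts and ends outside this hunk, so the handling of `cacert` on the other paths is not visible here.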