Index: net/third_party/nss/ssl/ssl.h
===================================================================
--- net/third_party/nss/ssl/ssl.h	(revision 225295)
+++ net/third_party/nss/ssl/ssl.h	(working copy)
@@ -434,6 +434,15 @@
 */
 SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
 
+/*
+** Return the certificates presented by the SSL peer. If the SSL peer
+** did not present certificates, return NULL with the
+** SSL_ERROR_NO_CERTIFICATE error. On failure, return NULL with an error
+** code other than SSL_ERROR_NO_CERTIFICATE.
+**	"fd" the socket "file" descriptor
+*/
+SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
+
 /* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
  * by the TLS server. The return value is a pointer to an internal SECItemArray
  * that contains the returned OCSP responses; it is only valid until the
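Review bot: The new comment on SSL_PeerCertificateChain does not say who owns the returned CERTCertList or how to release it; the implementation in sslauth.c frees it with CERT_DestroyCertList on its own error path, so that is the matching call for the caller. Add a line before the `"fd"` parameter line such as `** The caller owns the returned list and must release it with CERT_DestroyCertList.` It would also help to state the ordering contract, since the implementation puts the peer's own certificate first and then appends the chain in peerCertChain order, e.g. `** The list holds the peer's certificate first, followed by the rest of the chain as presented.`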
@@ -463,18 +472,6 @@
 			    SSLKEAType kea);
 
 /*
-** Return references to the certificates presented by the SSL peer.
-** |maxNumCerts| must contain the size of the |certs| array. On successful
-** return, |*numCerts| contains the number of certificates available and
-** |certs| will contain references to as many certificates as would fit.
-** Therefore if |*numCerts| contains a value less than or equal to
-** |maxNumCerts|, then all certificates were returned.
-*/
-SSL_IMPORT SECStatus SSL_PeerCertificateChain(
-	PRFileDesc *fd, CERTCertificate **certs,
-	unsigned int *numCerts, unsigned int maxNumCerts);
-
-/*
 ** Authenticate certificate hook. Called when a certificate comes in
 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
 ** certificate.
Index: net/third_party/nss/ssl/sslauth.c
===================================================================
--- net/third_party/nss/ssl/sslauth.c	(revision 225295)
+++ net/third_party/nss/ssl/sslauth.c	(working copy)
@@ -28,38 +28,43 @@
 }
 
 /* NEED LOCKS IN HERE.  */
-SECStatus
-SSL_PeerCertificateChain(PRFileDesc *fd, CERTCertificate **certs,
-			 unsigned int *numCerts, unsigned int maxNumCerts)
+CERTCertList *
+SSL_PeerCertificateChain(PRFileDesc *fd)
 {
     sslSocket *ss;
-    ssl3CertNode* cur;
+    CERTCertList *chain = NULL;
+    CERTCertificate *cert;
+    ssl3CertNode *cur;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
 	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
 		 SSL_GETPID(), fd));
-	return SECFailure;
+	return NULL;
     }
-    if (!ss->opt.useSecurity)
-	return SECFailure;
-
-    if (ss->sec.peerCert == NULL) {
-      *numCerts = 0;
-      return SECSuccess;
+    if (!ss->opt.useSecurity || !ss->sec.peerCert) {
+	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+	return NULL;
     }
-
-    *numCerts = 1;  /* for the leaf certificate */
-    if (maxNumCerts > 0)
-	certs[0] = CERT_DupCertificate(ss->sec.peerCert);
-
+    chain = CERT_NewCertList();
+    if (!chain) {
+	return NULL;
+    }
+    cert = CERT_DupCertificate(ss->sec.peerCert);
+    if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+	goto loser;
+    }
     for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
-	if (*numCerts < maxNumCerts)
-	    certs[*numCerts] = CERT_DupCertificate(cur->cert);
-	(*numCerts)++;
+	cert = CERT_DupCertificate(cur->cert);
+	if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
+	    goto loser;
+	}
     }
+    return chain;
 
-    return SECSuccess;
+loser:
+    CERT_DestroyCertList(chain);
+    return NULL;
 }
 
 /* NEED LOCKS IN HERE.  */
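Review bot: A CERT_DupCertificate reference leaks on both `goto loser` paths, because when CERT_AddCertToListTail fails the list never took ownership of `cert`, and CERT_DestroyCertList only releases certificates that were actually linked into the list. Release the extra reference before bailing at both checks, `CERT_DestroyCertificate(cert); goto loser;`. CERT_DupCertificate also returns NULL for a NULL input; `ss->sec.peerCert` is checked above but `cur->cert` is not, so if a peerCertChain node can ever carry a NULL cert a `if (!cert) goto loser;` guard after the second dup would be needed — worth confirming against the chain builder. The existing "NEED LOCKS IN HERE" caveat still applies: `ss->sec.peerCert` and `ss->ssl3.peerCertChain` are read here without holding any socket lock.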