authorVilmos Nebehaj <v.nebehaj@gmail.com>2014-09-01 00:17:25 +0200
committerVilmos Nebehaj <v.nebehaj@gmail.com>2014-09-01 00:34:37 +0200
commit0426670f0a8ffa69df64a3babfb5caed522feb7f (patch)
treec275c0f7b1f7d3bd48e1f9f5f149ff582b1218b5
parent4c134bcfcefa8a78e77afde03f74104b88b45dad (diff)
Check CA certificate in curl_darwinssl.c.
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer holds an invalid or corrupt certificate. Call SecCertificateCopyPublicKey() to make sure cacert is a valid certificate.
-rw-r--r--lib/vtls/curl_darwinssl.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index 9ba287d0e..372635747 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1671,6 +1671,16 @@ static int append_cert_to_array(struct SessionHandle *data,
return CURLE_SSL_CACERT;
}
+ /* Check if cacert is valid. */
+ SecKeyRef key;
+ OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
+ if(ret != noErr) {
+ CFRelease(cacert);
+ failf(data, "SSL: invalid CA certificate");
+ return CURLE_SSL_CACERT;
+ }
+ CFRelease(key);
+
CFArrayAppendValue(array, cacert);
CFRelease(cacert);