From fd1ce3856a77981ffe5e9d83b1843374e5a88d58 Mon Sep 17 00:00:00 2001
From: Vilmos Nebehaj <v.nebehaj@gmail.com>
Date: Wed, 3 Sep 2014 11:39:16 +0200
Subject: darwinssl: Use CopyCertSubject() to check CA cert.

SecCertificateCopyPublicKey() is not available on iPhone. Use
CopyCertSubject() instead to see if the certificate returned by
SecCertificateCreateWithData() is valid.

Reported-by: Toby Peterson
---
 lib/vtls/curl_darwinssl.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index 372635747..f229c6fe2 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1672,14 +1672,25 @@ static int append_cert_to_array(struct SessionHandle *data,
     }
 
     /* Check if cacert is valid. */
-    SecKeyRef key;
-    OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
-    if(ret != noErr) {
+    CFStringRef subject = CopyCertSubject(cacert);
+    if(subject) {
+      char subject_cbuf[128];
+      memset(subject_cbuf, 0, 128);
+      if(!CFStringGetCString(subject,
+                            subject_cbuf,
+                            128,
+                            kCFStringEncodingUTF8)) {
+        CFRelease(cacert);
+        failf(data, "SSL: invalid CA certificate subject");
+        return CURLE_SSL_CACERT;
+      }
+      CFRelease(subject);
+    }
+    else {
       CFRelease(cacert);
       failf(data, "SSL: invalid CA certificate");
       return CURLE_SSL_CACERT;
     }
-    CFRelease(key);
 
     CFArrayAppendValue(array, cacert);
     CFRelease(cacert);
-- 
cgit v1.2.3