darwinssl: Use CopyCertSubject() to check CA cert.

SecCertificateCopyPublicKey() is not available on iPhone. Use CopyCertSubject() instead to see if the certificate returned by SecCertificateCreateWithData() is valid. Reported-by: Toby Peterson
2024-08-13 17:03:50 -04:00 · 2014-09-03 11:39:16 +02:00 · 2014-09-03 11:39:16 +02:00 · fd1ce3856a
commit fd1ce3856a
parent c6ee182bd4
1 changed files with 15 additions and 4 deletions
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@ -1672,14 +1672,25 @@ static int append_cert_to_array(struct SessionHandle *data,
    }

    /* Check if cacert is valid. */
-    SecKeyRef key;
-    OSStatus ret = SecCertificateCopyPublicKey(cacert, &key);
-    if(ret != noErr) {
+    CFStringRef subject = CopyCertSubject(cacert);
+    if(subject) {
+      char subject_cbuf[128];
+      memset(subject_cbuf, 0, 128);
+      if(!CFStringGetCString(subject,
+                            subject_cbuf,
+                            128,
+                            kCFStringEncodingUTF8)) {
+        CFRelease(cacert);
+        failf(data, "SSL: invalid CA certificate subject");
+        return CURLE_SSL_CACERT;
+      }
+      CFRelease(subject);
+    }
+    else {
      CFRelease(cacert);
      failf(data, "SSL: invalid CA certificate");
      return CURLE_SSL_CACERT;
    }
-    CFRelease(key);

    CFArrayAppendValue(array, cacert);
    CFRelease(cacert);