@@ -165,19 +165,30 @@ Dart_Handle X509Helper::WrappedX509Certificate(X509* certificate) {
165
165
}
166
166
167
167
static int SetTrustedCertificatesBytesPKCS12 (SSL_CTX* context,
168
- ScopedMemBIO * bio,
168
+ BIO * bio,
169
169
const char * password) {
170
- CBS cbs;
171
- CBS_init (&cbs, bio->data (), bio->length ());
170
+ ScopedPKCS12 p12 (d2i_PKCS12_bio (bio, NULL ));
171
+ if (p12.get () == NULL ) {
172
+ return 0 ;
173
+ }
172
174
173
175
EVP_PKEY* key = NULL ;
174
- ScopedX509Stack cert_stack (sk_X509_new_null ());
175
- int status = PKCS12_get_key_and_certs (&key, cert_stack.get (), &cbs, password);
176
+ X509* cert = NULL ;
177
+ STACK_OF (X509)* ca_certs = NULL ;
178
+ int status = PKCS12_parse (p12.get (), password, &key, &cert, &ca_certs);
176
179
if (status == 0 ) {
177
180
return status;
178
181
}
179
182
183
+ ScopedX509Stack cert_stack (ca_certs);
180
184
X509_STORE* store = SSL_CTX_get_cert_store (context);
185
+ status = X509_STORE_add_cert (store, cert);
186
+ // X509_STORE_add_cert increments the reference count of cert on success.
187
+ X509_free (cert);
188
+ if (status == 0 ) {
189
+ return status;
190
+ }
191
+
181
192
X509* ca;
182
193
while ((ca = sk_X509_shift (cert_stack.get ())) != NULL ) {
183
194
status = X509_STORE_add_cert (store, ca);
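Review bot: On the new side `cert` can legitimately be NULL after a successful `PKCS12_parse` — as I read that API, `*cert` is only assigned when a private key was found and a certificate matches it, so a PKCS#12 bundle that carries only certificates lands everything in `ca_certs` — and then `X509_STORE_add_cert(store, cert)` at new line 185 fails and the function returns 0 even though the trust anchors were parsed; for a trust bundle that is the expected shape of the input. I would guard the end-entity add so the `ca_certs` loop still runs: `if (cert != NULL) { status = X509_STORE_add_cert(store, cert); X509_free(cert); if (status == 0) return status; }`. The same pattern is introduced in SetClientAuthoritiesPKCS12 (new lines 258–268) and UseChainBytesPKCS12 (new lines 554–563), though for the chain case a missing leaf certificate is arguably a real error and the current early return is fine. Separately, the `key` that `PKCS12_parse` hands back is not released anywhere in the hunk; if the remainder of the function does not `EVP_PKEY_free(key)`, it leaks per call, and a scoped holder right after the parse would settle that regardless. The body of SetTrustedCertificatesBytesPKCS12 continues past the hunk.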
@@ -223,7 +234,8 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
223
234
if (SecureSocketUtils::NoPEMStartLine ()) {
224
235
ERR_clear_error ();
225
236
BIO_reset (bio.bio ());
226
- status = SetTrustedCertificatesBytesPKCS12 (context (), &bio, password);
237
+ status =
238
+ SetTrustedCertificatesBytesPKCS12 (context (), bio.bio (), password);
227
239
}
228
240
} else {
229
241
// The PEM file was successfully parsed.
@@ -235,14 +247,25 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
235
247
}
236
248
237
249
static int SetClientAuthoritiesPKCS12 (SSL_CTX* context,
238
- ScopedMemBIO * bio,
250
+ BIO * bio,
239
251
const char * password) {
240
- CBS cbs;
241
- CBS_init (&cbs, bio->data (), bio->length ());
252
+ ScopedPKCS12 p12 (d2i_PKCS12_bio (bio, NULL ));
253
+ if (p12.get () == NULL ) {
254
+ return 0 ;
255
+ }
242
256
243
257
EVP_PKEY* key = NULL ;
244
- ScopedX509Stack cert_stack (sk_X509_new_null ());
245
- int status = PKCS12_get_key_and_certs (&key, cert_stack.get (), &cbs, password);
258
+ X509* cert = NULL ;
259
+ STACK_OF (X509)* ca_certs = NULL ;
260
+ int status = PKCS12_parse (p12.get (), password, &key, &cert, &ca_certs);
261
+ if (status == 0 ) {
262
+ return status;
263
+ }
264
+
265
+ ScopedX509Stack cert_stack (ca_certs);
266
+ status = SSL_CTX_add_client_CA (context, cert);
267
+ // SSL_CTX_add_client_CA increments the reference count of cert on success.
268
+ X509_free (cert);
246
269
if (status == 0 ) {
247
270
return status;
248
271
}
@@ -274,13 +297,13 @@ static int SetClientAuthoritiesPEM(SSL_CTX* context, BIO* bio) {
274
297
}
275
298
276
299
static int SetClientAuthorities (SSL_CTX* context,
277
- ScopedMemBIO * bio,
300
+ BIO * bio,
278
301
const char * password) {
279
- int status = SetClientAuthoritiesPEM (context, bio-> bio () );
302
+ int status = SetClientAuthoritiesPEM (context, bio);
280
303
if (status == 0 ) {
281
304
if (SecureSocketUtils::NoPEMStartLine ()) {
282
305
ERR_clear_error ();
283
- BIO_reset (bio-> bio () );
306
+ BIO_reset (bio);
284
307
status = SetClientAuthoritiesPKCS12 (context, bio, password);
285
308
}
286
309
} else {
@@ -296,7 +319,7 @@ void SSLCertContext::SetClientAuthoritiesBytes(
296
319
int status;
297
320
{
298
321
ScopedMemBIO bio (client_authorities_bytes);
299
- status = SetClientAuthorities (context (), & bio, password);
322
+ status = SetClientAuthorities (context (), bio. bio () , password);
300
323
}
301
324
302
325
SecureSocketUtils::CheckStatus (status, " TlsException" ,
@@ -520,31 +543,35 @@ void SSLCertContext::SetAlpnProtocolList(Dart_Handle protocols_handle,
520
543
}
521
544
522
545
static int UseChainBytesPKCS12 (SSL_CTX* context,
523
- ScopedMemBIO * bio,
546
+ BIO * bio,
524
547
const char * password) {
525
- CBS cbs;
526
- CBS_init (&cbs, bio->data (), bio->length ());
548
+ ScopedPKCS12 p12 (d2i_PKCS12_bio (bio, NULL ));
549
+ if (p12.get () == NULL ) {
550
+ return 0 ;
551
+ }
527
552
528
553
EVP_PKEY* key = NULL ;
529
- ScopedX509Stack certs (sk_X509_new_null ());
530
- int status = PKCS12_get_key_and_certs (&key, certs.get (), &cbs, password);
554
+ X509* cert = NULL ;
555
+ STACK_OF (X509)* ca_certs = NULL ;
556
+ int status = PKCS12_parse (p12.get (), password, &key, &cert, &ca_certs);
531
557
if (status == 0 ) {
532
558
return status;
533
559
}
534
560
535
- X509* ca = sk_X509_shift (certs.get ());
536
- status = SSL_CTX_use_certificate (context, ca);
561
+ ScopedX509 x509 (cert);
562
+ ScopedX509Stack certs (ca_certs);
563
+ status = SSL_CTX_use_certificate (context, x509.get ());
537
564
if (ERR_peek_error () != 0 ) {
538
565
// Key/certificate mismatch doesn't imply status is 0.
539
566
status = 0 ;
540
567
}
541
- X509_free (ca);
542
568
if (status == 0 ) {
543
569
return status;
544
570
}
545
571
546
572
SSL_CTX_clear_chain_certs (context);
547
573
574
+ X509* ca;
548
575
while ((ca = sk_X509_shift (certs.get ())) != NULL ) {
549
576
status = SSL_CTX_add0_chain_cert (context, ca);
550
577
// SSL_CTX_add0_chain_cert does not inc ref count, so don't free unless the
@@ -593,14 +620,12 @@ static int UseChainBytesPEM(SSL_CTX* context, BIO* bio) {
593
620
return SecureSocketUtils::NoPEMStartLine () ? status : 0 ;
594
621
}
595
622
596
- static int UseChainBytes (SSL_CTX* context,
597
- ScopedMemBIO* bio,
598
- const char * password) {
599
- int status = UseChainBytesPEM (context, bio->bio ());
623
+ static int UseChainBytes (SSL_CTX* context, BIO* bio, const char * password) {
624
+ int status = UseChainBytesPEM (context, bio);
600
625
if (status == 0 ) {
601
626
if (SecureSocketUtils::NoPEMStartLine ()) {
602
627
ERR_clear_error ();
603
- BIO_reset (bio-> bio () );
628
+ BIO_reset (bio);
604
629
status = UseChainBytesPKCS12 (context, bio, password);
605
630
}
606
631
} else {
@@ -613,7 +638,7 @@ static int UseChainBytes(SSL_CTX* context,
613
638
int SSLCertContext::UseCertificateChainBytes (Dart_Handle cert_chain_bytes,
614
639
const char * password) {
615
640
ScopedMemBIO bio (cert_chain_bytes);
616
- return UseChainBytes (context (), & bio, password);
641
+ return UseChainBytes (context (), bio. bio () , password);
617
642
}
618
643
619
644
static X509* GetX509Certificate (Dart_NativeArguments args) {