From 1c0e4188c853c686ccf6a0161d381469aa0c4053 Mon Sep 17 00:00:00 2001
From: bakjiho
Date: Mon, 20 Mar 2023 11:25:22 +0900
Subject: [PATCH 1/2] [FIX] Supports full chain certificate
Supports full chain certificate with PEM string
---
 COpenSSL/ssl.h | 1 +
 COpenSSL/ssl_.c | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/COpenSSL/ssl.h b/COpenSSL/ssl.h
index 189db40034..ca94a9fb4b 100644
--- a/COpenSSL/ssl.h
+++ b/COpenSSL/ssl.h
@@ -2200,6 +2200,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
 /* PEM type */
 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
+int SSL_CTX_use_certificate_add_chain(SSL_CTX *ctx, X509 *ca, int idx);
 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
 const char *file);
diff --git a/COpenSSL/ssl_.c b/COpenSSL/ssl_.c
index 2e37265ce7..93ff00ae76 100644
--- a/COpenSSL/ssl_.c
+++ b/COpenSSL/ssl_.c
@@ -9844,6 +9844,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
 BIO_free(in);
 return (ret);
 }
+
 #endif
 
 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
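Review bot: The new prototype `SSL_CTX_use_certificate_add_chain` in ssl.h (hunk `@@ -2200,6 +2200,7 @@`) has no comment, and its contract cannot be read off the signature. The implementation in this patch clears the existing chain when `idx == 1` and passes `ca` to `SSL_CTX_add0_chain_cert`, which keeps the pointer without taking a reference of its own. I would add above the declaration `/* Appends ca to ctx's chain; idx == 1 clears the chain first. On success ctx owns ca: do not X509_free() it. */`. Without that, a caller may free a certificate the context still holds, or start counting at 0 and never reset a stale chain.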
@@ -10108,6 +10109,34 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 BIO_free(in);
 return (ret);
 }
+
+int SSL_CTX_use_certificate_add_chain(SSL_CTX *ctx, X509 *ca, int idx)
+{
+ ERR_clear_error();
+ int ret = 1;
+ if (idx == 1) {
+ SSL_CTX_clear_chain_certs(ctx);
+ }
+ /*
+ * If we could set up our certificate, now proceed to the CA
+ * certificates.
+ */
+ long r;
+ unsigned long err;
+
+ r = SSL_CTX_add0_chain_cert(ctx, ca);
+
+ /* When the while loop ends, it's usually just EOF. */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_PEM
+ && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+ ERR_clear_error();
+ else
+ ret = 0; /* some real error */
+
+ end:
+ return (ret);
+}
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
From 192a3073d19db8ce18e6ee070f114a6c49458054 Mon Sep 17 00:00:00 2001
From: bakjiho
Date: Mon, 20 Mar 2023 11:29:21 +0900
Subject: [PATCH 2/2] [FIX] Supports full chain certificate
Supports full chain certificate with PEM string
---
 COpenSSL/ssl_.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/COpenSSL/ssl_.c b/COpenSSL/ssl_.c
index 93ff00ae76..44943b60ae 100644
--- a/COpenSSL/ssl_.c
+++ b/COpenSSL/ssl_.c
@@ -10117,16 +10117,12 @@ int SSL_CTX_use_certificate_add_chain(SSL_CTX *ctx, X509 *ca, int idx)
 if (idx == 1) {
 SSL_CTX_clear_chain_certs(ctx);
 }
- /*
- * If we could set up our certificate, now proceed to the CA
- * certificates.
- */
+
 long r;
 unsigned long err;
 
 r = SSL_CTX_add0_chain_cert(ctx, ca);
 
- /* When the while loop ends, it's usually just EOF. */
 err = ERR_peek_last_error();
 if (ERR_GET_LIB(err) == ERR_LIB_PEM
 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
@@ -10134,7 +10130,6 @@ int SSL_CTX_use_certificate_add_chain(SSL_CTX *ctx, X509 *ca, int idx)
 else
 ret = 0; /* some real error */
 
- end:
 return (ret);
 }
 #endif
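Review bot: In `SSL_CTX_use_certificate_add_chain` (hunk `@@ -10108,6 +10109,34 @@`) the result `r` of `SSL_CTX_add0_chain_cert` is never examined; the return value is taken from the error queue, which the function cleared on entry. After a successful add the queue is empty, so the `ERR_LIB_PEM`/`PEM_R_NO_START_LINE` test fails and `ret` becomes 0. As written the function appears to report failure on every call, and a caller that learns to ignore the result will also miss a chain certificate that really was not installed. The end-of-file check looks carried over from the PEM reading loop in `SSL_CTX_use_certificate_chain_file` and has no counterpart here; replace it with `if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) ret = 0;` and drop `r` and `err`. The follow-up hunk `@@ -10117,16 +10117,12 @@` in PATCH 2/2 removes only the stale comments and leaves this logic in place.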