OpenSSL/BoringSSL: Read certificate chain from client_cert on Android

If the keychain holds additional certificates other than the end certificate, read them into the certificate chain. Signed-off-by: Paul Stewart <pstew@google.com>
2017-01-25 13:59:16 -08:00 · 2017-01-25 13:59:16 -08:00 · 6d08f23f0a
commit 6d08f23f0a
parent 92607e91fb
1 changed files with 12 additions and 1 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -2371,13 +2371,24 @@ static int tls_connection_client_cert(struct tls_connection *conn,
 		int ret = -1;
 		if (bio) {
 			x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-			BIO_free(bio);
 		}
 		if (x509) {
 			if (SSL_use_certificate(conn->ssl, x509) == 1)
 				ret = 0;
 			X509_free(x509);
 		}
+
+		/* Read additional certificates into the chain. */
+		while (bio) {
+			x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+			if (x509) {
+				/* Takes ownership of x509 */
+				SSL_add0_chain_cert(conn->ssl, x509);
+			} else {
+				BIO_free(bio);
+				bio = NULL;
+			}
+		}
 		return ret;
 	}
 #endif /* ANDROID */