
Add |SSL_get_peer_full_cert_chain|.

This function always returns the full chain and will hopefully eliminate
the need for some code in Conscrypt.

Change-Id: Ib662005322c40824edf09d100a784ff00492896a
Reviewed-on: https://boringssl-review.googlesource.com/12780
Reviewed-by: Adam Langley <agl@google.com>
Adam Langley 7 years ago
parent
commit
629db8cd0c
2 changed files with 23 additions and 0 deletions
  1. +14
    -0
      include/openssl/ssl.h
  2. +9
    -0
      ssl/ssl_lib.c

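--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1388,6 +1388,20 @@ OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
 * If a client, it does. */
 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
+/* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
+* unavailable or the peer did not use certificates. This is the unverified
+* list of certificates as sent by the peer, not the final chain built during
+* verification. For historical reasons, this value may not be available if
+* resuming a serialized |SSL_SESSION|. The caller does not take ownership of
+* the result.
+*
+* This is the same as |SSL_get_peer_cert_chain| except that this function
+* always returns the full chain, i.e. the first element of the return value
+* (if any) will be the leaf certificate. In constrast,
+* |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
+* |ssl| is a server. */
+OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);
+
 /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
 * |*out_len| bytes of SCT information from the server. This is only valid if
 * |ssl| is a client. The SCT information is a SignedCertificateTimestampList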
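Review bot: The new declaration's comment has a typo, `In constrast` should read `In contrast`, and the sentence about the leaf would be stronger if it tied "first element" to the wire order and restated that nothing in it is trusted: `always returns the full chain in the order the peer sent it, i.e. the first element of the return value (if any) will be the leaf certificate; none of these certificates have been validated.` The earlier "unverified list" sentence already makes the point, but repeating it next to the leaf-first promise reduces the chance a caller indexes element 0 and treats it as the verified peer identity. The "for historical reasons" caveat about serialized sessions is left unexplained; if the reason is known it is worth one clause, otherwise it reads as a hedge.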


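--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1122,6 +1122,15 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
 return session->x509_chain_without_leaf;
 }
 
+STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
+SSL_SESSION *session = SSL_get_session(ssl);
+if (session == NULL) {
+return NULL;
+}
+
+return session->x509_chain;
+}
+
 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
 size_t max_out) {
 /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */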
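Review bot: SSL_get_peer_full_cert_chain returns `session->x509_chain` directly, so the caller's pointer aliases the session's own field and is only as long-lived as that session; the header says the caller does not own the result, but nothing here warns that the pointer presumably goes stale once |ssl| replaces its session (for example on renegotiation or a new handshake). A one-line comment on the return, `/* Aliases |session|'s chain; only valid while |ssl| retains this session. */`, would make the lifetime explicit for callers that stash the stack. The function takes the same NULL-session path as SSL_get_peer_cert_chain, whose body begins outside this hunk, so the two stay consistent on that edge.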

