From 50d9f9ad689cc43423bd207e0fbe8c637b6651a5 Mon Sep 17 00:00:00 2001
From: klzgrad <kizdiv@gmail.com>
Date: Sun, 16 May 2021 00:47:27 +0800
Subject: [PATCH] cert: Handle AIA response in PKCS#7 format

---
 src/net/cert/internal/cert_issuer_source_aia.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/net/cert/internal/cert_issuer_source_aia.cc b/src/net/cert/internal/cert_issuer_source_aia.cc
index 3007f39706..bf1e2ee7c0 100644
--- a/src/net/cert/internal/cert_issuer_source_aia.cc
+++ b/src/net/cert/internal/cert_issuer_source_aia.cc
@@ -8,6 +8,7 @@
 #include "base/logging.h"
 #include "base/strings/string_piece.h"
 #include "net/cert/cert_net_fetcher.h"
+#include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "third_party/boringssl/src/pki/cert_errors.h"
 #include "third_party/boringssl/src/pki/pem.h"
@@ -143,6 +144,22 @@ bool AiaRequest::AddCompletedFetchToResults(
   //    certificates MUST be able to accept individual DER encoded
   //    certificates and SHOULD be able to accept "certs-only" CMS messages.
 
+  // Handles PKCS#7 encoded certificates
+  CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+      fetched_bytes, X509Certificate::FORMAT_AUTO);
+  bool certs_ok = false;
+  for (const auto& cert : certs) {
+    auto parsed = bssl::ParsedCertificate::Create(
+        bssl::UpRef(cert->cert_buffer()),
+        x509_util::DefaultParseCertificateOptions(), /*errors=*/nullptr);
+    if (parsed) {
+      results->push_back(parsed);
+      certs_ok = true;
+    }
+  }
+  if (certs_ok)
+    return true;
+
   // TODO(https://crbug.com/870359): Some AIA responses are served as PEM, which
   // is not part of RFC 5280's profile.
   return ParseCertFromDer(fetched_bytes, results) ||