From 75ff2b8cf698032cc373d9159fd2a12f6d497067 Mon Sep 17 00:00:00 2001
From: klzgrad <kizdiv@gmail.com>
Date: Sun, 16 May 2021 00:47:27 +0800
Subject: [PATCH] cert: Handle AIA response in PKCS#7 format

---
 src/net/cert/internal/cert_issuer_source_aia.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/net/cert/internal/cert_issuer_source_aia.cc b/src/net/cert/internal/cert_issuer_source_aia.cc
index 855fa44480..59b2b1b104 100644
--- a/src/net/cert/internal/cert_issuer_source_aia.cc
+++ b/src/net/cert/internal/cert_issuer_source_aia.cc
@@ -10,6 +10,7 @@
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/pem.h"
 #include "net/cert/pki/cert_errors.h"
+#include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "url/gurl.h"
 
@@ -141,6 +142,22 @@ bool AiaRequest::AddCompletedFetchToResults(Error error,
   //    certificates MUST be able to accept individual DER encoded
   //    certificates and SHOULD be able to accept "certs-only" CMS messages.
 
+  // Handles PKCS#7 encoded certificates
+  CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+      fetched_bytes, X509Certificate::FORMAT_AUTO);
+  bool certs_ok = false;
+  for (const auto& cert : certs) {
+    auto parsed = ParsedCertificate::Create(
+        bssl::UpRef(cert->cert_buffer()),
+        x509_util::DefaultParseCertificateOptions(), /*errors=*/nullptr);
+    if (parsed) {
+      results->push_back(parsed);
+      certs_ok = true;
+    }
+  }
+  if (certs_ok)
+    return true;
+
   // TODO(https://crbug.com/870359): Some AIA responses are served as PEM, which
   // is not part of RFC 5280's profile.
   return ParseCertFromDer(fetched_bytes, results) ||