From 9c7cfc6e2ffbaebc09ff26394cbccddf704733f8 Mon Sep 17 00:00:00 2001 From: klzgrad Date: Sun, 16 May 2021 00:47:27 +0800 Subject: [PATCH] net/cert: Handle AIA response in PKCS#7 format --- src/net/cert/internal/cert_issuer_source_aia.cc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/net/cert/internal/cert_issuer_source_aia.cc b/src/net/cert/internal/cert_issuer_source_aia.cc index 40bdfe5c83..24f398df6d 100644 --- a/src/net/cert/internal/cert_issuer_source_aia.cc +++ b/src/net/cert/internal/cert_issuer_source_aia.cc @@ -9,6 +9,7 @@ #include "base/containers/span.h" #include "base/logging.h" #include "net/cert/cert_net_fetcher.h" +#include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "third_party/boringssl/src/pki/cert_errors.h" #include "third_party/boringssl/src/pki/pem.h" @@ -143,6 +144,22 @@ bool AiaRequest::AddCompletedFetchToResults( // certificates MUST be able to accept individual DER encoded // certificates and SHOULD be able to accept "certs-only" CMS messages. + // Handles PKCS#7 encoded certificates + CertificateList certs = X509Certificate::CreateCertificateListFromBytes( + fetched_bytes, X509Certificate::FORMAT_AUTO); + bool certs_ok = false; + for (const auto& cert : certs) { + auto parsed = bssl::ParsedCertificate::Create( + bssl::UpRef(cert->cert_buffer()), + x509_util::DefaultParseCertificateOptions(), /*errors=*/nullptr); + if (parsed) { + results->push_back(parsed); + certs_ok = true; + } + } + if (certs_ok) + return true; + // TODO(crbug.com/41405652): Some AIA responses are served as PEM, which // is not part of RFC 5280's profile. return ParseCertFromDer(fetched_bytes, results) ||