From f5ae1c9dfa36d24dc80eb53eff24a5754e3ab1ad Mon Sep 17 00:00:00 2001
From: klzgrad <kizdiv@gmail.com>
Date: Sun, 16 May 2021 00:47:27 +0800
Subject: [PATCH] net/cert: Handle AIA response in PKCS#7 format

---
 src/net/cert/internal/cert_issuer_source_aia.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/net/cert/internal/cert_issuer_source_aia.cc b/src/net/cert/internal/cert_issuer_source_aia.cc
index 40bdfe5c83..24f398df6d 100644
--- a/src/net/cert/internal/cert_issuer_source_aia.cc
+++ b/src/net/cert/internal/cert_issuer_source_aia.cc
@@ -9,6 +9,7 @@
 #include "base/containers/span.h"
 #include "base/logging.h"
 #include "net/cert/cert_net_fetcher.h"
+#include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "third_party/boringssl/src/pki/cert_errors.h"
 #include "third_party/boringssl/src/pki/pem.h"
@@ -143,6 +144,22 @@ bool AiaRequest::AddCompletedFetchToResults(
   //    certificates MUST be able to accept individual DER encoded
   //    certificates and SHOULD be able to accept "certs-only" CMS messages.
 
+  // Handles PKCS#7 encoded certificates
+  CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+      fetched_bytes, X509Certificate::FORMAT_AUTO);
+  bool certs_ok = false;
+  for (const auto& cert : certs) {
+    auto parsed = bssl::ParsedCertificate::Create(
+        bssl::UpRef(cert->cert_buffer()),
+        x509_util::DefaultParseCertificateOptions(), /*errors=*/nullptr);
+    if (parsed) {
+      results->push_back(parsed);
+      certs_ok = true;
+    }
+  }
+  if (certs_ok)
+    return true;
+
   // TODO(crbug.com/41405652): Some AIA responses are served as PEM, which
   // is not part of RFC 5280's profile.
   return ParseCertFromDer(fetched_bytes, results) ||