pass CA certificates to SSLCtx when provided by pkcs12 (#1444)

* pass CA certificates to SSLCtx when provided * Apply suggestions from code review * Update src/platform/tls_openssl.c Co-authored-by: Nick Banks <nibanks@microsoft.com>
microsoft · Apr 6, 2021 · 21c9ede · 21c9ede
1 parent a97c81a
commit 21c9ede
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c
@@ -1154,11 +1154,17 @@ CxPlatTlsSecConfigCreate(
  goto Exit;
  }
 
- STACK_OF(X509) *Ca = NULL;
+ STACK_OF(X509) *CaCertificates = NULL;
  Ret =
- PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &Ca);
- if (Ca) {
- sk_X509_pop_free(Ca, X509_free); // no handling for custom certificate chains yet.
+ PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &CaCertificates);
+ if (CaCertificates) {
+ X509* CaCert;
+ while ((CaCert = sk_X509_pop(CaCertificates)) != NULL) {
+ //
+ // This transfers ownership to SSLCtx and CaCert does not need to be freed.
+ //
+ SSL_CTX_add_extra_chain_cert(SecurityConfig->SSLCtx, CaCert);
+ }
  }
  if (Pkcs12) {
  PKCS12_free(Pkcs12);