author | Jouni Malinen <jouni@qca.qualcomm.com> | 2015-12-04 13:38:50 (GMT) |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2015-12-04 18:08:31 (GMT) |
commit | ed2566ac9ba81a90ed2bfb72ce1445e7933aa466 (patch) | |
tree | 1897170d7d65d1296683cef8aeeaef2159103b2d | |
parent | 8d27efa814e8f2c8bb4e26c1389a0cb60f8c6991 (diff) | |
EST: Implement pkcs7_to_cert() with BoringSSL
This adds one more step in completing hs20-osu-client support when using
BoringSSL instead of OpenSSL. EST client can now parse the cacerts file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-rw-r--r-- | hs20/client/est.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/hs20/client/est.c b/hs20/client/est.c
index c22d9ca..d754e61 100644
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -28,16 +28,27 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 size_t len, char *pem_file, char *der_file)
 {
 #ifdef OPENSSL_IS_BORINGSSL
- wpa_printf(MSG_ERROR,
- "EST: pkcs7_to_cert not yet supported with BoringSSL");
- return -1;
+ CBS pkcs7_cbs;
 #else /* OPENSSL_IS_BORINGSSL */
 PKCS7 *p7 = NULL;
 const unsigned char *p = pkcs7;
+#endif /* OPENSSL_IS_BORINGSSL */
 STACK_OF(X509) *certs;
 int i, num, ret = -1;
 BIO *out = NULL;
+#ifdef OPENSSL_IS_BORINGSSL
+ certs = sk_X509_new_null();
+ if (!certs)
+ goto fail;
+ CBS_init(&pkcs7_cbs, pkcs7, len);
+ if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
+ wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ write_result(ctx, "Could not parse PKCS#7 object from EST");
+ goto fail;
+ }
+#else /* OPENSSL_IS_BORINGSSL */
 p7 = d2i_PKCS7(NULL, &p, len);
 if (p7 == NULL) {
 wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
@@ -57,6 +68,7 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 certs = NULL;
 break;
 }
+#endif /* OPENSSL_IS_BORINGSSL */
 if (!certs || ((num = sk_X509_num(certs)) == 0)) {
 wpa_printf(MSG_INFO, "No certificates found in PKCS#7 object");
@@ -89,12 +101,16 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 ret = 0;
 fail:
+#ifdef OPENSSL_IS_BORINGSSL
+ if (certs)
+ sk_X509_pop_free(certs, X509_free);
+#else /* OPENSSL_IS_BORINGSSL */
 PKCS7_free(p7);
+#endif /* OPENSSL_IS_BORINGSSL */
 if (out)
 BIO_free_all(out);
 return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
 } |
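Review bot: In the first hunk's BoringSSL branch, the `if (!certs) goto fail;` path returns -1 with no log line and no `write_result()` call, unlike the parse failure handled just below it; a `wpa_printf(MSG_INFO, "EST: Could not allocate certificate stack");` before the `goto` would keep that failure diagnosable. As far as I know `PKCS7_get_certificates()` only extracts the certificates from the SignedData structure and verifies nothing, so a comment such as `/* certs-only PKCS#7: no signature is checked here; presumably trust rests on the authenticated EST connection */` would record where the trust decision is made. If strict parsing is wanted, checking `CBS_len(&pkcs7_cbs) == 0` after the call would reject trailing bytes, although the `d2i_PKCS7()` branch does not appear to enforce that either. pkcs7_to_cert() starts above this hunk and continues below it.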
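Review bot: The cleanup at `fail:` in the last hunk is only safe because of where each build assigns `certs`: the BoringSSL branch frees a stack it allocated itself, while the other branch never touches `certs` at the label, and there the pointer is still uninitialized when `d2i_PKCS7()` fails. Declaring it as `STACK_OF(X509) *certs = NULL;` (a context line in the first hunk) would keep the label safe whichever `goto fail` is taken or added later. A one-line comment such as `/* BoringSSL: certs is owned by this function; OpenSSL: released with p7 */` would document the difference. The OpenSSL ownership is inferred from `PKCS7_free(p7)` being the only cleanup, since the lines that fill `certs` in that branch are outside the hunks.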