
Commit 88aa754

kw217maxdymond
andauthored
Iterate over all certificates in a trusted cert BIO, not just the first (#522)
Previously, the code which loaded a trusted certificate from a file assumed that there was only a single certificate in that file, meaning that using a certificate bundle for certificate verification would not work. This fix allows the driver to read multiple trusted certificates out of a BIO and provision them in the trusted certificate store. Co-authored-by: Max Dymond <[email protected]>
1 parent bf1ff08 commit 88aa754

1 file changed

+25
-20
lines changed


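--- a/src/ssl/ssl_openssl_impl.cpp
+++ b/src/ssl/ssl_openssl_impl.cpp
@@ -240,22 +240,6 @@ static int SSL_CTX_use_certificate_chain_bio(SSL_CTX* ctx, BIO* in) {
 return ret;
 }
 
-static X509* load_cert(const char* cert, size_t cert_size) {
-BIO* bio = BIO_new_mem_buf(const_cast<char*>(cert), cert_size);
-if (bio == NULL) {
-return NULL;
-}
-
-X509* x509 = PEM_read_bio_X509(bio, NULL, pem_password_callback, NULL);
-if (x509 == NULL) {
-ssl_log_errors("Unable to load certificate");
-}
-
-BIO_free_all(bio);
-
-return x509;
-}
-
 static EVP_PKEY* load_key(const char* key, size_t key_size, const char* password) {
 BIO* bio = BIO_new_mem_buf(const_cast<char*>(key), key_size);
 if (bio == NULL) {
@@ -568,13 +552,34 @@ SslSession* OpenSslContext::create_session(const Address& address, const String&
 }
 
 CassError OpenSslContext::add_trusted_cert(const char* cert, size_t cert_length) {
-X509* x509 = load_cert(cert, cert_length);
-if (x509 == NULL) {
+BIO* bio = BIO_new_mem_buf(const_cast<char*>(cert), cert_length);
+if (bio == NULL) {
 return CASS_ERROR_SSL_INVALID_CERT;
 }
 
-X509_STORE_add_cert(trusted_store_, x509);
-X509_free(x509);
+int num_certs = 0;
+
+// Iterate over the bio, reading out as many certificates as possible.
+for (X509* cert = PEM_read_bio_X509(bio, NULL, pem_password_callback, NULL);
+cert != NULL;
+cert = PEM_read_bio_X509(bio, NULL, pem_password_callback, NULL))
+{
+X509_STORE_add_cert(trusted_store_, cert);
+X509_free(cert);
+num_certs++;
+}
+
+// Retrieve and discard the error tht terminated the loop,
+// so it doesn't cause the next PEM operation to fail mysteriously.
+ERR_get_error();
+
+BIO_free_all(bio);
+
+// If no certificates were read from the bio, that is an error.
+if (num_certs == 0) {
+ssl_log_errors("Unable to load certificate(s)");
+return CASS_ERROR_SSL_INVALID_CERT;
+}
 
 return CASS_OK;
 }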
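Review bot: In the `add_trusted_cert` hunk the `ERR_get_error();` after the loop pops only the topmost entry from the OpenSSL error queue, yet the failing `PEM_read_bio_X509` that ends the loop can leave more than one entry, and the pop runs before the `num_certs == 0` branch calls `ssl_log_errors`, so the failure being reported may already have been discarded (unless `ssl_log_errors` drains the queue itself, which this hunk does not show). Suggest checking `num_certs` first so the log line sees the queued error, and then replacing the pop with `ERR_clear_error();`, which discards the whole queue and is the idiomatic way to reset it after an expected end-of-input failure. Separately, a bundle that is malformed part-way through stops the loop silently and the trust anchors after the bad entry are never added; consider logging when the terminating error is anything other than `PEM_R_NO_START_LINE`, and checking the `X509_STORE_add_cert` return value, which is currently ignored. Minor: the loop variable `cert` shadows the `cert` parameter, and the comment reads `tht` for `that`.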
