Set OPENSSL_EC_NAMED_CURVE explicitly on EC key so that certificate has ASN1 OID and NIST curve inf…

webrtc/base/opensslidentity.cc

Index: webrtc/base/opensslidentity.cc
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 58a0cd8adeb2b2f48b7851cc02493c7918108fca..d98a59d5865a4384c276c296c43ea254b41c75b7 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -61,6 +61,12 @@ static EVP_PKEY* MakeKey(const KeyParams& key_params) {
   } else if (key_params.type() == KT_ECDSA) {
     if (key_params.ec_curve() == EC_NIST_P256) {
       EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+      // Ensure curve name is included when EC key is

[mattdr-at-webrtc.org, 2016/12/02 19:10:29]

The whitespace is a bit weird here -- it seems to associate the comment with the
previous call.

Let's have:

EC_KEY* ec_key = ...
<blank line>
//
//
//
EC_KEY_set_asn1_flag...
<blank line>
if (!pkey ...

that way it's obvious which call the comment refers to.

+      // is serialized. Without this call, OpenSSL versions
+      // before 1.1.0 will create certificates that don't work
+      // for TLS. This is a no-op for BoringSSL and OpenSSL 1.1.0+
+
+      EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);
       if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) ||
           !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) {
         EVP_PKEY_free(pkey);