Index: webrtc/rtc_base/opensslstreamadapter.cc |
diff --git a/webrtc/rtc_base/opensslstreamadapter.cc b/webrtc/rtc_base/opensslstreamadapter.cc |
index 1c0b57894acd8de29a0bb5d9565ae079168053f6..71adbb4530d8a6b00e0bbce6184802190c9f79a8 100644 |
--- a/webrtc/rtc_base/opensslstreamadapter.cc |
+++ b/webrtc/rtc_base/opensslstreamadapter.cc |
@@ -38,6 +38,7 @@ |
namespace { |
bool g_use_time_callback_for_testing = false; |
+ const int kMaxSupportedCertChainDepth = 3; |
davidben_webrtc
2017/09/26 23:21:46
3 is a remarkably small number. Where did you get
|
} |
namespace rtc { |
@@ -1110,15 +1111,20 @@ int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { |
// For now we ignore the parent certificates and verify the leaf against |
// the digest. |
// |
- // TODO(jiayl): Verify the chain is a proper chain and report the chain to |
- // |stream->peer_certificate_|. |
- if (depth > 0) { |
- LOG(LS_INFO) << "Ignored chained certificate at depth " << depth; |
- return 1; |
- } |
OpenSSLStreamAdapter* stream = |
reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); |
+ if (depth == 0) { |
davidben_webrtc
2017/09/26 23:21:46
Huh? This is the error depth...
|
+ // Record the peer's certificate. |
+ stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |
+ } else { |
+ STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store); |
+ if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth) { |
+ LOG(LS_INFO) << "Ignore chained certificate at depth " << depth; |
+ return 1; |
+ } |
+ stream->peer_certificate_.reset(new OpenSSLCertificate(chain)); |
davidben_webrtc
2017/09/26 23:21:46
This callback gets called multiple times as the ce
|
+ } |
// Record the peer's certificate. |
stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); |