Add |SSL_get_peer_full_cert_chain|. This function always returns the full chain and will hopefully eliminate the need for some code in Conscrypt.

Change-Id: Ib662005322c40824edf09d100a784ff00492896a
Reviewed-on: https://boringssl-review.googlesource.com/12780
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index cffa827..2a76fe2 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -1388,6 +1388,20 @@ * If a client, it does. */ OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); +/* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if + * unavailable or the peer did not use certificates. This is the unverified + * list of certificates as sent by the peer, not the final chain built during + * verification. For historical reasons, this value may not be available if + * resuming a serialized |SSL_SESSION|. The caller does not take ownership of + * the result. + * + * This is the same as |SSL_get_peer_cert_chain| except that this function + * always returns the full chain, i.e. the first element of the return value + * (if any) will be the leaf certificate. In constrast, + * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the + * |ssl| is a server. */ +OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl); + /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to * |*out_len| bytes of SCT information from the server. This is only valid if * |ssl| is a client. The SCT information is a SignedCertificateTimestampList
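Review bot: typo in the new doc comment for |SSL_get_peer_full_cert_chain|: "In constrast" should read "In contrast". On substance, the comment already says the stack is the unverified list as sent by the peer (not the chain built during verification) and that it may be NULL when resuming a serialized |SSL_SESSION|; since the stated motivation is replacing chain-handling code in Conscrypt, consider adding one sentence making explicit that callers must still complete certificate verification before trusting element 0 as the peer's identity, so the "full chain" wording is not read as "verified chain". Also note that this hunk only changes the header; the source file implementing the function is not part of this hunk, so the server-side behaviour described here (leaf prepended to the intermediates returned by |SSL_get_peer_cert_chain|) cannot be confirmed from these lines and should be checked against the accompanying implementation and a test that exercises both the client and server paths.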