Deprecate SSL_PRIVATE_KEY_METHOD type and max_signature_len.
Instead, extract them from the certificate's public key, which is what
everyone was doing anyway. A follow-up change will take advantage of this
cleanup to deduplicate the code, shared between signing and verifying, that
decides which keys are usable with which signature algorithms.
BUG=188
Change-Id: Ic3f83a6477e8fa53e5e7233f4545f4d2c4b58d01
Reviewed-on: https://boringssl-review.googlesource.com/14565
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4722a66..87b60e9 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -861,6 +861,25 @@
return 1;
}
+int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ if (!ssl_has_certificate(ssl)) {
+ /* Nothing to do. */
+ return 1;
+ }
+
+ if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl)) {
+ return 0;
+ }
+
+ CBS leaf;
+ CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0), &leaf);
+
+ EVP_PKEY_free(hs->local_pubkey);
+ hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);
+ return hs->local_pubkey != NULL;
+}
+
static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
size_t list_len) {
CBS sct_list;
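Review bot: `ssl_on_certificate_selected` is a non-static entry point with no comment stating its contract, and the only guard before `sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0)` is `ssl_has_certificate`, so the unchecked use of element 0 silently depends on that helper (outside this hunk) guaranteeing a non-NULL leaf — that dependency should be written down next to the call. Since `hs->local_pubkey` parsed from the leaf now replaces the deprecated `type`/`max_signature_len` fields as the source of truth for the signing key, a mismatch between the configured private key (or `SSL_PRIVATE_KEY_METHOD`) and the certificate is presumably no longer caught by those fields; the comment should say who is responsible for that check. I'd add above the definition: `/* ssl_on_certificate_selected is called once the handshake's certificate is fixed. It builds the chain if needed and parses the leaf's SubjectPublicKeyInfo into |hs->local_pubkey|, replacing any previous value. It returns one on success and zero on error. */`, and a one-line note after the `if (!ssl_has_certificate(ssl))` guard that it is relied on to ensure `chain` has a non-NULL element 0.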