Google Git
Sign in
boringssl / boringssl / 629db8cd0c84628e37aa81242b5b07fec7602f55^! / .
commit629db8cd0c84628e37aa81242b5b07fec7602f55[log] [tgz]
authorAdam Langley <agl@google.com>Tue Dec 13 09:23:27 2016 -0800
committerAdam Langley <agl@google.com>Wed Dec 14 18:01:10 2016 +0000
treeb64b6002a51a447c9aa9c1516aa9af265b5ee164
parenta4b91981f85f8daab5496344ea7e93f0de9b64b7 [diff]
Add |SSL_get_peer_full_cert_chain|.

This function always returns the full chain and will hopefully eliminate
the need for some code in Conscrypt.

Change-Id: Ib662005322c40824edf09d100a784ff00492896a
Reviewed-on: https://boringssl-review.googlesource.com/12780
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cffa827..2a76fe2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1388,6 +1388,20 @@
  * If a client, it does. */
 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
+/* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
+ * unavailable or the peer did not use certificates. This is the unverified
+ * list of certificates as sent by the peer, not the final chain built during
+ * verification. For historical reasons, this value may not be available if
+ * resuming a serialized |SSL_SESSION|. The caller does not take ownership of
+ * the result.
+ *
+ * This is the same as |SSL_get_peer_cert_chain| except that this function
+ * always returns the full chain, i.e. the first element of the return value
+ * (if any) will be the leaf certificate. In constrast,
+ * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
+ * |ssl| is a server. */
+OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);
+
 /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
  * |*out_len| bytes of SCT information from the server. This is only valid if
  * |ssl| is a client. The SCT information is a SignedCertificateTimestampList

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 078b62b..77e86a8 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c

@@ -1122,6 +1122,15 @@
   return session->x509_chain_without_leaf;
 }
 
+STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {
+  SSL_SESSION *session = SSL_get_session(ssl);
+  if (session == NULL) {
+    return NULL;
+  }
+
+  return session->x509_chain;
+}
+
 int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
                        size_t max_out) {
   /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */