EST: Implement pkcs7_to_cert() with BoringSSL

This adds one more step in completing hs20-osu-client support when using
BoringSSL instead of OpenSSL. EST client can now parse the cacerts file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/hs20/client/est.c b/hs20/client/est.c
index c22d9ca2e072ce44d2616500788c3db52708cb48..d754e6108949372f71c770a5e5de81c86cc0b776 100644 (file)
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -28,16 +28,27 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
                         size_t len, char *pem_file, char *der_file)
 {
 #ifdef OPENSSL_IS_BORINGSSL
-       wpa_printf(MSG_ERROR,
-               "EST: pkcs7_to_cert not yet supported with BoringSSL");
-       return -1;
+       CBS pkcs7_cbs;
 #else /* OPENSSL_IS_BORINGSSL */
        PKCS7 *p7 = NULL;
        const unsigned char *p = pkcs7;
+#endif /* OPENSSL_IS_BORINGSSL */
        STACK_OF(X509) *certs;
        int i, num, ret = -1;
        BIO *out = NULL;
 
+#ifdef OPENSSL_IS_BORINGSSL
+       certs = sk_X509_new_null();
+       if (!certs)
+               goto fail;
+       CBS_init(&pkcs7_cbs, pkcs7, len);
+       if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
+               wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
+                          ERR_error_string(ERR_get_error(), NULL));
+               write_result(ctx, "Could not parse PKCS#7 object from EST");
+               goto fail;
+       }
+#else /* OPENSSL_IS_BORINGSSL */
        p7 = d2i_PKCS7(NULL, &p, len);
        if (p7 == NULL) {
                wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
@@ -57,6 +68,7 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
                certs = NULL;
                break;
        }
+#endif /* OPENSSL_IS_BORINGSSL */
 
        if (!certs || ((num = sk_X509_num(certs)) == 0)) {
                wpa_printf(MSG_INFO, "No certificates found in PKCS#7 object");
@@ -89,12 +101,16 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
        ret = 0;
 
 fail:
+#ifdef OPENSSL_IS_BORINGSSL
+       if (certs)
+               sk_X509_pop_free(certs, X509_free);
+#else /* OPENSSL_IS_BORINGSSL */
        PKCS7_free(p7);
+#endif /* OPENSSL_IS_BORINGSSL */
        if (out)
                BIO_free_all(out);
 
        return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
 }