From: Nikos Mavrogiannopoulos Date: Fri, 2 Mar 2018 22:09:11 +0000 (+0100) Subject: gnutls_x509_crt_export2: avoid re-encoding X-Git-Tag: gnutls_3_6_3~217^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3da2eea62bf70971f89ec493bc6e60a88a811f80;p=thirdparty%2Fgnutls.git gnutls_x509_crt_export2: avoid re-encoding That prevents possible re-encoding issues in libtasn1 or ambiguously formatted DER data, from affecting verbatim usage of certificates. Relates #403 Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/lib/x509/x509.c b/lib/x509/x509.c index 190a839baf..162a49be4e 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -2903,13 +2903,26 @@ gnutls_x509_crt_export(gnutls_x509_crt_t cert, gnutls_x509_crt_fmt_t format, void *output_data, size_t * output_data_size) { - if (cert == NULL) { + gnutls_datum_t out; + int ret; + + ret = gnutls_x509_crt_export2(cert, format, &out); + if (ret < 0) + return gnutls_assert_val(ret); + + if (format == GNUTLS_X509_FMT_PEM) + ret = _gnutls_copy_string(&out, (uint8_t*)output_data, output_data_size); + else + ret = _gnutls_copy_data(&out, (uint8_t*)output_data, output_data_size); + if (ret < 0) { gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; + goto cleanup; } - return _gnutls_x509_export_int(cert->cert, format, PEM_X509_CERT2, - output_data, output_data_size); + ret = 0; + cleanup: + gnutls_free(out.data); + return ret; } /** @@ -2938,6 +2951,15 @@ gnutls_x509_crt_export2(gnutls_x509_crt_t cert, return GNUTLS_E_INVALID_REQUEST; } + if (!cert->modified && cert->der.size) { + if (format == GNUTLS_X509_FMT_DER) + return _gnutls_set_datum(out, cert->der.data, cert->der.size); + else + return _gnutls_fbase64_encode(PEM_X509_CERT2, cert->der.data, + cert->der.size, out); + + } + return _gnutls_x509_export_int2(cert->cert, format, PEM_X509_CERT2, out); }
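Review bot: The documented short-buffer contract of gnutls_x509_crt_export now rests entirely on `_gnutls_copy_string` and `_gnutls_copy_data`, which are not visible in this hunk. Callers that probe with a too-small buffer expect GNUTLS_E_SHORT_MEMORY_BUFFER and the required length in `*output_data_size` (for PEM presumably including the terminating NUL), with nothing written past the supplied size. A comment above the two copy calls would state that, e.g. `/* both helpers bound the write by *output_data_size and report the needed size on GNUTLS_E_SHORT_MEMORY_BUFFER */`, and a regression test for the size-query path would pin it. Separately, `gnutls_datum_t out = { NULL, 0 };` would keep the `cleanup:` label safe if an earlier `goto cleanup` is ever added. The function's signature begins outside the hunk.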
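Review bot: The new shortcut in gnutls_x509_crt_export2 returns whatever bytes are held in `cert->der`, so it is only correct if two invariants hold that this hunk does not show. Every code path that changes `cert->cert` must set `cert->modified`, otherwise a stale encoding is exported and later hashed, pinned or compared. And `cert->der` must hold exactly the certificate's encoding; if the import side stores the caller's buffer as given, any bytes after the outer SEQUENCE would now be exported where re-encoding used to drop them, which is worth confirming there. I would record this above the `if`, e.g. `/* cert->der is the exact DER of cert->cert as imported; all setters must set cert->modified */`. The function's opening lines are outside the hunk.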