commit 0567220b8bf05ddc0079cdca140216e0f2891230
author Adam Langley <agl@google.com> Tue Dec 13 12:05:49 2016 -0800
committer Adam Langley <agl@google.com> Wed Dec 14 17:51:03 2016 +0000
tree ce77d247544fdaa9b9bda7262c7e506d32e3ce9d
parent 0c294254b53371eab9c805bf6a8f418a3d6ca9c5

Don't use X.509 functions to check ECDSA keyUsage.

This removes another dependency on the crypto/x509 code.

Change-Id: Ia72da4d47192954c2b9a32cf4bcfd7498213c0c7
Reviewed-on: https://boringssl-review.googlesource.com/12709
Reviewed-by: Adam Langley <agl@google.com>

ssl/handshake_client.c

diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index aad0de2..8c21818 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1061,8 +1061,9 @@
     return -1;
   }
 
-  X509 *leaf = sk_X509_value(ssl->s3->new_session->x509_chain, 0);
-  if (!ssl_check_leaf_certificate(ssl, leaf)) {
+  if (!ssl_check_leaf_certificate(
+          ssl, hs->peer_pubkey,
+          sk_CRYPTO_BUFFER_value(ssl->s3->new_session->certs, 0))) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return -1;
   }