From d51854a95a8a3343f2718dcebf6762e93bb570e8 Mon Sep 17 00:00:00 2001 From: Mark Kelly Date: Mon, 18 Sep 2023 12:16:16 -0400 Subject: [PATCH] HPCC-27255 TLS cert/key as buffers 4a Signed-off-by: Mark Kelly
---
 system/security/securesocket/securesocket.cpp | 80 ++++++++++---------
 1 file changed, 42 insertions(+), 38 deletions(-)
diff --git a/system/security/securesocket/securesocket.cpp b/system/security/securesocket/securesocket.cpp
index 37285487129..f5b56eaa8d4 100644
--- a/system/security/securesocket/securesocket.cpp
+++ b/system/security/securesocket/securesocket.cpp
@@ -1231,47 +1231,11 @@ static bool useCertificateChainPEMBuffer(SSL_CTX *ctx, const char *certBuf, int
 return true;
 }
 
-static bool setVerifyCertsPEMBuffer(SSL_CTX *ctx, const char *caCertBuf, int caCertLen=-1)
-{
- // this routine based on code originally from:
- // https://stackoverflow.com/questions/5052563/c-openssl-use-root-ca-from-buffer-rather-than-file-ssl-ctx-load-verify-locat
-
- // can have multiple certs in buffer
-
- OwnedEVPBio cbio(BIO_new_mem_buf(caCertBuf, caCertLen));
- if (!cbio)
- return false;
-
- OwnedX509Store store(X509_STORE_new());
- if (!store)
- return false;
-
- OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
- if (!infoStk)
- return false;
-
- X509_INFO *infoVal;
- for (int i = 0; i < sk_X509_INFO_num(infoStk); i++)
- {
- infoVal = sk_X509_INFO_value(infoStk, i);
- if (infoVal->x509)
- {
- if (!X509_STORE_add_cert(store, infoVal->x509))
- return false;
-
- infoVal->x509 = NULL;
- }
- }
-
- SSL_CTX_set_cert_store(ctx, store.getClear());
-
- return true;
-}
-
 class CSecureSocketContext : public CInterfaceOf
 {
 private:
 OwnedSSLCTX m_ctx;
+ OwnedX509Store m_store;
 #if (OPENSSL_VERSION_NUMBER > 0x00909000L)
 const SSL_METHOD* m_meth = nullptr;
 #else
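Review bot: The new `m_store` member is undocumented, and its ownership relationship to `m_ctx` is not obvious from the declaration: the context takes its own reference through `SSL_CTX_set1_cert_store` in this patch's second hunk, so `m_store` is a second owner of the trust store, not the only one. A short comment would make that explicit, e.g. `OwnedX509Store m_store; // CA trust store built from a PEM buffer; m_ctx holds its own reference (SSL_CTX_set1_cert_store)`. Members are destroyed in reverse declaration order, so `m_store` is released before `m_ctx`; that is only safe because of the context's extra reference, which is another reason the comment belongs here. The class body continues outside the hunk.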
@@ -1345,13 +1309,53 @@ class CSecureSocketContext : public CInterfaceOf
 if (containsEmbeddedKey(caCertsPathOrBuf))
 {
 // can have multiple certs in buffer
- if (!setVerifyCertsPEMBuffer(m_ctx, caCertsPathOrBuf))
+ if (!setVerifyCertsPEMBuffer(caCertsPathOrBuf))
 throw makeStringException(-1, "Error loading CA certificates");
 }
 else if (SSL_CTX_load_verify_locations(m_ctx, caCertsPathOrBuf, NULL) != 1)
 throw makeStringExceptionV(-1, "Error loading CA certificates from %s", caCertsPathOrBuf);
 }
 
+ bool setVerifyCertsPEMBuffer(const char *caCertBuf, int caCertLen=-1)
+ {
+ // this routine based on code originally from:
+ // https://stackoverflow.com/questions/5052563/c-openssl-use-root-ca-from-buffer-rather-than-file-ssl-ctx-load-verify-locat
+
+ // can have multiple certs in buffer
+
+ OwnedEVPBio cbio(BIO_new_mem_buf(caCertBuf, caCertLen));
+ if (!cbio)
+ return false;
+
+ if (m_store)
+ m_store.clear();
+
+ m_store.setown(X509_STORE_new());
+ if (!m_store)
+ return false;
+
+ OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
+ if (!infoStk)
+ return false;
+
+ X509_INFO *infoVal;
+ for (int i = 0; i < sk_X509_INFO_num(infoStk); i++)
+ {
+ infoVal = sk_X509_INFO_value(infoStk, i);
+ if (infoVal->x509)
+ {
+ if (!X509_STORE_add_cert(m_store, infoVal->x509))
+ return false;
+
+ infoVal->x509 = NULL;
+ }
+ }
+
+ SSL_CTX_set1_cert_store(m_ctx, m_store);
+
+ return true;
+ }
+
 public:
 CSecureSocketContext(SecureSocketType sockettype)
 {
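Review bot: `setVerifyCertsPEMBuffer` reports success even when the loop adds no certificate at all — a buffer that passes `containsEmbeddedKey` but carries only a key, or material `PEM_X509_INFO_read_bio` yields no `x509` entries for, installs a freshly created empty store into `m_ctx`, so the caller never sees the `"Error loading CA certificates"` exception and every later handshake fails verification with an opaque error instead of failing at configuration time. Counting the additions fixes that: `unsigned added = 0;` before the loop, `++added;` next to `infoVal->x509 = NULL;`, and `if (added == 0) return false;` before `SSL_CTX_set1_cert_store`. Two further things worth checking: `X509_STORE_add_cert` takes its own reference on the certificate rather than adopting it, so nulling `infoVal->x509` after a successful add looks like it leaks one reference per CA cert when `infoStk` is released; and on OpenSSL releases before 1.1.0 the same call reports a duplicate certificate in the bundle as a failure (and `SSL_CTX_set1_cert_store` does not exist there), which matters if the `OPENSSL_VERSION_NUMBER` guard in this class still reflects supported targets. The enclosing class starts and ends outside the hunk.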