GNOME Bugzilla – Bug 724842
glib-networking: don't load non-CA certificates from database file
Last modified: 2014-02-21 19:30:28 UTC
While working on bug 724708, I was trying to load a certificate using g_tls_certificate_new_from_file(). The file would contain a certificate chain where the first certificate would be the server certificate. Then, I loaded the same file with g_tls_file_database_new(). After that, I called g_tls_database_verify_chain() so the certificate chain would be built. g_tls_database_verify_chain() always returns STATUS_ANCHORED if the certificate you are looking for is present in the database, even if it's not a CA certificate. So, building the chain is never completed.
Created attachment 269850: make sure certificate is a CA before adding it to database
Created attachment 269864: do not complain if Basic Constraint is not available

I was getting a bunch of:

GLib-Net-WARNING **: failed to get CA status of anchor certificate: The requested data were not available.

So, I removed the warning and ignored CA certificates that don't conform to the standard.
Patch in comment 2 does not pass "make check". Test uses certificates without Basic Constraints.
The problem that brought me to do this was that in my certificate chain two certificates had the same DN, the intermediate CA and the server certificate. gtlsfiledatabase-gnutls.c uses the DN to keep hash tables to look up a certificate, and the two certificates with the same DN were causing trouble. So, I'll mark this as INVALID as it is not mandatory to have the basic constraints extension.
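As an added example (not code from this bug or from glib-networking), here is the tri-state check that comment 2 hinges on: decoding the BasicConstraints cA flag from raw DER in plain Python, keeping "extension absent" (what GnuTLS reports as data not available) distinct from "cA = FALSE", and the two anchor-selection policies the thread tried. The helper names and the sample extension bytes are constructed for illustration.

```python
from typing import List, Optional, Tuple

def _der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def basic_constraints_ca(ext_value: Optional[bytes]) -> Optional[bool]:
    """Tri-state CA status from a BasicConstraints extnValue (RFC 5280 4.2.1.9).
    ext_value is the OCTET STRING contents, or None when the certificate has no
    BasicConstraints extension at all.
    True -> cA TRUE; False -> cA FALSE (explicit BER, or omitted in DER because
    it DEFAULTs to FALSE); None -> extension absent, status unknown."""
    if ext_value is None:
        return None
    tag, body, _ = _der_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if not body:
        return False                       # SEQUENCE {} -> cA defaulted to FALSE
    tag, val, _ = _der_tlv(body)
    if tag == 0x01:                        # BOOLEAN cA is present
        return val != b"\x00"
    return False                           # only pathLenConstraint: cA defaulted

def select_anchors(entries: List[Tuple[str, Optional[bytes]]], strict: bool) -> List[str]:
    """entries: (label, extnValue-or-None). strict=True drops certificates that
    lack the extension (the policy of attachment 269864, which broke 'make
    check'); strict=False keeps them, since the extension is not mandatory.
    Certificates with an explicit cA FALSE are dropped under both policies."""
    kept = []
    for label, ext in entries:
        ca = basic_constraints_ca(ext)
        if ca is True or (ca is None and not strict):
            kept.append(label)
    return kept

# Constructed sample extension values (not the certificates from the bug report)
SAMPLE_CHAIN = [
    ("root CA",         b"\x30\x03\x01\x01\xff"),             # cA TRUE
    ("intermediate CA", b"\x30\x06\x01\x01\xff\x02\x01\x00"),  # cA TRUE, pathLen 0
    ("server (DER)",    b"\x30\x00"),                          # cA omitted -> FALSE
    ("server (BER)",    b"\x30\x03\x01\x01\x00"),              # cA FALSE, explicit
    ("legacy CA",       None),                                 # no extension
]
```

With strict=True the sample yields only the root and intermediate CA; with strict=False the legacy CA without the extension is kept as well.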