GNOME Bugzilla – Bug 754264
GLib 2.44 certificate chain construction fails if the PEM includes a private key
Last modified: 2015-08-29 14:28:14 UTC
Since da053e345b4729a8a166eca54da257ae9accc7b1 GTlsCertificate has supported loading a list of certs into a GTlsCertificate with g_tls_certificate_new_from_pem()/g_tls_certificate_new_from_file()/g_tls_certificate_new_from_files(). This is different from the not-very-useful g_tls_certificate_list_new_from_file() in that the GTlsCertificate's issuer property will point to another GTlsCertificate, with the effect that the first GTlsCertificate can be set on a GTlsConnection to send an entire certificate chain to the peer, something that was not previously possible with GLib. Turns out this only works if there is no private key in the file: the current code is intolerant of anything following the final character of the final certificate in the file. The documentation doesn't say private keys are supported, but the new behavior is not really useful at all if private keys aren't supported, since that makes it impossible to use the GTlsCertificate with a GTlsConnection.
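As an added illustration of the parsing point above (this is example code written for this page, not GLib's gtlscertificate.c or the attached patch), the following standalone C scanner walks every `-----BEGIN <label>-----` / `-----END <label>-----` block in a PEM buffer in file order, records the CERTIFICATE blocks and the first private-key block, and keeps going after the last certificate instead of requiring it to end the buffer. The `pem_chain_issuer()` helper mirrors the issuer linkage the report describes (each certificate's issuer is the next one in the file); the sample PEM is constructed for the example, with placeholder base64 bodies rather than real DER.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BLOCKS 8
#define LABEL_MAX 32

/* One "-----BEGIN <label>-----" ... "-----END <label>-----" block. */
typedef struct {
    char label[LABEL_MAX];
    const char *body;      /* first byte after the BEGIN line */
    size_t body_len;       /* bytes up to the END line (still base64) */
} PemBlock;

typedef struct {
    PemBlock blocks[MAX_BLOCKS];
    int n_blocks;
    int cert_index[MAX_BLOCKS]; /* block indices of CERTIFICATE blocks, file order */
    int n_certs;
    int key_index;              /* block index of the first private key, or -1 */
} PemChain;

/* Parse every PEM block in `pem`, in order.  Bytes outside a block (blank
 * lines, comments, a private key after the last certificate) are skipped
 * rather than treated as a parse error, so the final certificate need not be
 * the last thing in the buffer.  Returns 0 on success, -1 if a BEGIN line has
 * no matching END line or the buffer holds no blocks at all. */
int pem_parse_chain(const char *pem, PemChain *out)
{
    const char *p = pem;
    memset(out, 0, sizeof *out);
    out->key_index = -1;

    for (;;) {
        const char *begin = strstr(p, "-----BEGIN ");
        if (!begin)
            break;
        const char *label = begin + strlen("-----BEGIN ");
        const char *label_end = strstr(label, "-----");
        if (!label_end)
            return -1;
        size_t label_len = (size_t)(label_end - label);
        if (label_len == 0 || label_len >= LABEL_MAX || out->n_blocks == MAX_BLOCKS)
            return -1;

        /* The END marker must carry the same label as the BEGIN marker. */
        char end_marker[LABEL_MAX + 16];
        snprintf(end_marker, sizeof end_marker, "-----END %.*s-----",
                 (int)label_len, label);
        const char *body = label_end + 5;
        while (*body == '\r' || *body == '\n')
            body++;
        const char *end = strstr(body, end_marker);
        if (!end)
            return -1;

        PemBlock *b = &out->blocks[out->n_blocks];
        memcpy(b->label, label, label_len);
        b->label[label_len] = '\0';
        b->body = body;
        b->body_len = (size_t)(end - body);

        if (strcmp(b->label, "CERTIFICATE") == 0)
            out->cert_index[out->n_certs++] = out->n_blocks;
        else if (strstr(b->label, "PRIVATE KEY") && out->key_index < 0)
            out->key_index = out->n_blocks;
        out->n_blocks++;

        /* Resume after the END line; whatever follows is parsed or skipped. */
        p = end + strlen(end_marker);
    }
    return out->n_blocks > 0 ? 0 : -1;
}

/* Issuer linkage as the report describes it for GTlsCertificate: certificate
 * i's issuer is the next certificate in the file, or -1 for the last one. */
int pem_chain_issuer(const PemChain *c, int i)
{
    return (i >= 0 && i + 1 < c->n_certs) ? i + 1 : -1;
}

/* A chain can only be presented on a TLS connection if the leaf certificate
 * comes with its private key. */
int pem_chain_usable_for_connection(const PemChain *c)
{
    return c->n_certs > 0 && c->key_index >= 0;
}

/* Constructed sample: leaf, intermediate, then the leaf's private key, with
 * trailing text after the key.  Bodies are placeholders, not real DER. */
static const char SAMPLE_CHAIN_WITH_KEY[] =
    "-----BEGIN CERTIFICATE-----\n"
    "TEVBRg==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "SU5URVJNRURJQVRF\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "S0VZ\n"
    "-----END PRIVATE KEY-----\n"
    "# trailing comment, tolerated\n";

int main(void)
{
    PemChain c;
    if (pem_parse_chain(SAMPLE_CHAIN_WITH_KEY, &c) != 0) {
        fprintf(stderr, "parse failed\n");
        return 1;
    }
    printf("%d certificate(s), key block %d, usable=%d\n",
           c.n_certs, c.key_index, pem_chain_usable_for_connection(&c));
    for (int i = 0; i < c.n_certs; i++)
        printf("cert %d (%zu base64 bytes) issuer -> %d\n", i,
               c.blocks[c.cert_index[i]].body_len, pem_chain_issuer(&c, i));
    return 0;
}
```

The scanner resumes after each END line regardless of what follows, so a key placed before the certificates, blank lines, or a comment after the final block are all accepted; only a BEGIN marker with no matching END marker is reported as an error.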
Created attachment 310224
GTlsCertificate: fix loading of chain with private key

If a private key (or anything, in fact) follows the final certificate in the file, certificate parsing will be aborted and only the first certificate in the chain will be returned, with the private key not set. Be tolerant of this, rather than expecting the final character in the file to be the newline following the last certificate.
Created attachment 310225
Add certificate chain construction test

Enhance GTestTlsBackend to allow setting the issuer property of GTlsCertificates, and add a test to ensure certificate chain construction with g_tls_certificate_new_from_pem() works as expected.
Attachment 310224 pushed as 587068c - GTlsCertificate: fix loading of chain with private key
Attachment 310225 pushed as 516adb9 - Add certificate chain construction test