PKCS#12 certs with embedded CA certs and GnuTLS

Joe Orton joe at manyfish.co.uk
Thu Oct 30 15:08:41 EDT 2008


This issue (Debian bug 480041) is almost certainly a neon bug.

I can reproduce the error with a PKCS#12 cert with an embedded CA cert; 
if anybody else seeing this problem can confirm it's fixed with the 
patch below, that would be great.

Regards, Joe

Index: src/ne_gnutls.c
===================================================================
--- src/ne_gnutls.c	(revision 1588)
+++ src/ne_gnutls.c	(working copy)
@@ -974,6 +974,10 @@
             switch (type) {
             case GNUTLS_BAG_PKCS8_KEY:
             case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
+                /* Ignore any but the first key encountered; really
+                 * need to match up keyids. */
+                if (*pkey) break;
+
                 gnutls_x509_privkey_init(pkey);
 
                 ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
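Review bot: The `if (*pkey) break;` guard at the top of the PKCS8 key case tests whether the handle was allocated, not whether a key was actually imported. `gnutls_x509_privkey_init(pkey)` sets `*pkey` before `gnutls_pkcs12_bag_get_data()` runs and before the `if (ret < 0) continue;` that ends this case (visible as context in the next hunk), so a first key bag that fails to decode leaves `*pkey` non-NULL and every later key bag is then skipped. Consider deinitialising the key and resetting `*pkey` to NULL on the failure paths, or tracking a successful import in a separate flag. The guard also relies on the caller passing `*pkey` as NULL, which these lines do not show, and the return value of `gnutls_x509_privkey_init()` is unchecked; a short comment or an explicit initialisation would make that assumption visible.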
@@ -986,6 +990,10 @@
                 if (ret < 0) continue;
                 break;
             case GNUTLS_BAG_CERTIFICATE:
+                /* Ignore any but the first cert encountered; again,
+                 * really need to match up keyids. */
+                if (*x5) break;
+
                 gnutls_x509_crt_init(x5);
 
                 ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
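Review bot: `if (*x5) break;` in the GNUTLS_BAG_CERTIFICATE case keeps whichever certificate bag is iterated first, which is the client certificate only when it precedes the embedded CA certificate in the file. With the opposite ordering the CA certificate would be paired with the private key and the later client certificate silently dropped. As the added comment already says, the robust approach is to match key ids: collect the bags first and select the certificate whose key id equals the private key's (GnuTLS provides `gnutls_x509_crt_get_key_id()` and `gnutls_x509_privkey_get_key_id()` for this). If that is deferred, state the ordering assumption at this guard so a mismatch is easier to diagnose.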



