From 08fda12858f9ea81f09cffaecf73da465ae964df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?=
Date: Thu, 28 Apr 2011 05:08:59 -0400
Subject: [PATCH] libnm-util: fix loading/verifying certificates to allow DER format (rh #699591)
The start and end tags '-----BEGIN/END CERTIFICATE-----' was checked first, which ruled out DER format. This is fixed now and a test is added.
---
 libnm-util/crypto.c | 19 ++++++++++++-------
 libnm-util/tests/Makefile.am | 3 +++
 libnm-util/tests/certs/Makefile.am | 1 +
 libnm-util/tests/certs/test_ca_cert.der | Bin 0 -> 1162 bytes
 4 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 libnm-util/tests/certs/test_ca_cert.der
diff --git a/libnm-util/crypto.c b/libnm-util/crypto.c
index ffb3cbdd8e..991b3c3e47 100644
--- a/libnm-util/crypto.c
+++ b/libnm-util/crypto.c
@@ -585,14 +585,19 @@ crypto_load_and_verify_certificate (const char *file,
 return contents;
 }
- array = extract_pem_cert_data (contents, error);
- if (!array) {
- g_byte_array_free (contents, TRUE);
- return NULL;
- }
+ /* Check for plain DER format */
+ if (contents->len > 2 && contents->data[0] == 0x30 && contents->data[1] == 0x82) {
+ *out_file_format = crypto_verify_cert (contents->data, contents->len, error);
+ } else {
+ array = extract_pem_cert_data (contents, error);
+ if (!array) {
+ g_byte_array_free (contents, TRUE);
+ return NULL;
+ }
- *out_file_format = crypto_verify_cert (array->data, array->len, error);
- g_byte_array_free (array, TRUE);
+ *out_file_format = crypto_verify_cert (array->data, array->len, error);
+ g_byte_array_free (array, TRUE);
+ }
 if (*out_file_format != NM_CRYPTO_FILE_FORMAT_X509) {
 g_byte_array_free (contents, TRUE);
diff --git a/libnm-util/tests/Makefile.am b/libnm-util/tests/Makefile.am
index 4e2a8a78e1..daf4d688e2 100644
--- a/libnm-util/tests/Makefile.am
+++ b/libnm-util/tests/Makefile.am
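Review bot: The DER sniff added to crypto_load_and_verify_certificate() in libnm-util/crypto.c hard-codes `0x30 0x82`, an ASN.1 SEQUENCE tag followed by a long-form length held in two bytes, so only files whose outer SEQUENCE is 256–65535 bytes long take the DER branch. Any other length encoding falls through to extract_pem_cert_data() and is presumably reported as a PEM problem rather than a DER one. The comment should state this limit, e.g. `/* DER: 0x30 = SEQUENCE, 0x82 = length in the next 2 bytes; other length forms are not recognised */`. The branch also hands the whole buffer to crypto_verify_cert() without comparing the length declared in bytes 2–3 against `contents->len`, so whether trailing bytes after the certificate are rejected depends on the backend, which is not visible here. If that matters, require `contents->len >= 4` and check the declared length before the call; the function starts and ends outside this hunk.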
@@ -93,6 +93,9 @@ check-local: test-settings-defaults test-crypto test-secrets # Another CA certificate $(abs_builddir)/test-crypto --cert $(srcdir)/certs/test2_ca_cert.pem +# Normal CA certificate (DER format) + $(abs_builddir)/test-crypto --cert $(srcdir)/certs/test_ca_cert.der + # CA certificate without an ending newline $(abs_builddir)/test-crypto --cert $(srcdir)/certs/ca-no-ending-newline.pem diff --git a/libnm-util/tests/certs/Makefile.am b/libnm-util/tests/certs/Makefile.am index 4cd8a24bc6..02d5a5f526 100644 --- a/libnm-util/tests/certs/Makefile.am +++ b/libnm-util/tests/certs/Makefile.am @@ -9,6 +9,7 @@ EXTRA_DIST = \ test_ca_cert.pem \ + test_ca_cert.der \ test_key_and_cert.pem \ test-cert.p12 \ test2_ca_cert.pem \ diff --git a/libnm-util/tests/certs/test_ca_cert.der b/libnm-util/tests/certs/test_ca_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..e844f65b2cddf05a6c862b6cf38d9691223b0e34 GIT binary patch literal 1162 zcmXqLVresIV$NH@%*4pV#L4i?CuW*j+_eh^ylk9WZ60mkc^Mg5Ss4r(I}EuEIN6v( zS=fY`LW2#33El3H8><1$0JG6qs`+c_DIIn@F zfe{EA8JZeJiSrs-8Wkw>Dac}Ts1SLMtXZnmz!tfo}csC)y%ru|2*MP z{C%ffnZaO1QU3L9JgHXUGJF^EYpfR4?w!k~DKqohmd0N0ctJFY{2@SY?)S6pPYOz@UUF_80DPmg^ zFYabyW@KPo-1xzu@vVU@FhR)jv52vV1R3iorByaPb=2#%-t_d$uYEI(`wSZQg5;H1 z8n+rWZfd})W?^IBlE&^q6#q>~`H2VQd|?(=17=3X|Hz2~n7e?9f{`KZ=w_+;&exs8 z>QCp~;ZJKlDE+D7fyON-%Zas3tG?|zR@5-##+Ret=6n9RYA>Fd@Z>t1_tXQ|+Kr^9 zsM)NWX!*wCyMgCit~BjCQU^{ioI3UV8SCx$eQGkA;xl%t3nlfl_*(lKELd=!lX-5% zv2$r(tLHl_7K_RVMEfO$t8TW5`R{OZ&B=+OM#AZrN;7q04u6UBbj!_M$>+`a``}i^ zOd~hR6Q*%)DVxqR+9j~?tqJ=7XeHBz$)~=Rosl#6?Y&^@OdGbDLfaHK-EceYD{vtx zWtLN>Q@nsu@T+HkmYN