GTlsCertificate: fix loading of bad certificate chains

g_tls_certificate_new_from_file() was only loading the complete chain
if it was fully valid, but we only meant to be validating that it
formed an actual chain (since the caller may be planning to ignore
other errors).

https://bugzilla.gnome.org/show_bug.cgi?id=729739
This commit is contained in:
Dan Winship 2014-10-28 15:08:43 -04:00
parent 0728e62be8
commit 982d0e11d7

View File

@ -387,14 +387,14 @@ create_certificate_chain_from_list (GSList *pem_list,
pem = g_slist_next (pem);
}
/* Verify the certificate chain and return NULL if it doesn't
* verify. */
/* Verify that the certificates form a chain. (We don't care at this
* point if there are other problems with it.)
*/
flags = g_tls_certificate_verify (cert, NULL, root);
if (flags)
if (flags & G_TLS_CERTIFICATE_UNKNOWN_CA)
{
/* Couldn't verify the certificate chain, so unref it. */
g_object_unref (cert);
cert = NULL;
/* It wasn't a chain, it's just a bunch of unrelated certs. */
g_clear_object (&cert);
}
return cert;