gtlscertificate: Allow any type of private key in PEM files

Allow any type of private key in PEM files by treating PEM guards ending with "PRIVATE KEY-----" as a private key instead of looking for a pre-defined set of PEM guards. This enables the possibility for custom GTlsBackend to add support for new key types. Test cases have been expanded to ensure PEM parsing works for private key when either header or footer is missing. Encrypted PKCS#8 is still rejected. Test case has been added for this to ensure behaviour is the same before and after this change.
2025-09-06 16:08:43 +02:00 · 2018-12-10 08:48:45 +01:00
parent 73ca761a8d
commit a437a50694
6 changed files with 128 additions and 45 deletions
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -260,6 +260,22 @@ from_files (const Reference *ref)
  g_clear_error (&error);
  g_assert_null (cert);

+  /* Missing header private key */
+  cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert1.pem", NULL),
+                                           g_test_get_filename (G_TEST_DIST, "cert-tests", "key_missing-header.pem", NULL),
+                                           &error);
+  g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+  g_clear_error (&error);
+  g_assert_null (cert);
+
+  /* Missing footer private key */
+  cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert1.pem", NULL),
+                                           g_test_get_filename (G_TEST_DIST, "cert-tests", "key_missing-footer.pem", NULL),
+                                           &error);
+  g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+  g_clear_error (&error);
+  g_assert_null (cert);
+
  /* Missing certificate */
  cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "key.pem", NULL),
                                           g_test_get_filename (G_TEST_DIST, "cert-tests", "key.pem", NULL),
@@ -333,6 +349,21 @@ from_files_pkcs8 (const Reference *ref)
  g_object_unref (cert);
 }

+static void
+from_files_pkcs8enc (const Reference *ref)
+{
+  GTlsCertificate *cert;
+  GError *error = NULL;
+
+  /* Mare sure an error is returned for encrypted key */
+  cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert1.pem", NULL),
+                                           g_test_get_filename (G_TEST_DIST, "cert-tests", "key8enc.pem", NULL),
+                                           &error);
+  g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+  g_clear_error (&error);
+  g_assert_null (cert);
+}
+
 static void
 list_from_file (const Reference *ref)
 {
@@ -429,6 +460,8 @@ main (int   argc,
                        &ref, (GTestDataFunc)from_files_crlf);
  g_test_add_data_func ("/tls-certificate/from_files_pkcs8",
                        &ref, (GTestDataFunc)from_files_pkcs8);
+  g_test_add_data_func ("/tls-certificate/from_files_pkcs8enc",
+                        &ref, (GTestDataFunc)from_files_pkcs8enc);
  g_test_add_data_func ("/tls-certificate/list_from_file",
                        &ref, (GTestDataFunc)list_from_file);