From 440801eaa6333f03a46e57c59e4d97764391afae Mon Sep 17 00:00:00 2001
From: Marti Raudsepp
Date: Mon, 3 Sep 2012 20:58:54 +0300
Subject: [PATCH] Fix gnutls_x509_trust_list_add_trust_mem with DER-format certificates.
The function took a "type" argument and then happily proceeded to ignore it and try PEM format anyway. Most importantly, this makes gnutls_x509_trust_list_add_system_trust work on Windows, which loads DER certificates using this function. I'll be damned if that actually ever worked properly -- certainly not in any git version. :) Also added test for gnutls_x509_trust_list_add_trust_mem.
Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/verify-high2.c | 4 ++--
 tests/x509cert-tl.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index d76a0f204..b0d547124 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -69,7 +69,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 if (cas != NULL && cas->data != NULL)
 {
- ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, GNUTLS_X509_FMT_PEM, 0);
+ ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, type, 0);
 if (ret < 0)
 return gnutls_assert_val(ret);
@@ -84,7 +84,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 if (crls != NULL && crls->data != NULL)
 {
- ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, crls, GNUTLS_X509_FMT_PEM, 0);
+ ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, crls, type, 0);
 if (ret < 0)
 return gnutls_assert_val(ret);
diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c
index b0831beaa..0c432723e 100644
--- a/tests/x509cert-tl.c
+++ b/tests/x509cert-tl.c
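Review bot: `type` is now forwarded unchanged to gnutls_x509_crt_list_import2, and the crls hunk at line 84 forwards the same value, but nothing in either hunk states that one format governs both `cas` and `crls`, and the function's doc comment sits above the hunk where that contract belongs. As far as I recall the list importer's DER path handles a single object per datum, so a DER `cas` blob would yield at most one anchor per call — worth confirming against gnutls_x509_crt_list_import and recording, since the commit message motivates the change with the Windows system-trust loader feeding DER data. Suggested wording for the `@type:` line of the doc comment: `@type: The format of the CAs and CRLs (GNUTLS_X509_FMT_PEM or GNUTLS_X509_FMT_DER); the same format applies to both datums`. The signature and the remainder of gnutls_x509_trust_list_add_trust_mem lie outside the hunk.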
@@ -131,6 +131,46 @@ static unsigned char server_key_pem[] =
 "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
 "-----END RSA PRIVATE KEY-----\n";
+static unsigned char cert_der[602] =
+ "\x30\x82\x02\x56\x30\x82\x01\xc1\xa0\x03\x02\x01\x02\x02\x04\x46"
+ "\x26\x1d\x31\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
+ "\x30\x19\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0e\x47\x6e\x75"
+ "\x54\x4c\x53\x20\x74\x65\x73\x74\x20\x43\x41\x30\x1e\x17\x0d\x30"
+ "\x37\x30\x34\x31\x38\x31\x33\x32\x39\x32\x31\x5a\x17\x0d\x30\x38"
+ "\x30\x34\x31\x37\x31\x33\x32\x39\x32\x31\x5a\x30\x37\x31\x1b\x30"
+ "\x19\x06\x03\x55\x04\x0a\x13\x12\x47\x6e\x75\x54\x4c\x53\x20\x74"
+ "\x65\x73\x74\x20\x73\x65\x72\x76\x65\x72\x31\x18\x30\x16\x06\x03"
+ "\x55\x04\x03\x13\x0f\x74\x65\x73\x74\x2e\x67\x6e\x75\x74\x6c\x73"
+ "\x2e\x6f\x72\x67\x30\x81\x9c\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7"
+ "\x0d\x01\x01\x01\x03\x81\x8c\x00\x30\x81\x88\x02\x81\x80\xd7\xba"
+ "\x5c\xaf\xa3\x0c\xf0\x2e\xa9\x27\x56\xaa\x53\x8e\xa8\xeb\x7f\x81"
+ "\x75\x4c\x6b\x98\xbe\x4a\xea\xb7\x1e\xf8\x4b\xc3\x6a\xc4\xda\x0d"
+ "\x00\xb8\xea\x4c\x13\x1f\x36\x16\x93\xde\x72\xef\xc6\xa4\x5e\xb2"
+ "\x6e\xb6\xca\x0a\x88\x55\x75\x90\x96\xed\xa6\x57\xbc\x0c\x3b\x76"
+ "\x0d\x97\x1e\xbd\xe9\xec\x7f\xd3\xa9\xec\xfb\x85\x64\xa0\x6b\xa0"
+ "\x48\xce\x77\x7e\x73\x9c\x31\x13\xff\x3d\xc8\xae\xa5\x60\x6e\xd9"
+ "\xb6\x8c\x5a\x9a\x6f\xb6\xbe\x9f\x6a\xbd\xa7\xf0\xa0\x33\x27\xf5"
+ "\xb7\x1d\x92\xe5\x96\x9c\x73\x52\xd6\x9f\xd6\xc8\x8e\xb1\x02\x03"
+ "\x01\x00\x01\xa3\x81\x93\x30\x81\x90\x30\x0c\x06\x03\x55\x1d\x13"
+ "\x01\x01\xff\x04\x02\x30\x00\x30\x1a\x06\x03\x55\x1d\x11\x04\x13"
+ "\x30\x11\x82\x0f\x74\x65\x73\x74\x2e\x67\x6e\x75\x74\x6c\x73\x2e"
+ "\x6f\x72\x67\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08"
+ "\x2b\x06\x01\x05\x05\x07\x03\x01\x30\x0f\x06\x03\x55\x1d\x0f\x01"
+ "\x01\xff\x04\x05\x03\x03\x07\xa0\x00\x30\x1d\x06\x03\x55\x1d\x0e"
+ "\x04\x16\x04\x14\xeb\xc7\x45\x6e\xe5\xf8\x25\xca\x8c\x8d\x83\x0d"
+ "\x74\xe9\x86\xd4\xdd\x55\xb4\x75\x30\x1f\x06\x03\x55\x1d\x23\x04"
+ "\x18\x30\x16\x80\x14\xe9\x3c\x1c\xfb\xad\x92\x6e\xe6\x06\xa4\x56"
+ "\x2c\xa2\xe1\xc0\x53\x27\xc8\xf2\x95\x30\x0b\x06\x09\x2a\x86\x48"
+ "\x86\xf7\x0d\x01\x01\x05\x03\x81\x81\x00\x68\x51\x0f\x4e\xdf\xbb"
+ "\x6f\x3b\xc1\xb8\xe7\xfb\xf9\x09\x9e\x41\xc9\xf6\xf6\x44\xfa\x06"
+ "\xcc\xa1\xd5\x11\xc9\x5d\xff\x0a\x4e\x4e\x50\x45\xfc\x29\xea\x88"
+ "\x1b\xa7\xde\x09\x41\x67\x0d\x43\xf4\xbb\x60\x31\x47\x82\x50\xf5"
+ "\x03\x05\x0d\x05\x15\xf0\x77\x7a\xe2\x52\xc3\x27\xb3\x18\x1e\x48"
+ "\x3c\x58\x05\xf2\x58\x6c\x32\xde\xa2\x13\x41\xb2\xa6\x8f\x0c\x96"
+ "\xfb\x5d\xa8\xa5\x59\xb3\x10\x29\xf0\x1b\x15\x0f\x1c\x9c\xec\x60"
+ "\xac\xe2\x8b\x51\x04\x56\x27\x42\xb7\x1f\x25\xd1\x32\x16\xea\x8d"
+ "\xd2\xc8\x69\x08\x82\xbd\x02\xee\x8b\x3a";
+
 const gnutls_datum_t server_key = { server_key_pem, sizeof (server_key_pem) };
@@ -151,6 +191,7 @@ void
 doit (void)
 {
 int ret;
+ gnutls_datum_t data;
 gnutls_x509_crt_t server_crt, ca_crt;
 gnutls_x509_trust_list_t tl;
 unsigned int status;
@@ -201,6 +242,19 @@ doit (void)
 if (ret < 0 || status == 0)
 fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
+ /* test convenience functions in verify-high2.c */
+ data.data = cert_pem;
+ data.size = strlen(cert_pem);
+ ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
+ if (ret < 1)
+ fail("gnutls_x509_trust_list_add_trust_mem: %d\n", __LINE__);
+
+ data.data = cert_der;
+ data.size = sizeof(cert_der);
+ ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0);
+ if (ret < 1)
+ fail("gnutls_x509_trust_list_add_trust_mem: %d\n", __LINE__);
+
 gnutls_x509_crt_deinit(ca_crt);
 gnutls_x509_crt_deinit(server_crt);
 gnutls_x509_trust_list_deinit(tl, 0);
-- 
2.11.4.GIT
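Review bot: `cert_der[602]` carries no comment saying what the blob is or why the bound is spelled out; the explicit 602 (37 lines of 16 bytes plus a final 10, matching the outer SEQUENCE length 0x256 + 4) makes the array exactly the encoded size, so the string literal's terminating NUL is silently dropped — legal in C, an error in C++ — and that is precisely what makes the later `sizeof(cert_der)` the correct DER length. Anyone who re-generates the blob has to update the bound in step, or `sizeof` will be off by one. The printable bytes identify it as the "GnuTLS test server" certificate for test.gnutls.org issued by "GnuTLS test CA" with a 2007-04-18 to 2008-04-17 validity window, so it is long expired; harmless for a count-only add_trust_mem check, but worth stating so nobody reuses it in a chain verification. Suggested comment above the declaration: `/* DER form of the "GnuTLS test server" certificate (CN=test.gnutls.org), expired 2008. The exact bound drops the literal's NUL so that sizeof() is the DER length. */`.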
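Review bot: `data.size = strlen(cert_pem)` passes what is most likely an `unsigned char` array (the sibling `server_key_pem` in this file's first hunk is declared `static unsigned char`) to strlen without a cast, which GCC reports under -Wpointer-sign, and it is asymmetric with the DER case a few lines below that uses `sizeof`; `cert_pem` is declared outside the hunk, so confirm its type. If it is a NUL-terminated `unsigned char[]`, `data.size = sizeof(cert_pem) - 1;` gives the same length without the cast, otherwise `data.size = strlen((const char *) cert_pem);`. Both checks use `ret < 1`, which relies on gnutls_x509_trust_list_add_trust_mem returning the number of certificates added rather than 0 on success; a comment such as `/* returns the number of certificates added, so 0 is a failure too */` above the first call would make that explicit. doit's body continues outside the hunk.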