authorjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2005-11-28 11:04:31 +0000
committerjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2005-11-28 11:04:31 +0000
commit714dd79720d6e6ff8dfb1bc2fae3ec716aec25cb (patch)
tree65328570b94b0b92ab133a508762d97a922af5c5
parentbae5c341934999331f859535097860f419cc8265 (diff)
downloadneon-714dd79720d6e6ff8dfb1bc2fae3ec716aec25cb.tar.gz
Merge r759, r760, r761 from trunk:
* src/ne_openssl.c (ne_ssl_clicert_decrypt): Check that private key/cert match. * test/makekeys.sh: Create a PKCS#12 client cert with embedded CA cert. * test/Makefile.in (clean): Clean all PKCS#12 certs. * test/ssl.c (load_client_cert): Load the new cert. * test/ssl.c (wildcard_init): Update error message now most hostname commands should work OK. git-svn-id: http://svn.webdav.org/repos/projects/neon/branches/0.25.x@762 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
-rw-r--r--src/ne_openssl.c8
-rw-r--r--test/Makefile.in2
-rwxr-xr-xtest/makekeys.sh3
-rw-r--r--test/ssl.c11
4 files changed, 21 insertions, 3 deletions
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index e95f0b7..794858c 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -792,6 +792,14 @@ int ne_ssl_clicert_decrypt(ne_ssl_client_cert *cc, const char *password)
return -1;
}
+ if (X509_check_private_key(cert, pkey) != 1) {
+ ERR_clear_error();
+ X509_free(cert);
+ EVP_PKEY_free(pkey);
+ NE_DEBUG(NE_DBG_SSL, "Decrypted private key/cert are not matched.");
+ return -1;
+ }
+
PKCS12_free(cc->p12);
populate_cert(&cc->cert, cert);
cc->pkey = pkey;
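Review bot: The new consistency check on the added `if (X509_check_private_key(cert, pkey) != 1)` line carries no comment saying why a PKCS#12 bundle that parsed and decrypted cleanly can still hand back a key and cert that do not belong together, which is the whole reason for the change; a why-comment above the `if` would help the next reader, e.g. `/* PKCS12_parse can return a cert that does not belong to pkey (the bundle may carry extra CA certs); reject the pair rather than expose an unusable client cert. */`. The debug string also reads awkwardly: `"Decrypted private key/cert are not matched."` would be clearer as `"Decrypted private key and cert do not match."`. Comparing against `!= 1` is the right test since X509_check_private_key reports a match only as 1, and calling ERR_clear_error() after it keeps the mismatch off the OpenSSL error queue for later callers. ne_ssl_clicert_decrypt begins before this hunk, so I cannot see whether the earlier `return -1` path frees cert and pkey the same way this new path does.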
diff --git a/test/Makefile.in b/test/Makefile.in
index a0ccf24..d633940 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -68,7 +68,7 @@ clean:
rm -f *.gc* *.da *.bb* common/*.bb* common/*.gc* common/*.da
rm -rf ca .libs
rm -f ca-stamp client.key *.csr ssigned.pem wrongcn.pem \
- server.cert client.cert client.p12 *.cert sparse.bin
+ server.cert client.cert *.p12 *.cert sparse.bin
check: $(TESTS) $(HELPERS)
@SRCDIR=$(srcdir) $(SHELL) $(srcdir)/run.sh $(TESTS)
diff --git a/test/makekeys.sh b/test/makekeys.sh
index 81a044b..586ed6f 100755
--- a/test/makekeys.sh
+++ b/test/makekeys.sh
@@ -171,6 +171,9 @@ echo | ${MKPKCS12} -name "An Unencrypted Neon Client Cert" -out unclient.p12
# generate a PKCS#12 cert with no friendly name
echo | ${MKPKCS12} -out noclient.p12
+# a PKCS#12 cert including a bundled CA cert
+echo foobar | ${MKPKCS12} -certfile ca/cert.pem -name "A Neon Client Cert With CA" -out clientca.p12
+
### a file containing a complete chain
cat ca/cert.pem server.cert > chain.pem
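Review bot: The passphrase piped on the added `echo foobar |` line is an unstated contract with test/ssl.c, where load_client_cert decrypts clientca.p12 with the literal "foobar"; the comment on the line above should record that, e.g. `# a PKCS#12 cert including a bundled CA cert; passphrase "foobar" must match load_client_cert() in ssl.c`. The two earlier exports in this hunk use an empty passphrase (`echo |`), so without the note a reader may assume this one does too. `${MKPKCS12}` is defined outside the hunk, so I cannot confirm which openssl pkcs12 options it fixes or whether `-certfile` is the only way the CA cert enters the bundle.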
diff --git a/test/ssl.c b/test/ssl.c
index 0f8683c..c57df3c 100644
--- a/test/ssl.c
+++ b/test/ssl.c
@@ -1,6 +1,6 @@
/*
neon test suite
- Copyright (C) 2002-2004, Joe Orton <joe@manyfish.co.uk>
+ Copyright (C) 2002-2005, Joe Orton <joe@manyfish.co.uk>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -368,6 +368,13 @@ static int load_client_cert(void)
ONV(name != NULL, ("noclient.p12 had friendly name `%s'", name));
ne_ssl_clicert_free(cc);
+ /* test for ccert without a friendly name, noclient.p12 */
+ cc = ne_ssl_clicert_read("clientca.p12");
+ ONN("could not load clientca.p12", cc == NULL);
+ ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
+ ONN("could not decrypt clientca.p12", ne_ssl_clicert_decrypt(cc, "foobar"));
+ ne_ssl_clicert_free(cc);
+
/* tests for loading bogus files. */
cc = ne_ssl_clicert_read("Makefile");
ONN("loaded Makefile as client cert!?", cc != NULL);
@@ -482,7 +489,7 @@ static int wildcard_init(void)
struct stat stbuf;
t_context("wildcard.cert not found:\n"
- "This test requires a Linux-like hostname command, see makekeys.sh");
+ "Could not determine hostname/FQDN from makekeys.sh");
PRECOND(stat("wildcard.cert", &stbuf) == 0);
PRECOND(lookup_hostname() == OK);
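Review bot: The comment introduced at the top of the added block in load_client_cert, `/* test for ccert without a friendly name, noclient.p12 */`, is copied from the preceding noclient.p12 block and describes the wrong fixture; the block loads clientca.p12, so it should read `/* test for ccert with a bundled CA cert, clientca.p12 */`. The block only asserts that ne_ssl_clicert_decrypt returns 0; since the point of this merge is the new X509_check_private_key check in ne_openssl.c, an additional assertion on the decrypted cert's identity (presumably via ne_ssl_clicert_owner and the subject, if that is what the rest of the suite uses) would pin that the client cert rather than the bundled CA cert was paired with the key. load_client_cert begins and ends outside the hunk, so I cannot see whether such a check already exists elsewhere in it.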