authorjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2008-10-30 20:10:40 +0000
committerjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2008-10-30 20:10:40 +0000
commit86f4e40ff4f617573e4eee69db71ffc7f6493ccf (patch)
tree994163d06a1e3c849c4818eab77bf7433e4547b9 /src/ne_gnutls.c
parent2e41a622add67882c4c552816732635576767a1a (diff)
* src/ne_gnutls.c (pkcs12_parse): Ignore any but the first key or cert
encountered. Should fix issues with PKCS#12 files with embedded CA certs, see Debian bug 480041. * test/ssl.c (client_cert_ca): Add test case. git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1589 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
Diffstat (limited to 'src/ne_gnutls.c')
-rw-r--r--src/ne_gnutls.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c
index 5d58a9d..d2cf207 100644
--- a/src/ne_gnutls.c
+++ b/src/ne_gnutls.c
@@ -974,6 +974,10 @@ static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
switch (type) {
case GNUTLS_BAG_PKCS8_KEY:
case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
+ /* Ignore any but the first key encountered; really
+ * need to match up keyids. */
+ if (*pkey) break;
+
gnutls_x509_privkey_init(pkey);
ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
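Review bot: The new `if (*pkey) break;` guard treats any non-NULL handle as "key already loaded", but `gnutls_x509_privkey_init(pkey)` sets the handle before the bag data is fetched and imported, so a key bag that fails after the init leaves an empty handle behind and every later key bag is then skipped. The failure paths are outside this hunk (the `if (ret < 0) continue;` at the top of the next hunk looks like the tail of this case), so this is inferred from the visible lines. On those paths I would release and reset the handle before the `continue`: `gnutls_x509_privkey_deinit(*pkey); *pkey = NULL;`. The same applies to `*x5` after `gnutls_x509_crt_init(x5)` in the certificate case of the second hunk, using `gnutls_x509_crt_deinit`. Both guards also depend on the caller passing `*pkey` and `*x5` in as NULL, which the function's header comment should state.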
@@ -986,6 +990,10 @@ static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
if (ret < 0) continue;
break;
case GNUTLS_BAG_CERTIFICATE:
+ /* Ignore any but the first cert encountered; again,
+ * really need to match up keyids. */
+ if (*x5) break;
+
gnutls_x509_crt_init(x5);
ret = gnutls_pkcs12_bag_get_data(bag, j, &data);
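Review bot: Keeping the first certificate makes the key/certificate pairing depend on bag order, so a file that stores a CA certificate ahead of the client certificate leaves `*x5` holding a certificate that does not belong to `*pkey`. The added comment should spell out that consequence, for example `/* FIXME: first cert wins; a CA cert stored before the client cert is paired with the wrong key. */`. Until key ids are matched while parsing, a check after the loop that compares `gnutls_x509_privkey_get_key_id()` with `gnutls_x509_crt_get_key_id()` and fails the parse on a mismatch would turn a silent mispairing into an explicit error. The case body continues past the end of this hunk.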