GnuTLS can accept PKCS#12 certs with either empty or NULL passwords[1], but unlike OpenSSL[2], both options need to be tried separately.
[1] https://gitorious.org/gnutls/gnutls/commit/7c4c21c0e84a539558e3e1689d8a7b8a2c4c0056
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a331a305e9c9c5353bd42db6dbda78a418285708
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 gnutls.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gnutls.c b/gnutls.c
index 36164db..7400d17 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -345,7 +345,15 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
 pass = vpninfo->cert_password;
 while ((err = gnutls_pkcs12_verify_mac(p12, pass)) == GNUTLS_E_MAC_VERIFY_FAILED) {
- if (pass)
+ if (!pass) {
+ /* OpenSSL's PKCS12_parse() code will try both NULL and "" automatically,
+ * but GnuTLS requires two separate attempts. */
+ err = gnutls_pkcs12_verify_mac(p12, "");
+ if (err != GNUTLS_E_MAC_VERIFY_FAILED) {
+ pass = strdup("");
+ break;
+ }
+ } else
 vpn_progress(vpninfo, PRG_ERR,
 _("Failed to decrypt PKCS#12 certificate file\n"));
 free(pass);
-- 
1.7.9.5
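Review bot: The `pass = strdup("")` in the new empty-password branch is unchecked, so on allocation failure the loop breaks with `pass == NULL` while `err` still reports that the "" MAC check succeeded, and whatever uses `pass` after the loop (outside this hunk) would then hand GnuTLS a NULL password — the very case the commit says GnuTLS treats differently from "". A two-line change keeps the error visible to the caller: `pass = strdup("");` followed by `if (!pass) err = GNUTLS_E_MEMORY_ERROR;` before the `break;`. The `strdup` is still needed here, since the loop's later `free(pass)` implies `pass` is always heap-owned once it leaves `vpninfo->cert_password`; a one-line comment such as `/* heap copy so the caller's free(pass) stays valid */` would make that ownership rule explicit. Note also that a verify_mac error other than success or MAC_VERIFY_FAILED now exits the loop through this same path with `pass` set, which appears intended but is worth a word in the comment. `load_pkcs12_certificate` continues beyond the end of the hunk, so the handling of `err` after the loop is not visible here.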