[glib-networking/glib-2-30] gnutls: correctly handle self-signed anchor certificates
- From: Dan Winship <danw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/glib-2-30] gnutls: correctly handle self-signed anchor certificates
- Date: Fri, 30 Sep 2011 00:41:21 +0000 (UTC)
commit 03f313721ddd1488a078c0087ba5826829a9aff0
Author: Dan Winship <danw gnome org>
Date: Thu Sep 29 14:49:38 2011 -0400
gnutls: correctly handle self-signed anchor certificates
If a self-signed certificate is an anchor in the database, then it
should verify successfully according to g_tls_database_verify_chain(); we were
accidentally reporting G_TLS_CERTIFICATE_UNKNOWN_CA in this case, because
the self-signed check ran before the anchor lookup.
https://bugzilla.gnome.org/show_bug.cgi?id=660508
tls/gnutls/gtlsdatabase-gnutls.c | 32 ++++++++++++++++----------------
1 files changed, 16 insertions(+), 16 deletions(-)
---
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index 18d46fa..f986de7 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -92,7 +92,7 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
g_tls_certificate_gnutls_set_issuer (certificate, NULL);
return STATUS_PINNED;
}
- else if(*error)
+ else if (*error)
{
return STATUS_FAILURE;
}
@@ -102,7 +102,21 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
if (g_cancellable_set_error_if_cancelled (cancellable, error))
return STATUS_FAILURE;
- /* Was the last certificate self-signed? */
+ /* Look up whether this certificate is an anchor */
+ if (g_tls_database_gnutls_lookup_assertion (self, certificate,
+ G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE,
+ purpose, identity, cancellable, error))
+ {
+ g_tls_certificate_gnutls_set_issuer (certificate, NULL);
+ *anchor = certificate;
+ return STATUS_ANCHORED;
+ }
+ else if (*error)
+ {
+ return STATUS_FAILURE;
+ }
+
+ /* Is it self-signed? */
if (is_self_signed (certificate))
{
g_tls_certificate_gnutls_set_issuer (certificate, NULL);
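Review bot: The fix depends entirely on statement order — the anchor lookup must run before `is_self_signed (certificate)` — but nothing in the new code says so, and a later reordering would silently reintroduce the UNKNOWN_CA result for self-signed anchors. I would replace the bare `/* Look up whether this certificate is an anchor */` with `/* Anchor lookup must precede the self-signed test: a self-signed root that is in the database is STATUS_ANCHORED, not an untrusted root (bug 660508). */`, and change `/* Is it self-signed? */` to `/* Not an anchor; is it an untrusted self-signed root? */`. Note also that `else if (*error)` dereferences `error` unconditionally, as the existing check earlier in the function already does, so this is only safe if every caller passes a non-NULL GError** — worth confirming rather than assuming. build_certificate_chain begins before this hunk and the self-signed branch continues past it.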
@@ -135,20 +149,6 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
g_assert (issuer);
certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
-
- /* Now look up whether this certificate is an anchor */
- if (g_tls_database_gnutls_lookup_assertion (self, certificate,
- G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE,
- purpose, identity, cancellable, error))
- {
- g_tls_certificate_gnutls_set_issuer (certificate, NULL);
- *anchor = certificate;
- return STATUS_ANCHORED;
- }
- else if (*error)
- {
- return STATUS_FAILURE;
- }
}
g_assert_not_reached ();