Bug 443770 - "Use FSID for key passphrase" fails when private key is empty
Status: RESOLVED FIXED
Alias: None
Product: plasma-nm
Classification: Plasma
Component: general
Version: master
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Jan Grulich
Reported: 2021-10-15 09:58 UTC by Raphael Kubo da Costa
Modified: 2021-10-15 15:45 UTC
Version Fixed In: 5.23.1

Description Raphael Kubo da Costa 2021-10-15 09:58:06 UTC
It is possible to have only a user certificate (e.g. certificate.p12) in combination with the "Use FSID for key passphrase" option without an accompanying private key being passed.

This is not working as expected when the private key field is empty, as I am now prompted for a key password that should've been retrieved from the FSID in the first place.
Comment 1 Bug Janitor Service 2021-10-15 09:59:00 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/83
Comment 2 Raphael Kubo da Costa 2021-10-15 10:07:16 UTC
Git commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430 by Raphael Kubo da Costa.
Committed on 15/10/2021 at 09:58.
Pushed by grulich into branch 'master'.

openconnect: Make FSID passphrase + empty private key combination work.

It should be possible to use an FSID-protected key passphrase with a user
certificate and no private key.

This was not working as expected because we were always calling
openconnect_set_client_cert() with QByteArray::data(). The latter will pass
an empty string rather than nullptr if it is empty, which can be the case
for `key` if it is not set. This causes openconnect_set_client_cert() to use
that empty string rather than handle the null argument case, and we would be
unexpectedly prompted for a key password when trying to connect.

Avoid running into this by explicitly passing `nullptr` when we have an
empty `key`.

M  +1    -1    vpn/openconnect/openconnectauth.cpp

https://invent.kde.org/plasma/plasma-nm/commit/a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430
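
The pitfall described in the commit message above, as an added example that is not plasma-nm or libopenconnect code. Assumptions: `std::string::c_str()` stands in for `QByteArray::data()` (both return a pointer to an empty string, never a null pointer, for an empty buffer), and `set_client_cert_model`, `c_str_or_null`, `configure_before` and `configure_after` are hypothetical names.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for a C API with an optional string argument.
// As in the commit message, only a NULL `key` selects the "no key
// supplied" path; an empty string still counts as a supplied key path.
// What the real library does on each path is not modelled here.
enum KeyMode { KEY_NOT_SUPPLIED, KEY_PATH_GIVEN };

static KeyMode set_client_cert_model(const char *cert, const char *key) {
    (void)cert;  // the certificate argument is irrelevant to this check
    return key == nullptr ? KEY_NOT_SUPPLIED : KEY_PATH_GIVEN;
}

// Map an empty buffer to nullptr, otherwise expose its C string.
static const char *c_str_or_null(const std::string &s) {
    return s.empty() ? nullptr : s.c_str();
}

// Before the fix: the buffer's data pointer is always passed through,
// so an empty key field reaches the API as "" rather than NULL.
KeyMode configure_before(const std::string &cert, const std::string &key) {
    return set_client_cert_model(cert.c_str(), key.c_str());
}

// After the fix: an empty key field is passed explicitly as nullptr.
KeyMode configure_after(const std::string &cert, const std::string &key) {
    return set_client_cert_model(cert.c_str(), c_str_or_null(key));
}

static const char *describe(KeyMode m) {
    return m == KEY_NOT_SUPPLIED ? "no key supplied (NULL)"
                                 : "key path given";
}

int main() {
    const std::string cert = "certificate.p12";  // file name from the report
    const std::string empty_key;                 // private key field left empty
    const std::string real_key = "user.key";     // constructed sample value

    std::printf("before, empty key: %s\n", describe(configure_before(cert, empty_key)));
    std::printf("after,  empty key: %s\n", describe(configure_after(cert, empty_key)));
    std::printf("after,  real key:  %s\n", describe(configure_after(cert, real_key)));
    return 0;
}
```
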
Comment 3 Jan Grulich 2021-10-15 10:07:59 UTC
Git commit de0d41556adf7f9976c8b7febeb2569aed772d27 by Jan Grulich, on behalf of Raphael Kubo da Costa.
Committed on 15/10/2021 at 10:07.
Pushed by grulich into branch 'cherry-pick-a76f4d4b'.

openconnect: Make FSID passphrase + empty private key combination work.

It should be possible to use an FSID-protected key passphrase with a user
certificate and no private key.

This was not working as expected because we were always calling
openconnect_set_client_cert() with QByteArray::data(). The latter will pass
an empty string rather than nullptr if it is empty, which can be the case
for `key` if it is not set. This causes openconnect_set_client_cert() to use
that empty string rather than handle the null argument case, and we would be
unexpectedly prompted for a key password when trying to connect.

Avoid running into this by explicitly passing `nullptr` when we have an
empty `key`.


(cherry picked from commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430)

M  +1    -1    vpn/openconnect/openconnectauth.cpp

https://invent.kde.org/plasma/plasma-nm/commit/de0d41556adf7f9976c8b7febeb2569aed772d27
Comment 4 Jan Grulich 2021-10-15 10:08:44 UTC
Git commit c9f4c07157c269fcf9bd41981bc534d2f8b5e43b by Jan Grulich, on behalf of Raphael Kubo da Costa.
Committed on 15/10/2021 at 10:08.
Pushed by grulich into branch 'Plasma/5.23'.

openconnect: Make FSID passphrase + empty private key combination work.

It should be possible to use an FSID-protected key passphrase with a user
certificate and no private key.

This was not working as expected because we were always calling
openconnect_set_client_cert() with QByteArray::data(). The latter will pass
an empty string rather than nullptr if it is empty, which can be the case
for `key` if it is not set. This causes openconnect_set_client_cert() to use
that empty string rather than handle the null argument case, and we would be
unexpectedly prompted for a key password when trying to connect.

Avoid running into this by explicitly passing `nullptr` when we have an
empty `key`.


(cherry picked from commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430)

M  +1    -1    vpn/openconnect/openconnectauth.cpp

https://invent.kde.org/plasma/plasma-nm/commit/c9f4c07157c269fcf9bd41981bc534d2f8b5e43b