It is possible to have only a user certificate (e.g. certificate.p12) in combination with the "Use FSID for key passphrase" option without an accompanying private key being passed. This is not working as expected when the private key field is empty, as I am now prompted for a key password that should've been retrieved from the FSID in the first place.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/83
Git commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430 by Raphael Kubo da Costa. Committed on 15/10/2021 at 09:58. Pushed by grulich into branch 'master'. openconnect: Make FSID passphrase + empty private key combination work. It should be possible to usen FSID-protected key passphrase with a user certificate and no private key. This was not working as expected because we were always calling openconnect_set_client_cert() with QByteArray::data(). The latter will pass an empty string rather than nullptr if it is empty, which can be the case for `key` if it is not set. This causes openconnect_set_client_cert() to use that empty string rather than handle the null argument case, and we would be unexpectedly prompted for a key password when trying to connect. Avoid running into this by explicitly passing `nullptr` when we have an empty `key`. M +1 -1 vpn/openconnect/openconnectauth.cpp https://invent.kde.org/plasma/plasma-nm/commit/a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430
Git commit de0d41556adf7f9976c8b7febeb2569aed772d27 by Jan Grulich, on behalf of Raphael Kubo da Costa. Committed on 15/10/2021 at 10:07. Pushed by grulich into branch 'cherry-pick-a76f4d4b'. openconnect: Make FSID passphrase + empty private key combination work. It should be possible to usen FSID-protected key passphrase with a user certificate and no private key. This was not working as expected because we were always calling openconnect_set_client_cert() with QByteArray::data(). The latter will pass an empty string rather than nullptr if it is empty, which can be the case for `key` if it is not set. This causes openconnect_set_client_cert() to use that empty string rather than handle the null argument case, and we would be unexpectedly prompted for a key password when trying to connect. Avoid running into this by explicitly passing `nullptr` when we have an empty `key`. (cherry picked from commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430) M +1 -1 vpn/openconnect/openconnectauth.cpp https://invent.kde.org/plasma/plasma-nm/commit/de0d41556adf7f9976c8b7febeb2569aed772d27
Git commit c9f4c07157c269fcf9bd41981bc534d2f8b5e43b by Jan Grulich, on behalf of Raphael Kubo da Costa. Committed on 15/10/2021 at 10:08. Pushed by grulich into branch 'Plasma/5.23'. openconnect: Make FSID passphrase + empty private key combination work. It should be possible to usen FSID-protected key passphrase with a user certificate and no private key. This was not working as expected because we were always calling openconnect_set_client_cert() with QByteArray::data(). The latter will pass an empty string rather than nullptr if it is empty, which can be the case for `key` if it is not set. This causes openconnect_set_client_cert() to use that empty string rather than handle the null argument case, and we would be unexpectedly prompted for a key password when trying to connect. Avoid running into this by explicitly passing `nullptr` when we have an empty `key`. (cherry picked from commit a76f4d4b0f75d1007d8fc13dc1e4c95c4a66a430) M +1 -1 vpn/openconnect/openconnectauth.cpp https://invent.kde.org/plasma/plasma-nm/commit/c9f4c07157c269fcf9bd41981bc534d2f8b5e43b