libnm-util: fix loading/verifying certificates to allow DER format (rh #699591)

The start and end tags '-----BEGIN/END CERTIFICATE-----' was checked first,
which ruled out DER format. This is fixed now and a test is added.

libnm-util/crypto.c

@@ -585,14 +585,19 @@ crypto_load_and_verify_certificate (const char *file,
 		return contents;
 	}
 
-	array = extract_pem_cert_data (contents, error);
-	if (!array) {
-		g_byte_array_free (contents, TRUE);
-		return NULL;
-	}
+	/* Check for plain DER format */
+	if (contents->len > 2 && contents->data[0] == 0x30 && contents->data[1] == 0x82) {
+		*out_file_format = crypto_verify_cert (contents->data, contents->len, error);
+	} else {
+		array = extract_pem_cert_data (contents, error);
+		if (!array) {
+			g_byte_array_free (contents, TRUE);
+			return NULL;
+		}
 
-	*out_file_format = crypto_verify_cert (array->data, array->len, error);
-	g_byte_array_free (array, TRUE);
+		*out_file_format = crypto_verify_cert (array->data, array->len, error);
+		g_byte_array_free (array, TRUE);
+	}
 
 	if (*out_file_format != NM_CRYPTO_FILE_FORMAT_X509) {
 		g_byte_array_free (contents, TRUE);

libnm-util/tests/Makefile.am

@@ -93,6 +93,9 @@ check-local: test-settings-defaults test-crypto test-secrets
 # Another CA certificate
 	$(abs_builddir)/test-crypto --cert $(srcdir)/certs/test2_ca_cert.pem
 
+# Normal CA certificate (DER format)
+	$(abs_builddir)/test-crypto --cert $(srcdir)/certs/test_ca_cert.der
+
 # CA certificate without an ending newline
 	$(abs_builddir)/test-crypto --cert $(srcdir)/certs/ca-no-ending-newline.pem
 

libnm-util/tests/certs/Makefile.am

@@ -9,6 +9,7 @@
 
 EXTRA_DIST = \
 	test_ca_cert.pem \
+	test_ca_cert.der \
 	test_key_and_cert.pem \
 	test-cert.p12 \
 	test2_ca_cert.pem \