mirror of
https://gitlab.gnome.org/GNOME/glib.git
synced 2024-09-20 01:06:15 +02:00
GTlsCertificate: support unencrypted PKCS#8 private keys
PKCS#8 is the "right" way to encode private keys. Although the APIs do not currently support encrypted keys, we should at least support unencrypted PKCS#8 keys. https://bugzilla.gnome.org/show_bug.cgi?id=664321
This commit is contained in:
Dan Winship
parent
cb74c36678
commit
1dc8d1f932
@ -134,9 +134,14 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
|
||||
* GTlsCertificate:private-key:
|
||||
*
|
||||
* The DER (binary) encoded representation of the certificate's
|
||||
* private key. This property (or the
|
||||
* #GTlsCertificate:private-key-pem property) can be set when
|
||||
* constructing a key (eg, from a file), but cannot be read.
|
||||
* private key, in either PKCS#1 format or unencrypted PKCS#8
|
||||
* format. This property (or the #GTlsCertificate:private-key-pem
|
||||
* property) can be set when constructing a key (eg, from a file),
|
||||
* but cannot be read.
|
||||
*
|
||||
* PKCS#8 format is supported since 2.32; earlier releases only
|
||||
* support PKCS#1. You can use the <literal>openssl rsa</literal>
|
||||
* tool to convert PKCS#8 keys to PKCS#1.
|
||||
*
|
||||
* Since: 2.28
|
||||
*/
|
||||
@ -152,9 +157,15 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
|
||||
* GTlsCertificate:private-key-pem:
|
||||
*
|
||||
* The PEM (ASCII) encoded representation of the certificate's
|
||||
* private key. This property (or the #GTlsCertificate:private-key
|
||||
* property) can be set when constructing a key (eg, from a file),
|
||||
* but cannot be read.
|
||||
* private key in either PKCS#1 format ("<literal>BEGIN RSA PRIVATE
|
||||
* KEY</literal>") or unencrypted PKCS#8 format ("<literal>BEGIN
|
||||
* PRIVATE KEY</literal>"). This property (or the
|
||||
* #GTlsCertificate:private-key property) can be set when
|
||||
* constructing a key (eg, from a file), but cannot be read.
|
||||
*
|
||||
* PKCS#8 format is supported since 2.32; earlier releases only
|
||||
* support PKCS#1. You can use the <literal>openssl rsa</literal>
|
||||
* tool to convert PKCS#8 keys to PKCS#1.
|
||||
*
|
||||
* Since: 2.28
|
||||
*/
|
||||
@ -204,10 +215,14 @@ g_tls_certificate_new_internal (const gchar *certificate_pem,
|
||||
return G_TLS_CERTIFICATE (cert);
|
||||
}
|
||||
|
||||
#define PEM_CERTIFICATE_HEADER "-----BEGIN CERTIFICATE-----"
|
||||
#define PEM_CERTIFICATE_FOOTER "-----END CERTIFICATE-----"
|
||||
#define PEM_PRIVKEY_HEADER "-----BEGIN RSA PRIVATE KEY-----"
|
||||
#define PEM_PRIVKEY_FOOTER "-----END RSA PRIVATE KEY-----"
|
||||
#define PEM_CERTIFICATE_HEADER "-----BEGIN CERTIFICATE-----"
|
||||
#define PEM_CERTIFICATE_FOOTER "-----END CERTIFICATE-----"
|
||||
#define PEM_PKCS1_PRIVKEY_HEADER "-----BEGIN RSA PRIVATE KEY-----"
|
||||
#define PEM_PKCS1_PRIVKEY_FOOTER "-----END RSA PRIVATE KEY-----"
|
||||
#define PEM_PKCS8_PRIVKEY_HEADER "-----BEGIN PRIVATE KEY-----"
|
||||
#define PEM_PKCS8_PRIVKEY_FOOTER "-----END PRIVATE KEY-----"
|
||||
#define PEM_PKCS8_ENCRYPTED_HEADER "-----BEGIN ENCRYPTED PRIVATE KEY-----"
|
||||
#define PEM_PKCS8_ENCRYPTED_FOOTER "-----END ENCRYPTED PRIVATE KEY-----"
|
||||
|
||||
static gchar *
|
||||
parse_private_key (const gchar *data,
|
||||
@ -215,27 +230,41 @@ parse_private_key (const gchar *data,
|
||||
gboolean required,
|
||||
GError **error)
|
||||
{
|
||||
const gchar *start, *end;
|
||||
const gchar *start, *end, *footer;
|
||||
|
||||
start = g_strstr_len (data, data_len, PEM_PRIVKEY_HEADER);
|
||||
if (!start)
|
||||
start = g_strstr_len (data, data_len, PEM_PKCS1_PRIVKEY_HEADER);
|
||||
if (start)
|
||||
footer = PEM_PKCS1_PRIVKEY_FOOTER;
|
||||
else
|
||||
{
|
||||
if (required)
|
||||
start = g_strstr_len (data, data_len, PEM_PKCS8_PRIVKEY_HEADER);
|
||||
if (start)
|
||||
footer = PEM_PKCS8_PRIVKEY_FOOTER;
|
||||
else
|
||||
{
|
||||
g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
|
||||
_("No PEM-encoded private key found"));
|
||||
start = g_strstr_len (data, data_len, PEM_PKCS8_ENCRYPTED_HEADER);
|
||||
if (start)
|
||||
{
|
||||
g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
|
||||
_("Cannot decrypt PEM-encoded private key"));
|
||||
}
|
||||
else if (required)
|
||||
{
|
||||
g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
|
||||
_("No PEM-encoded private key found"));
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
end = g_strstr_len (start, data_len - (data - start), PEM_PRIVKEY_FOOTER);
|
||||
end = g_strstr_len (start, data_len - (data - start), footer);
|
||||
if (!end)
|
||||
{
|
||||
g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
|
||||
_("Could not parse PEM-encoded private key"));
|
||||
return NULL;
|
||||
}
|
||||
end += strlen (PEM_PRIVKEY_FOOTER);
|
||||
end += strlen (footer);
|
||||
while (*end == '\r' || *end == '\n')
|
||||
end++;
|
||||
|
||||
@ -286,7 +315,9 @@ parse_next_pem_certificate (const gchar **data,
|
||||
*
|
||||
* Creates a new #GTlsCertificate from the PEM-encoded data in @data.
|
||||
* If @data includes both a certificate and a private key, then the
|
||||
* returned certificate will include the private key data as well.
|
||||
* returned certificate will include the private key data as well. (See
|
||||
* the #GTlsCertificate:private-key-pem property for information about
|
||||
* supported formats.)
|
||||
*
|
||||
* If @data includes multiple certificates, only the first one will be
|
||||
* parsed.
|
||||
@ -336,7 +367,8 @@ g_tls_certificate_new_from_pem (const gchar *data,
|
||||
*
|
||||
* Creates a #GTlsCertificate from the PEM-encoded data in @file. If
|
||||
* @file cannot be read or parsed, the function will return %NULL and
|
||||
* set @error. Otherwise, this behaves like g_tls_certificate_new().
|
||||
* set @error. Otherwise, this behaves like
|
||||
* g_tls_certificate_new_from_pem().
|
||||
*
|
||||
* Return value: the new certificate, or %NULL on error
|
||||
*
|
||||
@ -367,7 +399,7 @@ g_tls_certificate_new_from_file (const gchar *file,
|
||||
* Creates a #GTlsCertificate from the PEM-encoded data in @cert_file
|
||||
* and @key_file. If either file cannot be read or parsed, the
|
||||
* function will return %NULL and set @error. Otherwise, this behaves
|
||||
* like g_tls_certificate_new().
|
||||
* like g_tls_certificate_new_from_pem().
|
||||
*
|
||||
* Return value: the new certificate, or %NULL on error
|
||||
*
|
||||
|
||||
16
gio/tests/key8.pem
Normal file
16
gio/tests/key8.pem
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKyWtOX6CneVCwQY
|
||||
x6COFAyjDnKGKelDvKOLfqyga5SlTKdA+zs/m2beiNk95AY2Zih/cKxzbJOswusK
|
||||
J23zEWRyC1nJ04n2xBISDBzah/ieW998hlt0hH7XdY49VGZLm0FWRBYWuVIW1DvQ
|
||||
EOE0rdJl+QBvj5CYtJHUwkVpQ9atAgMBAAECgYBROeyRgAiFF0RD/VWWnseY2vTl
|
||||
uXboLdUOM4y+uhFnuBRHczHKRLlixMErXRGASwHxdWkWAIzNQ7XI4NKF0KwSD2QI
|
||||
Hd/NJaS6crz5MXZMo4zm5aVDCJ8om9w2KxE1uDevxbKAwxdpZIUDfFahG5nki3SM
|
||||
5fXy/7HlEceif+RpEQJBAOXoVLCAkt40CRGkw1AZ1GGYx6wdaY00G/dajOqbpamT
|
||||
Cjllc+wu3emmt3QY3mNfQgbtyVPX94wP38b7dQapOPcCQQDALQzaC/5BSFtoH4pK
|
||||
U5kM6LiCyeGeydozsdAYMknmejjLYS+dgjdjms8lZ515iUJXdxwyK2OeNwgkcidF
|
||||
kEh7AkEA2CxqZUOf1RrsZBCeLVT8I4B6TtWhB8o1eZFE6tvLGvVNKcbBBxTSR/4g
|
||||
hSNVB+7rsIQpR5LMCoBqkzihQtAe5QJBAL0n2p2I7oNdcDNF0D2mmWAedPavNXex
|
||||
ISh+3d/jJ+BG7z4oc9CqSlCtITWlDliBZR5obAVptc0WR9pvzf3nrZ8CQGXyM+J1
|
||||
B0pYSBJrqHmmbj76xct1aXunqOLJ60frhbseeFGvITem2tEY7SFJXW/hvHcMrN4m
|
||||
IlGVZRaJKXvzby0=
|
||||
-----END PRIVATE KEY-----
|
||||
@ -30,6 +30,7 @@ typedef struct
|
||||
{
|
||||
gchar *cert_pems[3];
|
||||
gchar *key_pem;
|
||||
gchar *key8_pem;
|
||||
} Reference;
|
||||
|
||||
static void
|
||||
@ -199,7 +200,35 @@ from_files (const Reference *ref)
|
||||
g_assert (cert);
|
||||
g_object_unref (cert);
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void
|
||||
from_files_pkcs8 (const Reference *ref)
|
||||
{
|
||||
GTlsCertificate *cert;
|
||||
gchar *parsed_cert_pem = NULL;
|
||||
const gchar *parsed_key_pem = NULL;
|
||||
GError *error = NULL;
|
||||
|
||||
cert = g_tls_certificate_new_from_files (SRCDIR "/cert1.pem",
|
||||
SRCDIR "/key8.pem",
|
||||
&error);
|
||||
g_assert_no_error (error);
|
||||
g_assert (cert);
|
||||
|
||||
g_object_get (cert,
|
||||
"certificate-pem", &parsed_cert_pem,
|
||||
NULL);
|
||||
parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
|
||||
g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
|
||||
g_free (parsed_cert_pem);
|
||||
parsed_cert_pem = NULL;
|
||||
g_assert_cmpstr (parsed_key_pem, ==, ref->key8_pem);
|
||||
parsed_key_pem = NULL;
|
||||
|
||||
g_object_unref (cert);
|
||||
}
|
||||
|
||||
static void
|
||||
list_from_file (const Reference *ref)
|
||||
{
|
||||
@ -258,6 +287,9 @@ main (int argc,
|
||||
g_file_get_contents (SRCDIR "/key.pem", &ref.key_pem, NULL, &error);
|
||||
g_assert_no_error (error);
|
||||
g_assert (ref.key_pem);
|
||||
g_file_get_contents (SRCDIR "/key8.pem", &ref.key8_pem, NULL, &error);
|
||||
g_assert_no_error (error);
|
||||
g_assert (ref.key8_pem);
|
||||
|
||||
g_test_add_data_func ("/tls-certificate/pem-parser",
|
||||
&ref, (GTestDataFunc)pem_parser);
|
||||
@ -265,6 +297,8 @@ main (int argc,
|
||||
&ref, (GTestDataFunc)from_file);
|
||||
g_test_add_data_func ("/tls-certificate/from_files",
|
||||
&ref, (GTestDataFunc)from_files);
|
||||
g_test_add_data_func ("/tls-certificate/from_files_pkcs8",
|
||||
&ref, (GTestDataFunc)from_files_pkcs8);
|
||||
g_test_add_data_func ("/tls-certificate/list_from_file",
|
||||
&ref, (GTestDataFunc)list_from_file);
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user