From d58e5de9e9c8d93e64d34aa8a7100bdfbc9b8dac Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Thu, 30 Jan 2020 04:10:05 -0600
Subject: [PATCH] Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
This reverts commit b6d8efbebcc0ad1e12bf16f47a173cadfcbf986d.
This GLib API is good, but the implentation is not ready, so there's no reason to commit to the API in GLib 2.64. We can reland again when the implementation is ready. There are three problems: (a) The glib-networking implementation normally works, but the test has been broken for a long time. I'm not comfortable with adding a major new feature without a working test. This is glib-networking#104. (b) The WebKit implementation never landed. There is a working patch, but it hasn't been accepted upstream yet. This API isn't needed in GLib until WebKit is ready to start using it. https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if the WebKit API was ready, that itself isn't useful until an application is ready to start using it, and the Epiphany level work never happened. Let's try again for GLib 2.66. Reverting this commit now just means we gain another six months before committing to the API forever. No reason to keep this in GLib 2.64 when nothing is using it yet.
---
 docs/reference/gio/gio-sections-common.txt | 1 -
 gio/gtlscertificate.c | 132 +--------------------
 gio/gtlscertificate.h | 5 -
 gio/tests/gtesttlsbackend.c | 25 +---
 gio/tests/tls-certificate.c | 37 ------
 5 files changed, 4 insertions(+), 196 deletions(-)
diff --git a/docs/reference/gio/gio-sections-common.txt b/docs/reference/gio/gio-sections-common.txt
index e174153c9..cd62b8a44 100644
--- a/docs/reference/gio/gio-sections-common.txt
+++ b/docs/reference/gio/gio-sections-common.txt
@@ -3697,7 +3697,6 @@ GTlsCertificate
 g_tls_certificate_new_from_pem
 g_tls_certificate_new_from_file
 g_tls_certificate_new_from_files
-g_tls_certificate_new_from_pkcs11_uris
 g_tls_certificate_list_new_from_file
 g_tls_certificate_get_issuer
 g_tls_certificate_verify
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index ca9c9b67b..72de5eb1f 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -60,9 +60,7 @@ enum
 PROP_CERTIFICATE_PEM,
 PROP_PRIVATE_KEY,
 PROP_PRIVATE_KEY_PEM,
- PROP_ISSUER,
- PROP_PKCS11_URI,
- PROP_PRIVATE_KEY_PKCS11_URI,
+ PROP_ISSUER
 };
 
 static void
@@ -76,16 +74,7 @@ g_tls_certificate_get_property (GObject *object,
 GValue *value,
 GParamSpec *pspec)
 {
- switch (prop_id)
- {
- case PROP_PKCS11_URI:
- case PROP_PRIVATE_KEY_PKCS11_URI:
- /* Subclasses must override this property but this allows older backends to not fatally error */
- g_value_set_static_string (value, NULL);
- break;
- default:
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
- }
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
@@ -94,15 +83,7 @@ g_tls_certificate_set_property (GObject *object,
 const GValue *value,
 GParamSpec *pspec)
 {
- switch (prop_id)
- {
- case PROP_PKCS11_URI:
- case PROP_PRIVATE_KEY_PKCS11_URI:
- /* Subclasses must override this property but this allows older backends to not fatally error */
- break;
- default:
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
- }
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
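Review bot: The new enum terminator `+ PROP_ISSUER` in the gio/gtlscertificate.c `@@ -60,9 +60,7 @@` hunk drops the trailing comma, so the next property added to this enum will again have to modify the `PROP_ISSUER` line; writing it as `PROP_ISSUER,` keeps future additions to a one-line diff, and the removed lines show the file already tolerates a trailing comma here. The same applies to the `+ PROP_CERT_ISSUER` terminator in the gio/tests/gtesttlsbackend.c `@@ -105,9 +103,7 @@` hunk. Since this is a straight revert, restoring the exact pre-b6d8efb text may be intentional, in which case this is a style nit only. The enum's opening lines are outside the hunk.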
@@ -212,42 +193,6 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
 G_PARAM_READWRITE |
 G_PARAM_CONSTRUCT_ONLY |
 G_PARAM_STATIC_STRINGS));
-
- /**
- * GTlsCertificate:pkcs11-uri: (nullable)
- *
- * A URI referencing the PKCS \#11 objects containing an X.509 certificate
- * and optionally a private key.
- *
- * If %NULL the certificate is either not backed by PKCS \#11 or the
- * #GTlsBackend does not support PKCS \#11.
- *
- * Since: 2.64
- */
- g_object_class_install_property (gobject_class, PROP_PKCS11_URI,
- g_param_spec_string ("pkcs11-uri",
- P_("PKCS #11 URI"),
- P_("The PKCS #11 URI"),
- NULL,
- G_PARAM_READWRITE |
- G_PARAM_CONSTRUCT_ONLY |
- G_PARAM_STATIC_STRINGS));
-
- /**
- * GTlsCertificate:private-key-pkcs11-uri: (nullable)
- *
- * A URI referencing a PKCS \#11 object containing a private key.
- *
- * Since: 2.64
- */
- g_object_class_install_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI,
- g_param_spec_string ("private-key-pkcs11-uri",
- P_("PKCS #11 URI"),
- P_("The PKCS #11 URI for a private key"),
- NULL,
- G_PARAM_READWRITE |
- G_PARAM_CONSTRUCT_ONLY |
- G_PARAM_STATIC_STRINGS));
 }
 
 static GTlsCertificate *
@@ -646,77 +591,6 @@ g_tls_certificate_new_from_files (const gchar *cert_file,
 return cert;
 }
 
-/**
- * g_tls_certificate_new_from_pkcs11_uris:
- * @pkcs11_uri: A PKCS \#11 URI
- * @private_key_pkcs11_uri: (nullable): A PKCS \#11 URI
- * @error: #GError for error reporting, or %NULL to ignore.
- *
- * Creates a #GTlsCertificate from a PKCS \#11 URI.
- *
- * An example @pkcs11_uri would be `pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`
- *
- * Where the token’s layout is:
- *
- * ```
- * Object 0:
- * URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
- * Type: Private key (RSA-2048)
- * ID: 01
- *
- * Object 1:
- * URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
- * Type: X.509 Certificate (RSA-2048)
- * ID: 01
- * ```
- *
- * In this case the certificate and private key would both be detected and used as expected.
- * @pkcs_uri may also just reference an X.509 certificate object and then optionally
- * @private_key_pkcs11_uri allows using a private key exposed under a different URI.
- *
- * Note that the private key is not accessed until usage and may fail or require a PIN later.
- *
- * Returns: (transfer full): the new certificate, or %NULL on error
- *
- * Since: 2.64
- */
-GTlsCertificate *
-g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
- const gchar *private_key_pkcs11_uri,
- GError **error)
-{
- GObject *cert;
- GTlsBackend *backend;
-
- g_return_val_if_fail (error == NULL || *error == NULL, NULL);
- g_return_val_if_fail (pkcs11_uri, NULL);
-
- backend = g_tls_backend_get_default ();
-
- cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
- NULL, error,
- "pkcs11-uri", pkcs11_uri,
- "private-key-pkcs11-uri", private_key_pkcs11_uri,
- NULL);
-
- if (cert != NULL)
- {
- gchar *objects_uri;
-
- /* Old implementations might not override this property */
- g_object_get (cert, "pkcs11-uri", &objects_uri, NULL);
- if (objects_uri == NULL)
- {
- g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("This GTlsBackend does not support creating PKCS #11 certificates"));
- g_object_unref (cert);
- return NULL;
- }
- g_free (objects_uri);
- }
-
- return G_TLS_CERTIFICATE (cert);
-}
-
 /**
 * g_tls_certificate_list_new_from_file:
 * @file: (type filename): file containing PEM-encoded certificates to import
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index 66fe59a03..a064543c4 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -71,11 +71,6 @@ GLIB_AVAILABLE_IN_ALL
 GTlsCertificate *g_tls_certificate_new_from_files (const gchar *cert_file,
 const gchar *key_file,
 GError **error);
-GLIB_AVAILABLE_IN_2_64
-GTlsCertificate *g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
- const gchar *private_key_pkcs11_uri,
- GError **error);
-
 GLIB_AVAILABLE_IN_ALL
 GList *g_tls_certificate_list_new_from_file (const gchar *file,
 GError **error);
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 3051eaae7..157a4a3f3 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -91,8 +91,6 @@ struct _GTestTlsCertificate {
 gchar *key_pem;
 gchar *cert_pem;
 GTlsCertificate *issuer;
- gchar *pkcs11_uri;
- gchar *private_key_pkcs11_uri;
 };
 
 struct _GTestTlsCertificateClass {
@@ -105,9 +103,7 @@ enum
 PROP_CERT_CERTIFICATE_PEM,
 PROP_CERT_PRIVATE_KEY,
 PROP_CERT_PRIVATE_KEY_PEM,
- PROP_CERT_ISSUER,
- PROP_CERT_PKCS11_URI,
- PROP_CERT_PRIVATE_KEY_PKCS11_URI,
+ PROP_CERT_ISSUER
 };
 
 static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
@@ -145,15 +141,6 @@ g_test_tls_certificate_get_property (GObject *object,
 case PROP_CERT_ISSUER:
 g_value_set_object (value, cert->issuer);
 break;
- case PROP_CERT_PKCS11_URI:
- /* This test value simulates a backend that ignores the value
- because it is unsupported */
- if (g_strcmp0 (cert->pkcs11_uri, "unsupported") != 0)
- g_value_set_string (value, cert->pkcs11_uri);
- break;
- case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
- g_value_set_string (value, cert->private_key_pkcs11_uri);
- break;
 default:
 g_assert_not_reached ();
 break;
@@ -179,12 +166,6 @@ g_test_tls_certificate_set_property (GObject *object,
 case PROP_CERT_ISSUER:
 cert->issuer = g_value_dup_object (value);
 break;
- case PROP_CERT_PKCS11_URI:
- cert->pkcs11_uri = g_value_dup_string (value);
- break;
- case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
- cert->private_key_pkcs11_uri = g_value_dup_string (value);
- break;
 case PROP_CERT_CERTIFICATE:
 case PROP_CERT_PRIVATE_KEY:
 /* ignore */
@@ -202,8 +183,6 @@ g_test_tls_certificate_finalize (GObject *object)
 
 g_free (cert->cert_pem);
 g_free (cert->key_pem);
- g_free (cert->pkcs11_uri);
- g_free (cert->private_key_pkcs11_uri);
 g_clear_object (&cert->issuer);
 
 G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
@@ -226,8 +205,6 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
 g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
 g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
 g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
- g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_URI, "pkcs11-uri");
- g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PKCS11_URI, "private-key-pkcs11-uri");
 }
 
 static void
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index 9fa78f152..e1ba23737 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -398,38 +398,6 @@ list_from_file (const Reference *ref)
 g_assert_cmpint (g_list_length (list), ==, 0);
 }
 
-static void
-from_pkcs11_uri (void)
-{
- GError *error = NULL;
- GTlsCertificate *cert;
- gchar *pkcs11_uri = NULL;
-
- cert = g_tls_certificate_new_from_pkcs11_uris ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
- g_assert_no_error (error);
- g_assert_nonnull (cert);
-
- g_object_get (cert, "pkcs11-uri", &pkcs11_uri, NULL);
- g_assert_cmpstr ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", ==, pkcs11_uri);
- g_free (pkcs11_uri);
-
- g_object_unref (cert);
-}
-
-static void
-from_unsupported_pkcs11_uri (void)
-{
- GError *error = NULL;
- GTlsCertificate *cert;
-
- /* This is a magic value in gtesttlsbackend.c simulating an unsupported backend */
- cert = g_tls_certificate_new_from_pkcs11_uris ("unsupported", NULL, &error);
- g_assert_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED);
- g_assert_null (cert);
-
- g_clear_error (&error);
-}
-
 int
 main (int argc,
 char *argv[])
@@ -496,11 +464,6 @@ main (int argc,
 &ref, (GTestDataFunc)from_files_pkcs8enc);
 g_test_add_data_func ("/tls-certificate/list_from_file",
 &ref, (GTestDataFunc)list_from_file);
- g_test_add_func ("/tls-certificate/pkcs11-uri",
- from_pkcs11_uri);
- g_test_add_func ("/tls-certificate/pkcs11-uri-unsupported",
- from_unsupported_pkcs11_uri);
-
 rtv = g_test_run();