Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
This reverts commit b6d8efbebc.
This GLib API is good, but the implementation is not ready, so there's no
reason to commit to the API in GLib 2.64. We can reland again when the
implementation is ready.
There are three problems: (a) The glib-networking implementation normally
works, but the test has been broken for a long time. I'm not comfortable
with adding a major new feature without a working test. This is
glib-networking#104. (b) The WebKit implementation never landed. There
is a working patch, but it hasn't been accepted upstream yet. This API
isn't needed in GLib until WebKit is ready to start using it.
https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if
the WebKit API was ready, that itself isn't useful until an application
is ready to start using it, and the Epiphany level work never happened.
Let's try again for GLib 2.66. Reverting this commit now just means we
gain another six months before committing to the API forever. No reason
to keep this in GLib 2.64 when nothing is using it yet.
parent
0d3d3e1d84
commit
d58e5de9e9
@ -3697,7 +3697,6 @@ GTlsCertificate
|
||||
g_tls_certificate_new_from_pem
|
||||
g_tls_certificate_new_from_file
|
||||
g_tls_certificate_new_from_files
|
||||
g_tls_certificate_new_from_pkcs11_uris
|
||||
g_tls_certificate_list_new_from_file
|
||||
g_tls_certificate_get_issuer
|
||||
g_tls_certificate_verify
|
||||
|
@ -60,9 +60,7 @@ enum
|
||||
PROP_CERTIFICATE_PEM,
|
||||
PROP_PRIVATE_KEY,
|
||||
PROP_PRIVATE_KEY_PEM,
|
||||
PROP_ISSUER,
|
||||
PROP_PKCS11_URI,
|
||||
PROP_PRIVATE_KEY_PKCS11_URI,
|
||||
PROP_ISSUER
|
||||
};
|
||||
|
||||
static void
|
||||
@ -76,16 +74,7 @@ g_tls_certificate_get_property (GObject *object,
|
||||
GValue *value,
|
||||
GParamSpec *pspec)
|
||||
{
|
||||
switch (prop_id)
|
||||
{
|
||||
case PROP_PKCS11_URI:
|
||||
case PROP_PRIVATE_KEY_PKCS11_URI:
|
||||
/* Subclasses must override this property but this allows older backends to not fatally error */
|
||||
g_value_set_static_string (value, NULL);
|
||||
break;
|
||||
default:
|
||||
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
||||
}
|
||||
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -94,15 +83,7 @@ g_tls_certificate_set_property (GObject *object,
|
||||
const GValue *value,
|
||||
GParamSpec *pspec)
|
||||
{
|
||||
switch (prop_id)
|
||||
{
|
||||
case PROP_PKCS11_URI:
|
||||
case PROP_PRIVATE_KEY_PKCS11_URI:
|
||||
/* Subclasses must override this property but this allows older backends to not fatally error */
|
||||
break;
|
||||
default:
|
||||
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
||||
}
|
||||
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -212,42 +193,6 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
|
||||
G_PARAM_READWRITE |
|
||||
G_PARAM_CONSTRUCT_ONLY |
|
||||
G_PARAM_STATIC_STRINGS));
|
||||
|
||||
/**
|
||||
* GTlsCertificate:pkcs11-uri: (nullable)
|
||||
*
|
||||
* A URI referencing the PKCS \#11 objects containing an X.509 certificate
|
||||
* and optionally a private key.
|
||||
*
|
||||
* If %NULL the certificate is either not backed by PKCS \#11 or the
|
||||
* #GTlsBackend does not support PKCS \#11.
|
||||
*
|
||||
* Since: 2.64
|
||||
*/
|
||||
g_object_class_install_property (gobject_class, PROP_PKCS11_URI,
|
||||
g_param_spec_string ("pkcs11-uri",
|
||||
P_("PKCS #11 URI"),
|
||||
P_("The PKCS #11 URI"),
|
||||
NULL,
|
||||
G_PARAM_READWRITE |
|
||||
G_PARAM_CONSTRUCT_ONLY |
|
||||
G_PARAM_STATIC_STRINGS));
|
||||
|
||||
/**
|
||||
* GTlsCertificate:private-key-pkcs11-uri: (nullable)
|
||||
*
|
||||
* A URI referencing a PKCS \#11 object containing a private key.
|
||||
*
|
||||
* Since: 2.64
|
||||
*/
|
||||
g_object_class_install_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI,
|
||||
g_param_spec_string ("private-key-pkcs11-uri",
|
||||
P_("PKCS #11 URI"),
|
||||
P_("The PKCS #11 URI for a private key"),
|
||||
NULL,
|
||||
G_PARAM_READWRITE |
|
||||
G_PARAM_CONSTRUCT_ONLY |
|
||||
G_PARAM_STATIC_STRINGS));
|
||||
}
|
||||
|
||||
static GTlsCertificate *
|
||||
@ -646,77 +591,6 @@ g_tls_certificate_new_from_files (const gchar *cert_file,
|
||||
return cert;
|
||||
}
|
||||
|
||||
/**
|
||||
* g_tls_certificate_new_from_pkcs11_uris:
|
||||
* @pkcs11_uri: A PKCS \#11 URI
|
||||
* @private_key_pkcs11_uri: (nullable): A PKCS \#11 URI
|
||||
* @error: #GError for error reporting, or %NULL to ignore.
|
||||
*
|
||||
* Creates a #GTlsCertificate from a PKCS \#11 URI.
|
||||
*
|
||||
* An example @pkcs11_uri would be `pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`
|
||||
*
|
||||
* Where the token’s layout is:
|
||||
*
|
||||
* ```
|
||||
* Object 0:
|
||||
* URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
|
||||
* Type: Private key (RSA-2048)
|
||||
* ID: 01
|
||||
*
|
||||
* Object 1:
|
||||
* URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
|
||||
* Type: X.509 Certificate (RSA-2048)
|
||||
* ID: 01
|
||||
* ```
|
||||
*
|
||||
* In this case the certificate and private key would both be detected and used as expected.
|
||||
* @pkcs_uri may also just reference an X.509 certificate object and then optionally
|
||||
* @private_key_pkcs11_uri allows using a private key exposed under a different URI.
|
||||
*
|
||||
* Note that the private key is not accessed until usage and may fail or require a PIN later.
|
||||
*
|
||||
* Returns: (transfer full): the new certificate, or %NULL on error
|
||||
*
|
||||
* Since: 2.64
|
||||
*/
|
||||
GTlsCertificate *
|
||||
g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
|
||||
const gchar *private_key_pkcs11_uri,
|
||||
GError **error)
|
||||
{
|
||||
GObject *cert;
|
||||
GTlsBackend *backend;
|
||||
|
||||
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
|
||||
g_return_val_if_fail (pkcs11_uri, NULL);
|
||||
|
||||
backend = g_tls_backend_get_default ();
|
||||
|
||||
cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
|
||||
NULL, error,
|
||||
"pkcs11-uri", pkcs11_uri,
|
||||
"private-key-pkcs11-uri", private_key_pkcs11_uri,
|
||||
NULL);
|
||||
|
||||
if (cert != NULL)
|
||||
{
|
||||
gchar *objects_uri;
|
||||
|
||||
/* Old implementations might not override this property */
|
||||
g_object_get (cert, "pkcs11-uri", &objects_uri, NULL);
|
||||
if (objects_uri == NULL)
|
||||
{
|
||||
g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("This GTlsBackend does not support creating PKCS #11 certificates"));
|
||||
g_object_unref (cert);
|
||||
return NULL;
|
||||
}
|
||||
g_free (objects_uri);
|
||||
}
|
||||
|
||||
return G_TLS_CERTIFICATE (cert);
|
||||
}
|
||||
|
||||
/**
|
||||
* g_tls_certificate_list_new_from_file:
|
||||
* @file: (type filename): file containing PEM-encoded certificates to import
|
||||
|
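Review bot: The restored bodies of g_tls_certificate_get_property and g_tls_certificate_set_property are a bare `G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);` with no comment explaining why the base class handles no property at all. The hunk headers (+74,7 and +83,7) suggest this single call is the whole body on the new side, and both signatures begin above their hunks. Since class_init still installs the properties as READWRITE | CONSTRUCT_ONLY and the test backend overrides each one, the intent appears to be that a backend subclass must implement them. I would say so in each function, for example `/* All properties are implemented by the GTlsBackend's certificate subclass; reaching this warning means the backend did not override one. */`. That keeps a later reader from mistaking the warning for a missing case when the PKCS #11 properties are relanded.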
@ -71,11 +71,6 @@ GLIB_AVAILABLE_IN_ALL
|
||||
GTlsCertificate *g_tls_certificate_new_from_files (const gchar *cert_file,
|
||||
const gchar *key_file,
|
||||
GError **error);
|
||||
GLIB_AVAILABLE_IN_2_64
|
||||
GTlsCertificate *g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
|
||||
const gchar *private_key_pkcs11_uri,
|
||||
GError **error);
|
||||
|
||||
GLIB_AVAILABLE_IN_ALL
|
||||
GList *g_tls_certificate_list_new_from_file (const gchar *file,
|
||||
GError **error);
|
||||
|
@ -91,8 +91,6 @@ struct _GTestTlsCertificate {
|
||||
gchar *key_pem;
|
||||
gchar *cert_pem;
|
||||
GTlsCertificate *issuer;
|
||||
gchar *pkcs11_uri;
|
||||
gchar *private_key_pkcs11_uri;
|
||||
};
|
||||
|
||||
struct _GTestTlsCertificateClass {
|
||||
@ -105,9 +103,7 @@ enum
|
||||
PROP_CERT_CERTIFICATE_PEM,
|
||||
PROP_CERT_PRIVATE_KEY,
|
||||
PROP_CERT_PRIVATE_KEY_PEM,
|
||||
PROP_CERT_ISSUER,
|
||||
PROP_CERT_PKCS11_URI,
|
||||
PROP_CERT_PRIVATE_KEY_PKCS11_URI,
|
||||
PROP_CERT_ISSUER
|
||||
};
|
||||
|
||||
static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
|
||||
@ -145,15 +141,6 @@ g_test_tls_certificate_get_property (GObject *object,
|
||||
case PROP_CERT_ISSUER:
|
||||
g_value_set_object (value, cert->issuer);
|
||||
break;
|
||||
case PROP_CERT_PKCS11_URI:
|
||||
/* This test value simulates a backend that ignores the value
|
||||
because it is unsupported */
|
||||
if (g_strcmp0 (cert->pkcs11_uri, "unsupported") != 0)
|
||||
g_value_set_string (value, cert->pkcs11_uri);
|
||||
break;
|
||||
case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
|
||||
g_value_set_string (value, cert->private_key_pkcs11_uri);
|
||||
break;
|
||||
default:
|
||||
g_assert_not_reached ();
|
||||
break;
|
||||
@ -179,12 +166,6 @@ g_test_tls_certificate_set_property (GObject *object,
|
||||
case PROP_CERT_ISSUER:
|
||||
cert->issuer = g_value_dup_object (value);
|
||||
break;
|
||||
case PROP_CERT_PKCS11_URI:
|
||||
cert->pkcs11_uri = g_value_dup_string (value);
|
||||
break;
|
||||
case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
|
||||
cert->private_key_pkcs11_uri = g_value_dup_string (value);
|
||||
break;
|
||||
case PROP_CERT_CERTIFICATE:
|
||||
case PROP_CERT_PRIVATE_KEY:
|
||||
/* ignore */
|
||||
@ -202,8 +183,6 @@ g_test_tls_certificate_finalize (GObject *object)
|
||||
|
||||
g_free (cert->cert_pem);
|
||||
g_free (cert->key_pem);
|
||||
g_free (cert->pkcs11_uri);
|
||||
g_free (cert->private_key_pkcs11_uri);
|
||||
g_clear_object (&cert->issuer);
|
||||
|
||||
G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
|
||||
@ -226,8 +205,6 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
|
||||
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
|
||||
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
|
||||
g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
|
||||
g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_URI, "pkcs11-uri");
|
||||
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PKCS11_URI, "private-key-pkcs11-uri");
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -398,38 +398,6 @@ list_from_file (const Reference *ref)
|
||||
g_assert_cmpint (g_list_length (list), ==, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
from_pkcs11_uri (void)
|
||||
{
|
||||
GError *error = NULL;
|
||||
GTlsCertificate *cert;
|
||||
gchar *pkcs11_uri = NULL;
|
||||
|
||||
cert = g_tls_certificate_new_from_pkcs11_uris ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
|
||||
g_assert_no_error (error);
|
||||
g_assert_nonnull (cert);
|
||||
|
||||
g_object_get (cert, "pkcs11-uri", &pkcs11_uri, NULL);
|
||||
g_assert_cmpstr ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", ==, pkcs11_uri);
|
||||
g_free (pkcs11_uri);
|
||||
|
||||
g_object_unref (cert);
|
||||
}
|
||||
|
||||
static void
|
||||
from_unsupported_pkcs11_uri (void)
|
||||
{
|
||||
GError *error = NULL;
|
||||
GTlsCertificate *cert;
|
||||
|
||||
/* This is a magic value in gtesttlsbackend.c simulating an unsupported backend */
|
||||
cert = g_tls_certificate_new_from_pkcs11_uris ("unsupported", NULL, &error);
|
||||
g_assert_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED);
|
||||
g_assert_null (cert);
|
||||
|
||||
g_clear_error (&error);
|
||||
}
|
||||
|
||||
int
|
||||
main (int argc,
|
||||
char *argv[])
|
||||
@ -496,11 +464,6 @@ main (int argc,
|
||||
&ref, (GTestDataFunc)from_files_pkcs8enc);
|
||||
g_test_add_data_func ("/tls-certificate/list_from_file",
|
||||
&ref, (GTestDataFunc)list_from_file);
|
||||
g_test_add_func ("/tls-certificate/pkcs11-uri",
|
||||
from_pkcs11_uri);
|
||||
g_test_add_func ("/tls-certificate/pkcs11-uri-unsupported",
|
||||
from_unsupported_pkcs11_uri);
|
||||
|
||||
|
||||
rtv = g_test_run();
|
||||
|
||||
|