This changeset exposes
* `not-valid-before`
* `not-valid-after`
* `subject-name`
* `issuer-name`
on GTlsCertificate provided by the underlying TLS Backend.
In order to make use of these changes,
see the related [glib-networking MR][glib-networking].
This change aims to help populate more of the [`Certificate`][wk-cert]
info in the WebKit Inspector Protocol on Linux.
This changeset stems from work in Microsoft Playwright to [add more info
into its HAR capture][pw] generated from the Inspector Protocol events
and will bring feature parity across WebKit platforms.
[wk-cert]: 8afe31a018/Source/JavaScriptCore/inspector/protocol/Security.json
[pw]: https://github.com/microsoft/playwright/pull/6631
[glib-networking]: https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/156
This reverts commit b6d8efbebc.
This GLib API is good, but the implentation is not ready, so there's no
reason to commit to the API in GLib 2.64. We can reland again when the
implementation is ready.
There are three problems: (a) The glib-networking implementation normally
works, but the test has been broken for a long time. I'm not comfortable
with adding a major new feature without a working test. This is
glib-networking#104. (b) The WebKit implementation never landed. There
is a working patch, but it hasn't been accepted upstream yet. This API
isn't needed in GLib until WebKit is ready to start using it.
https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if
the WebKit API was ready, that itself isn't useful until an application
is ready to start using it, and the Epiphany level work never happened.
Let's try again for GLib 2.66. Reverting this commit now just means we
gain another six months before committing to the API forever. No reason
to keep this in GLib 2.64 when nothing is using it yet.
Allow any type of private key in PEM files by treating PEM guards ending
with "PRIVATE KEY-----" as a private key instead of looking for a
pre-defined set of PEM guards. This enables the possibility for custom
GTlsBackend to add support for new key types.
Test cases have been expanded to ensure PEM parsing works for private
key when either header or footer is missing.
Encrypted PKCS#8 is still rejected. Test case has been added for this to
ensure behaviour is the same before and after this change.
It's unnecessary, and only adds visual noise; we have been fairly
inconsistent in the past, but the semi-colon-less version clearly
dominates in the code base.
https://bugzilla.gnome.org/show_bug.cgi?id=669355
If we have an input parameter (or return value) we need to use (nullable).
However, if it is an (inout) or (out) parameter, (optional) is sufficient.
It looks like (nullable) could be used for everything according to the
Annotation documentation, but (optional) is more specific.
If the certificate constructor is called as:
g_tls_certificate_new_from_pem (data, length, NULL);
and PEM parsing fails for the private key, the function would have
continued to try and create a certificate using a NULL key_pem value,
which would have failed or crashed.
Use g_propagate_error() correctly to avoid this.
Coverity CID: 1325403
If a private key (or anything, in fact) follows the final certificate in
the file, certificate parsing will be aborted and only the first
certificate in the chain will be returned, with the private key not set.
Be tolerant of this, rather than expecting the final character in the
file to be the newline following the last certificate.
https://bugzilla.gnome.org/show_bug.cgi?id=754264
g_tls_certificate_new_from_file() was only loading the complete chain
if it was fully valid, but we only meant to be validating that it
formed an actual chain (since the caller may be planning to ignore
other errors).
https://bugzilla.gnome.org/show_bug.cgi?id=729739
This patch changes the behavior of the following functions:
g_tls_certificate_new_from_pem
g_tls_certificate_new_from_file
g_tls_certificate_new_from_files
If more than one certificate is found it will try to load the chain.
It is assumed that the chain will be in the right order (top-level
certificate will be the last one in the file). If the chain cannot be
verified, the first certificate in the file will be returned as before.
https://bugzilla.gnome.org/show_bug.cgi?id=729739
g_tls_certificate_list_new_from_file() was supposed to ignore non-PEM
content, but it accidentally required that there not be anything after
the last certificate. Fix that.
https://bugzilla.gnome.org/show_bug.cgi?id=727692
* In order to add contstruct properties to an abstract base
calls, and retain ABI stability, the base class must add a
default implementation of those properties.
* We cannot add a default implementation of certificate-bytes
or private-key-bytes since certificate and private-key properties
are writable on construct-only.
This reverts commit 541c985869.
https://bugzilla.gnome.org/show_bug.cgi?id=682081
* A certificate sorta acts as a public key, but more specifically
it contains a public key (in its subjectPublicKeyInfo) field.
* Documentation was confusing and could have read like the
certificate and certificate-pem properties were returning the
public key part of the certificate.
https://bugzilla.gnome.org/show_bug.cgi?id=681158
PKCS#8 is the "right" way to encode private keys. Although the APIs do
not currently support encrypted keys, we should at least support
unencrypted PKCS#8 keys.
https://bugzilla.gnome.org/show_bug.cgi?id=664321
g_tls_certificate_list_new_from_file() was leaking the file contents,
and GSource was leaking the GSourcePrivate structure that got
created when using child sources.
Add a method to verify a certificate against a CA; this can be used
for apps that need to test against non-default CAs.
Also make the GTlsCertificate::issuer property virtual
This adds an extension point for TLS connections to gio, with a
gnutls-based implementation in glib-networking.
Full TLS support is still a work in progress; the current API is
missing some features, and parts of it may still be changed before
2.28.
https://bugzilla.gnome.org/show_bug.cgi?id=588189