[glib/tls-database: 46/47] Change GTlsClientConnection::accepted-cas to contain DER DNs



commit 2a6fec67ac309295fc2e9cd84b7a09bba223c452
Author: Stef Walter <stefw collabora co uk>
Date:   Fri Dec 24 10:50:14 2010 -0600

    Change GTlsClientConnection::accepted-cas to contain DER DNs
    
    This property is now a GPtrArray of GByteArray values. Each
    GByteArray contains the raw DER DN of the certificate authority.
    This is far more useful for looking up a certificate (with the
    relevant issuer) than a string encoded DN.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=637262

 gio/gtlsclientconnection.c |   16 +++++++++++-----
 gio/gtlsclientconnection.h |    2 +-
 gio/tests/socket-client.c  |   35 +++++++++++++++++++++++++++++++++--
 3 files changed, 45 insertions(+), 8 deletions(-)
---
diff --git a/gio/gtlsclientconnection.c b/gio/gtlsclientconnection.c
index 92cd9f5..e5982d0 100644
--- a/gio/gtlsclientconnection.c
+++ b/gio/gtlsclientconnection.c
@@ -133,13 +133,16 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
    * server requests a client certificate during the handshake, then
    * this property will be set after the handshake completes.
    *
+   * Each item in the array is a #GByteArray which contains the complete
+   * subject DN of the certificate authority.
+   *
    * Since: 2.28
    */
   g_object_interface_install_property (iface,
 				       g_param_spec_boxed ("accepted-cas",
 							   P_("Accepted CAs"),
 							   P_("Distinguished names of the CAs the server accepts certificates from"),
-							   G_TYPE_STRV,
+							   G_TYPE_PTR_ARRAY,
 							   G_PARAM_READABLE |
 							   G_PARAM_STATIC_STRINGS));
 }
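Review bot: The added property documentation says each #GByteArray holds the "complete subject DN" but never names the encoding, while the commit message states it is the raw DER encoding; an API reader needs that to know the bytes are not a NUL-terminated string. Suggest `* Each item in the array is a #GByteArray which contains the complete DER-encoded subject DN of the certificate authority.` here, and the same wording in the matching paragraph added to g_tls_client_connection_get_accepted_cas() in the next hunk. The enclosing g_tls_client_connection_default_init() starts before this hunk.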
@@ -316,15 +319,18 @@ g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
  * during the TLS handshake if the server requests a certificate.
  * Otherwise, it will be %NULL.
  *
- * Return value: (transfer full) (array zero-terminated=1): the list
- * of CA names, which you must free (eg, with g_strfreev()).
+ * Each item in the array is a #GByteArray which contains the complete
+ * subject DN of the certificate authority.
+ *
+ * Return value: (transfer full): the list
+ * of CA DNs, which you must unref with g_ptr_array_unref().
  *
  * Since: 2.28
  */
-char **
+GPtrArray *
 g_tls_client_connection_get_accepted_cas (GTlsClientConnection *conn)
 {
-  char **accepted_cas = NULL;
+  GPtrArray *accepted_cas = NULL;
 
   g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), NULL);
 
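Review bot: The new `Return value: (transfer full): the list` line drops the old `(array zero-terminated=1)` annotation without saying what the GPtrArray holds, so introspection bindings cannot recover the element type; suggest `* Return value: (transfer full) (element-type GByteArray): the list`. The body of g_tls_client_connection_get_accepted_cas() continues past the end of this hunk, so the property retrieval itself is not visible here.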
diff --git a/gio/gtlsclientconnection.h b/gio/gtlsclientconnection.h
index 2aaaa97..116bd56 100644
--- a/gio/gtlsclientconnection.h
+++ b/gio/gtlsclientconnection.h
@@ -65,7 +65,7 @@ void                  g_tls_client_connection_set_server_identity  (GTlsClientCo
 gboolean              g_tls_client_connection_get_use_ssl3         (GTlsClientConnection    *conn);
 void                  g_tls_client_connection_set_use_ssl3         (GTlsClientConnection    *conn,
 								    gboolean                 use_ssl3);
-char **               g_tls_client_connection_get_accepted_cas     (GTlsClientConnection    *conn);
+GPtrArray *           g_tls_client_connection_get_accepted_cas     (GTlsClientConnection    *conn);
 
 G_END_DECLS
 
diff --git a/gio/tests/socket-client.c b/gio/tests/socket-client.c
index 6068034..0dff6e5 100644
--- a/gio/tests/socket-client.c
+++ b/gio/tests/socket-client.c
@@ -76,6 +76,9 @@ main (int argc,
   GIOStream *connection;
   GInputStream *istream;
   GOutputStream *ostream;
+  GPtrArray *accepted_cas;
+  GByteArray *dn;
+  gint i;
 
   g_thread_init (NULL);
 
@@ -219,8 +222,36 @@ main (int argc,
       if (!g_tls_connection_handshake (G_TLS_CONNECTION (tls_conn),
 				       cancellable, &error))
 	{
-	  g_printerr ("Error during TLS handshake: %s\n",
-		      error->message);
+          if (g_error_matches (error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED))
+            {
+              accepted_cas = g_tls_client_connection_get_accepted_cas (G_TLS_CLIENT_CONNECTION (tls_conn));
+              if (!accepted_cas)
+                {
+                  g_printerr ("Client certificate is required\n");
+                }
+              else
+                {
+                  g_printerr ("Client certificate is required from one of %d authorities\n",
+                              accepted_cas->len);
+                  for (i = 0; i < accepted_cas->len; ++i)
+                    {
+                      dn = g_ptr_array_index (accepted_cas, i);
+                      /*
+                       * A DER encoded SEQUENCE (including DNs) coincidentally start
+                       * with the character '0'
+                       */
+                      g_printerr ("  Authority has %sDER DN of length: %d\n",
+                                  dn->data[0] == '0' ? "" : "invalid ",
+                                  dn->len);
+                    }
+                  g_ptr_array_unref (accepted_cas);
+                }
+            }
+          else
+            {
+              g_printerr ("Error during TLS handshake: %s\n",
+                          error->message);
+            }
 	  return 1;
 	}
 
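Review bot: `dn->data[0]` on the new lines is read without checking `dn->len`, so an empty GByteArray in the list is an out-of-bounds read; guard on the length and compare against the DER SEQUENCE tag value rather than the coincidental ASCII character, e.g. `(dn->len > 0 && dn->data[0] == 0x30) ? "" : "invalid "`, with the comment reworded to say the tag byte of a DER SEQUENCE is 0x30. The two `%d` specifiers are passed `guint` values (`accepted_cas->len`, `dn->len`) and should be `%u`, and `i` is declared `gint` in the earlier hunk of this file while it is compared with `accepted_cas->len`, so `guint i` avoids the sign-compare mismatch. main() starts and ends outside this hunk.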


