[glib-networking/mcatanzaro/pkcs11-revert: 1/2] Revert PKCS#11 support
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/pkcs11-revert: 1/2] Revert PKCS#11 support
- Date: Fri, 31 Jan 2020 14:52:26 +0000 (UTC)
commit d90b93a84b725c5da4886a204a59d456b4a1222c
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Fri Jan 31 08:32:58 2020 -0600
Revert PKCS#11 support
This reverts commit be1d64042226b73653be6aad033cf88c3b96aa58 and related
PKCS#11 commits.
There are three problems: (a) The glib-networking implementation normally
works, but the test has been broken for a long time. I'm not comfortable
with adding a major new feature without a working test. This is
glib-networking#104. (b) The WebKit implementation never landed. There
is a working patch, but it hasn't been accepted upstream yet. This API
isn't needed in GLib until WebKit is ready to start using it.
https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if
the WebKit API was ready, that itself isn't useful until an application
is ready to start using it, and the Epiphany level work never happened.
See #104
tls/gnutls/gtlscertificate-gnutls.c | 130 +-
tls/gnutls/gtlscertificate-gnutls.h | 1 -
tls/gnutls/gtlsconnection-gnutls.c | 82 +-
tls/gnutls/gtlsserverconnection-gnutls.c | 4 +-
tls/tests/certificate.c | 39 -
tls/tests/connection.c | 142 --
tls/tests/meson.build | 26 +-
tls/tests/mock-pkcs11.c | 3051 ------------------------------
tls/tests/pkcs11/pkcs11.h | 252 ---
tls/tests/pkcs11/pkcs11f.h | 812 --------
tls/tests/pkcs11/pkcs11p.h | 24 -
tls/tests/pkcs11/pkcs11t.h | 1799 ------------------
tls/tests/pkcs11/pkcs11u.h | 22 -
13 files changed, 49 insertions(+), 6335 deletions(-)
---
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c
index 9d81cce..c6a79fd 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -39,9 +39,7 @@ enum
PROP_CERTIFICATE_PEM,
PROP_PRIVATE_KEY,
PROP_PRIVATE_KEY_PEM,
- PROP_ISSUER,
- PROP_PKCS11_URI,
- PROP_PRIVATE_KEY_PKCS11_URI,
+ PROP_ISSUER
};
struct _GTlsCertificateGnutls
@@ -49,10 +47,7 @@ struct _GTlsCertificateGnutls
GTlsCertificate parent_instance;
gnutls_x509_crt_t cert;
- gnutls_privkey_t key;
-
- gchar *pkcs11_uri;
- gchar *private_key_pkcs11_uri;
+ gnutls_x509_privkey_t key;
GTlsCertificateGnutls *issuer;
@@ -74,10 +69,7 @@ g_tls_certificate_gnutls_finalize (GObject *object)
GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
g_clear_pointer (&gnutls->cert, gnutls_x509_crt_deinit);
- g_clear_pointer (&gnutls->key, gnutls_privkey_deinit);
-
- g_clear_pointer (&gnutls->pkcs11_uri, g_free);
- g_clear_pointer (&gnutls->private_key_pkcs11_uri, g_free);
+ g_clear_pointer (&gnutls->key, gnutls_x509_privkey_deinit);
g_clear_object (&gnutls->issuer);
@@ -149,14 +141,6 @@ g_tls_certificate_gnutls_get_property (GObject *object,
g_value_set_object (value, gnutls->issuer);
break;
- case PROP_PKCS11_URI:
- g_value_set_string (value, gnutls->pkcs11_uri);
- break;
-
- case PROP_PRIVATE_KEY_PKCS11_URI:
- g_value_set_string (value, gnutls->private_key_pkcs11_uri);
- break;
-
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
}
@@ -225,10 +209,18 @@ g_tls_certificate_gnutls_set_property (GObject *object,
data.data = bytes->data;
data.size = bytes->len;
if (!gnutls->key)
- gnutls_privkey_init (&gnutls->key);
- status = gnutls_privkey_import_x509_raw (gnutls->key, &data,
- GNUTLS_X509_FMT_DER,
- NULL, GNUTLS_PKCS_PLAIN);
+ gnutls_x509_privkey_init (&gnutls->key);
+ status = gnutls_x509_privkey_import (gnutls->key, &data,
+ GNUTLS_X509_FMT_DER);
+ if (status != 0)
+ {
+ int pkcs8_status =
+ gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
+ GNUTLS_X509_FMT_DER, NULL,
+ GNUTLS_PKCS_PLAIN);
+ if (pkcs8_status == 0)
+ status = 0;
+ }
if (status == 0)
gnutls->have_key = TRUE;
else if (!gnutls->construct_error)
@@ -248,10 +240,18 @@ g_tls_certificate_gnutls_set_property (GObject *object,
data.data = (void *)string;
data.size = strlen (string);
if (!gnutls->key)
- gnutls_privkey_init (&gnutls->key);
- status = gnutls_privkey_import_x509_raw (gnutls->key, &data,
- GNUTLS_X509_FMT_PEM,
- NULL, GNUTLS_PKCS_PLAIN);
+ gnutls_x509_privkey_init (&gnutls->key);
+ status = gnutls_x509_privkey_import (gnutls->key, &data,
+ GNUTLS_X509_FMT_PEM);
+ if (status != 0)
+ {
+ int pkcs8_status =
+ gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
+ GNUTLS_X509_FMT_PEM, NULL,
+ GNUTLS_PKCS_PLAIN);
+ if (pkcs8_status == 0)
+ status = 0;
+ }
if (status == 0)
gnutls->have_key = TRUE;
else if (!gnutls->construct_error)
@@ -267,39 +267,6 @@ g_tls_certificate_gnutls_set_property (GObject *object,
gnutls->issuer = g_value_dup_object (value);
break;
- case PROP_PKCS11_URI:
- string = g_value_get_string (value);
- if (!string)
- break;
- g_return_if_fail (gnutls->have_cert == FALSE);
- g_return_if_fail (!gnutls->pkcs11_uri);
-
- gnutls->pkcs11_uri = g_strdup (string);
-
- status = gnutls_x509_crt_import_url (gnutls->cert, string, GNUTLS_PKCS11_OBJ_FLAG_CRT);
- if (status == GNUTLS_E_SUCCESS)
- {
- gnutls->have_cert = TRUE;
- }
- else if (!gnutls->construct_error)
- {
- gnutls->construct_error =
- g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("Could not import PKCS #11 certificate URI: %s"),
- gnutls_strerror (status));
- }
- break;
-
- case PROP_PRIVATE_KEY_PKCS11_URI:
- string = g_value_get_string (value);
- if (!string)
- break;
- g_return_if_fail (gnutls->have_key == FALSE);
- g_return_if_fail (!gnutls->private_key_pkcs11_uri);
-
- gnutls->private_key_pkcs11_uri = g_strdup (string);
- break;
-
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
}
@@ -409,8 +376,6 @@ g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
- g_object_class_override_property (gobject_class, PROP_PKCS11_URI, "pkcs11-uri");
- g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI, "private-key-pkcs11-uri");
}
static void
@@ -451,12 +416,6 @@ g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
return gnutls->cert;
}
-gboolean
-g_tls_certificate_gnutls_is_pkcs11_backed (GTlsCertificateGnutls *gnutls)
-{
- return gnutls->pkcs11_uri != NULL;
-}
-
gboolean
g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
{
@@ -513,28 +472,23 @@ g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
chain = chain->issuer;
}
- if (gnutls->key)
- {
- gnutls_x509_privkey_t x509_privkey;
+ if (gnutls->key)
+ {
+ gnutls_x509_privkey_t x509_privkey;
+ gnutls_privkey_t privkey;
- gnutls_privkey_export_x509 (gnutls->key, &x509_privkey);
- gnutls_privkey_import_x509 (*pkey, x509_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
- gnutls_x509_privkey_deinit (x509_privkey);
- }
- else if (gnutls->private_key_pkcs11_uri || gnutls->pkcs11_uri)
- {
- int status;
+ gnutls_x509_privkey_init (&x509_privkey);
+ gnutls_x509_privkey_cpy (x509_privkey, gnutls->key);
- status = gnutls_privkey_import_pkcs11_url (*pkey,
- gnutls->private_key_pkcs11_uri ?
gnutls->private_key_pkcs11_uri : gnutls->pkcs11_uri);
- if (status != GNUTLS_E_SUCCESS)
- g_warning ("Failed to copy PKCS #11 private key: %s", gnutls_strerror (status));
- }
- else
- {
- gnutls_privkey_deinit (*pkey);
- *pkey = NULL;
- }
+ gnutls_privkey_init (&privkey);
+ gnutls_privkey_import_x509 (privkey, x509_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
+ *pkey = privkey;
+ gnutls_x509_privkey_deinit (x509_privkey);
+ }
+ else
+ {
+ *pkey = NULL;
+ }
}
void
diff --git a/tls/gnutls/gtlscertificate-gnutls.h b/tls/gnutls/gtlscertificate-gnutls.h
index 838f7db..74ad7f7 100644
--- a/tls/gnutls/gtlscertificate-gnutls.h
+++ b/tls/gnutls/gtlscertificate-gnutls.h
@@ -44,7 +44,6 @@ void g_tls_certificate_gnutls_set_data (GTlsCerti
const gnutls_x509_crt_t g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls);
gboolean g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls);
-gboolean g_tls_certificate_gnutls_is_pkcs11_backed (GTlsCertificateGnutls *gnutls);
void g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
const gchar
*interaction_id,
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index 39cc7c5..e8e399c 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -74,7 +74,6 @@ typedef struct
gnutls_certificate_credentials_t creds;
gnutls_session_t session;
gchar *interaction_id;
- GCancellable *cancellable;
} GTlsConnectionGnutlsPrivate;
G_DEFINE_ABSTRACT_TYPE_WITH_CODE (GTlsConnectionGnutls, g_tls_connection_gnutls, G_TYPE_TLS_CONNECTION_BASE,
@@ -93,8 +92,6 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
unique_id = g_atomic_int_add (&unique_interaction_id, 1);
priv->interaction_id = g_strdup_printf ("gtls:%d", unique_id);
-
- priv->cancellable = g_cancellable_new ();
}
static void
@@ -200,12 +197,6 @@ g_tls_connection_gnutls_finalize (GObject *object)
if (priv->creds)
gnutls_certificate_free_credentials (priv->creds);
- if (priv->cancellable)
- {
- g_cancellable_cancel (priv->cancellable);
- g_clear_object (&priv->cancellable);
- }
-
g_free (priv->interaction_id);
G_OBJECT_CLASS (g_tls_connection_gnutls_parent_class)->finalize (object);
@@ -227,71 +218,6 @@ g_tls_connection_gnutls_get_session (GTlsConnectionGnutls *gnutls)
return priv->session;
}
-static int
-on_pin_request (void *userdata,
- int attempt,
- const char *token_url,
- const char *token_label,
- unsigned int callback_flags,
- char *pin,
- size_t pin_max)
-{
- GTlsConnection *connection = G_TLS_CONNECTION (userdata);
- GTlsConnectionGnutlsPrivate *priv = g_tls_connection_gnutls_get_instance_private (G_TLS_CONNECTION_GNUTLS
(connection));
- GTlsInteraction *interaction = g_tls_connection_get_interaction (connection);
- GTlsInteractionResult result;
- GTlsPassword *password;
- GTlsPasswordFlags password_flags = 0;
- GError *error = NULL;
- gchar *description;
- int ret = -1;
-
- if (!interaction)
- return -1;
-
- if (callback_flags & GNUTLS_PIN_WRONG)
- password_flags |= G_TLS_PASSWORD_RETRY;
- if (callback_flags & GNUTLS_PIN_COUNT_LOW)
- password_flags |= G_TLS_PASSWORD_MANY_TRIES;
- if (callback_flags & GNUTLS_PIN_FINAL_TRY || attempt > 5) /* Give up at some point */
- password_flags |= G_TLS_PASSWORD_FINAL_TRY;
-
- description = g_strdup_printf (" %s (%s)", token_label, token_url);
- password = g_tls_password_new (password_flags, description);
- result = g_tls_interaction_invoke_ask_password (interaction, password,
- priv->cancellable,
- &error);
- g_free (description);
-
- switch (result)
- {
- case G_TLS_INTERACTION_FAILED:
- if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
- g_warning ("Error getting PIN: %s", error->message);
- g_error_free (error);
- break;
- case G_TLS_INTERACTION_UNHANDLED:
- break;
- case G_TLS_INTERACTION_HANDLED:
- {
- gsize password_size;
- const guchar *password_data = g_tls_password_get_value (password, &password_size);
- if (password_size > pin_max)
- g_warning ("PIN is larger than max PIN size");
-
- memcpy (pin, password_data, MIN (password_size, pin_max));
- ret = GNUTLS_E_SUCCESS;
- break;
- }
- default:
- g_assert_not_reached ();
- }
-
- g_object_unref (password);
-
- return ret;
-}
-
void
g_tls_connection_gnutls_handshake_thread_get_certificate (GTlsConnectionGnutls *gnutls,
gnutls_pcert_st **pcert,
@@ -305,15 +231,9 @@ g_tls_connection_gnutls_handshake_thread_get_certificate (GTlsConnectionGnutls
if (cert)
{
- /* Send along a pre-initialized privkey so we can handle the callback here. */
- gnutls_privkey_t privkey;
- gnutls_privkey_init (&privkey);
- gnutls_privkey_set_pin_function (privkey, on_pin_request, gnutls);
-
g_tls_certificate_gnutls_copy (G_TLS_CERTIFICATE_GNUTLS (cert),
priv->interaction_id,
- pcert, pcert_length, &privkey);
- *pkey = privkey;
+ pcert, pcert_length, pkey);
}
else
{
diff --git a/tls/gnutls/gtlsserverconnection-gnutls.c b/tls/gnutls/gtlsserverconnection-gnutls.c
index 090b57d..18a97da 100644
--- a/tls/gnutls/gtlsserverconnection-gnutls.c
+++ b/tls/gnutls/gtlsserverconnection-gnutls.c
@@ -115,10 +115,8 @@ g_tls_server_connection_gnutls_initable_init (GInitable *initable,
creds = g_tls_connection_gnutls_get_credentials (G_TLS_CONNECTION_GNUTLS (gnutls));
gnutls_certificate_set_retrieve_function2 (creds,
g_tls_server_connection_gnutls_handshake_thread_retrieve_function);
- /* Currently we don't know ahead of time if a PKCS #11 backed certificate has a private key. */
cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
- if (cert && !g_tls_certificate_gnutls_has_key (G_TLS_CERTIFICATE_GNUTLS (cert)) &&
- !g_tls_certificate_gnutls_is_pkcs11_backed (G_TLS_CERTIFICATE_GNUTLS (cert)))
+ if (cert && !g_tls_certificate_gnutls_has_key (G_TLS_CERTIFICATE_GNUTLS (cert)))
{
g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
_("Certificate has no private key"));
diff --git a/tls/tests/certificate.c b/tls/tests/certificate.c
index 8e69ac1..81e2ebb 100644
--- a/tls/tests/certificate.c
+++ b/tls/tests/certificate.c
@@ -26,11 +26,6 @@
#include <gio/gio.h>
-#ifdef BACKEND_IS_GNUTLS
-#include <gnutls/gnutls.h>
-#include <gnutls/pkcs11.h>
-#endif
-
#include <sys/types.h>
#include <string.h>
@@ -248,25 +243,6 @@ test_create_certificate_with_garbage_input (TestCertificate *test,
g_clear_error (&error);
}
-static void
-test_create_certificate_pkcs11 (TestCertificate *test,
- gconstpointer data)
-{
-#ifndef BACKEND_IS_GNUTLS
- g_test_skip ("This backend does not support PKCS #11");
-#else
- GTlsCertificate *cert;
- GError *error = NULL;
-
- cert = g_initable_new (test->cert_gtype, NULL, &error,
- "pkcs11-uri",
"pkcs11:model=mock;token=Mock%20Certificate;object=Mock%20Certificate",
- NULL);
-
- g_assert_no_error (error);
- g_assert_nonnull (cert);
-#endif
-}
-
static void
test_create_certificate_chain (void)
{
@@ -580,25 +556,12 @@ int
main (int argc,
char *argv[])
{
-#ifdef BACKEND_IS_GNUTLS
- char *module_path;
-#endif
-
g_test_init (&argc, &argv, NULL);
g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
g_setenv ("GIO_USE_TLS", BACKEND, TRUE);
g_assert (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend" BACKEND) ==
0);
-#ifdef BACKEND_IS_GNUTLS
- module_path = g_test_build_filename (G_TEST_BUILT, "mock-pkcs11.so", NULL);
- g_assert_true (g_file_test (module_path, G_FILE_TEST_EXISTS));
-
- g_assert (gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL) == GNUTLS_E_SUCCESS);
- g_assert (gnutls_pkcs11_add_provider (module_path, NULL) == GNUTLS_E_SUCCESS);
- g_free (module_path);
-#endif
-
g_test_add ("/tls/" BACKEND "/certificate/create-pem", TestCertificate, NULL,
setup_certificate, test_create_pem, teardown_certificate);
g_test_add ("/tls/" BACKEND "/certificate/create-der", TestCertificate, NULL,
@@ -611,8 +574,6 @@ main (int argc,
setup_certificate, test_create_certificate_with_issuer, teardown_certificate);
g_test_add ("/tls/" BACKEND "/certificate/create-with-garbage-input", TestCertificate, NULL,
setup_certificate, test_create_certificate_with_garbage_input, teardown_certificate);
- g_test_add ("/tls/" BACKEND "/certificate/pkcs11", TestCertificate, NULL,
- setup_certificate, test_create_certificate_pkcs11, teardown_certificate);
g_test_add_func ("/tls/" BACKEND "/certificate/create-chain", test_create_certificate_chain);
g_test_add_func ("/tls/" BACKEND "/certificate/create-no-chain", test_create_certificate_no_chain);
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index ed62c49..21a150a 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -35,7 +35,6 @@
#ifdef BACKEND_IS_GNUTLS
#include <gnutls/gnutls.h>
-#include <gnutls/pkcs11.h>
#else
#include "openssl-include.h"
#endif
@@ -1065,110 +1064,6 @@ test_client_auth_connection (TestConnection *test,
g_assert_true (g_tls_certificate_is_same (peer, cert));
}
-/* https://gitlab.gnome.org/GNOME/glib-networking/issues/104 */
-#if 0
-static void
-test_client_auth_pkcs11_connection (TestConnection *test,
- gconstpointer data)
-{
-#ifndef BACKEND_IS_GNUTLS
- g_test_skip ("This backend does not support PKCS #11");
-#else
- GIOStream *connection;
- GError *error = NULL;
- GTlsCertificate *cert;
- GTlsCertificate *peer;
- gboolean cas_changed;
- GSocketClient *client;
- GTlsInteraction *interaction;
-
- test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
- g_assert_no_error (error);
- g_assert_nonnull (test->database);
-
- interaction = mock_interaction_new_static_password ("ABC123");
-
- connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED);
- test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
- g_assert_no_error (error);
- g_assert_nonnull (test->client_connection);
- g_object_unref (connection);
-
- g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction);
- g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
-
- cert = g_tls_certificate_new_from_pkcs11_uris
("pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%43%65%72%74%69%66%69%63%61%74%65;object=Mock%20Certificate;type=cert",
-
"pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%50%72%69%76%61%74%65%20%4B%65%79;object=Mock%20Private%20Key;type=private",
- &error);
- g_assert_no_error (error);
-
- g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert);
-
- /* All validation in this test */
- g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
- G_TLS_CERTIFICATE_VALIDATE_ALL);
-
- cas_changed = FALSE;
- g_signal_connect (test->client_connection, "notify::accepted-cas",
- G_CALLBACK (on_notify_accepted_cas), &cas_changed);
-
- read_test_data_async (test);
- g_main_loop_run (test->loop);
- wait_until_server_finished (test);
-
- g_assert_no_error (test->read_error);
- g_assert_no_error (test->server_error);
-
- peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
- g_assert_nonnull (peer);
- g_assert_true (g_tls_certificate_is_same (peer, cert));
- g_assert_true (cas_changed);
-
- g_object_unref (cert);
- g_object_unref (test->client_connection);
- g_clear_object (&test->server_connection);
-
- /* Now start a new connection to the same server with a different client cert.
- * Also test using a single URI matching both the cert and private key.
- */
- client = g_socket_client_new ();
- connection = G_IO_STREAM (g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address),
- NULL, &error));
- g_assert_no_error (error);
- g_object_unref (client);
- test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
- g_assert_no_error (error);
- g_assert_nonnull (test->client_connection);
- g_object_unref (connection);
-
- g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction);
- g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
- 0);
- cert = g_tls_certificate_new_from_pkcs11_uris
("pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%50%72%69%76%61%74%65%20%4B%65%79%20%32",
- NULL,
- &error);
- g_assert_no_error (error);
- g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert);
- g_object_unref (cert);
- g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
-
- read_test_data_async (test);
- g_main_loop_run (test->loop);
- wait_until_server_finished (test);
-
- g_assert_no_error (test->read_error);
- g_assert_no_error (test->server_error);
-
- /* peer should see the second client cert */
- peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
- g_assert_nonnull (peer);
- g_assert_true (g_tls_certificate_is_same (peer, cert));
-
- g_object_unref (interaction);
-#endif
-}
-#endif
-
static void
test_client_auth_rehandshake (TestConnection *test,
gconstpointer data)
@@ -2550,10 +2445,6 @@ main (int argc,
char *argv[])
{
int ret;
-#ifdef BACKEND_IS_GNUTLS
- char *module_path;
- const char *spy_path;
-#endif
g_test_init (&argc, &argv, NULL);
g_test_bug_base ("http://bugzilla.gnome.org/");
@@ -2563,34 +2454,6 @@ main (int argc,
g_assert_true (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend"
BACKEND) == 0);
-#ifdef BACKEND_IS_GNUTLS
- module_path = g_test_build_filename (G_TEST_BUILT, "mock-pkcs11.so", NULL);
- g_assert_true (g_file_test (module_path, G_FILE_TEST_EXISTS));
-
- /* This just adds extra logging which is useful for debugging */
- spy_path = g_getenv ("PKCS11SPY_PATH");
- if (!spy_path)
- {
- spy_path = "/usr/lib64/pkcs11-spy.so"; /* Fedora's path */
- if (!g_file_test (spy_path, G_FILE_TEST_EXISTS))
- spy_path = "/usr/lib/x86_64-linux-gnu/pkcs11-spy.so"; /* Debian/Ubuntu's path */
- }
-
- if (g_file_test (spy_path, G_FILE_TEST_EXISTS))
- {
- g_debug ("Using PKCS #11 Spy");
- g_setenv ("PKCS11SPY", module_path, TRUE);
- g_free (module_path);
- module_path = g_strdup (spy_path);
- }
-
- ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
- g_assert_cmpint (ret, ==, GNUTLS_E_SUCCESS);
- ret = gnutls_pkcs11_add_provider (module_path, NULL);
- g_assert_cmpint (ret, ==, GNUTLS_E_SUCCESS);
- g_free (module_path);
-#endif
-
g_test_add ("/tls/" BACKEND "/connection/basic", TestConnection, NULL,
setup_connection, test_basic_connection, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/verified", TestConnection, NULL,
@@ -2621,11 +2484,6 @@ main (int argc,
setup_connection, test_client_auth_request_fail, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/client-auth-request-none", TestConnection, NULL,
setup_connection, test_client_auth_request_none, teardown_connection);
- /* https://gitlab.gnome.org/GNOME/glib-networking/issues/104 */
-#if 0
- g_test_add ("/tls/" BACKEND "/connection/client-auth-pkcs11", TestConnection, NULL,
- setup_connection, test_client_auth_pkcs11_connection, teardown_connection);
-#endif
g_test_add ("/tls/" BACKEND "/connection/no-database", TestConnection, NULL,
setup_connection, test_connection_no_database, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/failed", TestConnection, NULL,
diff --git a/tls/tests/meson.build b/tls/tests/meson.build
index 2920796..8d8bb71 100644
--- a/tls/tests/meson.build
+++ b/tls/tests/meson.build
@@ -21,32 +21,16 @@ envs = [
'G_TEST_BUILDDIR=' + meson.current_build_dir(),
]
-if backends.contains('gnutls')
- mock_pkcs11_module = shared_module('mock-pkcs11',
- sources: 'mock-pkcs11.c',
- name_prefix: '',
- gnu_symbol_visibility: 'hidden',
- dependencies: [
- gio_dep,
- gnutls_dep,
- ],
- install: enable_installed_tests,
- install_dir: installed_tests_execdir
- )
-else
- mock_pkcs11_module = []
-endif
-
if enable_installed_tests
install_subdir('files', install_dir: installed_tests_execdir)
endif
test_programs = [
- ['certificate', [], deps, [], [mock_pkcs11_module]],
- ['file-database', [], deps, [], []],
- ['connection', ['mock-interaction.c'], deps, [], [mock_pkcs11_module]],
+ ['certificate', [], deps, []],
+ ['file-database', [], deps, []],
+ ['connection', ['mock-interaction.c'], deps, []],
# DTLS tests are disabled until we fix https://gitlab.gnome.org/GNOME/glib-networking/issues/49
-# ['dtls-connection', ['mock-interaction.c'], deps, [], [mock_pkcs11_module]],
+# ['dtls-connection', ['mock-interaction.c'], deps, []],
]
foreach backend: backends
@@ -96,7 +80,7 @@ foreach backend: backends
'G_TEST_BUILDDIR=@0@'.format(meson.current_build_dir())
]
- test(program_name, exe, env: test_envs, depends: program[4])
+ test(program_name, exe, env: test_envs)
if backend == 'gnutls' and program[0] == 'connection' or program[0] == 'dtls-connection'
# Run the tests again, this time with TLS 1.3 disabled so we can test TLS 1.2.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]