[glib/pgriffis/gtlscertificate-password] gtlscertificate: Add ability to load PKCS #12 encrypted files This depends on the GTlsBackend implem
- From: Patrick Griffis <pgriffis src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/pgriffis/gtlscertificate-password] gtlscertificate: Add ability to load PKCS #12 encrypted files This depends on the GTlsBackend implem
- Date: Sat, 4 Sep 2021 00:14:24 +0000 (UTC)
commit 87e61f17e55467f492ae1777484ce605334f2f10
Author: Patrick Griffis <pgriffis igalia com>
Date: Fri Sep 3 19:13:21 2021 -0500
gtlscertificate: Add ability to load PKCS #12 encrypted files
This depends on the GTlsBackend implementing these properties
gio/gioenums.h | 5 +-
gio/gtlscertificate.c | 183 +++++++++++++++++++++++++++++++++++++++-----
gio/gtlscertificate.h | 10 ++-
gio/tests/tls-certificate.c | 17 ++++
4 files changed, 195 insertions(+), 20 deletions(-)
---
diff --git a/gio/gioenums.h b/gio/gioenums.h
index d81ada416..c7e5ab83a 100644
--- a/gio/gioenums.h
+++ b/gio/gioenums.h
@@ -1548,6 +1548,8 @@ typedef enum
* @G_TLS_ERROR_INAPPROPRIATE_FALLBACK: The TLS handshake failed
* because the client sent the fallback SCSV, indicating a protocol
* downgrade attack. Since: 2.60
+ * @G_TLS_ERROR_BAD_CERTIFICATE_PASSWORD: The certificate failed
+ * to load because a password was incorrect. Since: 2.72
*
* An error code used with %G_TLS_ERROR in a #GError returned from a
* TLS-related routine.
@@ -1562,7 +1564,8 @@ typedef enum {
G_TLS_ERROR_HANDSHAKE,
G_TLS_ERROR_CERTIFICATE_REQUIRED,
G_TLS_ERROR_EOF,
- G_TLS_ERROR_INAPPROPRIATE_FALLBACK
+ G_TLS_ERROR_INAPPROPRIATE_FALLBACK,
+ G_TLS_ERROR_BAD_CERTIFICATE_PASSWORD
} GTlsError;
/**
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index 2c238120c..62816bdc3 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -69,6 +69,8 @@ enum
PROP_ISSUER_NAME,
PROP_DNS_NAMES,
PROP_IP_ADDRESSES,
+ PROP_PKCS12_DATA,
+ PROP_PASSWORD,
};
static void
@@ -84,13 +86,16 @@ g_tls_certificate_get_property (GObject *object,
{
switch (prop_id)
{
+ /* Subclasses must override these properties but this allows older backends to not fatally error */
case PROP_PRIVATE_KEY:
case PROP_PRIVATE_KEY_PEM:
case PROP_PKCS11_URI:
case PROP_PRIVATE_KEY_PKCS11_URI:
- /* Subclasses must override this property but this allows older backends to not fatally error */
g_value_set_static_string (value, NULL);
break;
+ case PROP_PKCS12_DATA:
+ g_value_set_boxed (value, NULL);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
}
@@ -104,6 +109,8 @@ g_tls_certificate_set_property (GObject *object,
{
switch (prop_id)
{
+ case PROP_PKCS12_DATA:
+ case PROP_PASSWORD:
case PROP_PKCS11_URI:
case PROP_PRIVATE_KEY_PKCS11_URI:
/* Subclasses must override this property but this allows older backends to not fatally error */
@@ -121,6 +128,40 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
gobject_class->set_property = g_tls_certificate_set_property;
gobject_class->get_property = g_tls_certificate_get_property;
+ /**
+ * GTlsCertificate:pkcs12-data:
+ *
+ * The PKCS #12 formatted data used to construct the object.
+ * It will be %NULL if the certificate was not constructed
+ * with this property.
+ *
+ * See also: g_tls_certificate_new_from_pkcs12()
+ *
+ * Since: 2.72
+ */
+ g_object_class_install_property (gobject_class, PROP_PKCS12_DATA,
+ g_param_spec_boxed ("pkcs12-data",
+ P_("PKCS #12 data"),
+ P_("The PKCS #12 data used for construction"),
+ G_TYPE_BYTE_ARRAY,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_STRINGS));
+ /**
+ * GTlsCertificate:password:
+ *
+ * An optional password used when constructed with GTlsCertificate:pkcs12-data.
+ *
+ * Since: 2.72
+ */
+ g_object_class_install_property (gobject_class, PROP_PASSWORD,
+ g_param_spec_string ("password",
+ P_("Password"),
+ P_("Password used when constructing from bytes"),
+ NULL,
+ G_PARAM_WRITABLE |
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_STRINGS));
/**
* GTlsCertificate:certificate:
*
@@ -684,44 +725,150 @@ g_tls_certificate_new_from_pem (const gchar *data,
}
/**
- * g_tls_certificate_new_from_file:
- * @file: (type filename): file containing a PEM-encoded certificate to import
+ * g_tls_certificate_new_from_pkcs12:
+ * @data: DER-encoded PKCS #12 format certificate data
+ * @length: the length of @data
+ * @password: (nullable): optional password for encrypted certificate data
* @error: #GError for error reporting, or %NULL to ignore.
*
- * Creates a #GTlsCertificate from the PEM-encoded data in @file. The
- * returned certificate will be the first certificate found in @file. As
- * of GLib 2.44, if @file contains more certificates it will try to load
- * a certificate chain. All certificates will be verified in the order
- * found (top-level certificate should be the last one in the file) and
- * the #GTlsCertificate:issuer property of each certificate will be set
- * accordingly if the verification succeeds. If any certificate in the
- * chain cannot be verified, the first certificate in the file will
- * still be returned.
+ * Creates a #GTlsCertificate from the data in @data. It must contain
+ * a certificate and matching private key.
+ *
+ * If extra certificates are included they will be verified as a chain
+ * and the #GTlsCertificate:issuer property will be set.
+ * All other data will be ignored.
+ *
+ * You can pass as single password for all of the data, it will be
+ * used both for the PKCS #12 container as well as encrypted
+ * private keys. If decryption fails it will error with
+ * %G_TLS_ERROR_BAD_CERTIFICATE_PASSWORD.
+ *
+ * This constructor requires support in the current #GTlsBackend.
+ * If support is missing it will error with
+ * %G_IO_ERROR_NOT_SUPPORTED.
+ *
+ * Other parsing failures will error with %G_TLS_ERROR_BAD_CERTIFICATE.
+ *
+ * Returns: the new certificate, or %NULL if @data is invalid
+ *
+ * Since: 2.72
+ */
+GTlsCertificate *
+g_tls_certificate_new_from_pkcs12 (const guchar *data,
+ gsize length,
+ const gchar *password,
+ GError **error)
+{
+ GObject *cert;
+ GTlsBackend *backend;
+ GByteArray *bytes;
+
+ g_return_val_if_fail (data != NULL, NULL);
+ g_return_val_if_fail (error == NULL || *error == NULL, NULL);
+
+ backend = g_tls_backend_get_default ();
+
+ bytes = g_byte_array_new ();
+ g_byte_array_append (bytes, data, length);
+
+ cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
+ NULL, error,
+ "pkcs12-data", bytes,
+ "password", password,
+ NULL);
+
+ g_byte_array_unref (bytes);
+
+ if (cert)
+ {
+ GByteArray *resulting_bytes;
+
+ /* Some backends may not support this so check if it was successful. */
+ g_object_get (cert, "pkcs12-data", &resulting_bytes, NULL);
+
+ if (!resulting_bytes)
+ {
+ g_clear_object (&cert);
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
+ _("The current TLS backend does not support PKCS #12"));
+ }
+ else
+ {
+ g_byte_array_unref (resulting_bytes);
+ }
+ }
+
+ return G_TLS_CERTIFICATE (cert);
+}
+
+/**
+ * g_tls_certificate_new_from_file_with_password:
+ * @file: (type filename): file containing a certificate to import
+ * @password: (nullable): password for PKCS #12 files or %NULL
+ * @error: #GError for error reporting, or %NULL to ignore
+ *
+ * Creates a #GTlsCertificate from the data in @file.
+ * If the filename ends in `.p12` or `.pfx` the data is loaded by
+ * g_tls_certificate_new_from_pkcs12() with @password,
+ * otherwise it is loaded by g_tls_certificate_new_from_pem().
+ * See those functions for exact details.
*
* If @file cannot be read or parsed, the function will return %NULL and
- * set @error. Otherwise, this behaves like
- * g_tls_certificate_new_from_pem().
+ * set @error.
*
* Returns: the new certificate, or %NULL on error
*
- * Since: 2.28
+ * Since: 2.72
*/
GTlsCertificate *
-g_tls_certificate_new_from_file (const gchar *file,
- GError **error)
+g_tls_certificate_new_from_file_with_password (const gchar *file,
+ const gchar *password,
+ GError **error)
{
GTlsCertificate *cert;
gchar *contents;
gsize length;
+ g_return_val_if_fail (file != NULL, NULL);
+ g_return_val_if_fail (error == NULL || *error == NULL, NULL);
+
if (!g_file_get_contents (file, &contents, &length, error))
return NULL;
- cert = g_tls_certificate_new_from_pem (contents, length, error);
+ if (g_str_has_suffix (file, ".p12") || g_str_has_suffix (file, ".pfx"))
+ cert = g_tls_certificate_new_from_pkcs12 (contents, length, password, error);
+ else
+ cert = g_tls_certificate_new_from_pem (contents, length, error);
+
g_free (contents);
return cert;
}
+/**
+ * g_tls_certificate_new_from_file:
+ * @file: (type filename): file containing a certificate to import
+ * @error: #GError for error reporting, or %NULL to ignore
+ *
+ * Creates a #GTlsCertificate from the data in @file.
+ * As of 2.72, if the filename ends in `.p12` or `.pfx` the data is loaded by
+ * g_tls_certificate_new_from_pkcs12() otherwise it is loaded by
+ * g_tls_certificate_new_from_pem(). See those functions for
+ * exact details.
+ *
+ * If @file cannot be read or parsed, the function will return %NULL and
+ * set @error.
+ *
+ * Returns: the new certificate, or %NULL on error
+ *
+ * Since: 2.28
+ */
+GTlsCertificate *
+g_tls_certificate_new_from_file (const gchar *file,
+ GError **error)
+{
+ return g_tls_certificate_new_from_file_with_password (file, NULL, error);
+}
+
/**
* g_tls_certificate_new_from_files:
* @cert_file: (type filename): file containing one or more PEM-encoded
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index 3b92b97fc..03e93ff55 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -63,7 +63,15 @@ GLIB_AVAILABLE_IN_ALL
GTlsCertificate *g_tls_certificate_new_from_pem (const gchar *data,
gssize length,
GError **error);
-
+GLIB_AVAILABLE_IN_2_70
+GTlsCertificate *g_tls_certificate_new_from_pkcs12 (const guchar *data,
+ gsize length,
+ const gchar *password,
+ GError **error);
+GLIB_AVAILABLE_IN_2_70
+GTlsCertificate *g_tls_certificate_new_from_file_with_password (const gchar *file,
+ const gchar *password,
+ GError **error);
GLIB_AVAILABLE_IN_ALL
GTlsCertificate *g_tls_certificate_new_from_file (const gchar *file,
GError **error);
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index 2995b1028..a2191cd8f 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -586,6 +586,21 @@ ip_addresses (void)
g_object_unref (cert);
}
+static void
+from_pkcs12 (void)
+{
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ const guchar data[1] = { 0 };
+
+ /* This simply fails because our test backend doesn't support this
+ * property. This reflects using a backend that doesn't support it. */
+ cert = g_tls_certificate_new_from_pkcs12 (data, 1, NULL, &error);
+
+ g_assert_null (cert);
+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED);
+}
+
int
main (int argc,
char *argv[])
@@ -656,6 +671,8 @@ main (int argc,
from_pkcs11_uri);
g_test_add_func ("/tls-certificate/pkcs11-uri-unsupported",
from_unsupported_pkcs11_uri);
+ g_test_add_func ("/tls-certificate/from_pkcs12",
+ from_pkcs12);
g_test_add_func ("/tls-certificate/not-valid-before",
not_valid_before);
g_test_add_func ("/tls-certificate/not-valid-after",
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]