author | Lubomir Rintel <lkundrak@v3.sk> | 2016-12-22 17:02:20 +0000 |
---|---|---|
committer | Lubomir Rintel <lkundrak@v3.sk> | 2017-01-06 15:56:11 +0100 |
commit | 690e33bdf287b5952740925d0e208da4d1d3712e (patch) | |
tree | 7be3b2d77658a735d391c6f6c0476218aa8f9d6d | |
parent | 84c57c34bc8cb9b2d9291a9ad3ed74153fb23cb0 (diff) | |
download | NetworkManager-690e33bdf287b5952740925d0e208da4d1d3712e.tar.gz |
libnm-core/8021x: make cert/key setters handle pkcs11 URI scheme
-rw-r--r-- | libnm-core/nm-setting-8021x.c | 62 |
1 files changed, 39 insertions, 23 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index f0430b079e..2b386b6fa0 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -634,7 +634,7 @@ nm_setting_802_1x_get_ca_cert_uri (NMSetting8021x *setting)
 }
 
 static GBytes *
-path_to_scheme_value (const char *path)
+value_with_scheme (const char *path, const char *scheme)
 {
 	GByteArray *array;
 	gsize len;
@@ -673,7 +673,7 @@ path_to_scheme_value (const char *path)
  **/
 gboolean
 nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
-                               const char *cert_path,
+                               const char *value,
                                NMSetting8021xCKScheme scheme,
                                NMSetting8021xCKFormat *out_format,
                                GError **error)
@@ -684,10 +684,11 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
 
 	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
 
-	if (cert_path) {
-		g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
+	if (value) {
+		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
 		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
-		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11,
 		                      FALSE);
 	}
 
@@ -698,12 +699,18 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
 
 	g_clear_pointer (&priv->ca_cert, g_bytes_unref);
 
-	if (!cert_path) {
+	if (!value) {
 		g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CA_CERT);
 		return TRUE;
 	}
 
-	data = load_and_verify_certificate (cert_path, scheme, &format, error);
+	if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+		priv->ca_cert = value_with_scheme (value, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11);
+		g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CA_CERT);
+		return TRUE;
+	}
+
+	data = load_and_verify_certificate (value, scheme, &format, error);
 	if (data) {
 		/* wpa_supplicant can only use raw x509 CA certs */
 		if (format == NM_CRYPTO_FILE_FORMAT_X509) {
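Review bot: `value_with_scheme` in the `-634,7 +634,7` hunk gains a `scheme` argument but keeps its first parameter named `path`, although the ca_cert and private_key hunks of this commit now pass it a PKCS#11 URI, and nothing at the definition says how `scheme` and `path` are combined. Renaming the parameter to `value` and putting a one-line comment above the function, such as `/* Builds the stored form of a cert/key reference by prefixing scheme onto value. */`, keeps the helper's contract readable where it is defined. Its body is outside the hunk, so check the wording against it before adding it.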
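Review bot: The PKCS#11 branch added in the `-698,12 +699,18` hunk of `nm_setting_802_1x_set_ca_cert` stores `value` after nothing more than the UTF-8 check, whereas the blob and path schemes go through `load_and_verify_certificate`; any string is accepted here and ends up in `ca_cert` carrying the PKCS#11 prefix, to be interpreted as a token URI later. A syntactic check before the assignment, e.g. `g_return_val_if_fail (g_str_has_prefix (value, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11), FALSE);` (or a proper `error` if callers are expected to recover), keeps input validation consistent across schemes; whether the stored form then carries the prefix once or twice depends on the body of `value_with_scheme`, which is outside this hunk, so adjust the check to match. The branch also returns before `out_format` is written; if it is initialised earlier in the function (outside the hunk), a short comment saying that PKCS#11 references report no format would make that intentional.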
@@ -714,7 +721,7 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
 			priv->ca_cert = g_byte_array_free_to_bytes (data);
 			data = NULL;
 		} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-			priv->ca_cert = path_to_scheme_value (cert_path);
+			priv->ca_cert = value_with_scheme (value, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 		else
 			g_assert_not_reached ();
 	} else {
@@ -1049,7 +1056,8 @@ nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
 	if (cert_path) {
 		g_return_val_if_fail (g_utf8_validate (cert_path, -1, NULL), FALSE);
 		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
-		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11,
 		                      FALSE);
 	}
 
@@ -1065,6 +1073,12 @@ nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
 		return TRUE;
 	}
 
+	if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+		priv->client_cert = value_with_scheme (cert_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
+		g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_CLIENT_CERT);
+		return TRUE;
+	}
+
 	data = load_and_verify_certificate (cert_path, scheme, &format, error);
 	if (data) {
 		gboolean valid = FALSE;
@@ -1094,7 +1108,7 @@ nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
 			priv->client_cert = g_byte_array_free_to_bytes (data);
 			data = NULL;
 		} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-			priv->client_cert = path_to_scheme_value (cert_path);
+			priv->client_cert = value_with_scheme (cert_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 		else
 			g_assert_not_reached ();
 	}
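Review bot: In the `-1065,6 +1073,12` hunk the new PKCS#11 branch of `nm_setting_802_1x_set_client_cert` stores the value with `NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH`, while the corresponding branches for `ca_cert` and `private_key` in this same commit use `NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11`; a client certificate given as a PKCS#11 URI is therefore recorded as if it were a file path, and whatever later dispatches on the stored prefix will try to treat the URI as a filename. The line should read `priv->client_cert = value_with_scheme (cert_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11);`. A unit test that sets a client cert with `NM_SETTING_802_1X_CK_SCHEME_PKCS11` and checks the scheme reported back by the getter would have caught the copy-paste.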
@@ -1373,7 +1387,7 @@ nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
 			priv->phase2_ca_cert = g_byte_array_free_to_bytes (data);
 			data = NULL;
 		} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-			priv->phase2_ca_cert = path_to_scheme_value (cert_path);
+			priv->phase2_ca_cert = value_with_scheme (cert_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 		else
 			g_assert_not_reached ();
 	} else {
@@ -1759,7 +1773,7 @@ nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *setting,
 			priv->phase2_client_cert = g_byte_array_free_to_bytes (data);
 			data = NULL;
 		} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-			priv->phase2_client_cert = path_to_scheme_value (cert_path);
+			priv->phase2_client_cert = value_with_scheme (cert_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 		else
 			g_assert_not_reached ();
 	}
@@ -2033,7 +2047,7 @@ file_to_secure_bytes (const char *filename)
  **/
 gboolean
 nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
-                                   const char *key_path,
+                                   const char *value,
                                    const char *password,
                                    NMSetting8021xCKScheme scheme,
                                    NMSetting8021xCKFormat *out_format,
@@ -2046,10 +2060,11 @@ nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
 
 	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
 
-	if (key_path) {
-		g_return_val_if_fail (g_utf8_validate (key_path, -1, NULL), FALSE);
+	if (value) {
+		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
 		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
-		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11,
 		                      FALSE);
 	}
 
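Review bot: The phase2 setters (`nm_setting_802_1x_set_phase2_ca_cert` in the `-1373` hunk, `set_phase2_client_cert` in the `-1759` hunk and `set_phase2_private_key` in the `-2447` hunk) only receive the `path_to_scheme_value` → `value_with_scheme` rename; no PKCS#11 branch or scheme-check extension is added for them, so, judging from the diffstat, a PKCS#11 URI is presumably still rejected by their `g_return_val_if_fail` guards, which sit outside these hunks. If leaving phase2 out is intended, the commit message or a short comment at these three call sites should say so; otherwise the three functions need the same treatment as their phase1 counterparts.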
@@ -2059,8 +2074,8 @@ nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
 	/* Ensure the private key is a recognized format and if the password was
 	 * given, that it decrypts the private key.
 	 */
-	if (key_path) {
-		format = crypto_verify_private_key (key_path, password, NULL, &local_err);
+	if (value && scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+		format = crypto_verify_private_key (value, password, NULL, &local_err);
 		if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN) {
 			g_set_error_literal (error,
 			                     NM_CONNECTION_ERROR,
@@ -2087,7 +2102,7 @@ nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
 		password_cleared = TRUE;
 	}
 
-	if (key_path == NULL) {
+	if (value == NULL) {
 		if (key_cleared)
 			g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_PRIVATE_KEY);
 		if (password_cleared)
@@ -2099,17 +2114,18 @@ nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
 	if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
 		/* FIXME: potential race after verifying the private key above */
 		/* FIXME: ensure blob doesn't start with file:// */
-		priv->private_key = file_to_secure_bytes (key_path);
+		priv->private_key = file_to_secure_bytes (value);
 		g_assert (priv->private_key);
 	} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-		priv->private_key = path_to_scheme_value (key_path);
+		priv->private_key = value_with_scheme (value, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
+	else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
+		priv->private_key = value_with_scheme (value, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11);
 	else
 		g_assert_not_reached ();
 
 	/* As required by NM and wpa_supplicant, set the client-cert
 	 * property to the same PKCS#12 data.
 	 */
-	g_assert (format != NM_CRYPTO_FILE_FORMAT_UNKNOWN);
 	if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
 		if (priv->client_cert)
 			g_bytes_unref (priv->client_cert);
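Review bot: The comment above the changed condition in the `-2059,8 +2074,8` hunk still says the key is verified whenever one is given, but the new `scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11` test deliberately skips `crypto_verify_private_key` for PKCS#11 URIs, so for that scheme `format` keeps whatever it was initialised to (presumably UNKNOWN, outside the hunk) and `password` is never checked against the key. Extending the comment with a line such as `* PKCS#11 references are not verified here: the key and its PIN live in the token and are only checked when used.` stops the next reader from taking the skip for an oversight. The `out_format` result for PKCS#11 keys is decided outside the hunk and is worth a look at the same time.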
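Review bot: The `-2099,17 +2114,18` hunk deletes `g_assert (format != NM_CRYPTO_FILE_FORMAT_UNKNOWN);` outright because the PKCS#11 path never sets `format`, which also drops the check for the blob and path schemes, where the error return after `crypto_verify_private_key` earlier in the function appears to keep it valid. Narrowing the assertion instead retains the invariant where it applies: `g_assert (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 || format != NM_CRYPTO_FILE_FORMAT_UNKNOWN);`. The comment above it about copying PKCS#12 data into client-cert could also note that the block is intentionally a no-op for PKCS#11 keys.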
@@ -2447,7 +2463,7 @@ nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *setting,
 		priv->phase2_private_key = file_to_secure_bytes (key_path);
 		g_assert (priv->phase2_private_key);
 	} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
-		priv->phase2_private_key = path_to_scheme_value (key_path);
+		priv->phase2_private_key = value_with_scheme (key_path, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 	else
 		g_assert_not_reached ();
 