libnm-core/8021x: add pkcs11: scheme for certificates and keys

The getters just return the whole URI as-is, without any mangling.

3 files changed, 251 insertions, 19 deletions

diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 12dc5a62a4..f0430b079e 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -438,6 +438,8 @@ NMSetting8021xCKScheme
 nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError **error)
 {
 	const char *data = pdata;
+	NMSetting8021xCKScheme scheme;
+	gsize prefix_length;
 
 	g_return_val_if_fail (!length || data, NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);
 
@@ -449,10 +451,21 @@ nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError *
 		return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
 	}
 
-	/* interpret the blob as PATH if it starts with "file://". */
 	if (   length >= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)
 	    && !memcmp (data, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH, NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH))) {
-		/* But it must also be NUL terminated, contain at least
+		scheme = NM_SETTING_802_1X_CK_SCHEME_PATH;
+		prefix_length = NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
+	} else if (   length >= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11)
+	           && !memcmp (data, NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11, NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11))) {
+		scheme = NM_SETTING_802_1X_CK_SCHEME_PKCS11;
+		prefix_length = NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11);
+	} else {
+		scheme = NM_SETTING_802_1X_CK_SCHEME_BLOB;
+		prefix_length = 0;
+	}
+
+	if (scheme != NM_SETTING_802_1X_CK_SCHEME_BLOB) {
+		/* An actual URI must be NUL terminated, contain at least
 		 * one non-NUL character, and contain only one trailing NUL
 		 * chracter.
 		 * And ensure it's UTF-8 valid too so we can pass it through
@@ -462,31 +475,29 @@ nm_setting_802_1x_check_cert_scheme (gconstpointer pdata, gsize length, GError *
 			g_set_error_literal (error,
 			                     NM_CONNECTION_ERROR,
 			                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
-			                     _("file:// URI not NUL terminated"));
+			                     _("URI not NUL terminated"));
 			return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
 		}
 		length--;
 
-		if (length <= NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH)) {
+		if (length <= prefix_length) {
 			g_set_error_literal (error,
 			                     NM_CONNECTION_ERROR,
 			                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
-			                     _("file:// URI is empty"));
+			                     _("URI is empty"));
 			return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
 		}
 
-		if (!g_utf8_validate (data + NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH), length - NM_STRLEN (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH), NULL)) {
+		if (!g_utf8_validate (data + prefix_length, length - prefix_length, NULL)) {
 			g_set_error_literal (error,
-			                     NM_CONNECTION_ERROR,
-			                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
-			                     _("file:// URI is not valid UTF-8"));
+					     NM_CONNECTION_ERROR,
+					     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+					     _("URI is not valid UTF-8"));
 			return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
 		}
-
-		return NM_SETTING_802_1X_CK_SCHEME_PATH;
 	}
 
-	return NM_SETTING_802_1X_CK_SCHEME_BLOB;
+	return scheme;
 }
 
 static GByteArray *
@@ -524,7 +535,8 @@ load_and_verify_certificate (const char *cert_path,
  *
  * Returns the scheme used to store the CA certificate.  If the returned scheme
  * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob();
- * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path().
+ * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path();
+ * if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_ca_cert_uri().
  *
  * Returns: scheme used to store the CA certificate (blob or path)
  **/
@@ -590,6 +602,37 @@ nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting)
 	return (const char *)data + strlen (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 }
 
+/**
+ * nm_setting_802_1x_get_ca_cert_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the CA certificate URI analogously to
+ * nm_setting_802_1x_get_ca_cert_blob() and
+ * nm_setting_802_1x_get_ca_cert_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_ca_cert_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert, NULL);
+	return (const char *)data;
+}
+
 static GBytes *
 path_to_scheme_value (const char *path)
 {
@@ -875,7 +918,8 @@ nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
  *
  * Returns the scheme used to store the client certificate.  If the returned scheme
  * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob();
- * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path().
+ * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path();
+ * if %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().
  *
  * Returns: scheme used to store the client certificate (blob or path)
  **/
@@ -936,6 +980,37 @@ nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_client_cert_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the client certificate URI analogously to
+ * nm_setting_802_1x_get_client_cert_blob() and
+ * nm_setting_802_1x_get_client_cert_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_client_cert_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_client_cert_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert, NULL);
+	return (const char *)data;
+}
+
+/**
  * nm_setting_802_1x_set_client_cert:
  * @setting: the #NMSetting8021x
  * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
@@ -1138,7 +1213,8 @@ nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting)
  * Returns the scheme used to store the "phase 2" CA certificate.  If the
  * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
  * nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH,
- * use nm_setting_802_1x_get_ca_cert_path().
+ * use nm_setting_802_1x_get_ca_cert_path(); if %NM_SETTING_802_1X_CK_SCHEME_PKCS11,
+ * use nm_setting_802_1x_get_ca_cert_uri().
  *
  * Returns: scheme used to store the "phase 2" CA certificate (blob or path)
  **/
@@ -1205,6 +1281,37 @@ nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_phase2_ca_cert_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the "phase 2" CA certificate URI analogously to
+ * nm_setting_802_1x_get_phase2_ca_cert_blob() and
+ * nm_setting_802_1x_get_phase2_ca_cert_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_phase2_ca_cert_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert, NULL);
+	return (const char *)data;
+}
+
+/**
  * nm_setting_802_1x_set_phase2_ca_cert:
  * @setting: the #NMSetting8021x
  * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
@@ -1474,7 +1581,9 @@ nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting)
  * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
  * nm_setting_802_1x_get_client_cert_blob(); if
  * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
- * nm_setting_802_1x_get_client_cert_path().
+ * nm_setting_802_1x_get_client_cert_path(); if
+ * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use
+ * nm_setting_802_1x_get_client_cert_uri().
  *
  * Returns: scheme used to store the "phase 2" client certificate (blob or path)
  **/
@@ -1535,6 +1644,37 @@ nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_phase2_client_cert_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the "phase 2" client certificate URI analogously to
+ * nm_setting_802_1x_get_phase2_ca_cert_blob() and
+ * nm_setting_802_1x_get_phase2_ca_cert_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_phase2_client_cert_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert, NULL);
+	return (const char *)data;
+}
+
+/**
  * nm_setting_802_1x_set_phase2_client_cert:
  * @setting: the #NMSetting8021x
  * @cert_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH
@@ -1729,7 +1869,9 @@ nm_setting_802_1x_get_pin_flags (NMSetting8021x *setting)
  * %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
  * nm_setting_802_1x_get_client_cert_blob(); if
  * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
- * nm_setting_802_1x_get_client_cert_path().
+ * nm_setting_802_1x_get_client_cert_path(); if
+ * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use
+ * nm_setting_802_1x_get_client_cert_uri().
  *
  * Returns: scheme used to store the private key (blob or path)
  **/
@@ -1793,6 +1935,37 @@ nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting)
 	return (const char *)data + strlen (NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH);
 }
 
+/**
+ * nm_setting_802_1x_get_private_key_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the private key URI analogously to
+ * nm_setting_802_1x_get_private_key_blob() and
+ * nm_setting_802_1x_get_private_key_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_private_key_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_private_key_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key, NULL);
+	return (const char *)data;
+}
+
 static void
 free_secure_bytes (gpointer data)
 {
@@ -2067,7 +2240,9 @@ nm_setting_802_1x_get_phase2_private_key_password_flags (NMSetting8021x *setting
  * scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
  * nm_setting_802_1x_get_client_cert_blob(); if
  * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
- * nm_setting_802_1x_get_client_cert_path().
+ * nm_setting_802_1x_get_client_cert_path(); if
+ * %NM_SETTING_802_1X_CK_SCHEME_PKCS11, use
+ * nm_setting_802_1x_get_client_cert_uri().
  *
  * Returns: scheme used to store the "phase 2" private key (blob or path)
  **/
@@ -2132,6 +2307,37 @@ nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_phase2_private_key_uri:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the "phase 2" private key URI analogously to
+ * nm_setting_802_1x_get_phase2_private_key_blob() and
+ * nm_setting_802_1x_get_phase2_private_key_path().
+ *
+ * Currently it's limited to PKCS#11 URIs ('pkcs11' scheme as defined by RFC
+ * 7512), but may be extended to other schemes in future (such as 'file' URIs
+ * for local files and 'data' URIs for inline certificate data).
+ *
+ * Returns: the URI string
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_802_1x_get_phase2_private_key_uri (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+	gconstpointer data;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11, NULL);
+
+	data = g_bytes_get_data (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key, NULL);
+	return (const char *)data;
+}
+
+/**
  * nm_setting_802_1x_set_phase2_private_key:
  * @setting: the #NMSetting8021x
  * @key_path: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
@@ -2371,6 +2577,8 @@ need_secrets_tls (NMSetting8021x *self,
 		scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
 		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
 			path = nm_setting_802_1x_get_phase2_private_key_path (self);
+		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
+			return;
 		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
 			blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
 		else {
@@ -2385,6 +2593,8 @@ need_secrets_tls (NMSetting8021x *self,
 		scheme = nm_setting_802_1x_get_private_key_scheme (self);
 		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
 			path = nm_setting_802_1x_get_private_key_path (self);
+		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
+			return;
 		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
 			blob = nm_setting_802_1x_get_private_key_blob (self);
 		else {
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index 5cdcb3d5bc..393a2d35de 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -32,6 +32,7 @@
 G_BEGIN_DECLS
 
 #define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH "file://"
+#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11 "pkcs11:"
 
 /**
  * NMSetting8021xCKFormat:
@@ -60,6 +61,8 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_format >*/
  * item data
  * @NM_SETTING_802_1X_CK_SCHEME_PATH: certificate or key is stored as a path
  * to a file containing the certificate or key data
+ * @NM_SETTING_802_1X_CK_SCHEME_PKCS11: certificate or key is stored as a
+ * URI of an object on a PKCS#11 token
  *
  * #NMSetting8021xCKScheme values indicate how a certificate or private key is
  * stored in the setting properties, either as a blob of the item's data, or as
@@ -68,7 +71,8 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_format >*/
 typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 	NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
 	NM_SETTING_802_1X_CK_SCHEME_BLOB,
-	NM_SETTING_802_1X_CK_SCHEME_PATH
+	NM_SETTING_802_1X_CK_SCHEME_PATH,
+	NM_SETTING_802_1X_CK_SCHEME_PKCS11,
 } NMSetting8021xCKScheme;
 
 
@@ -177,6 +181,8 @@ const char *      nm_setting_802_1x_get_phase2_ca_path               (NMSetting8
 NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme          (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_ca_cert_blob            (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_ca_cert_path            (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_ca_cert_uri             (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_ca_cert                 (NMSetting8021x *setting,
                                                                       const char *cert_path,
                                                                       NMSetting8021xCKScheme scheme,
@@ -201,6 +207,8 @@ const char *      nm_setting_802_1x_get_domain_suffix_match          (NMSetting8
 NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme      (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_client_cert_blob        (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_client_cert_path        (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_client_cert_uri         (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_client_cert             (NMSetting8021x *setting,
                                                                       const char *cert_path,
                                                                       NMSetting8021xCKScheme scheme,
@@ -220,6 +228,8 @@ const char *      nm_setting_802_1x_get_phase2_autheap               (NMSetting8
 NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme   (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_phase2_ca_cert_blob     (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_phase2_ca_cert_path     (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_phase2_ca_cert_uri      (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_phase2_ca_cert          (NMSetting8021x *setting,
                                                                       const char *cert_path,
                                                                       NMSetting8021xCKScheme scheme,
@@ -244,6 +254,8 @@ const char *      nm_setting_802_1x_get_phase2_domain_suffix_match          (NMS
 NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme   (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_phase2_client_cert_blob     (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_phase2_client_cert_path     (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_phase2_client_cert_uri      (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_phase2_client_cert          (NMSetting8021x *setting,
                                                                           const char *cert_path,
                                                                           NMSetting8021xCKScheme scheme,
@@ -261,6 +273,8 @@ NMSettingSecretFlags nm_setting_802_1x_get_pin_flags                 (NMSetting8
 NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme          (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_private_key_blob            (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_private_key_path            (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_private_key_uri             (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_private_key                 (NMSetting8021x *setting,
                                                                           const char *key_path,
                                                                           const char *password,
@@ -275,6 +289,8 @@ NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format          (NMSett
 NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme   (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_phase2_private_key_blob     (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_phase2_private_key_path     (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_6
+const char *           nm_setting_802_1x_get_phase2_private_key_uri      (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_phase2_private_key          (NMSetting8021x *setting,
                                                                           const char *key_path,
                                                                           const char *password,
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index 309c4b82d8..cc39286564 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1106,6 +1106,12 @@ global:
 	nm_setting_proxy_get_browser_only;
 	nm_setting_proxy_get_pac_url;
 	nm_setting_proxy_get_pac_script;
+	nm_setting_802_1x_get_ca_cert_uri;
+	nm_setting_802_1x_get_phase2_ca_cert_uri;
+	nm_setting_802_1x_get_client_cert_uri;
+	nm_setting_802_1x_get_phase2_client_cert_uri;
+	nm_setting_802_1x_get_private_key_uri;
+	nm_setting_802_1x_get_phase2_private_key_uri;
 	nm_utils_is_json_object;
 	nm_utils_version;
 	nm_utils_is_valid_iface_name;