author | Dan Williams <dcbw@redhat.com> | 2011-03-02 12:00:47 -0600 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2011-03-02 12:00:47 -0600 |
commit | 28e6523b8d4eb031777dd0d3f5118bbfc8fa45a9 (patch) | |
tree | 17be4c968bfe8d2976dbe49cd0c513ffe551f705 /libnm-util/crypto.h | |
parent | 02f676c0010ccaa4d70099a32cac8dc4663612a9 (diff) | |
libnm-util: rework certificate and private key handling
First, it was not easily possible to set a private key without
also providing a password. This used to be OK, but now with
secret flags it may be the case that when the connection is read,
there's no private key password. So functions that set the
private key must account for NULL passwords.
Unfortunately, the crypto code did not handle this case well.
We need to be able to independently (a) verify that a file looks
like a certificate or private key and (b) that a given password
decrypts a private key. Previously the crypto code would fail
to verify the file when the password was NULL.
So this change fixes up the crypto code for a more distinct
split between these two operations, such that if no password is
given, the file is still checked to ensure that it's a private
key or a certificate. If a password is given, the password is
checked against the private key file.
This commit also changes how private keys and certificates were
handled with the BLOB scheme. Previously only the first certificate
or first private key was included in the property data, while now
the entire file is encoded in the data. This is intended to fix
cases where multiple private keys or certificates are present in
a PEM file. It also allows clients to push certificate data to
NetworkManager for storage in system settings locations, which was
not as flexible before when only part of the certificate or key
was sent as the data.
Diffstat (limited to 'libnm-util/crypto.h')
-rw-r--r-- | libnm-util/crypto.h | 40 |
1 files changed, 24 insertions, 16 deletions
diff --git a/libnm-util/crypto.h b/libnm-util/crypto.h
index 38471cea63..cdf053e722 100644
--- a/libnm-util/crypto.h
+++ b/libnm-util/crypto.h
@@ -18,9 +18,12 @@
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301 USA.
 *
- * (C) Copyright 2007 - 2008 Red Hat, Inc.
+ * (C) Copyright 2007 - 2011 Red Hat, Inc.
 */
 
+#ifndef __CRYPTO_H__
+#define __CRYPTO_H__
+
 #include <glib.h>
 
 #define MD5_HASH_LEN 20
@@ -51,8 +54,7 @@ enum {
 typedef enum {
 NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,
 NM_CRYPTO_KEY_TYPE_RSA,
- NM_CRYPTO_KEY_TYPE_DSA,
- NM_CRYPTO_KEY_TYPE_ENCRYPTED
+ NM_CRYPTO_KEY_TYPE_DSA
 } NMCryptoKeyType;
 
 typedef enum {
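Review bot: `__CRYPTO_H__` in the new include guard uses a double-underscore prefix, which C11 §7.1.3 reserves for the implementation; a project-prefixed name such as `NM_CRYPTO_H` avoids that, and the `#endif /* __CRYPTO_H__ */` comment added in the last hunk would change with it. If the project's other headers already follow the same pattern, matching them is a defensible trade-off, but since the guard is introduced here this is the place to choose the name. The removal of `NM_CRYPTO_KEY_TYPE_ENCRYPTED` in the second hunk means the enum can no longer express "encrypted, not yet decrypted"; a one-line comment on `NMCryptoKeyType` saying the value now describes the decrypted key would make that explicit for readers of the header.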
@@ -69,26 +71,31 @@ gboolean crypto_init (GError **error);
 
 void crypto_deinit (void);
 
-GByteArray * crypto_get_private_key_data (GByteArray *contents,
- const char *password,
- NMCryptoKeyType *out_key_type,
- NMCryptoFileFormat *out_file_format,
- GError **error);
+GByteArray *crypto_decrypt_private_key_data (const GByteArray *contents,
+ const char *password,
+ NMCryptoKeyType *out_key_type,
+ GError **error);
 
-GByteArray * crypto_get_private_key (const char *file,
- const char *password,
- NMCryptoKeyType *out_key_type,
- NMCryptoFileFormat *out_file_format,
- GError **error);
+GByteArray *crypto_decrypt_private_key (const char *file,
+ const char *password,
+ NMCryptoKeyType *out_key_type,
+ GError **error);
 
-GByteArray * crypto_load_and_verify_certificate (const char *file,
- NMCryptoFileFormat *out_file_format,
- GError **error);
+GByteArray *crypto_load_and_verify_certificate (const char *file,
+ NMCryptoFileFormat *out_file_format,
+ GError **error);
 
 gboolean crypto_is_pkcs12_file (const char *file, GError **error);
 
 gboolean crypto_is_pkcs12_data (const GByteArray *data);
 
+NMCryptoFileFormat crypto_verify_private_key_data (const GByteArray *contents,
+ const char *password,
+ GError **error);
+
+NMCryptoFileFormat crypto_verify_private_key (const char *file,
+ const char *password,
+ GError **error);
 
 /* Internal utils API bits for crypto providers */
 
@@ -129,3 +136,4 @@ gboolean crypto_verify_pkcs12 (const GByteArray *data,
 const char *password,
 GError **error);
 
+#endif /* __CRYPTO_H__ */ |
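Review bot: The new `crypto_verify_private_key_data`/`crypto_verify_private_key` and `crypto_decrypt_*` prototypes carry no comment stating the contract the commit message describes — that a NULL `password` only checks that the data is a private key while a non-NULL one is also checked against the key — nor which NMCryptoFileFormat value signals failure or whether `*error` is set in that case. That split is the whole point of the rework, so it belongs in the header the settings code builds against; above `crypto_verify_private_key_data` something like `/* Returns the detected format of @contents. If @password is non-NULL it must also decrypt the key; if NULL only the format is checked. On failure sets @error and returns the unknown format value. */` would do, with the file variant referring to it. For `crypto_decrypt_private_key_data` the comment should additionally state that the returned GByteArray is owned by the caller and, since it presumably holds plaintext key material, should be cleared before it is freed; the implementation is not in this diff, so that wording should be confirmed against crypto.c.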