diff options
-rw-r--r-- | extensions/Authentication_TLS_Certificate.xml | 177 | ||||
-rw-r--r-- | libempathy/empathy-tls-certificate.c | 28 |
2 files changed, 110 insertions, 95 deletions
diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml index 709ea282c..aafc00414 100644 --- a/extensions/Authentication_TLS_Certificate.xml +++ b/extensions/Authentication_TLS_Certificate.xml @@ -41,6 +41,77 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. </tp:docstring> </tp:simple-type> + <tp:struct name="TLS_Certificate_Rejection" array-name="TLS_Certificate_Rejection_List"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>Struct representing one reason why a TLS certificate was rejected.</p> + <p>Since there can be multiple things wrong with a TLS certificate, + arrays of this type are used to represent lists of reasons for + rejection. In that case, the most important reason SHOULD be placed + first in the list.</p> + </tp:docstring> + + <tp:member name="Reason" type="u" + tp:type="TLS_Certificate_Reject_Reason"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>The value of the TLS_Certificate_Reject_Reason enumeration for + this certificate rejection. + <tp:rationale> + Clients that do not understand the <code>Error</code> member, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + </tp:rationale> + </p> + </tp:docstring> + </tp:member> + + <tp:member name="Error" type="s" + tp:type="DBus_Error_Name"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>The DBus error name for this certificate rejection.</p> + <p>This MAY correspond to the value of the <code>Reason</code> member, + or MAY be a more specific D-Bus error name, perhaps implementation-specific.</p> + </tp:docstring> + </tp:member> + + <tp:member name="Details" type="a{sv}" + tp:type="String_Variant_Map"> + <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> + <p>Additional information about why the certificate was rejected. + This MAY also include one or more of the following well-known keys:</p> + <p> + <dl> + <dt>user-requested (b)</dt> + <dd>True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.</dd> + <dt>expected-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.</dd> + <dt>certificate-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + <tp:rationale> + <p>For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:</p> + <pre> + { + 'expected-hostname': 'gmail.com', + 'certificate-hostname': 'evil.example.org', + } + </pre> + </tp:rationale> + </dd> + <dt>debug-message (s)</dt> + <dd>Debugging information on the error, corresponding to the + message part of a D-Bus error message, which SHOULD NOT be + displayed to users under normal circumstances</dd> + </dl> + </p> + </tp:docstring> + </tp:member> + </tp:struct> + <tp:enum type="u" name="TLS_Certificate_State"> <tp:docstring> The possible states for a <tp:dbus-ref @@ -149,75 +220,19 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. </tp:docstring> </property> - <property name="RejectError" type="s" access="read" - tp:type="DBus_Error_Name" - tp:name-for-bindings="Reject_Error"> + <property name="Rejections" type="a(usa{sv})" access="read" + tp:type="TLS_Certificate_Rejection[]" tp:name-for-bindings="Rejections"> <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, - the reason why the certificate was rejected; this MAY correspond to - the <tp:member-ref>RejectReason</tp:member-ref>, or MAY be a more - specific D-Bus error name, perhaps implementation-specific.</p> + an array of <tp:type>TLS_Certificate_Rejection</tp:type> + structures containing the reason why the certificate is rejected.</p> <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, this property is not meaningful, and SHOULD be set to an empty - string.</p> - </tp:docstring> - </property> - - <property name="RejectDetails" type="a{sv}" access="read" - tp:type="String_Variant_Map" - tp:name-for-bindings="Reject_Details"> - <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> - <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, - additional information about why the certificate was rejected.</p> - <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, - this property is not meaningful and SHOULD be set to an empty - map.</p> - <p>The additional information MAY also include - one or more of the following well-known keys:</p> - <dl> - <dt>user-requested (b)</dt> - <dd>True if the error was due to an user-requested rejection of - the certificate; False if there was an unrecoverable error in the - verification process.</dd> - <dt>expected-hostname (s)</dt> - <dd>If the rejection reason is Hostname_Mismatch, the hostname that - the server certificate was expected to have.</dd> - <dt>certificate-hostname (s)</dt> - <dd>If the rejection reason is Hostname_Mismatch, the hostname of - the certificate that was presented. - <tp:rationale> - <p>For instance, if you try to connect to gmail.com but are presented - with a TLS certificate issued to evil.example.org, the error details - for Hostname_Mismatch MAY include:</p> - <pre> - { - 'expected-hostname': 'gmail.com', - 'certificate-hostname': 'evil.example.org', - } - </pre> - </tp:rationale> - </dd> - <dt>debug-message (s)</dt> - <dd>Debugging information on the error, corresponding to the - message part of a D-Bus error message, which SHOULD NOT be - displayed to users under normal circumstances</dd> - </dl> - </tp:docstring> - </property> - - <property name="RejectReason" type="u" access="read" - tp:type="TLS_Certificate_Reject_Reason" - tp:name-for-bindings="Reject_Reason"> - <tp:docstring> - If the <tp:member-ref>State</tp:member-ref> is Rejected, the - reason why the certificate was rejected. - <tp:rationale> - Clients that do not understand the <tp:member-ref>RejectError</tp:member-ref>, - which may be implementation-specific, can use this property to - classify rejection reasons into common categories. - </tp:rationale> - Otherwise, this property is not meaningful, and SHOULD be set to - Unknown. + array.</p> + <p>The first rejection in the list MAY be assumed to be + the most important; if the array contains more than one + element, the CM MAY either use the values after the first, + or ignore them.</p> </tp:docstring> </property> @@ -252,19 +267,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. <tp:docstring> The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Rejected. </tp:docstring> - <arg name="Reason" type="u" tp:type="TLS_Certificate_Reject_Reason"> - <tp:docstring> - The new value of <tp:member-ref>RejectReason</tp:member-ref>. - </tp:docstring> - </arg> - <arg name="Error" type="s" tp:type="DBus_Error_Name"> - <tp:docstring> - The new value of <tp:member-ref>RejectError</tp:member-ref>. - </tp:docstring> - </arg> - <arg name="Details" type="a{sv}" tp:type="String_Variant_Map"> + <arg name="Rejections" type="a(usa{sv})" tp:type="TLS_Certificate_Rejection[]"> <tp:docstring> - The new value of <tp:member-ref>RejectDetails</tp:member-ref> + The new value of the <tp:member-ref>Rejections</tp:member-ref> property. </tp:docstring> </arg> </signal> @@ -279,22 +284,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. <tp:docstring> Rejects this certificate. </tp:docstring> - <arg direction="in" type="u" name="Reason" - tp:type="TLS_Certificate_Reject_Reason"> - <tp:docstring> - The new value of <tp:member-ref>RejectReason</tp:member-ref>. - </tp:docstring> - </arg> - <arg direction="in" type="s" name="Error" - tp:type="DBus_Error_Name"> - <tp:docstring> - The new value of <tp:member-ref>RejectError</tp:member-ref>. - </tp:docstring> - </arg> - <arg direction="in" type="a{sv}" name="Details" - tp:type="String_Variant_Map"> + <arg direction="in" type="a(usa{sv})" name="Rejections" + tp:type="TLS_Certificate_Rejection[]"> <tp:docstring> - The new value of <tp:member-ref>RejectDetails</tp:member-ref>. + The new value of the <tp:member-ref>Rejections</tp:member-ref> property. </tp:docstring> </arg> </method> diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index ca107008a..931bbcc64 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -374,6 +374,25 @@ empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, return TRUE; } +static GPtrArray * +build_rejections_array (EmpTLSCertificateRejectReason reason, + GHashTable *details) +{ + GPtrArray *retval; + GValueArray *rejection; + + retval = g_ptr_array_new (); + rejection = tp_value_array_build (3, + G_TYPE_UINT, reason, + G_TYPE_STRING, reject_reason_get_dbus_error (reason), + TP_HASH_TYPE_STRING_VARIANT_MAP, details, + NULL); + + g_ptr_array_add (retval, rejection); + + return retval; +} + void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, @@ -381,20 +400,23 @@ empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, GAsyncReadyCallback callback, gpointer user_data) { - const gchar *dbus_error; + GPtrArray *rejections; GSimpleAsyncResult *reject_result; g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); DEBUG ("Rejecting TLS certificate with reason %u", reason); - dbus_error = reject_reason_get_dbus_error (reason); + rejections = build_rejections_array (reason, details); reject_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_reject_async); emp_cli_authentication_tls_certificate_call_reject (TP_PROXY (self), - -1, reason, dbus_error, details, cert_proxy_reject_cb, + -1, rejections, cert_proxy_reject_cb, reject_result, g_object_unref, G_OBJECT (self)); + + tp_clear_boxed (EMP_ARRAY_TYPE_TLS_CERTIFICATE_REJECTION_LIST, + &rejections); } gboolean |