From 8d72b18028c35d887c2352e3f08aacd9b7096f4c Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Thu, 2 Dec 2010 18:08:51 +0000 Subject: libempathy: Store certificate exceptions in gnome-keyring. Use libgcr to store certificate trust exceptions properly. --- libempathy/empathy-tls-certificate.c | 127 ----------------------------------- libempathy/empathy-tls-certificate.h | 2 - libempathy/empathy-tls-verifier.c | 21 ++++++ libempathy/empathy-tls-verifier.h | 2 + 4 files changed, 23 insertions(+), 129 deletions(-) (limited to 'libempathy') diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c index 931bbcc64..c14deec57 100644 --- a/libempathy/empathy-tls-certificate.c +++ b/libempathy/empathy-tls-certificate.c @@ -430,130 +430,3 @@ empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, return TRUE; } - -static gsize -get_exported_size (gnutls_x509_crt_t cert) -{ - gsize retval = 2; - guchar fake[2] = { 0, 0 }; - - /* fake an export so we get the size to allocate */ - gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, - fake, &retval); - - DEBUG ("Should allocate %lu bytes", (gulong) retval); - - return retval + 1; -} - -void -empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self) -{ - GArray *last_cert; - gnutls_x509_crt_t cert; - gnutls_datum_t datum = { NULL, 0 }; - gsize exported_len; - guchar *exported_cert = NULL; - gint res, offset; - gchar *user_certs_dir = NULL, *filename = NULL, *path = NULL; - gchar *hostname = NULL; - GError *error = NULL; - EmpathyTLSCertificatePriv *priv = GET_PRIV (self); - - last_cert = g_ptr_array_index (priv->cert_data, priv->cert_data->len - 1); - datum.data = (guchar *) last_cert->data; - datum.size = last_cert->len; - - gnutls_x509_crt_init (&cert); - gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); - - /* make sure it's self-signed, otherwise it's not a CA */ - if (gnutls_x509_crt_check_issuer (cert, cert) <= 0) - { - DEBUG ("Can't import the CA, as it's not self-signed"); - gnutls_x509_crt_deinit (cert); - - return; - } - - if (gnutls_x509_crt_get_ca_status (cert, NULL) <= 0) - { - DEBUG ("Can't import the CA, it's not a valid CA certificate"); - gnutls_x509_crt_deinit (cert); - - goto out; - } - - exported_len = get_exported_size (cert); - exported_cert = g_malloc (sizeof (guchar) * exported_len); - - res = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, - exported_cert, &exported_len); - - if (res < 0) - { - DEBUG ("Failed to export the CA certificate; GnuTLS returned %d," - "and should be %lu bytes long", res, (gulong) exported_len); - gnutls_x509_crt_deinit (cert); - - goto out; - } - - hostname = empathy_get_x509_certificate_hostname (cert); - - if (hostname == NULL) - hostname = g_strdup ("ca"); - - gnutls_x509_crt_deinit (cert); - - /* write the file */ - user_certs_dir = g_build_filename (g_get_user_config_dir (), - "telepathy", "certs", NULL); - - res = g_mkdir_with_parents (user_certs_dir, S_IRWXU | S_IRWXG); - - if (res < 0) - { - DEBUG ("Failed to create the user certificate directory: %s", - g_strerror (errno)); - - goto out; - } - - offset = 0; - - do - { - g_free (path); - - if (offset == 0) - filename = g_strdup_printf ("cert-%s", hostname); - else - filename = g_strdup_printf ("cert-%s-%d", hostname, offset); - - path = g_build_filename (user_certs_dir, filename, NULL); - - offset++; - g_free (filename); - } - while (g_file_test (path, G_FILE_TEST_EXISTS)); - - DEBUG ("Will save to %s", path); - - g_file_set_contents (path, (const gchar *) exported_cert, exported_len, - &error); - - if (error != NULL) - { - DEBUG ("Can't save the CA certificate to %s: %s", - path, error->message); - - g_error_free (error); - } - - out: - g_free (path); - g_free (exported_cert); - g_free (user_certs_dir); - g_free (hostname); -} diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h index d9dd07d44..8ad3d209e 100644 --- a/libempathy/empathy-tls-certificate.h +++ b/libempathy/empathy-tls-certificate.h @@ -88,8 +88,6 @@ gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, GAsyncResult *result, GError **error); -void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self); - G_END_DECLS #endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/ diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c index 638b46bb7..3c547fb1c 100644 --- a/libempathy/empathy-tls-verifier.c +++ b/libempathy/empathy-tls-verifier.c @@ -489,3 +489,24 @@ empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, return TRUE; } + +void +empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self) +{ + GArray *last_cert; + GcrCertificate *cert; + GPtrArray *certs; + GError *error = NULL; + EmpathyTLSVerifierPriv *priv = GET_PRIV (self); + + g_object_get (priv->certificate, "cert-data", &certs, NULL); + last_cert = g_ptr_array_index (certs, certs->len - 1); + cert = gcr_simple_certificate_new_static ((gpointer)last_cert->data, + last_cert->len); + + if (!gcr_trust_add_certificate_exception (cert, GCR_PURPOSE_CLIENT_AUTH, + priv->hostname, NULL, &error)) + DEBUG ("Can't store the certificate exeption: %s", error->message); + + g_object_unref (cert); +} diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h index e73a71aeb..e333bc81e 100644 --- a/libempathy/empathy-tls-verifier.h +++ b/libempathy/empathy-tls-verifier.h @@ -74,6 +74,8 @@ gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self, GHashTable **details, GError **error); +void empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self); + G_END_DECLS #endif /* #ifndef __EMPATHY_TLS_VERIFIER_H__*/ -- cgit v1.2.3