/* * empathy-tls-certificate.c - Source for EmpathyTLSCertificate * Copyright (C) 2010 Collabora Ltd. * @author Cosimo Cecchi * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #include #include "empathy-tls-certificate.h" #include #include #include #include #include #include #define DEBUG_FLAG EMPATHY_DEBUG_TLS #include "empathy-debug.h" #include "empathy-utils.h" #include "extensions/extensions.h" enum { /* proxy properties */ PROP_CERT_TYPE = 1, PROP_CERT_DATA, PROP_STATE, LAST_PROPERTY, }; typedef struct { GSimpleAsyncResult *async_prepare_res; /* TLSCertificate properties */ gchar *cert_type; GPtrArray *cert_data; EmpTLSCertificateState state; gboolean is_prepared; } EmpathyTLSCertificatePriv; G_DEFINE_TYPE (EmpathyTLSCertificate, empathy_tls_certificate, TP_TYPE_PROXY); #define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSCertificate); static void tls_certificate_got_all_cb (TpProxy *proxy, GHashTable *properties, const GError *error, gpointer user_data, GObject *weak_object) { GPtrArray *cert_data; EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (weak_object); EmpathyTLSCertificatePriv *priv = GET_PRIV (self); if (error != NULL) { g_simple_async_result_set_from_error (priv->async_prepare_res, error); g_simple_async_result_complete (priv->async_prepare_res); tp_clear_object (&priv->async_prepare_res); return; } priv->cert_type = g_strdup (tp_asv_get_string (properties, "CertificateType")); priv->state = tp_asv_get_uint32 (properties, "State", NULL); cert_data = tp_asv_get_boxed (properties, "CertificateChainData", TP_ARRAY_TYPE_UCHAR_ARRAY_LIST); g_assert (cert_data != NULL); priv->cert_data = g_boxed_copy (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST, cert_data); DEBUG ("Got a certificate chain long %u, of type %s", priv->cert_data->len, priv->cert_type); priv->is_prepared = TRUE; g_simple_async_result_complete (priv->async_prepare_res); tp_clear_object (&priv->async_prepare_res); } void empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self, GAsyncReadyCallback callback, gpointer user_data) { EmpathyTLSCertificatePriv *priv = GET_PRIV (self); /* emit an error if we're already preparing the object */ if (priv->async_prepare_res != NULL) { g_simple_async_report_error_in_idle (G_OBJECT (self), callback, user_data, G_IO_ERROR, G_IO_ERROR_PENDING, "%s", "Prepare operation already in progress on the TLS certificate."); return; } /* if the object is already prepared, just complete in idle */ if (priv->is_prepared) { tp_simple_async_report_success_in_idle (G_OBJECT (self), callback, user_data, empathy_tls_certificate_prepare_async); return; } priv->async_prepare_res = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_prepare_async); /* call GetAll() on the certificate */ tp_cli_dbus_properties_call_get_all (self, -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE, tls_certificate_got_all_cb, NULL, NULL, G_OBJECT (self)); } gboolean empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self, GAsyncResult *result, GError **error) { gboolean retval = TRUE; if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), error)) retval = FALSE; return retval; } static void empathy_tls_certificate_finalize (GObject *object) { EmpathyTLSCertificatePriv *priv = GET_PRIV (object); DEBUG ("%p", object); g_free (priv->cert_type); tp_clear_boxed (TP_ARRAY_TYPE_UCHAR_ARRAY_LIST, &priv->cert_data); G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object); } static void empathy_tls_certificate_get_property (GObject *object, guint property_id, GValue *value, GParamSpec *pspec) { EmpathyTLSCertificatePriv *priv = GET_PRIV (object); switch (property_id) { case PROP_CERT_TYPE: g_value_set_string (value, priv->cert_type); break; case PROP_CERT_DATA: g_value_set_boxed (value, priv->cert_data); break; case PROP_STATE: g_value_set_uint (value, priv->state); break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec); break; } } static void empathy_tls_certificate_init (EmpathyTLSCertificate *self) { self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, EMPATHY_TYPE_TLS_CERTIFICATE, EmpathyTLSCertificatePriv); } static void empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass) { GParamSpec *pspec; GObjectClass *oclass = G_OBJECT_CLASS (klass); TpProxyClass *pclass = TP_PROXY_CLASS (klass); oclass->get_property = empathy_tls_certificate_get_property; oclass->finalize = empathy_tls_certificate_finalize; pclass->interface = EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE; pclass->must_have_unique_name = TRUE; g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv)); pspec = g_param_spec_string ("cert-type", "Certificate type", "The type of this certificate.", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_CERT_TYPE, pspec); pspec = g_param_spec_boxed ("cert-data", "Certificate chain data", "The raw DER-encoded certificate chain data.", TP_ARRAY_TYPE_UCHAR_ARRAY_LIST, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_CERT_DATA, pspec); pspec = g_param_spec_uint ("state", "State", "The state of this certificate.", EMP_TLS_CERTIFICATE_STATE_PENDING, NUM_EMP_TLS_CERTIFICATE_STATES -1, EMP_TLS_CERTIFICATE_STATE_PENDING, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); g_object_class_install_property (oclass, PROP_STATE, pspec); } static void cert_proxy_accept_cb (TpProxy *proxy, const GError *error, gpointer user_data, GObject *weak_object) { GSimpleAsyncResult *accept_result = user_data; DEBUG ("Callback for accept(), error %p", error); if (error != NULL) { DEBUG ("Error was %s", error->message); g_simple_async_result_set_from_error (accept_result, error); } g_simple_async_result_complete (accept_result); } static void cert_proxy_reject_cb (TpProxy *proxy, const GError *error, gpointer user_data, GObject *weak_object) { GSimpleAsyncResult *reject_result = user_data; DEBUG ("Callback for reject(), error %p", error); if (error != NULL) { DEBUG ("Error was %s", error->message); g_simple_async_result_set_from_error (reject_result, error); } g_simple_async_result_complete (reject_result); } static const gchar * reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason) { const gchar *retval = NULL; switch (reason) { case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_UNTRUSTED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_EXPIRED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_NOT_ACTIVATED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH: retval = tp_error_get_dbus_name (TP_ERROR_CERT_FINGERPRINT_MISMATCH); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH: retval = tp_error_get_dbus_name (TP_ERROR_CERT_HOSTNAME_MISMATCH); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_SELF_SIGNED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_REVOKED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE: retval = tp_error_get_dbus_name (TP_ERROR_CERT_INSECURE); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED: retval = tp_error_get_dbus_name (TP_ERROR_CERT_LIMIT_EXCEEDED); break; case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN: default: retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID); break; } return retval; } EmpathyTLSCertificate * empathy_tls_certificate_new (TpDBusDaemon *dbus, const gchar *bus_name, const gchar *object_path, GError **error) { EmpathyTLSCertificate *retval = NULL; if (!tp_dbus_check_valid_bus_name (bus_name, TP_DBUS_NAME_TYPE_UNIQUE, error)) goto finally; if (!tp_dbus_check_valid_object_path (object_path, error)) goto finally; retval = g_object_new (EMPATHY_TYPE_TLS_CERTIFICATE, "dbus-daemon", dbus, "bus-name", bus_name, "object-path", object_path, NULL); finally: if (*error != NULL) DEBUG ("Error while creating the TLS certificate: %s", (*error)->message); return retval; } void empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self, GAsyncReadyCallback callback, gpointer user_data) { GSimpleAsyncResult *accept_result; g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); DEBUG ("Accepting TLS certificate"); accept_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_accept_async); emp_cli_authentication_tls_certificate_call_accept (TP_PROXY (self), -1, cert_proxy_accept_cb, accept_result, g_object_unref, G_OBJECT (self)); } gboolean empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self, GAsyncResult *result, GError **error) { if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), error)) return FALSE; return TRUE; } static GPtrArray * build_rejections_array (EmpTLSCertificateRejectReason reason, GHashTable *details) { GPtrArray *retval; GValueArray *rejection; retval = g_ptr_array_new (); rejection = tp_value_array_build (3, G_TYPE_UINT, reason, G_TYPE_STRING, reject_reason_get_dbus_error (reason), TP_HASH_TYPE_STRING_VARIANT_MAP, details, NULL); g_ptr_array_add (retval, rejection); return retval; } void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self, EmpTLSCertificateRejectReason reason, GHashTable *details, GAsyncReadyCallback callback, gpointer user_data) { GPtrArray *rejections; GSimpleAsyncResult *reject_result; g_assert (EMPATHY_IS_TLS_CERTIFICATE (self)); DEBUG ("Rejecting TLS certificate with reason %u", reason); rejections = build_rejections_array (reason, details); reject_result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, empathy_tls_certificate_reject_async); emp_cli_authentication_tls_certificate_call_reject (TP_PROXY (self), -1, rejections, cert_proxy_reject_cb, reject_result, g_object_unref, G_OBJECT (self)); tp_clear_boxed (EMP_ARRAY_TYPE_TLS_CERTIFICATE_REJECTION_LIST, &rejections); } gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self, GAsyncResult *result, GError **error) { if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result), error)) return FALSE; return TRUE; } static gsize get_exported_size (gnutls_x509_crt_t cert) { gsize retval = 2; guchar fake[2] = { 0, 0 }; /* fake an export so we get the size to allocate */ gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, fake, &retval); DEBUG ("Should allocate %lu bytes", (gulong) retval); return retval + 1; } void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self) { GArray *last_cert; gnutls_x509_crt_t cert; gnutls_datum_t datum = { NULL, 0 }; gsize exported_len; guchar *exported_cert = NULL; gint res, offset; gchar *user_certs_dir = NULL, *filename = NULL, *path = NULL; gchar *hostname = NULL; GError *error = NULL; EmpathyTLSCertificatePriv *priv = GET_PRIV (self); last_cert = g_ptr_array_index (priv->cert_data, priv->cert_data->len - 1); datum.data = (guchar *) last_cert->data; datum.size = last_cert->len; gnutls_x509_crt_init (&cert); gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER); /* make sure it's self-signed, otherwise it's not a CA */ if (gnutls_x509_crt_check_issuer (cert, cert) <= 0) { DEBUG ("Can't import the CA, as it's not self-signed"); gnutls_x509_crt_deinit (cert); return; } if (gnutls_x509_crt_get_ca_status (cert, NULL) <= 0) { DEBUG ("Can't import the CA, it's not a valid CA certificate"); gnutls_x509_crt_deinit (cert); goto out; } exported_len = get_exported_size (cert); exported_cert = g_malloc (sizeof (guchar) * exported_len); res = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM, exported_cert, &exported_len); if (res < 0) { DEBUG ("Failed to export the CA certificate; GnuTLS returned %d," "and should be %lu bytes long", res, (gulong) exported_len); gnutls_x509_crt_deinit (cert); goto out; } hostname = empathy_get_x509_certificate_hostname (cert); if (hostname == NULL) hostname = g_strdup ("ca"); gnutls_x509_crt_deinit (cert); /* write the file */ user_certs_dir = g_build_filename (g_get_user_config_dir (), "telepathy", "certs", NULL); res = g_mkdir_with_parents (user_certs_dir, S_IRWXU | S_IRWXG); if (res < 0) { DEBUG ("Failed to create the user certificate directory: %s", g_strerror (errno)); goto out; } offset = 0; do { g_free (path); if (offset == 0) filename = g_strdup_printf ("cert-%s", hostname); else filename = g_strdup_printf ("cert-%s-%d", hostname, offset); path = g_build_filename (user_certs_dir, filename, NULL); offset++; g_free (filename); } while (g_file_test (path, G_FILE_TEST_EXISTS)); DEBUG ("Will save to %s", path); g_file_set_contents (path, (const gchar *) exported_cert, exported_len, &error); if (error != NULL) { DEBUG ("Can't save the CA certificate to %s: %s", path, error->message); g_error_free (error); } out: g_free (path); g_free (exported_cert); g_free (user_certs_dir); g_free (hostname); }