[glib-networking/tls-database: 6/7] Add @purpose argument to GTlsDatabase::verify_chain()
- From: Stefan Walter <stefw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/tls-database: 6/7] Add @purpose argument to GTlsDatabase::verify_chain()
- Date: Tue, 28 Dec 2010 02:54:49 +0000 (UTC)
commit 3a04018f0fbf536497e9e281004c2906be982a77
Author: Stef Walter <stefw collabora co uk>
Date: Mon Dec 27 18:27:07 2010 -0600
Add @purpose argument to GTlsDatabase::verify_chain()
So that we can use the verify_chain() method for both client and
server connections.
tls/gnutls/gtlsdatabase-gnutls.c | 20 +++++++++++++-------
tls/gnutls/gtlsdatabase-gnutls.h | 2 ++
tls/gnutls/gtlsfiledatabase-gnutls.c | 7 +++++++
tls/gnutls/gtlspkcs11database-gnutls.c | 5 +++--
4 files changed, 25 insertions(+), 9 deletions(-)
---
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index b492823..b8c1248 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -57,6 +57,7 @@ is_self_signed (GTlsCertificateGnutls *certificate)
static gint
build_certificate_chain (GTlsDatabaseGnutls *self,
GTlsCertificateGnutls *chain,
+ const gchar *purpose,
GSocketConnectable *identity,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
@@ -69,6 +70,7 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
g_assert (anchor);
g_assert (chain);
+ g_assert (purpose);
g_assert (error);
g_assert (!*error);
@@ -84,7 +86,7 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
/* First check for pinned certificate */
if (g_tls_database_gnutls_lookup_assertion (self, certificate,
G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE,
- identity, cancellable, error))
+ purpose, identity, cancellable, error))
{
g_tls_certificate_gnutls_set_issuer (certificate, NULL);
return STATUS_PINNED;
@@ -130,7 +132,7 @@ build_certificate_chain (GTlsDatabaseGnutls *self,
/* Now look up whether this certificate is an anchor */
if (g_tls_database_gnutls_lookup_assertion (self, certificate,
G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE,
- identity, cancellable, error))
+ purpose, identity, cancellable, error))
{
g_tls_certificate_gnutls_set_issuer (certificate, NULL);
return STATUS_ANCHORED;
@@ -197,7 +199,8 @@ convert_certificate_chain_to_gnutls (GTlsCertificateGnutls *chain,
static GTlsCertificateFlags
g_tls_database_gnutls_verify_chain (GTlsDatabase *database,
GTlsCertificate *chain,
- GSocketConnectable *identity,
+ const gchar *purpose,
+ GSocketConnectable *identity,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GError **error)
@@ -215,6 +218,7 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase *database,
G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain),
G_TLS_CERTIFICATE_GENERIC_ERROR);
+ g_return_val_if_fail (purpose, G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (!identity || G_IS_SOCKET_CONNECTABLE (identity),
G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (!error || !*error, G_TLS_CERTIFICATE_GENERIC_ERROR);
@@ -222,8 +226,8 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase *database,
self = G_TLS_DATABASE_GNUTLS (database);
anchor = NULL;
- status = build_certificate_chain (self, G_TLS_CERTIFICATE_GNUTLS (chain), identity,
- flags, cancellable, &anchor, &err);
+ status = build_certificate_chain (self, G_TLS_CERTIFICATE_GNUTLS (chain), purpose,
+ identity, flags, cancellable, &anchor, &err);
if (status == STATUS_FAILURE)
{
g_propagate_error (error, err);
@@ -289,7 +293,8 @@ gboolean
g_tls_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *self,
GTlsCertificateGnutls *certificate,
GTlsDatabaseGnutlsAssertion assertion,
- GSocketConnectable *connectable,
+ const gchar *purpose,
+ GSocketConnectable *identity,
GCancellable *cancellable,
GError **error)
{
@@ -298,7 +303,8 @@ g_tls_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *self,
return G_TLS_DATABASE_GNUTLS_GET_CLASS (self)->lookup_assertion (self,
certificate,
assertion,
- connectable,
+ purpose,
+ identity,
cancellable,
error);
}
diff --git a/tls/gnutls/gtlsdatabase-gnutls.h b/tls/gnutls/gtlsdatabase-gnutls.h
index fbb575e..f4bf8a5 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.h
+++ b/tls/gnutls/gtlsdatabase-gnutls.h
@@ -44,6 +44,7 @@ struct _GTlsDatabaseGnutlsClass
gboolean (*lookup_assertion) (GTlsDatabaseGnutls *self,
GTlsCertificateGnutls *certificate,
GTlsDatabaseGnutlsAssertion assertion,
+ const gchar *purpose,
GSocketConnectable *identity,
GCancellable *cancellable,
GError **error);
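Review bot: The new `purpose` argument to the lookup_assertion vfunc is not documented anywhere in the patch, and the only hint at its expected form is the PKCS#11 backend substituting it for the literal serverAuth OID "1.3.6.1.5.5.7.3.1", so an implementor cannot tell whether to expect a dotted-decimal EKU OID or a symbolic name. Since both backends in this series now g_return_val_if_fail on NULL, the contract is "non-NULL, caller-supplied", and the header is the place to say what it holds. I would add above the vfunc pointer `/* purpose: extended-key-usage OID, dotted decimal (e.g. 1.3.6.1.5.5.7.3.1 for serverAuth), that the certificate must be trusted for */`, hedged with "presumably" if the OID form is not the intended contract. struct _GTlsDatabaseGnutlsClass begins outside this hunk.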
@@ -60,6 +61,7 @@ GType g_tls_database_gnutls_get_type (void) G_GNUC_CONST;
gboolean g_tls_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *self,
GTlsCertificateGnutls *certificate,
GTlsDatabaseGnutlsAssertion assertion,
+ const gchar *purpose,
GSocketConnectable *identity,
GCancellable *cancellable,
GError **error);
diff --git a/tls/gnutls/gtlsfiledatabase-gnutls.c b/tls/gnutls/gtlsfiledatabase-gnutls.c
index 12bda9b..4917867 100644
--- a/tls/gnutls/gtlsfiledatabase-gnutls.c
+++ b/tls/gnutls/gtlsfiledatabase-gnutls.c
@@ -249,6 +249,7 @@ static gboolean
g_tls_file_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *database,
GTlsCertificateGnutls *certificate,
GTlsDatabaseGnutlsAssertion assertion,
+ const gchar *purpose,
GSocketConnectable *identity,
GCancellable *cancellable,
GError **error)
@@ -259,6 +260,7 @@ g_tls_file_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *databa
GHashTable *anchors;
g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (certificate), FALSE);
+ g_return_val_if_fail (purpose, FALSE);
g_return_val_if_fail (!identity || G_IS_SOCKET_CONNECTABLE (identity), FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
@@ -266,6 +268,11 @@ g_tls_file_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *databa
if (assertion != G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE)
return FALSE;
+ /*
+ * TODO: We should be parsing any Extended Key Usage attributes and
+ * comparing them to the purpose.
+ */
+
g_object_get (certificate, "certificate", &der, NULL);
g_return_val_if_fail (der, FALSE);
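Review bot: `purpose` is validated as non-NULL a few lines above but is never consulted in this function, so the file database answers the ANCHORED_CERTIFICATE assertion identically for every purpose — an anchor present in the file vouches for a chain regardless of whether server or client authentication was requested, while the PKCS#11 backend changed in the same commit does filter by purpose, so the two backends now disagree. The TODO should state the current effect so it is not read as already handled: `TODO: purpose is currently ignored; every anchor in the file is trusted for all purposes. Parse the Extended Key Usage extension and reject anchors whose EKU is present but omits purpose.` Note that many CA certificates carry no EKU at all, so an absent extension presumably has to be treated as unrestricted rather than as a mismatch when this is implemented. g_tls_file_database_gnutls_lookup_assertion continues beyond the hunk.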
diff --git a/tls/gnutls/gtlspkcs11database-gnutls.c b/tls/gnutls/gtlspkcs11database-gnutls.c
index b60a9a2..72b71ad 100644
--- a/tls/gnutls/gtlspkcs11database-gnutls.c
+++ b/tls/gnutls/gtlspkcs11database-gnutls.c
@@ -353,6 +353,7 @@ static gboolean
g_tls_pkcs11_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *database,
GTlsCertificateGnutls *certificate,
GTlsDatabaseGnutlsAssertion assertion,
+ const gchar *purpose,
GSocketConnectable *identity,
GCancellable *cancellable,
GError **error)
@@ -364,6 +365,7 @@ g_tls_pkcs11_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *data
const gchar *peer;
g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (certificate), FALSE);
+ g_return_val_if_fail (purpose, FALSE);
g_return_val_if_fail (!identity || G_IS_SOCKET_CONNECTABLE (identity), FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
@@ -379,8 +381,7 @@ g_tls_pkcs11_database_gnutls_lookup_assertion (GTlsDatabaseGnutls *data
g_pkcs11_array_add_value (match, CKA_X_CERTIFICATE_VALUE, der->data, der->len);
g_byte_array_unref (der);
- /* TLS Server Authentication */
- g_pkcs11_array_add_value (match, CKA_X_PURPOSE, "1.3.6.1.5.5.7.3.1", -1);
+ g_pkcs11_array_add_value (match, CKA_X_PURPOSE, purpose, -1);
if (assertion == G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE)
{
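Review bot: Dropping the `/* TLS Server Authentication */` comment removes the only explanation of what CKA_X_PURPOSE is matched against; the replacement line passes the caller's string straight into the match template with length -1 (presumably NUL-terminated), so a caller supplying anything other than the exact dotted-decimal EKU OID will simply never match. That fails closed, which is the right direction, but silently, so the expectation belongs in a comment: `/* CKA_X_PURPOSE is matched against the EKU OID in purpose, e.g. 1.3.6.1.5.5.7.3.1 (serverAuth); a non-OID string matches nothing */`. g_tls_pkcs11_database_gnutls_lookup_assertion continues past the hunk.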