[network-manager-applet/lr/pkcs11: 7/14] WIP wireless-security: make eap-tls use the NMACertificateChooser
- From: Lubomir Rintel <lkundrak src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [network-manager-applet/lr/pkcs11: 7/14] WIP wireless-security: make eap-tls use the NMACertificateChooser
- Date: Fri, 24 Feb 2017 19:20:09 +0000 (UTC)
commit cdcf2e65e8c7a0e9c5362a46d72144d7595a4f6c
Author: Lubomir Rintel <lkundrak v3 sk>
Date: Wed Feb 22 18:50:40 2017 +0100
WIP wireless-security: make eap-tls use the NMACertificateChooser
src/wireless-security/eap-method-tls.c | 626 +++++++++++++++----------------
src/wireless-security/eap-method-tls.ui | 117 +------
2 files changed, 312 insertions(+), 431 deletions(-)
---
diff --git a/src/wireless-security/eap-method-tls.c b/src/wireless-security/eap-method-tls.c
index 8d17fa4..66faea4 100644
--- a/src/wireless-security/eap-method-tls.c
+++ b/src/wireless-security/eap-method-tls.c
@@ -2,6 +2,7 @@
/* NetworkManager Applet -- allow user control over networking
*
* Dan Williams <dcbw redhat com>
+ * Lubomir Rintel <lkundrak v3 sk>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -17,7 +18,7 @@
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
- * Copyright 2007 - 2014 Red Hat, Inc.
+ * Copyright 2007 - 2017 Red Hat, Inc.
*/
#include "nm-default.h"
@@ -29,36 +30,24 @@
#include "wireless-security.h"
#include "helpers.h"
#include "nma-ui-utils.h"
+#include "nma-cert-chooser.h"
#include "utils.h"
struct _EAPMethodTLS {
EAPMethod parent;
gboolean editing_connection;
+ GtkWidget *ca_cert_chooser;
+ GtkWidget *client_cert_chooser;
};
-static void
-show_toggled_cb (GtkCheckButton *button, EAPMethod *method)
-{
- GtkWidget *widget;
- gboolean visible;
-
- widget = GTK_WIDGET (gtk_builder_get_object (method->builder, "eap_tls_private_key_password_entry"));
- g_assert (widget);
-
- visible = gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (button));
- gtk_entry_set_visibility (GTK_ENTRY (widget), visible);
-}
-
static gboolean
validate (EAPMethod *parent, GError **error)
{
- NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ EAPMethodTLS *method = (EAPMethodTLS *) parent;
GtkWidget *widget;
- const char *password, *identity;
- GError *local = NULL;
- gboolean ret = TRUE;
+ const char *identity;
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry"));
g_assert (widget);
@@ -66,78 +55,34 @@ validate (EAPMethod *parent, GError **error)
if (!identity || !strlen (identity)) {
widget_set_error (widget);
g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("missing EAP-TLS identity"));
- ret = FALSE;
- } else {
- widget_unset_error (widget);
- }
-
- if (!eap_method_validate_filepicker (parent->builder, "eap_tls_ca_cert_button", TYPE_CA_CERT, NULL,
NULL, &local)) {
- widget_set_error (GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_ca_cert_button")));
- if (ret) {
- g_set_error (error, NMA_ERROR, NMA_ERROR_GENERIC, _("invalid EAP-TLS CA certificate:
%s"), local->message);
- ret = FALSE;
- }
- g_clear_error (&local);
- } else if (eap_method_ca_cert_required (parent->builder, "eap_tls_ca_cert_not_required_checkbox",
"eap_tls_ca_cert_button")) {
- widget_set_error (GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_ca_cert_button")));
- if (ret) {
- g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("invalid EAP-TLS CA
certificate: no certificate specified"));
- ret = FALSE;
- }
- }
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
- g_assert (widget);
- password = gtk_entry_get_text (GTK_ENTRY (widget));
- if (!password || !strlen (password)) {
- widget_set_error (widget);
- if (ret) {
- g_set_error_literal (error, NMA_ERROR, NMA_ERROR_GENERIC, _("invalid EAP-TLS
password: missing"));
- ret = FALSE;
- }
+ return FALSE;
} else {
widget_unset_error (widget);
}
- if (!eap_method_validate_filepicker (parent->builder,
- "eap_tls_private_key_button",
- TYPE_PRIVATE_KEY,
- password,
- &format,
- &local)) {
- if (ret) {
- g_set_error (error, NMA_ERROR, NMA_ERROR_GENERIC, _("invalid EAP-TLS private-key:
%s"), local->message);
- ret = FALSE;
- }
- g_clear_error (&local);
- widget_set_error (GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_private_key_button")));
- }
+ if ( gtk_widget_get_sensitive (method->ca_cert_chooser)
+ && !nma_cert_chooser_validate (NMA_CERT_CHOOSER (method->ca_cert_chooser), error))
+ return FALSE;
- if (format != NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
- if (!eap_method_validate_filepicker (parent->builder, "eap_tls_user_cert_button",
TYPE_CLIENT_CERT, NULL, NULL, &local)) {
- if (ret) {
- g_set_error (error, NMA_ERROR, NMA_ERROR_GENERIC, _("invalid EAP-TLS
user-certificate: %s"), local->message);
- ret = FALSE;
- }
- g_clear_error (&local);
- widget_set_error (GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_user_cert_button")));
- }
- }
+ if (!nma_cert_chooser_validate (NMA_CERT_CHOOSER (method->client_cert_chooser), error))
+ return FALSE;
- return ret;
+ return TRUE;
}
static void
ca_cert_not_required_toggled (GtkWidget *ignored, gpointer user_data)
{
- EAPMethod *parent = user_data;
+ EAPMethodTLS *method = (EAPMethodTLS *) user_data;
- eap_method_ca_cert_not_required_toggled (parent->builder, "eap_tls_ca_cert_not_required_checkbox",
"eap_tls_ca_cert_button");
+ gtk_widget_set_sensitive (method->ca_cert_chooser,
+ !gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (ignored)));
}
static void
add_to_size_group (EAPMethod *parent, GtkSizeGroup *group)
{
+ EAPMethodTLS *method = (EAPMethodTLS *) parent;
GtkWidget *widget;
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_ca_cert_not_required_checkbox"));
@@ -148,21 +93,8 @@ add_to_size_group (EAPMethod *parent, GtkSizeGroup *group)
g_assert (widget);
gtk_size_group_add_widget (group, widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_label"));
- g_assert (widget);
- gtk_size_group_add_widget (group, widget);
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_label"));
- g_assert (widget);
- gtk_size_group_add_widget (group, widget);
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_label"));
- g_assert (widget);
- gtk_size_group_add_widget (group, widget);
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_label"));
- g_assert (widget);
- gtk_size_group_add_widget (group, widget);
+ nma_cert_chooser_add_to_size_group (NMA_CERT_CHOOSER (method->client_cert_chooser), group);
+ nma_cert_chooser_add_to_size_group (NMA_CERT_CHOOSER (method->ca_cert_chooser), group);
}
static void
@@ -172,11 +104,12 @@ fill_connection (EAPMethod *parent, NMConnection *connection, NMSettingSecretFla
NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
NMSetting8021x *s_8021x;
NMSettingSecretFlags secret_flags;
- GtkWidget *widget, *passwd_entry;
- char *ca_filename, *pk_filename, *cc_filename;
+ GtkWidget *widget;
+ char *value;
const char *password = NULL;
GError *error = NULL;
gboolean ca_cert_error = FALSE;
+ NMSetting8021xCKScheme scheme;
s_8021x = nm_connection_get_setting_802_1x (connection);
g_assert (s_8021x);
@@ -191,39 +124,31 @@ fill_connection (EAPMethod *parent, NMConnection *connection, NMSettingSecretFla
g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, gtk_entry_get_text (GTK_ENTRY (widget)), NULL);
/* TLS private key */
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
- g_assert (widget);
- password = gtk_entry_get_text (GTK_ENTRY (widget));
- g_assert (password);
- passwd_entry = widget;
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button"));
- g_assert (widget);
- pk_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- g_assert (pk_filename);
+ password = g_strdup (nma_cert_chooser_get_key_password (NMA_CERT_CHOOSER
(method->client_cert_chooser)));
+ value = nma_cert_chooser_get_key (NMA_CERT_CHOOSER (method->client_cert_chooser), &scheme);
if (parent->phase2) {
- if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, pk_filename, password,
NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
- g_warning ("Couldn't read phase2 private key '%s': %s", pk_filename, error ?
error->message : "(unknown)");
+ if (!nm_setting_802_1x_set_phase2_private_key (s_8021x, value, password, scheme, &format,
&error)) {
+ g_warning ("Couldn't read phase2 private key '%s': %s", value, error ? error->message
: "(unknown)");
g_clear_error (&error);
}
} else {
- if (!nm_setting_802_1x_set_private_key (s_8021x, pk_filename, password,
NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
- g_warning ("Couldn't read private key '%s': %s", pk_filename, error ? error->message
: "(unknown)");
+ if (!nm_setting_802_1x_set_private_key (s_8021x, value, password, scheme, &format, &error)) {
+ g_warning ("Couldn't read private key '%s': %s", value, error ? error->message :
"(unknown)");
g_clear_error (&error);
}
}
- g_free (pk_filename);
/* Save 802.1X password flags to the connection */
- secret_flags = nma_utils_menu_to_secret_flags (passwd_entry);
+ secret_flags = nma_cert_chooser_get_key_password_flags (NMA_CERT_CHOOSER
(method->client_cert_chooser));
nm_setting_set_secret_flags (NM_SETTING (s_8021x), parent->password_flags_name,
secret_flags, NULL);
/* Update secret flags and popup when editing the connection */
if (method->editing_connection) {
- nma_utils_update_password_storage (passwd_entry, secret_flags,
- NM_SETTING (s_8021x), parent->password_flags_name);
+ nma_cert_chooser_update_key_password_storage (NMA_CERT_CHOOSER (method->client_cert_chooser),
+ secret_flags, NM_SETTING (s_8021x),
+ parent->password_flags_name);
}
/* TLS client certificate */
@@ -231,213 +156,269 @@ fill_connection (EAPMethod *parent, NMConnection *connection, NMSettingSecretFla
/* If the key is pkcs#12 nm_setting_802_1x_set_private_key() already
* set the client certificate for us.
*/
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button"));
- g_assert (widget);
- cc_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
- g_assert (cc_filename);
-
+ value = nma_cert_chooser_get_cert (NMA_CERT_CHOOSER (method->client_cert_chooser), &scheme);
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
- if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, cc_filename,
NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
- g_warning ("Couldn't read phase2 client certificate '%s': %s", cc_filename,
error ? error->message : "(unknown)");
+ if (!nm_setting_802_1x_set_phase2_client_cert (s_8021x, value, scheme, &format,
&error)) {
+ g_warning ("Couldn't read phase2 client certificate '%s': %s", value, error ?
error->message : "(unknown)");
g_clear_error (&error);
}
} else {
- if (!nm_setting_802_1x_set_client_cert (s_8021x, cc_filename,
NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
- g_warning ("Couldn't read client certificate '%s': %s", cc_filename, error ?
error->message : "(unknown)");
+ if (!nm_setting_802_1x_set_client_cert (s_8021x, value, scheme, &format, &error)) {
+ g_warning ("Couldn't read client certificate '%s': %s", value, error ?
error->message : "(unknown)");
g_clear_error (&error);
}
}
- g_free (cc_filename);
+ g_free (value);
}
/* TLS CA certificate */
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button"));
- g_assert (widget);
- ca_filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-
+ value = nma_cert_chooser_get_cert (NMA_CERT_CHOOSER (method->ca_cert_chooser), &scheme);
format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
if (parent->phase2) {
- if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, ca_filename,
NM_SETTING_802_1X_CK_SCHEME_PATH, &format, &error)) {
- g_warning ("Couldn't read phase2 CA certificate '%s': %s", ca_filename, error ?
error->message : "(unknown)");
+ if (!nm_setting_802_1x_set_phase2_ca_cert (s_8021x, value, scheme, &format, &error)) {
+ g_warning ("Couldn't read phase2 CA certificate '%s': %s", value, error ?
error->message : "(unknown)");
g_clear_error (&error);
ca_cert_error = TRUE;
}
} else {
- if (!nm_setting_802_1x_set_ca_cert (s_8021x, ca_filename, NM_SETTING_802_1X_CK_SCHEME_PATH,
&format, &error)) {
- g_warning ("Couldn't read CA certificate '%s': %s", ca_filename, error ?
error->message : "(unknown)");
+ if (!nm_setting_802_1x_set_ca_cert (s_8021x, value, scheme, &format, &error)) {
+ g_warning ("Couldn't read CA certificate '%s': %s", value, error ? error->message :
"(unknown)");
g_clear_error (&error);
ca_cert_error = TRUE;
}
}
- eap_method_ca_cert_ignore_set (parent, connection, ca_filename, ca_cert_error);
- g_free (ca_filename);
+ eap_method_ca_cert_ignore_set (parent, connection, value, ca_cert_error);
+ g_free (value);
}
-static void
-private_key_picker_helper (EAPMethod *parent, const char *filename, gboolean changed)
+static GError *
+client_cert_validate_cb (NMACertChooser *cert_chooser, gpointer user_data)
{
- NMSetting8021x *setting;
- NMSetting8021xCKFormat cert_format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
- const char *password;
- GtkWidget *widget;
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
- g_assert (widget);
- password = gtk_entry_get_text (GTK_ENTRY (widget));
+ NMSetting8021xCKScheme scheme;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ gs_unref_object NMSetting8021x *setting = NULL;
+ gs_free char *value = NULL;
+ GError *local = NULL;
setting = (NMSetting8021x *) nm_setting_802_1x_new ();
- nm_setting_802_1x_set_private_key (setting, filename, password, NM_SETTING_802_1X_CK_SCHEME_PATH,
&cert_format, NULL);
- g_object_unref (setting);
-
- /* With PKCS#12, the client cert must be the same as the private key */
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button"));
- if (cert_format == NM_SETTING_802_1X_CK_FORMAT_PKCS12) {
- gtk_file_chooser_unselect_all (GTK_FILE_CHOOSER (widget));
- gtk_widget_set_sensitive (widget, FALSE);
- } else if (changed)
- gtk_widget_set_sensitive (widget, TRUE);
-
- /* Warn the user if the private key is unencrypted */
- if (!eap_method_is_encrypted_private_key (filename)) {
- GtkWidget *dialog;
- GtkWidget *toplevel;
- GtkWindow *parent_window = NULL;
-
- toplevel = gtk_widget_get_toplevel (parent->ui_widget);
- if (gtk_widget_is_toplevel (toplevel))
- parent_window = GTK_WINDOW (toplevel);
-
- dialog = gtk_message_dialog_new (parent_window,
- GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
- GTK_MESSAGE_WARNING,
- GTK_BUTTONS_OK,
- "%s",
- _("Unencrypted private keys are insecure"));
- gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog),
- "%s",
- _("The selected private key does not appear to be
protected by a password. This could allow your security credentials to be compromised. Please select a
password-protected private key.\n\n(You can password-protect your private key with openssl)"));
- gtk_dialog_run (GTK_DIALOG (dialog));
- gtk_widget_destroy (dialog);
+
+ value = nma_cert_chooser_get_cert (cert_chooser, &scheme);
+ if (!value) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("no user certificate selected"));
}
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ if (!g_file_test (value, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("selected user certificate file does not exist"));
+ }
+ }
+
+ if (!nm_setting_802_1x_set_client_cert (setting, value, scheme, &format, &local))
+ return local;
+
+ return NULL;
}
-static void
-private_key_picker_file_set_cb (GtkWidget *chooser, gpointer user_data)
+static GError *
+client_key_validate_cb (NMACertChooser *cert_chooser, gpointer user_data)
{
- EAPMethod *parent = (EAPMethod *) user_data;
- char *filename;
+ NMSetting8021xCKScheme scheme;
+ gs_free char *value = NULL;
- filename = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (chooser));
- if (filename)
- private_key_picker_helper (parent, filename, TRUE);
- g_free (filename);
+
+ value = nma_cert_chooser_get_key (cert_chooser, &scheme);
+ if (!value) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("no key selected"));
+ }
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ if (!g_file_test (value, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("selected key file does not exist"));
+ }
+ }
+
+ return NULL;
}
-static void reset_filter (GtkWidget *widget, GParamSpec *spec, gpointer user_data)
+static GError *
+client_key_password_validate_cb (NMACertChooser *cert_chooser, gpointer user_data)
{
- if (!gtk_file_chooser_get_filter (GTK_FILE_CHOOSER (widget))) {
- g_signal_handlers_block_by_func (widget, reset_filter, user_data);
- gtk_file_chooser_set_filter (GTK_FILE_CHOOSER (widget), GTK_FILE_FILTER (user_data));
- g_signal_handlers_unblock_by_func (widget, reset_filter, user_data);
+ NMSetting8021xCKScheme scheme;
+ NMSettingSecretFlags secret_flags;
+ gs_unref_object NMSetting8021x *setting = NULL;
+ gs_free char *value = NULL;
+ const char *password = NULL;
+ GError *local = NULL;
+
+ secret_flags = nma_cert_chooser_get_key_password_flags (cert_chooser);
+ if ( secret_flags & NM_SETTING_SECRET_FLAG_NOT_SAVED
+ || secret_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ return NULL;
+
+ setting = (NMSetting8021x *) nm_setting_802_1x_new ();
+
+ value = nma_cert_chooser_get_key (cert_chooser, &scheme);
+ password = nma_cert_chooser_get_key_password (cert_chooser);
+ if (!nm_setting_802_1x_set_private_key (setting, value, password, scheme, NULL, &local))
+ return local;
+
+ return NULL;
+}
+
+static GError *
+ca_cert_validate_cb (NMACertChooser *cert_chooser, gpointer user_data)
+{
+ NMSetting8021xCKScheme scheme;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ gs_unref_object NMSetting8021x *setting = NULL;
+ gs_free char *value = NULL;
+ GError *local = NULL;
+
+ setting = (NMSetting8021x *) nm_setting_802_1x_new ();
+
+ value = nma_cert_chooser_get_cert (cert_chooser, &scheme);
+ if (!value) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("no CA certificate selected"));
+ }
+ if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
+ if (!g_file_test (value, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
+ return g_error_new_literal (NMA_ERROR, NMA_ERROR_GENERIC,
+ _("selected CA certificate file does not exist"));
+ }
}
+
+ if (!nm_setting_802_1x_set_ca_cert (setting, value, scheme, &format, &local))
+ return local;
+
+ return NULL;
+}
+
+static void
+client_cert_fixup_pkcs12 (NMACertChooser *cert_chooser, gpointer user_data)
+{
+ NMSetting8021xCKScheme cert_scheme, key_scheme;
+ NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
+ gs_free char *cert_value = NULL;
+ gs_free char *key_value = NULL;
+ gs_unref_object NMSetting8021x *setting = NULL;
+
+ setting = (NMSetting8021x *) nm_setting_802_1x_new ();
+
+ cert_value = nma_cert_chooser_get_cert (cert_chooser, &cert_scheme);
+ key_value = nma_cert_chooser_get_key (cert_chooser, &key_scheme);
+
+ if ( !cert_value || key_value || cert_scheme != key_scheme
+ || !nm_setting_802_1x_set_client_cert (setting, cert_value, cert_scheme, &format, NULL))
+ return;
+
+ if (format == NM_SETTING_802_1X_CK_FORMAT_PKCS12)
+ nma_cert_chooser_set_key (cert_chooser, cert_value, cert_scheme);
}
typedef const char * (*PathFunc) (NMSetting8021x *setting);
+typedef const char * (*UriFunc) (NMSetting8021x *setting);
typedef NMSetting8021xCKScheme (*SchemeFunc) (NMSetting8021x *setting);
+typedef const char * (*PasswordFunc) (NMSetting8021x *setting);
static void
-setup_filepicker (GtkBuilder *builder,
- const char *name,
- const char *title,
- WirelessSecurity *ws_parent,
- EAPMethod *parent,
- NMSetting8021x *s_8021x,
- SchemeFunc scheme_func,
- PathFunc path_func,
- gboolean privkey,
- gboolean client_cert)
+setup_cert_chooser (NMACertChooser *cert_chooser,
+ NMSetting8021x *s_8021x,
+ SchemeFunc cert_scheme_func,
+ PathFunc cert_path_func,
+ UriFunc cert_uri_func,
+ PasswordFunc cert_password_func,
+ SchemeFunc key_scheme_func,
+ PathFunc key_path_func,
+ UriFunc key_uri_func,
+ PasswordFunc key_password_func)
{
- GtkWidget *widget;
- GtkFileFilter *filter;
- const char *filename = NULL;
-
- widget = GTK_WIDGET (gtk_builder_get_object (builder, name));
- g_assert (widget);
- gtk_file_chooser_set_local_only (GTK_FILE_CHOOSER (widget), TRUE);
- gtk_file_chooser_button_set_title (GTK_FILE_CHOOSER_BUTTON (widget), title);
-
- if (s_8021x && path_func && scheme_func) {
- if (scheme_func (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH) {
- filename = path_func (s_8021x);
- if (filename)
- gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
+ NMSetting8021xCKScheme scheme = NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;
+ const char *value = NULL;
+
+
+ if (s_8021x && cert_path_func && cert_uri_func && cert_scheme_func) {
+ scheme = cert_scheme_func (s_8021x);
+ switch (scheme) {
+ case NM_SETTING_802_1X_CK_SCHEME_PATH:
+ value = cert_path_func (s_8021x);
+ break;
+#ifdef NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11
+/* Not available in libnm-glib */
+ case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
+ value = cert_uri_func (s_8021x);
+ if (cert_password_func)
+ nma_cert_chooser_set_cert_password (cert_chooser, cert_password_func
(s_8021x));
+ break;
+#endif
+ case NM_SETTING_802_1X_CK_SCHEME_UNKNOWN:
+ /* No CA set. */
+ break;
+ default:
+ g_warning ("unhandled certificate scheme %d", scheme);
}
- }
- /* Connect a special handler for private keys to intercept PKCS#12 key types
- * and desensitize the user cert button.
- */
- if (privkey) {
- g_signal_connect (G_OBJECT (widget), "selection-changed",
- (GCallback) private_key_picker_file_set_cb,
- parent);
- if (filename)
- private_key_picker_helper (parent, filename, FALSE);
}
+ nma_cert_chooser_set_cert (cert_chooser, value, scheme);
+
+ if (s_8021x && key_path_func && key_uri_func && key_scheme_func) {
+ scheme = key_scheme_func (s_8021x);
+ switch (scheme) {
+ case NM_SETTING_802_1X_CK_SCHEME_PATH:
+ value = key_path_func (s_8021x);
+ break;
+#ifdef NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11
+/* Not available in libnm-glib */
+ case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
+ value = key_uri_func (s_8021x);
+ break;
+#endif
+ case NM_SETTING_802_1X_CK_SCHEME_UNKNOWN:
+ /* No certificate set. */
+ break;
+ default:
+ g_warning ("unhandled key scheme %d", scheme);
+ }
- g_signal_connect (G_OBJECT (widget), "selection-changed",
- (GCallback) wireless_security_changed_cb,
- ws_parent);
-
- filter = eap_method_default_file_chooser_filter_new (privkey);
- gtk_file_chooser_add_filter (GTK_FILE_CHOOSER (widget), filter);
+ nma_cert_chooser_set_key (cert_chooser, value, scheme);
+ }
- /* For some reason, GTK+ calls set_current_filter (..., NULL) from
- * gtkfilechooserdefault.c::show_and_select_files_finished_loading() on our
- * dialog; so force-reset the filter to what we want it to be whenever
- * it gets cleared.
- */
- if (client_cert)
- g_signal_connect (G_OBJECT (widget), "notify::filter", (GCallback) reset_filter, filter);
+ if (s_8021x && key_password_func)
+ nma_cert_chooser_set_key_password (cert_chooser, key_password_func (s_8021x));
}
+#ifndef NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11
+/* Not available in libnm-glib */
+#define nm_setting_802_1x_get_ca_cert_password NULL
+#define nm_setting_802_1x_get_ca_cert_uri NULL
+#define nm_setting_802_1x_get_client_cert_password NULL
+#define nm_setting_802_1x_get_client_cert_uri NULL
+#define nm_setting_802_1x_get_private_key_uri NULL
+#define nm_setting_802_1x_get_phase2_ca_cert_password NULL
+#define nm_setting_802_1x_get_phase2_ca_cert_uri NULL
+#define nm_setting_802_1x_get_phase2_client_cert_password NULL
+#define nm_setting_802_1x_get_phase2_client_cert_uri NULL
+#define nm_setting_802_1x_get_phase2_private_key_uri NULL
+#endif
+
static void
update_secrets (EAPMethod *parent, NMConnection *connection)
{
- NMSetting8021x *s_8021x;
- HelperSecretFunc password_func;
- SchemeFunc scheme_func;
- PathFunc path_func;
- const char *filename;
- GtkWidget *widget;
-
- if (parent->phase2) {
- password_func = (HelperSecretFunc) nm_setting_802_1x_get_phase2_private_key_password;
- scheme_func = nm_setting_802_1x_get_phase2_private_key_scheme;
- path_func = nm_setting_802_1x_get_phase2_private_key_path;
- } else {
- password_func = (HelperSecretFunc) nm_setting_802_1x_get_private_key_password;
- scheme_func = nm_setting_802_1x_get_private_key_scheme;
- path_func = nm_setting_802_1x_get_private_key_path;
- }
-
- helper_fill_secret_entry (connection,
- parent->builder,
- "eap_tls_private_key_password_entry",
- NM_TYPE_SETTING_802_1X,
- password_func);
+ EAPMethodTLS *method = (EAPMethodTLS *) parent;
- /* Set the private key filepicker button path if we have a private key */
- s_8021x = nm_connection_get_setting_802_1x (connection);
- if (s_8021x && (scheme_func (s_8021x) == NM_SETTING_802_1X_CK_SCHEME_PATH)) {
- filename = path_func (s_8021x);
- if (filename) {
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_private_key_button"));
- g_assert (widget);
- gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), filename);
- }
- }
+ setup_cert_chooser (NMA_CERT_CHOOSER (method->client_cert_chooser),
+ nm_connection_get_setting_802_1x (connection),
+ NULL,
+ NULL,
+ NULL,
+ parent->phase2 ? nm_setting_802_1x_get_phase2_client_cert_password :
nm_setting_802_1x_get_client_cert_password,
+ parent->phase2 ? nm_setting_802_1x_get_phase2_private_key_scheme :
nm_setting_802_1x_get_private_key_scheme,
+ parent->phase2 ? nm_setting_802_1x_get_phase2_private_key_path :
nm_setting_802_1x_get_private_key_path,
+ parent->phase2 ? nm_setting_802_1x_get_phase2_private_key_uri :
nm_setting_802_1x_get_private_key_uri,
+ parent->phase2 ? nm_setting_802_1x_get_phase2_private_key_password :
nm_setting_802_1x_get_private_key_password);
}
EAPMethodTLS *
@@ -491,24 +472,68 @@ eap_method_tls_new (WirelessSecurity *ws_parent,
if (s_8021x && nm_setting_802_1x_get_identity (s_8021x))
gtk_entry_set_text (GTK_ENTRY (widget), nm_setting_802_1x_get_identity (s_8021x));
- setup_filepicker (parent->builder, "eap_tls_user_cert_button",
- _("Choose your personal certificate"),
- ws_parent, parent, s_8021x,
- phase2 ? nm_setting_802_1x_get_phase2_client_cert_scheme :
nm_setting_802_1x_get_client_cert_scheme,
- phase2 ? nm_setting_802_1x_get_phase2_client_cert_path :
nm_setting_802_1x_get_client_cert_path,
- FALSE, TRUE);
- setup_filepicker (parent->builder, "eap_tls_ca_cert_button",
- _("Choose a Certificate Authority certificate"),
- ws_parent, parent, s_8021x,
- phase2 ? nm_setting_802_1x_get_phase2_ca_cert_scheme :
nm_setting_802_1x_get_ca_cert_scheme,
- phase2 ? nm_setting_802_1x_get_phase2_ca_cert_path :
nm_setting_802_1x_get_ca_cert_path,
- FALSE, FALSE);
- setup_filepicker (parent->builder, "eap_tls_private_key_button",
- _("Choose your private key"),
- ws_parent, parent, s_8021x,
- phase2 ? nm_setting_802_1x_get_phase2_private_key_scheme :
nm_setting_802_1x_get_private_key_scheme,
- phase2 ? nm_setting_802_1x_get_phase2_private_key_path :
nm_setting_802_1x_get_private_key_path,
- TRUE, FALSE);
+ widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_grid"));
+ g_assert (widget);
+
+ method->client_cert_chooser = nma_cert_chooser_new ("User",
+ secrets_only ? NMA_CERT_CHOOSER_FLAG_PASSWORDS :
0);
+ gtk_grid_attach (GTK_GRID (widget), method->client_cert_chooser, 0, 1, 2, 1);
+ gtk_widget_show (method->client_cert_chooser);
+
+ g_signal_connect (method->client_cert_chooser, "cert-validate",
+ G_CALLBACK (client_cert_validate_cb),
+ NULL);
+ g_signal_connect (method->client_cert_chooser,
+ "key-validate",
+ G_CALLBACK (client_key_validate_cb),
+ NULL);
+ g_signal_connect (method->client_cert_chooser,
+ "key-password-validate",
+ G_CALLBACK (client_key_password_validate_cb),
+ NULL);
+ g_signal_connect (method->client_cert_chooser,
+ "changed",
+ G_CALLBACK (client_cert_fixup_pkcs12),
+ ws_parent);
+ g_signal_connect (method->client_cert_chooser,
+ "changed",
+ G_CALLBACK (wireless_security_changed_cb),
+ ws_parent);
+
+ setup_cert_chooser (NMA_CERT_CHOOSER (method->client_cert_chooser), s_8021x,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_scheme :
nm_setting_802_1x_get_client_cert_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_path :
nm_setting_802_1x_get_client_cert_path,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_uri :
nm_setting_802_1x_get_client_cert_uri,
+ phase2 ? nm_setting_802_1x_get_phase2_client_cert_password :
nm_setting_802_1x_get_client_cert_password,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_scheme :
nm_setting_802_1x_get_private_key_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_path :
nm_setting_802_1x_get_private_key_path,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_uri :
nm_setting_802_1x_get_private_key_uri,
+ phase2 ? nm_setting_802_1x_get_phase2_private_key_password :
nm_setting_802_1x_get_private_key_password);
+
+ method->ca_cert_chooser = nma_cert_chooser_new ("CA",
+ NMA_CERT_CHOOSER_FLAG_CERT
+ | (secrets_only ? NMA_CERT_CHOOSER_FLAG_PASSWORDS :
0));
+ gtk_grid_attach (GTK_GRID (widget), method->ca_cert_chooser, 0, 2, 2, 1);
+ gtk_widget_show (method->ca_cert_chooser);
+
+ g_signal_connect (method->ca_cert_chooser,
+ "cert-validate",
+ G_CALLBACK (ca_cert_validate_cb),
+ NULL);
+ g_signal_connect (method->ca_cert_chooser,
+ "changed",
+ G_CALLBACK (wireless_security_changed_cb),
+ ws_parent);
+
+ setup_cert_chooser (NMA_CERT_CHOOSER (method->ca_cert_chooser), s_8021x,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_scheme :
nm_setting_802_1x_get_ca_cert_scheme,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_path :
nm_setting_802_1x_get_ca_cert_path,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_uri :
nm_setting_802_1x_get_ca_cert_uri,
+ phase2 ? nm_setting_802_1x_get_phase2_ca_cert_password :
nm_setting_802_1x_get_ca_cert_password,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
if (connection && eap_method_ca_cert_ignore_get (parent, connection)) {
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button"));
@@ -517,45 +542,10 @@ eap_method_tls_new (WirelessSecurity *ws_parent,
widget = GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_ca_cert_not_required_checkbox"));
gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), ca_not_required);
- /* Fill secrets, if any */
- if (connection)
- update_secrets (parent, connection);
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_password_entry"));
- g_assert (widget);
- g_signal_connect (G_OBJECT (widget), "changed",
- (GCallback) wireless_security_changed_cb,
- ws_parent);
-
/* Create password-storage popup menu for password entry under entry's secondary icon */
- nma_utils_setup_password_storage (widget, 0, (NMSetting *) s_8021x, parent->password_flags_name,
- FALSE, secrets_only);
-
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "show_checkbutton_eaptls"));
- g_assert (widget);
- g_signal_connect (G_OBJECT (widget), "toggled",
- (GCallback) show_toggled_cb,
- parent);
-
- if (secrets_only) {
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_identity_entry"));
- gtk_widget_set_sensitive (widget, FALSE);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_label"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_user_cert_button"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_label"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_private_key_button"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_label"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder, "eap_tls_ca_cert_button"));
- gtk_widget_hide (widget);
- widget = GTK_WIDGET (gtk_builder_get_object (parent->builder,
"eap_tls_ca_cert_not_required_checkbox"));
- gtk_widget_hide (widget);
- }
+ nma_cert_chooser_setup_key_password_storage (NMA_CERT_CHOOSER (method->client_cert_chooser),
+ 0, (NMSetting *) s_8021x, parent->password_flags_name,
+ FALSE, secrets_only);
return method;
}
-
diff --git a/src/wireless-security/eap-method-tls.ui b/src/wireless-security/eap-method-tls.ui
index 94bad98..1e47d6f 100644
--- a/src/wireless-security/eap-method-tls.ui
+++ b/src/wireless-security/eap-method-tls.ui
@@ -8,7 +8,7 @@
<property name="show_tabs">False</property>
<property name="show_border">False</property>
<child>
- <object class="GtkGrid">
+ <object class="GtkGrid" id="eap_tls_grid">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="row_spacing">6</property>
@@ -40,17 +40,6 @@
</packing>
</child>
<child>
- <object class="GtkFileChooserButton" id="eap_tls_ca_cert_button">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="hexpand">True</property>
- </object>
- <packing>
- <property name="left_attach">1</property>
- <property name="top_attach">2</property>
- </packing>
- </child>
- <child>
<object class="GtkCheckButton" id="eap_tls_ca_cert_not_required_checkbox">
<property name="label" translatable="yes">No CA certificate is _required</property>
<property name="visible">True</property>
@@ -67,111 +56,13 @@
</packing>
</child>
<child>
- <object class="GtkFileChooserButton" id="eap_tls_private_key_button">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="hexpand">True</property>
- </object>
- <packing>
- <property name="left_attach">1</property>
- <property name="top_attach">4</property>
- </packing>
- </child>
- <child>
- <object class="GtkEntry" id="eap_tls_private_key_password_entry">
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="hexpand">True</property>
- <property name="visibility">False</property>
- <property name="activates_default">True</property>
- </object>
- <packing>
- <property name="left_attach">1</property>
- <property name="top_attach">5</property>
- </packing>
- </child>
- <child>
- <object class="GtkCheckButton" id="show_checkbutton_eaptls">
- <property name="label" translatable="yes">Sho_w password</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="halign">start</property>
- <property name="hexpand">True</property>
- <property name="use_underline">True</property>
- <property name="draw_indicator">True</property>
- </object>
- <packing>
- <property name="left_attach">1</property>
- <property name="top_attach">6</property>
- </packing>
- </child>
- <child>
- <object class="GtkFileChooserButton" id="eap_tls_user_cert_button">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="hexpand">True</property>
- </object>
- <packing>
- <property name="left_attach">1</property>
- <property name="top_attach">1</property>
- </packing>
- </child>
- <child>
- <object class="GtkLabel" id="eap_tls_user_cert_label">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="label" translatable="yes">_User certificate:</property>
- <property name="use_underline">True</property>
- <property name="mnemonic_widget">eap_tls_user_cert_button</property>
- <property name="xalign">0</property>
- </object>
- <packing>
- <property name="left_attach">0</property>
- <property name="top_attach">1</property>
- </packing>
- </child>
- <child>
- <object class="GtkLabel" id="eap_tls_ca_cert_label">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="label" translatable="yes">C_A certificate:</property>
- <property name="use_underline">True</property>
- <property name="mnemonic_widget">eap_tls_ca_cert_button</property>
- <property name="xalign">0</property>
- </object>
- <packing>
- <property name="left_attach">0</property>
- <property name="top_attach">2</property>
- </packing>
+ <placeholder/>
</child>
<child>
- <object class="GtkLabel" id="eap_tls_private_key_label">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="label" translatable="yes">Private _key:</property>
- <property name="use_underline">True</property>
- <property name="mnemonic_widget">eap_tls_private_key_button</property>
- <property name="xalign">0</property>
- </object>
- <packing>
- <property name="left_attach">0</property>
- <property name="top_attach">4</property>
- </packing>
+ <placeholder/>
</child>
<child>
- <object class="GtkLabel" id="eap_tls_private_key_password_label">
- <property name="visible">True</property>
- <property name="can_focus">False</property>
- <property name="label" translatable="yes">_Private key password:</property>
- <property name="use_underline">True</property>
- <property name="mnemonic_widget">eap_tls_private_key_password_entry</property>
- <property name="xalign">0</property>
- </object>
- <packing>
- <property name="left_attach">0</property>
- <property name="top_attach">5</property>
- </packing>
+ <placeholder/>
</child>
<child>
<placeholder/>
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]