[glib/mcatanzaro/pkcs11-deferral] Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/mcatanzaro/pkcs11-deferral] Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
- Date: Thu, 30 Jan 2020 10:17:54 +0000 (UTC)
commit 4d46d841114569aeb0e5c02de152a1967712fea5
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Thu Jan 30 04:10:05 2020 -0600
Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
This reverts commit b6d8efbebcc0ad1e12bf16f47a173cadfcbf986d.
This GLib API is good, but the implementation is not ready, so there's no
reason to commit to the API in GLib 2.64. We can reland again when the
implementation is ready.
There are three problems: (a) The glib-networking implementation normally
works, but the test has been broken for a long time. I'm not comfortable
with adding a major new feature without a working test. This is
glib-networking#104. (b) The WebKit implementation never landed. There
is a working patch, but it hasn't been accepted upstream due to lack of
tests. This API isn't needed in GLib until WebKit is ready to start
using it. https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly,
the WebKit implementation requires basic Epiphany-level support that was
never finished.
Let's try again for GLib 2.66. Reverting this commit now just means we
gain another six months before committing to the API forever. No reason
to keep this in GLib 2.64 when nothing is using it yet.
docs/reference/gio/gio-sections-common.txt | 1 -
gio/gtlscertificate.c | 132 +----------------------------
gio/gtlscertificate.h | 5 --
gio/tests/gtesttlsbackend.c | 25 +-----
gio/tests/tls-certificate.c | 37 --------
5 files changed, 4 insertions(+), 196 deletions(-)
---
diff --git a/docs/reference/gio/gio-sections-common.txt b/docs/reference/gio/gio-sections-common.txt
index e174153c9..cd62b8a44 100644
--- a/docs/reference/gio/gio-sections-common.txt
+++ b/docs/reference/gio/gio-sections-common.txt
@@ -3697,7 +3697,6 @@ GTlsCertificate
g_tls_certificate_new_from_pem
g_tls_certificate_new_from_file
g_tls_certificate_new_from_files
-g_tls_certificate_new_from_pkcs11_uris
g_tls_certificate_list_new_from_file
g_tls_certificate_get_issuer
g_tls_certificate_verify
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index ca9c9b67b..72de5eb1f 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -60,9 +60,7 @@ enum
PROP_CERTIFICATE_PEM,
PROP_PRIVATE_KEY,
PROP_PRIVATE_KEY_PEM,
- PROP_ISSUER,
- PROP_PKCS11_URI,
- PROP_PRIVATE_KEY_PKCS11_URI,
+ PROP_ISSUER
};
static void
@@ -76,16 +74,7 @@ g_tls_certificate_get_property (GObject *object,
GValue *value,
GParamSpec *pspec)
{
- switch (prop_id)
- {
- case PROP_PKCS11_URI:
- case PROP_PRIVATE_KEY_PKCS11_URI:
- /* Subclasses must override this property but this allows older backends to not fatally error */
- g_value_set_static_string (value, NULL);
- break;
- default:
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
- }
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
}
static void
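Review bot: The new body of g_tls_certificate_get_property warns on every prop_id it receives, which is only correct because the base class appears to keep no property storage of its own and expects backend subclasses to override each installed property; nothing in the hunk states that invariant, so a reader will suspect a missing case. A one-line comment would settle it: `/* All GTlsCertificate properties must be overridden by the backend subclass; any id reaching here is invalid. */`. The same comment belongs in the g_tls_certificate_set_property hunk that follows. Both function signatures start outside their hunks.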
@@ -94,15 +83,7 @@ g_tls_certificate_set_property (GObject *object,
const GValue *value,
GParamSpec *pspec)
{
- switch (prop_id)
- {
- case PROP_PKCS11_URI:
- case PROP_PRIVATE_KEY_PKCS11_URI:
- /* Subclasses must override this property but this allows older backends to not fatally error */
- break;
- default:
- G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
- }
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
}
static void
@@ -212,42 +193,6 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
G_PARAM_READWRITE |
G_PARAM_CONSTRUCT_ONLY |
G_PARAM_STATIC_STRINGS));
-
- /**
- * GTlsCertificate:pkcs11-uri: (nullable)
- *
- * A URI referencing the PKCS \#11 objects containing an X.509 certificate
- * and optionally a private key.
- *
- * If %NULL the certificate is either not backed by PKCS \#11 or the
- * #GTlsBackend does not support PKCS \#11.
- *
- * Since: 2.64
- */
- g_object_class_install_property (gobject_class, PROP_PKCS11_URI,
- g_param_spec_string ("pkcs11-uri",
- P_("PKCS #11 URI"),
- P_("The PKCS #11 URI"),
- NULL,
- G_PARAM_READWRITE |
- G_PARAM_CONSTRUCT_ONLY |
- G_PARAM_STATIC_STRINGS));
-
- /**
- * GTlsCertificate:private-key-pkcs11-uri: (nullable)
- *
- * A URI referencing a PKCS \#11 object containing a private key.
- *
- * Since: 2.64
- */
- g_object_class_install_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI,
- g_param_spec_string ("private-key-pkcs11-uri",
- P_("PKCS #11 URI"),
- P_("The PKCS #11 URI for a private key"),
- NULL,
- G_PARAM_READWRITE |
- G_PARAM_CONSTRUCT_ONLY |
- G_PARAM_STATIC_STRINGS));
}
static GTlsCertificate *
@@ -646,77 +591,6 @@ g_tls_certificate_new_from_files (const gchar *cert_file,
return cert;
}
-/**
- * g_tls_certificate_new_from_pkcs11_uris:
- * @pkcs11_uri: A PKCS \#11 URI
- * @private_key_pkcs11_uri: (nullable): A PKCS \#11 URI
- * @error: #GError for error reporting, or %NULL to ignore.
- *
- * Creates a #GTlsCertificate from a PKCS \#11 URI.
- *
- * An example @pkcs11_uri would be
`pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`
- *
- * Where the token’s layout is:
- *
- * ```
- * Object 0:
- * URL:
pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
- * Type: Private key (RSA-2048)
- * ID: 01
- *
- * Object 1:
- * URL:
pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
- * Type: X.509 Certificate (RSA-2048)
- * ID: 01
- * ```
- *
- * In this case the certificate and private key would both be detected and used as expected.
- * @pkcs_uri may also just reference an X.509 certificate object and then optionally
- * @private_key_pkcs11_uri allows using a private key exposed under a different URI.
- *
- * Note that the private key is not accessed until usage and may fail or require a PIN later.
- *
- * Returns: (transfer full): the new certificate, or %NULL on error
- *
- * Since: 2.64
- */
-GTlsCertificate *
-g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
- const gchar *private_key_pkcs11_uri,
- GError **error)
-{
- GObject *cert;
- GTlsBackend *backend;
-
- g_return_val_if_fail (error == NULL || *error == NULL, NULL);
- g_return_val_if_fail (pkcs11_uri, NULL);
-
- backend = g_tls_backend_get_default ();
-
- cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
- NULL, error,
- "pkcs11-uri", pkcs11_uri,
- "private-key-pkcs11-uri", private_key_pkcs11_uri,
- NULL);
-
- if (cert != NULL)
- {
- gchar *objects_uri;
-
- /* Old implementations might not override this property */
- g_object_get (cert, "pkcs11-uri", &objects_uri, NULL);
- if (objects_uri == NULL)
- {
- g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("This GTlsBackend does not
support creating PKCS #11 certificates"));
- g_object_unref (cert);
- return NULL;
- }
- g_free (objects_uri);
- }
-
- return G_TLS_CERTIFICATE (cert);
-}
-
/**
* g_tls_certificate_list_new_from_file:
* @file: (type filename): file containing PEM-encoded certificates to import
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index 66fe59a03..a064543c4 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -71,11 +71,6 @@ GLIB_AVAILABLE_IN_ALL
GTlsCertificate *g_tls_certificate_new_from_files (const gchar *cert_file,
const gchar *key_file,
GError **error);
-GLIB_AVAILABLE_IN_2_64
-GTlsCertificate *g_tls_certificate_new_from_pkcs11_uris (const gchar *pkcs11_uri,
- const gchar *private_key_pkcs11_uri,
- GError **error);
-
GLIB_AVAILABLE_IN_ALL
GList *g_tls_certificate_list_new_from_file (const gchar *file,
GError **error);
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 3051eaae7..157a4a3f3 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -91,8 +91,6 @@ struct _GTestTlsCertificate {
gchar *key_pem;
gchar *cert_pem;
GTlsCertificate *issuer;
- gchar *pkcs11_uri;
- gchar *private_key_pkcs11_uri;
};
struct _GTestTlsCertificateClass {
@@ -105,9 +103,7 @@ enum
PROP_CERT_CERTIFICATE_PEM,
PROP_CERT_PRIVATE_KEY,
PROP_CERT_PRIVATE_KEY_PEM,
- PROP_CERT_ISSUER,
- PROP_CERT_PKCS11_URI,
- PROP_CERT_PRIVATE_KEY_PKCS11_URI,
+ PROP_CERT_ISSUER
};
static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
@@ -145,15 +141,6 @@ g_test_tls_certificate_get_property (GObject *object,
case PROP_CERT_ISSUER:
g_value_set_object (value, cert->issuer);
break;
- case PROP_CERT_PKCS11_URI:
- /* This test value simulates a backend that ignores the value
- because it is unsupported */
- if (g_strcmp0 (cert->pkcs11_uri, "unsupported") != 0)
- g_value_set_string (value, cert->pkcs11_uri);
- break;
- case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
- g_value_set_string (value, cert->private_key_pkcs11_uri);
- break;
default:
g_assert_not_reached ();
break;
@@ -179,12 +166,6 @@ g_test_tls_certificate_set_property (GObject *object,
case PROP_CERT_ISSUER:
cert->issuer = g_value_dup_object (value);
break;
- case PROP_CERT_PKCS11_URI:
- cert->pkcs11_uri = g_value_dup_string (value);
- break;
- case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
- cert->private_key_pkcs11_uri = g_value_dup_string (value);
- break;
case PROP_CERT_CERTIFICATE:
case PROP_CERT_PRIVATE_KEY:
/* ignore */
@@ -202,8 +183,6 @@ g_test_tls_certificate_finalize (GObject *object)
g_free (cert->cert_pem);
g_free (cert->key_pem);
- g_free (cert->pkcs11_uri);
- g_free (cert->private_key_pkcs11_uri);
g_clear_object (&cert->issuer);
G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
@@ -226,8 +205,6 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
- g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_URI, "pkcs11-uri");
- g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PKCS11_URI,
"private-key-pkcs11-uri");
}
static void
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index 9fa78f152..e1ba23737 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -398,38 +398,6 @@ list_from_file (const Reference *ref)
g_assert_cmpint (g_list_length (list), ==, 0);
}
-static void
-from_pkcs11_uri (void)
-{
- GError *error = NULL;
- GTlsCertificate *cert;
- gchar *pkcs11_uri = NULL;
-
- cert = g_tls_certificate_new_from_pkcs11_uris
("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
- g_assert_no_error (error);
- g_assert_nonnull (cert);
-
- g_object_get (cert, "pkcs11-uri", &pkcs11_uri, NULL);
- g_assert_cmpstr ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt",
==, pkcs11_uri);
- g_free (pkcs11_uri);
-
- g_object_unref (cert);
-}
-
-static void
-from_unsupported_pkcs11_uri (void)
-{
- GError *error = NULL;
- GTlsCertificate *cert;
-
- /* This is a magic value in gtesttlsbackend.c simulating an unsupported backend */
- cert = g_tls_certificate_new_from_pkcs11_uris ("unsupported", NULL, &error);
- g_assert_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED);
- g_assert_null (cert);
-
- g_clear_error (&error);
-}
-
int
main (int argc,
char *argv[])
@@ -496,11 +464,6 @@ main (int argc,
&ref, (GTestDataFunc)from_files_pkcs8enc);
g_test_add_data_func ("/tls-certificate/list_from_file",
&ref, (GTestDataFunc)list_from_file);
- g_test_add_func ("/tls-certificate/pkcs11-uri",
- from_pkcs11_uri);
- g_test_add_func ("/tls-certificate/pkcs11-uri-unsupported",
- from_unsupported_pkcs11_uri);
-
rtv = g_test_run();