[glib/mcatanzaro/pkcs11-deferral] Revert "gtlscertificate: Add support for PKCS #11 backed certificates"



commit 4d46d841114569aeb0e5c02de152a1967712fea5
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Thu Jan 30 04:10:05 2020 -0600

    Revert "gtlscertificate: Add support for PKCS #11 backed certificates"
    
    This reverts commit b6d8efbebcc0ad1e12bf16f47a173cadfcbf986d.
    
    This GLib API is good, but the implentation is not ready, so there's no
    reason to commit to the API in GLib 2.64. We can reland again when the
    implementation is ready.
    
    There are three problems: (a) The glib-networking implementation normally
    works, but the test has been broken for a long time. I'm not comfortable
    with adding a major new feature without a working test. This is
    glib-networking#104. (b) The WebKit implementation never landed. There
    is a working patch, but it hasn't been accepted upstream due to lack of
    tests. This API isn't needed in GLib until WebKit is ready to start
    using it. https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly,
    the WebKit implementation requires basic Epiphany-level support that was
    never finished.
    
    Let's try again for GLib 2.66. Reverting this commit now just means we
    gain another six months before committing to the API forever. No reason
    to keep this in GLib 2.64 when nothing is using it yet.

 docs/reference/gio/gio-sections-common.txt |   1 -
 gio/gtlscertificate.c                      | 132 +----------------------------
 gio/gtlscertificate.h                      |   5 --
 gio/tests/gtesttlsbackend.c                |  25 +-----
 gio/tests/tls-certificate.c                |  37 --------
 5 files changed, 4 insertions(+), 196 deletions(-)
---
diff --git a/docs/reference/gio/gio-sections-common.txt b/docs/reference/gio/gio-sections-common.txt
index e174153c9..cd62b8a44 100644
--- a/docs/reference/gio/gio-sections-common.txt
+++ b/docs/reference/gio/gio-sections-common.txt
@@ -3697,7 +3697,6 @@ GTlsCertificate
 g_tls_certificate_new_from_pem
 g_tls_certificate_new_from_file
 g_tls_certificate_new_from_files
-g_tls_certificate_new_from_pkcs11_uris
 g_tls_certificate_list_new_from_file
 g_tls_certificate_get_issuer
 g_tls_certificate_verify
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index ca9c9b67b..72de5eb1f 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -60,9 +60,7 @@ enum
   PROP_CERTIFICATE_PEM,
   PROP_PRIVATE_KEY,
   PROP_PRIVATE_KEY_PEM,
-  PROP_ISSUER,
-  PROP_PKCS11_URI,
-  PROP_PRIVATE_KEY_PKCS11_URI,
+  PROP_ISSUER
 };
 
 static void
@@ -76,16 +74,7 @@ g_tls_certificate_get_property (GObject    *object,
                                GValue     *value,
                                GParamSpec *pspec)
 {
-  switch (prop_id)
-    {
-      case PROP_PKCS11_URI:
-      case PROP_PRIVATE_KEY_PKCS11_URI:
-        /* Subclasses must override this property but this allows older backends to not fatally error */
-        g_value_set_static_string (value, NULL);
-        break;
-      default:
-        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-    }
+  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
@@ -94,15 +83,7 @@ g_tls_certificate_set_property (GObject      *object,
                                const GValue *value,
                                GParamSpec   *pspec)
 {
-  switch (prop_id)
-    {
-      case PROP_PKCS11_URI:
-      case PROP_PRIVATE_KEY_PKCS11_URI:
-        /* Subclasses must override this property but this allows older backends to not fatally error */
-        break;
-      default:
-        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-    }
+  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
@@ -212,42 +193,6 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
                                                        G_PARAM_READWRITE |
                                                        G_PARAM_CONSTRUCT_ONLY |
                                                        G_PARAM_STATIC_STRINGS));
-
-  /**
-   * GTlsCertificate:pkcs11-uri: (nullable)
-   *
-   * A URI referencing the PKCS \#11 objects containing an X.509 certificate
-   * and optionally a private key.
-   *
-   * If %NULL the certificate is either not backed by PKCS \#11 or the
-   * #GTlsBackend does not support PKCS \#11.
-   *
-   * Since: 2.64
-   */
-  g_object_class_install_property (gobject_class, PROP_PKCS11_URI,
-                                   g_param_spec_string ("pkcs11-uri",
-                                                        P_("PKCS #11 URI"),
-                                                        P_("The PKCS #11 URI"),
-                                                        NULL,
-                                                        G_PARAM_READWRITE |
-                                                        G_PARAM_CONSTRUCT_ONLY |
-                                                        G_PARAM_STATIC_STRINGS));
-
-  /**
-   * GTlsCertificate:private-key-pkcs11-uri: (nullable)
-   *
-   * A URI referencing a PKCS \#11 object containing a private key.
-   *
-   * Since: 2.64
-   */
-  g_object_class_install_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI,
-                                   g_param_spec_string ("private-key-pkcs11-uri",
-                                                        P_("PKCS #11 URI"),
-                                                        P_("The PKCS #11 URI for a private key"),
-                                                        NULL,
-                                                        G_PARAM_READWRITE |
-                                                        G_PARAM_CONSTRUCT_ONLY |
-                                                        G_PARAM_STATIC_STRINGS));
 }
 
 static GTlsCertificate *
@@ -646,77 +591,6 @@ g_tls_certificate_new_from_files (const gchar  *cert_file,
   return cert;
 }
 
-/**
- * g_tls_certificate_new_from_pkcs11_uris:
- * @pkcs11_uri: A PKCS \#11 URI
- * @private_key_pkcs11_uri: (nullable): A PKCS \#11 URI
- * @error: #GError for error reporting, or %NULL to ignore.
- *
- * Creates a #GTlsCertificate from a PKCS \#11 URI.
- *
- * An example @pkcs11_uri would be 
`pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`
- *
- * Where the token’s layout is:
- *
- * ```
- * Object 0:
- *   URL: 
pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
- *   Type: Private key (RSA-2048)
- *   ID: 01
- *
- * Object 1:
- *   URL: 
pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
- *   Type: X.509 Certificate (RSA-2048)
- *   ID: 01
- * ```
- *
- * In this case the certificate and private key would both be detected and used as expected.
- * @pkcs_uri may also just reference an X.509 certificate object and then optionally
- * @private_key_pkcs11_uri allows using a private key exposed under a different URI.
- *
- * Note that the private key is not accessed until usage and may fail or require a PIN later.
- *
- * Returns: (transfer full): the new certificate, or %NULL on error
- *
- * Since: 2.64
- */
-GTlsCertificate *
-g_tls_certificate_new_from_pkcs11_uris (const gchar  *pkcs11_uri,
-                                        const gchar  *private_key_pkcs11_uri,
-                                        GError      **error)
-{
-  GObject *cert;
-  GTlsBackend *backend;
-
-  g_return_val_if_fail (error == NULL || *error == NULL, NULL);
-  g_return_val_if_fail (pkcs11_uri, NULL);
-
-  backend = g_tls_backend_get_default ();
-
-  cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
-                         NULL, error,
-                         "pkcs11-uri", pkcs11_uri,
-                         "private-key-pkcs11-uri", private_key_pkcs11_uri,
-                         NULL);
-
-  if (cert != NULL)
-    {
-      gchar *objects_uri;
-
-      /* Old implementations might not override this property */
-      g_object_get (cert, "pkcs11-uri", &objects_uri, NULL);
-      if (objects_uri == NULL)
-        {
-          g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("This GTlsBackend does not 
support creating PKCS #11 certificates"));
-          g_object_unref (cert);
-          return NULL;
-        }
-      g_free (objects_uri);
-    }
-
-  return G_TLS_CERTIFICATE (cert);
-}
-
 /**
  * g_tls_certificate_list_new_from_file:
  * @file: (type filename): file containing PEM-encoded certificates to import
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index 66fe59a03..a064543c4 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -71,11 +71,6 @@ GLIB_AVAILABLE_IN_ALL
 GTlsCertificate      *g_tls_certificate_new_from_files     (const gchar         *cert_file,
                                                            const gchar         *key_file,
                                                            GError             **error);
-GLIB_AVAILABLE_IN_2_64
-GTlsCertificate      *g_tls_certificate_new_from_pkcs11_uris (const gchar       *pkcs11_uri,
-                                                              const gchar       *private_key_pkcs11_uri,
-                                                              GError           **error);
-
 GLIB_AVAILABLE_IN_ALL
 GList                *g_tls_certificate_list_new_from_file (const gchar         *file,
                                                            GError             **error);
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 3051eaae7..157a4a3f3 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -91,8 +91,6 @@ struct _GTestTlsCertificate {
   gchar *key_pem;
   gchar *cert_pem;
   GTlsCertificate *issuer;
-  gchar *pkcs11_uri;
-  gchar *private_key_pkcs11_uri;
 };
 
 struct _GTestTlsCertificateClass {
@@ -105,9 +103,7 @@ enum
   PROP_CERT_CERTIFICATE_PEM,
   PROP_CERT_PRIVATE_KEY,
   PROP_CERT_PRIVATE_KEY_PEM,
-  PROP_CERT_ISSUER,
-  PROP_CERT_PKCS11_URI,
-  PROP_CERT_PRIVATE_KEY_PKCS11_URI,
+  PROP_CERT_ISSUER
 };
 
 static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
@@ -145,15 +141,6 @@ g_test_tls_certificate_get_property (GObject    *object,
     case PROP_CERT_ISSUER:
       g_value_set_object (value, cert->issuer);
       break;
-    case PROP_CERT_PKCS11_URI:
-      /* This test value simulates a backend that ignores the value
-         because it is unsupported */
-      if (g_strcmp0 (cert->pkcs11_uri, "unsupported") != 0)
-        g_value_set_string (value, cert->pkcs11_uri);
-      break;
-    case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
-      g_value_set_string (value, cert->private_key_pkcs11_uri);
-      break;
     default:
       g_assert_not_reached ();
       break;
@@ -179,12 +166,6 @@ g_test_tls_certificate_set_property (GObject      *object,
     case PROP_CERT_ISSUER:
       cert->issuer = g_value_dup_object (value);
       break;
-    case PROP_CERT_PKCS11_URI:
-      cert->pkcs11_uri = g_value_dup_string (value);
-      break;
-    case PROP_CERT_PRIVATE_KEY_PKCS11_URI:
-      cert->private_key_pkcs11_uri = g_value_dup_string (value);
-      break;
     case PROP_CERT_CERTIFICATE:
     case PROP_CERT_PRIVATE_KEY:
       /* ignore */
@@ -202,8 +183,6 @@ g_test_tls_certificate_finalize (GObject *object)
 
   g_free (cert->cert_pem);
   g_free (cert->key_pem);
-  g_free (cert->pkcs11_uri);
-  g_free (cert->private_key_pkcs11_uri);
   g_clear_object (&cert->issuer);
 
   G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
@@ -226,8 +205,6 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
   g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
   g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
   g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
-  g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_URI, "pkcs11-uri");
-  g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PKCS11_URI, 
"private-key-pkcs11-uri");
 }
 
 static void
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index 9fa78f152..e1ba23737 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -398,38 +398,6 @@ list_from_file (const Reference *ref)
   g_assert_cmpint (g_list_length (list), ==, 0);
 }
 
-static void
-from_pkcs11_uri (void)
-{
-  GError *error = NULL;
-  GTlsCertificate *cert;
-  gchar *pkcs11_uri = NULL;
-
-  cert = g_tls_certificate_new_from_pkcs11_uris 
("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
-  g_assert_no_error (error);
-  g_assert_nonnull (cert);
-
-  g_object_get (cert, "pkcs11-uri", &pkcs11_uri, NULL);
-  g_assert_cmpstr ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", 
==, pkcs11_uri);
-  g_free (pkcs11_uri);
-
-  g_object_unref (cert);
-}
-
-static void
-from_unsupported_pkcs11_uri (void)
-{
-  GError *error = NULL;
-  GTlsCertificate *cert;
-
-  /* This is a magic value in gtesttlsbackend.c simulating an unsupported backend */
-  cert = g_tls_certificate_new_from_pkcs11_uris ("unsupported", NULL, &error);
-  g_assert_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED);
-  g_assert_null (cert);
-
-  g_clear_error (&error);
-}
-
 int
 main (int   argc,
       char *argv[])
@@ -496,11 +464,6 @@ main (int   argc,
                         &ref, (GTestDataFunc)from_files_pkcs8enc);
   g_test_add_data_func ("/tls-certificate/list_from_file",
                         &ref, (GTestDataFunc)list_from_file);
-  g_test_add_func ("/tls-certificate/pkcs11-uri",
-                   from_pkcs11_uri);
-  g_test_add_func ("/tls-certificate/pkcs11-uri-unsupported",
-                   from_unsupported_pkcs11_uri);
-
 
   rtv = g_test_run();
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]