[glib-networking/mcatanzaro/pkcs11-revert: 1/2] Revert PKCS#11 support



commit d90b93a84b725c5da4886a204a59d456b4a1222c
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Fri Jan 31 08:32:58 2020 -0600

    Revert PKCS#11 support
    
    This reverts commit be1d64042226b73653be6aad033cf88c3b96aa58 and related
    PKCS#11 commits.
    
    There are three problems: (a) The glib-networking implementation normally
    works, but the test has been broken for a long time. I'm not comfortable
    with adding a major new feature without a working test. This is
    glib-networking#104. (b) The WebKit implementation never landed. There
    is a working patch, but it hasn't been accepted upstream yet. This API
    isn't needed in GLib until WebKit is ready to start using it.
    https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if
    the WebKit API was ready, that itself isn't useful until an application
    is ready to start using it, and the Epiphany level work never happened.
    
    See #104

 tls/gnutls/gtlscertificate-gnutls.c      |  130 +-
 tls/gnutls/gtlscertificate-gnutls.h      |    1 -
 tls/gnutls/gtlsconnection-gnutls.c       |   82 +-
 tls/gnutls/gtlsserverconnection-gnutls.c |    4 +-
 tls/tests/certificate.c                  |   39 -
 tls/tests/connection.c                   |  142 --
 tls/tests/meson.build                    |   26 +-
 tls/tests/mock-pkcs11.c                  | 3051 ------------------------------
 tls/tests/pkcs11/pkcs11.h                |  252 ---
 tls/tests/pkcs11/pkcs11f.h               |  812 --------
 tls/tests/pkcs11/pkcs11p.h               |   24 -
 tls/tests/pkcs11/pkcs11t.h               | 1799 ------------------
 tls/tests/pkcs11/pkcs11u.h               |   22 -
 13 files changed, 49 insertions(+), 6335 deletions(-)
---
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c
index 9d81cce..c6a79fd 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -39,9 +39,7 @@ enum
   PROP_CERTIFICATE_PEM,
   PROP_PRIVATE_KEY,
   PROP_PRIVATE_KEY_PEM,
-  PROP_ISSUER,
-  PROP_PKCS11_URI,
-  PROP_PRIVATE_KEY_PKCS11_URI,
+  PROP_ISSUER
 };
 
 struct _GTlsCertificateGnutls
@@ -49,10 +47,7 @@ struct _GTlsCertificateGnutls
   GTlsCertificate parent_instance;
 
   gnutls_x509_crt_t cert;
-  gnutls_privkey_t key;
-
-  gchar *pkcs11_uri;
-  gchar *private_key_pkcs11_uri;
+  gnutls_x509_privkey_t key;
 
   GTlsCertificateGnutls *issuer;
 
@@ -74,10 +69,7 @@ g_tls_certificate_gnutls_finalize (GObject *object)
   GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
 
   g_clear_pointer (&gnutls->cert, gnutls_x509_crt_deinit);
-  g_clear_pointer (&gnutls->key, gnutls_privkey_deinit);
-
-  g_clear_pointer (&gnutls->pkcs11_uri, g_free);
-  g_clear_pointer (&gnutls->private_key_pkcs11_uri, g_free);
+  g_clear_pointer (&gnutls->key, gnutls_x509_privkey_deinit);
 
   g_clear_object (&gnutls->issuer);
 
@@ -149,14 +141,6 @@ g_tls_certificate_gnutls_get_property (GObject    *object,
       g_value_set_object (value, gnutls->issuer);
       break;
 
-    case PROP_PKCS11_URI:
-      g_value_set_string (value, gnutls->pkcs11_uri);
-      break;
-
-    case PROP_PRIVATE_KEY_PKCS11_URI:
-      g_value_set_string (value, gnutls->private_key_pkcs11_uri);
-      break;
-
     default:
       G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
     }
@@ -225,10 +209,18 @@ g_tls_certificate_gnutls_set_property (GObject      *object,
       data.data = bytes->data;
       data.size = bytes->len;
       if (!gnutls->key)
-        gnutls_privkey_init (&gnutls->key);
-      status = gnutls_privkey_import_x509_raw (gnutls->key, &data,
-                                               GNUTLS_X509_FMT_DER,
-                                               NULL, GNUTLS_PKCS_PLAIN);
+        gnutls_x509_privkey_init (&gnutls->key);
+      status = gnutls_x509_privkey_import (gnutls->key, &data,
+                                           GNUTLS_X509_FMT_DER);
+      if (status != 0)
+        {
+          int pkcs8_status =
+            gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
+                                              GNUTLS_X509_FMT_DER, NULL,
+                                              GNUTLS_PKCS_PLAIN);
+          if (pkcs8_status == 0)
+            status = 0;
+        }
       if (status == 0)
         gnutls->have_key = TRUE;
       else if (!gnutls->construct_error)
@@ -248,10 +240,18 @@ g_tls_certificate_gnutls_set_property (GObject      *object,
       data.data = (void *)string;
       data.size = strlen (string);
       if (!gnutls->key)
-        gnutls_privkey_init (&gnutls->key);
-      status = gnutls_privkey_import_x509_raw (gnutls->key, &data,
-                                               GNUTLS_X509_FMT_PEM,
-                                               NULL, GNUTLS_PKCS_PLAIN);
+        gnutls_x509_privkey_init (&gnutls->key);
+      status = gnutls_x509_privkey_import (gnutls->key, &data,
+                                           GNUTLS_X509_FMT_PEM);
+      if (status != 0)
+        {
+          int pkcs8_status =
+            gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
+                                              GNUTLS_X509_FMT_PEM, NULL,
+                                              GNUTLS_PKCS_PLAIN);
+          if (pkcs8_status == 0)
+            status = 0;
+        }
       if (status == 0)
         gnutls->have_key = TRUE;
       else if (!gnutls->construct_error)
@@ -267,39 +267,6 @@ g_tls_certificate_gnutls_set_property (GObject      *object,
       gnutls->issuer = g_value_dup_object (value);
       break;
 
-    case PROP_PKCS11_URI:
-      string = g_value_get_string (value);
-      if (!string)
-        break;
-      g_return_if_fail (gnutls->have_cert == FALSE);
-      g_return_if_fail (!gnutls->pkcs11_uri);
-
-      gnutls->pkcs11_uri = g_strdup (string);
-
-      status = gnutls_x509_crt_import_url (gnutls->cert, string, GNUTLS_PKCS11_OBJ_FLAG_CRT);
-      if (status == GNUTLS_E_SUCCESS)
-        {
-          gnutls->have_cert = TRUE;
-        }
-      else if (!gnutls->construct_error)
-        {
-          gnutls->construct_error =
-            g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                          _("Could not import PKCS #11 certificate URI: %s"),
-                          gnutls_strerror (status));
-        }
-      break;
-
-    case PROP_PRIVATE_KEY_PKCS11_URI:
-      string = g_value_get_string (value);
-      if (!string)
-        break;
-      g_return_if_fail (gnutls->have_key == FALSE);
-      g_return_if_fail (!gnutls->private_key_pkcs11_uri);
-
-      gnutls->private_key_pkcs11_uri = g_strdup (string);
-      break;
-
     default:
       G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
     }
@@ -409,8 +376,6 @@ g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
   g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
   g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
   g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
-  g_object_class_override_property (gobject_class, PROP_PKCS11_URI, "pkcs11-uri");
-  g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PKCS11_URI, "private-key-pkcs11-uri");
 }
 
 static void
@@ -451,12 +416,6 @@ g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
   return gnutls->cert;
 }
 
-gboolean
-g_tls_certificate_gnutls_is_pkcs11_backed (GTlsCertificateGnutls *gnutls)
-{
-  return gnutls->pkcs11_uri != NULL;
-}
-
 gboolean
 g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
 {
@@ -513,28 +472,23 @@ g_tls_certificate_gnutls_copy  (GTlsCertificateGnutls  *gnutls,
       chain = chain->issuer;
     }
 
-  if (gnutls->key)
-    {
-      gnutls_x509_privkey_t x509_privkey;
+    if (gnutls->key)
+      {
+        gnutls_x509_privkey_t x509_privkey;
+        gnutls_privkey_t privkey;
 
-      gnutls_privkey_export_x509 (gnutls->key, &x509_privkey);
-      gnutls_privkey_import_x509 (*pkey, x509_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
-      gnutls_x509_privkey_deinit (x509_privkey);
-    }
-  else if (gnutls->private_key_pkcs11_uri || gnutls->pkcs11_uri)
-    {
-      int status;
+        gnutls_x509_privkey_init (&x509_privkey);
+        gnutls_x509_privkey_cpy (x509_privkey, gnutls->key);
 
-      status = gnutls_privkey_import_pkcs11_url (*pkey,
-                                                 gnutls->private_key_pkcs11_uri ? 
gnutls->private_key_pkcs11_uri : gnutls->pkcs11_uri);
-      if (status != GNUTLS_E_SUCCESS)
-        g_warning ("Failed to copy PKCS #11 private key: %s", gnutls_strerror (status));
-    }
-  else
-    {
-      gnutls_privkey_deinit (*pkey);
-      *pkey = NULL;
-    }
+        gnutls_privkey_init (&privkey);
+        gnutls_privkey_import_x509 (privkey, x509_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
+        *pkey = privkey;
+        gnutls_x509_privkey_deinit (x509_privkey);
+      }
+    else
+      {
+        *pkey = NULL;
+      }
 }
 
 void
diff --git a/tls/gnutls/gtlscertificate-gnutls.h b/tls/gnutls/gtlscertificate-gnutls.h
index 838f7db..74ad7f7 100644
--- a/tls/gnutls/gtlscertificate-gnutls.h
+++ b/tls/gnutls/gtlscertificate-gnutls.h
@@ -44,7 +44,6 @@ void                         g_tls_certificate_gnutls_set_data        (GTlsCerti
 
 const gnutls_x509_crt_t      g_tls_certificate_gnutls_get_cert        (GTlsCertificateGnutls *gnutls);
 gboolean                     g_tls_certificate_gnutls_has_key         (GTlsCertificateGnutls *gnutls);
-gboolean                     g_tls_certificate_gnutls_is_pkcs11_backed (GTlsCertificateGnutls *gnutls);
 
 void                         g_tls_certificate_gnutls_copy            (GTlsCertificateGnutls  *gnutls,
                                                                        const gchar            
*interaction_id,
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index 39cc7c5..e8e399c 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -74,7 +74,6 @@ typedef struct
   gnutls_certificate_credentials_t creds;
   gnutls_session_t session;
   gchar *interaction_id;
-  GCancellable *cancellable;
 } GTlsConnectionGnutlsPrivate;
 
 G_DEFINE_ABSTRACT_TYPE_WITH_CODE (GTlsConnectionGnutls, g_tls_connection_gnutls, G_TYPE_TLS_CONNECTION_BASE,
@@ -93,8 +92,6 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
 
   unique_id = g_atomic_int_add (&unique_interaction_id, 1);
   priv->interaction_id = g_strdup_printf ("gtls:%d", unique_id);
-
-  priv->cancellable = g_cancellable_new ();
 }
 
 static void
@@ -200,12 +197,6 @@ g_tls_connection_gnutls_finalize (GObject *object)
   if (priv->creds)
     gnutls_certificate_free_credentials (priv->creds);
 
-  if (priv->cancellable)
-    {
-      g_cancellable_cancel (priv->cancellable);
-      g_clear_object (&priv->cancellable);
-    }
-
   g_free (priv->interaction_id);
 
   G_OBJECT_CLASS (g_tls_connection_gnutls_parent_class)->finalize (object);
@@ -227,71 +218,6 @@ g_tls_connection_gnutls_get_session (GTlsConnectionGnutls *gnutls)
   return priv->session;
 }
 
-static int
-on_pin_request (void         *userdata,
-                int           attempt,
-                const char   *token_url,
-                const char   *token_label,
-                unsigned int  callback_flags,
-                char         *pin,
-                size_t        pin_max)
-{
-  GTlsConnection *connection = G_TLS_CONNECTION (userdata);
-  GTlsConnectionGnutlsPrivate *priv = g_tls_connection_gnutls_get_instance_private (G_TLS_CONNECTION_GNUTLS 
(connection));
-  GTlsInteraction *interaction = g_tls_connection_get_interaction (connection);
-  GTlsInteractionResult result;
-  GTlsPassword *password;
-  GTlsPasswordFlags password_flags = 0;
-  GError *error = NULL;
-  gchar *description;
-  int ret = -1;
-
-  if (!interaction)
-    return -1;
-
-  if (callback_flags & GNUTLS_PIN_WRONG)
-    password_flags |= G_TLS_PASSWORD_RETRY;
-  if (callback_flags & GNUTLS_PIN_COUNT_LOW)
-    password_flags |= G_TLS_PASSWORD_MANY_TRIES;
-  if (callback_flags & GNUTLS_PIN_FINAL_TRY || attempt > 5) /* Give up at some point */
-    password_flags |= G_TLS_PASSWORD_FINAL_TRY;
-
-  description = g_strdup_printf (" %s (%s)", token_label, token_url);
-  password = g_tls_password_new (password_flags, description);
-  result = g_tls_interaction_invoke_ask_password (interaction, password,
-                                                  priv->cancellable,
-                                                  &error);
-  g_free (description);
-
-  switch (result)
-    {
-    case G_TLS_INTERACTION_FAILED:
-      if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
-        g_warning ("Error getting PIN: %s", error->message);
-      g_error_free (error);
-      break;
-    case G_TLS_INTERACTION_UNHANDLED:
-      break;
-    case G_TLS_INTERACTION_HANDLED:
-      {
-        gsize password_size;
-        const guchar *password_data = g_tls_password_get_value (password, &password_size);
-        if (password_size > pin_max)
-          g_warning ("PIN is larger than max PIN size");
-
-        memcpy (pin, password_data, MIN (password_size, pin_max));
-        ret = GNUTLS_E_SUCCESS;
-        break;
-      }
-    default:
-      g_assert_not_reached ();
-    }
-
-  g_object_unref (password);
-
-  return ret;
-}
-
 void
 g_tls_connection_gnutls_handshake_thread_get_certificate (GTlsConnectionGnutls  *gnutls,
                                                           gnutls_pcert_st      **pcert,
@@ -305,15 +231,9 @@ g_tls_connection_gnutls_handshake_thread_get_certificate (GTlsConnectionGnutls
 
   if (cert)
     {
-      /* Send along a pre-initialized privkey so we can handle the callback here. */
-      gnutls_privkey_t privkey;
-      gnutls_privkey_init (&privkey);
-      gnutls_privkey_set_pin_function (privkey, on_pin_request, gnutls);
-
       g_tls_certificate_gnutls_copy (G_TLS_CERTIFICATE_GNUTLS (cert),
                                      priv->interaction_id,
-                                     pcert, pcert_length, &privkey);
-      *pkey = privkey;
+                                     pcert, pcert_length, pkey);
     }
   else
     {
diff --git a/tls/gnutls/gtlsserverconnection-gnutls.c b/tls/gnutls/gtlsserverconnection-gnutls.c
index 090b57d..18a97da 100644
--- a/tls/gnutls/gtlsserverconnection-gnutls.c
+++ b/tls/gnutls/gtlsserverconnection-gnutls.c
@@ -115,10 +115,8 @@ g_tls_server_connection_gnutls_initable_init (GInitable       *initable,
   creds = g_tls_connection_gnutls_get_credentials (G_TLS_CONNECTION_GNUTLS (gnutls));
   gnutls_certificate_set_retrieve_function2 (creds, 
g_tls_server_connection_gnutls_handshake_thread_retrieve_function);
 
-  /* Currently we don't know ahead of time if a PKCS #11 backed certificate has a private key. */
   cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
-  if (cert && !g_tls_certificate_gnutls_has_key (G_TLS_CERTIFICATE_GNUTLS (cert)) &&
-      !g_tls_certificate_gnutls_is_pkcs11_backed (G_TLS_CERTIFICATE_GNUTLS (cert)))
+  if (cert && !g_tls_certificate_gnutls_has_key (G_TLS_CERTIFICATE_GNUTLS (cert)))
     {
       g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                            _("Certificate has no private key"));
diff --git a/tls/tests/certificate.c b/tls/tests/certificate.c
index 8e69ac1..81e2ebb 100644
--- a/tls/tests/certificate.c
+++ b/tls/tests/certificate.c
@@ -26,11 +26,6 @@
 
 #include <gio/gio.h>
 
-#ifdef BACKEND_IS_GNUTLS
-#include <gnutls/gnutls.h>
-#include <gnutls/pkcs11.h>
-#endif
-
 #include <sys/types.h>
 #include <string.h>
 
@@ -248,25 +243,6 @@ test_create_certificate_with_garbage_input (TestCertificate *test,
   g_clear_error (&error);
 }
 
-static void
-test_create_certificate_pkcs11 (TestCertificate *test,
-                                gconstpointer data)
-{
-#ifndef BACKEND_IS_GNUTLS
-  g_test_skip ("This backend does not support PKCS #11");
-#else
-  GTlsCertificate *cert;
-  GError *error = NULL;
-
-  cert = g_initable_new (test->cert_gtype, NULL, &error,
-                         "pkcs11-uri", 
"pkcs11:model=mock;token=Mock%20Certificate;object=Mock%20Certificate",
-                         NULL);
-
-  g_assert_no_error (error);
-  g_assert_nonnull (cert);
-#endif
-}
-
 static void
 test_create_certificate_chain (void)
 {
@@ -580,25 +556,12 @@ int
 main (int   argc,
       char *argv[])
 {
-#ifdef BACKEND_IS_GNUTLS
-  char *module_path;
-#endif
-
   g_test_init (&argc, &argv, NULL);
 
   g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
   g_setenv ("GIO_USE_TLS", BACKEND, TRUE);
   g_assert (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend" BACKEND) == 
0);
 
-#ifdef BACKEND_IS_GNUTLS
-  module_path = g_test_build_filename (G_TEST_BUILT, "mock-pkcs11.so", NULL);
-  g_assert_true (g_file_test (module_path, G_FILE_TEST_EXISTS));
-
-  g_assert (gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL) == GNUTLS_E_SUCCESS);
-  g_assert (gnutls_pkcs11_add_provider (module_path, NULL) == GNUTLS_E_SUCCESS);
-  g_free (module_path);
-#endif
-
   g_test_add ("/tls/" BACKEND "/certificate/create-pem", TestCertificate, NULL,
               setup_certificate, test_create_pem, teardown_certificate);
   g_test_add ("/tls/" BACKEND "/certificate/create-der", TestCertificate, NULL,
@@ -611,8 +574,6 @@ main (int   argc,
               setup_certificate, test_create_certificate_with_issuer, teardown_certificate);
   g_test_add ("/tls/" BACKEND "/certificate/create-with-garbage-input", TestCertificate, NULL,
               setup_certificate, test_create_certificate_with_garbage_input, teardown_certificate);
-  g_test_add ("/tls/" BACKEND "/certificate/pkcs11", TestCertificate, NULL,
-              setup_certificate, test_create_certificate_pkcs11, teardown_certificate);
 
   g_test_add_func ("/tls/" BACKEND "/certificate/create-chain", test_create_certificate_chain);
   g_test_add_func ("/tls/" BACKEND "/certificate/create-no-chain", test_create_certificate_no_chain);
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index ed62c49..21a150a 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -35,7 +35,6 @@
 
 #ifdef BACKEND_IS_GNUTLS
 #include <gnutls/gnutls.h>
-#include <gnutls/pkcs11.h>
 #else
 #include "openssl-include.h"
 #endif
@@ -1065,110 +1064,6 @@ test_client_auth_connection (TestConnection *test,
   g_assert_true (g_tls_certificate_is_same (peer, cert));
 }
 
-/* https://gitlab.gnome.org/GNOME/glib-networking/issues/104 */
-#if 0
-static void
-test_client_auth_pkcs11_connection (TestConnection *test,
-                                    gconstpointer   data)
-{
-#ifndef BACKEND_IS_GNUTLS
-  g_test_skip ("This backend does not support PKCS #11");
-#else
-  GIOStream *connection;
-  GError *error = NULL;
-  GTlsCertificate *cert;
-  GTlsCertificate *peer;
-  gboolean cas_changed;
-  GSocketClient *client;
-  GTlsInteraction *interaction;
-
-  test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
-  g_assert_no_error (error);
-  g_assert_nonnull (test->database);
-
-  interaction = mock_interaction_new_static_password ("ABC123");
-
-  connection = start_async_server_and_connect_to_it (test, G_TLS_AUTHENTICATION_REQUIRED);
-  test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
-  g_assert_no_error (error);
-  g_assert_nonnull (test->client_connection);
-  g_object_unref (connection);
-
-  g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction);
-  g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
-
-  cert = g_tls_certificate_new_from_pkcs11_uris 
("pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%43%65%72%74%69%66%69%63%61%74%65;object=Mock%20Certificate;type=cert",
-                                                 
"pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%50%72%69%76%61%74%65%20%4B%65%79;object=Mock%20Private%20Key;type=private",
-                                                 &error);
-  g_assert_no_error (error);
-
-  g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert);
-
-  /* All validation in this test */
-  g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
-                                                G_TLS_CERTIFICATE_VALIDATE_ALL);
-
-  cas_changed = FALSE;
-  g_signal_connect (test->client_connection, "notify::accepted-cas",
-                    G_CALLBACK (on_notify_accepted_cas), &cas_changed);
-
-  read_test_data_async (test);
-  g_main_loop_run (test->loop);
-  wait_until_server_finished (test);
-
-  g_assert_no_error (test->read_error);
-  g_assert_no_error (test->server_error);
-
-  peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
-  g_assert_nonnull (peer);
-  g_assert_true (g_tls_certificate_is_same (peer, cert));
-  g_assert_true (cas_changed);
-
-  g_object_unref (cert);
-  g_object_unref (test->client_connection);
-  g_clear_object (&test->server_connection);
-
-  /* Now start a new connection to the same server with a different client cert.
-   * Also test using a single URI matching both the cert and private key.
-   */
-  client = g_socket_client_new ();
-  connection = G_IO_STREAM (g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address),
-                                                     NULL, &error));
-  g_assert_no_error (error);
-  g_object_unref (client);
-  test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
-  g_assert_no_error (error);
-  g_assert_nonnull (test->client_connection);
-  g_object_unref (connection);
-
-  g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction);
-  g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
-                                                0);
-  cert = g_tls_certificate_new_from_pkcs11_uris 
("pkcs11:model=mock;manufacturer=GLib-Networking;serial=1;token=Mock%20Certificate;id=%4D%6F%63%6B%20%50%72%69%76%61%74%65%20%4B%65%79%20%32",
-                                                 NULL,
-                                                 &error);
-  g_assert_no_error (error);
-  g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert);
-  g_object_unref (cert);
-  g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
-
-  read_test_data_async (test);
-  g_main_loop_run (test->loop);
-  wait_until_server_finished (test);
-
-  g_assert_no_error (test->read_error);
-  g_assert_no_error (test->server_error);
-
-  /* peer should see the second client cert */
-  peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
-  g_assert_nonnull (peer);
-  g_assert_true (g_tls_certificate_is_same (peer, cert));
-
-  g_object_unref (interaction);
-#endif
-}
-#endif
-
 static void
 test_client_auth_rehandshake (TestConnection *test,
                               gconstpointer   data)
@@ -2550,10 +2445,6 @@ main (int   argc,
       char *argv[])
 {
   int ret;
-#ifdef BACKEND_IS_GNUTLS
-  char *module_path;
-  const char *spy_path;
-#endif
 
   g_test_init (&argc, &argv, NULL);
   g_test_bug_base ("http://bugzilla.gnome.org/";);
@@ -2563,34 +2454,6 @@ main (int   argc,
 
   g_assert_true (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend" 
BACKEND) == 0);
 
-#ifdef BACKEND_IS_GNUTLS
-  module_path = g_test_build_filename (G_TEST_BUILT, "mock-pkcs11.so", NULL);
-  g_assert_true (g_file_test (module_path, G_FILE_TEST_EXISTS));
-
-  /* This just adds extra logging which is useful for debugging */
-  spy_path = g_getenv ("PKCS11SPY_PATH");
-  if (!spy_path)
-    {
-      spy_path = "/usr/lib64/pkcs11-spy.so"; /* Fedora's path */
-      if (!g_file_test (spy_path, G_FILE_TEST_EXISTS))
-        spy_path = "/usr/lib/x86_64-linux-gnu/pkcs11-spy.so"; /* Debian/Ubuntu's path */
-    }
-
-  if (g_file_test (spy_path, G_FILE_TEST_EXISTS))
-    {
-      g_debug ("Using PKCS #11 Spy");
-      g_setenv ("PKCS11SPY", module_path, TRUE);
-      g_free (module_path);
-      module_path = g_strdup (spy_path);
-    }
-
-  ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
-  g_assert_cmpint (ret, ==, GNUTLS_E_SUCCESS);
-  ret = gnutls_pkcs11_add_provider (module_path, NULL);
-  g_assert_cmpint (ret, ==, GNUTLS_E_SUCCESS);
-  g_free (module_path);
-#endif
-
   g_test_add ("/tls/" BACKEND "/connection/basic", TestConnection, NULL,
               setup_connection, test_basic_connection, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/verified", TestConnection, NULL,
@@ -2621,11 +2484,6 @@ main (int   argc,
               setup_connection, test_client_auth_request_fail, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/client-auth-request-none", TestConnection, NULL,
               setup_connection, test_client_auth_request_none, teardown_connection);
-  /* https://gitlab.gnome.org/GNOME/glib-networking/issues/104 */
-#if 0
-  g_test_add ("/tls/" BACKEND "/connection/client-auth-pkcs11", TestConnection, NULL,
-              setup_connection, test_client_auth_pkcs11_connection, teardown_connection);
-#endif
   g_test_add ("/tls/" BACKEND "/connection/no-database", TestConnection, NULL,
               setup_connection, test_connection_no_database, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/failed", TestConnection, NULL,
diff --git a/tls/tests/meson.build b/tls/tests/meson.build
index 2920796..8d8bb71 100644
--- a/tls/tests/meson.build
+++ b/tls/tests/meson.build
@@ -21,32 +21,16 @@ envs = [
   'G_TEST_BUILDDIR=' + meson.current_build_dir(),
 ]
 
-if backends.contains('gnutls')
-  mock_pkcs11_module = shared_module('mock-pkcs11',
-    sources: 'mock-pkcs11.c',
-    name_prefix: '',
-    gnu_symbol_visibility: 'hidden',
-    dependencies: [
-      gio_dep,
-      gnutls_dep,
-    ],
-    install: enable_installed_tests,
-    install_dir: installed_tests_execdir
-  )
-else
-  mock_pkcs11_module = []
-endif
-
 if enable_installed_tests
   install_subdir('files', install_dir: installed_tests_execdir)
 endif
 
 test_programs = [
-  ['certificate', [], deps, [], [mock_pkcs11_module]],
-  ['file-database', [], deps, [], []],
-  ['connection', ['mock-interaction.c'], deps, [], [mock_pkcs11_module]],
+  ['certificate', [], deps, []],
+  ['file-database', [], deps, []],
+  ['connection', ['mock-interaction.c'], deps, []],
 # DTLS tests are disabled until we fix https://gitlab.gnome.org/GNOME/glib-networking/issues/49
-#  ['dtls-connection', ['mock-interaction.c'], deps, [], [mock_pkcs11_module]],
+#  ['dtls-connection', ['mock-interaction.c'], deps, []],
 ]
 
 foreach backend: backends
@@ -96,7 +80,7 @@ foreach backend: backends
       'G_TEST_BUILDDIR=@0@'.format(meson.current_build_dir())
     ]
 
-    test(program_name, exe, env: test_envs, depends: program[4])
+    test(program_name, exe, env: test_envs)
 
     if backend == 'gnutls' and program[0] == 'connection' or program[0] == 'dtls-connection'
       # Run the tests again, this time with TLS 1.3 disabled so we can test TLS 1.2.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]