[glib-networking/glib-2-68] Revert "gnutls: download missing intermediate certificates at runtime"

From: Michael Catanzaro <mcatanzaro src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib-networking/glib-2-68] Revert "gnutls: download missing intermediate certificates at runtime"
Date: Thu, 22 Apr 2021 14:31:09 +0000 (UTC)

commit a3e1e22e3726372efb52eaa0173d4f87d49d5a33
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Thu Apr 22 09:23:16 2021 -0500

    Revert "gnutls: download missing intermediate certificates at runtime"
    
    This reverts commit 248003f3f1b631bed332e09b68ff1c1312e1db43.
    
    This is not quite ready yet, and I don't want to maintain it on the
    GLib 2.68 branch. See #160 for details on further work required.

 tls/gnutls/gtlsdatabase-gnutls.c | 139 ---------------------------------------
 1 file changed, 139 deletions(-)
---
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index 41fccb2..3e8ca3e 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -66,9 +66,6 @@ typedef struct
    * string handles. This array is populated on demand.
    */
   GHashTable *handles;
-
-  /* Unowned. This is only set temporarily, during certificate verification. */
-  GCancellable *verify_chain_cancellable;
 } GTlsDatabaseGnutlsPrivate;
 
 static void g_tls_database_gnutls_initable_interface_init (GInitableIface *iface);
@@ -223,8 +220,6 @@ g_tls_database_gnutls_finalize (GObject *object)
   GTlsDatabaseGnutls *self = G_TLS_DATABASE_GNUTLS (object);
   GTlsDatabaseGnutlsPrivate *priv = g_tls_database_gnutls_get_instance_private (self);
 
-  g_assert (!priv->verify_chain_cancellable);
-
   g_clear_pointer (&priv->subjects, g_hash_table_destroy);
   g_clear_pointer (&priv->issuers, g_hash_table_destroy);
   g_clear_pointer (&priv->complete, g_hash_table_destroy);
@@ -502,13 +497,10 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase             *database,
     return G_TLS_CERTIFICATE_GENERIC_ERROR;
 
   g_mutex_lock (&priv->mutex);
-  g_assert (!priv->verify_chain_cancellable);
-  priv->verify_chain_cancellable = cancellable;
   gnutls_chain = convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain));
   gerr = gnutls_x509_trust_list_verify_crt (priv->trust_list,
                                             gnutls_chain->chain, gnutls_chain->length,
                                             0, &gnutls_result, NULL);
-  priv->verify_chain_cancellable = NULL;
   g_mutex_unlock (&priv->mutex);
 
   if (gerr != 0 || g_cancellable_set_error_if_cancelled (cancellable, error))
@@ -585,133 +577,6 @@ g_tls_database_gnutls_populate_trust_list (GTlsDatabaseGnutls        *self,
   return gerr >= 0;
 }
 
-#if GNUTLS_VERSION_MAJOR > 3 || GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 7
-static int
-issuer_missing_cb (gnutls_x509_trust_list_t   tlist,
-                   const gnutls_x509_crt_t    crt,
-                   gnutls_x509_crt_t        **issuers,
-                   guint                     *issuers_size)
-{
-  GTlsDatabaseGnutls *self = gnutls_x509_trust_list_get_ptr (tlist);
-  GTlsDatabaseGnutlsPrivate *priv = g_tls_database_gnutls_get_instance_private (self);
-  gnutls_datum_t datum;
-  GFile *file = NULL;
-  GFileInputStream *istream = NULL;
-  char *aia = NULL;
-  char *scheme = NULL;
-  int gerr;
-  int ret = -1;
-  guchar buffer[2048];
-  gssize n_read;
-  GByteArray *der = NULL;
-  GError *error = NULL;
-
-  /* The server sent an incomplete certificate chain, but we may be able to
-   * download the missing certificate to allow verification to proceed. See
-   * Authority Information Access, RFC 5280 §4.2.2.1. Also see:
-   * 
https://blogs.gnome.org/mcatanzaro/2015/01/30/mozilla-is-responsible-for-the-redhat-corpmerchandise-com-fiasco/
-   */
-
-  /* Note: priv->mutex is already locked by g_tls_database_gnutls_verify_chain(). */
-
-  for (int i = 0; ; i++)
-    {
-      gerr = gnutls_x509_crt_get_authority_info_access (crt, i, GNUTLS_IA_CAISSUERS_URI, &datum, NULL);
-      if (gerr == GNUTLS_E_UNKNOWN_ALGORITHM)
-        continue;
-
-      if (gerr == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-        return -1;
-
-      if (gerr < 0)
-        {
-          g_warning ("Failed to read Authority Information Access from certificate: %s", gnutls_strerror 
(gerr));
-          return -1;
-        }
-
-      /* Success */
-      break;
-    }
-  g_assert (gerr == GNUTLS_E_SUCCESS);
-
-  aia = g_malloc0 (datum.size + 1);
-  memcpy (aia, datum.data, datum.size);
-
-  if (!g_uri_is_valid (aia, G_URI_FLAGS_NONE, &error))
-    {
-      g_warning ("Authority Information Access URI %s is not a valid URI: %s", aia, error->message);
-      goto out;
-    }
-
-  /* We support only HTTP. Notably, HTTPS is not supported because (a) it is
-   * not specified by RFC 5280, and (b) since we have no way to break a
-   * recursive loop if the connection to retrieve the certificate itself also
-   * requires a missing certificate. We could easily support FTP, but we don't,
-   * because that's silly. Also note that we don't support "certs-only" CMS
-   * messages, we only support directly retrieving a DER certificate. Finally,
-   * we don't support the case where accessLocation is a directoryName, so no
-   * private DAP or LDAP.
-   */
-  scheme = g_uri_parse_scheme (aia);
-  if (!scheme || strcmp (scheme, "http") != 0)
-    {
-      g_warning ("Authority Information Access URI %s uses unsupported URI scheme '%s'", scheme, aia);
-      goto out;
-    }
-
-  file = g_file_new_for_uri (aia);
-  istream = g_file_read (file, priv->verify_chain_cancellable, &error);
-  if (!istream)
-    {
-      g_warning ("Failed to download missing issuer certificate from Authority Information Access URI %s: 
failed g_file_read (do you need to install gvfs?): %s",
-                 aia, error->message);
-      goto out;
-    }
-
-  der = g_byte_array_sized_new (sizeof (buffer));
-  do
-    {
-      n_read = g_input_stream_read (G_INPUT_STREAM (istream), buffer, sizeof (buffer),
-                                    priv->verify_chain_cancellable, &error);
-      if (n_read == -1)
-        {
-          g_warning ("Failed to download missing issuer certificate from Authority Information Access URI 
%s: failed g_input_stream_read: %s",
-                     aia, error->message);
-          goto out;
-        }
-      g_byte_array_append (der, buffer, n_read);
-    } while (n_read > 0);
-
-  gnutls_free (datum.data);
-  datum.size = der->len;
-  datum.data = (unsigned char *)g_byte_array_free (der, FALSE);
-  der = NULL;
-
-  gerr = gnutls_x509_crt_list_import2 (issuers, issuers_size, &datum, GNUTLS_X509_FMT_DER, 0);
-  if (gerr < 0)
-    {
-      g_warning ("Failed to download missing issuer certificate from Authority Information Access URI %s: 
failed gnutls_x509_crt_import: %s",
-                 aia, gnutls_strerror (gerr));
-      goto out;
-    }
-
-  ret = 0;
-
-out:
-  if (error)
-    g_error_free (error);
-  if (file)
-    g_object_unref (file);
-  if (istream)
-    g_object_unref (istream);
-  if (der)
-    g_byte_array_unref (der);
-  gnutls_free (datum.data);
-  g_free (aia);
-  return ret;
-}
-#endif
-
 static void
 g_tls_database_gnutls_class_init (GTlsDatabaseGnutlsClass *klass)
 {
@@ -747,10 +612,6 @@ g_tls_database_gnutls_initable_init (GInitable     *initable,
     return FALSE;
 
   gnutls_x509_trust_list_init (&trust_list, 0);
-#if GNUTLS_VERSION_MAJOR > 3 || GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 7
-  gnutls_x509_trust_list_set_getissuer_function (trust_list, issuer_missing_cb);
-  gnutls_x509_trust_list_set_ptr (trust_list, self);
-#endif
 
   g_assert (G_TLS_DATABASE_GNUTLS_GET_CLASS (self)->populate_trust_list);
   if (!G_TLS_DATABASE_GNUTLS_GET_CLASS (self)->populate_trust_list (self, trust_list, error))
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]