void Gobby::CertificateManager::set_dh_params(gnutls_dh_params_t dh_params) { gnutls_dh_params_t old_dh_params = m_dh_params; GError* error = NULL; std::string filename = config_filename("dh_params.pem"); inf_cert_util_write_dh_params(dh_params, filename.c_str(), &error); if(error != NULL) { g_warning( _("Failed to write Diffie-Hellman parameters " "to \"%s\": %s"), filename.c_str(), error->message); g_error_free(error); } m_dh_params = dh_params; make_credentials(); // TODO: Note that the credentials do only store a pointer to the // DH params, so we cannot just delete the DH params here, since the // old credentials might still be in use. // For the moment we don't let this happen -- in principle it should // not happen; once we have valid DH params at one point we don't // need to change them again. // For the future maybe it could make sense to store the DH params // in the InfCertificateCredentials struct, so that their lifetime // is coupled. g_assert(old_dh_params == NULL); }
void Gobby::CertificateManager::load_trust() { std::vector<gnutls_x509_crt_t> old_trust; old_trust.swap(m_trust); GError* error = NULL; const std::string& filename = m_preferences.security.trusted_cas; if(!filename.empty()) { GPtrArray* array = inf_cert_util_read_certificate( filename.c_str(), NULL, &error); if(array != NULL) { guint n_certs = array->len; gnutls_x509_crt_t* certs = reinterpret_cast<gnutls_x509_crt_t*>( g_ptr_array_free(array, FALSE)); m_trust.assign(certs, certs + n_certs); g_free(certs); } } if(m_trust_error != NULL) g_error_free(m_trust_error); m_trust_error = error; make_credentials(); // Note that this relies on the fact that // gnutls_certificate_set_x509_trust makes a copy of the certificates for(unsigned int i = 0; i < old_trust.size(); ++i) gnutls_x509_crt_deinit(old_trust[i]); }
Gobby::CertificateManager::CertificateManager(Preferences& preferences): m_preferences(preferences), m_dh_params(NULL), m_key(NULL), m_certificates(NULL), m_credentials(NULL), m_key_error(NULL), m_certificate_error(NULL), m_trust_error(NULL) { m_conn_key_file = m_preferences.security.key_file. signal_changed().connect(sigc::mem_fun( *this, &CertificateManager::on_key_file_changed)); m_conn_certificate_file = m_preferences.security.certificate_file. signal_changed().connect(sigc::mem_fun( *this, &CertificateManager::on_certificate_file_changed)); m_preferences.security.use_system_trust.signal_changed().connect( sigc::mem_fun( *this, &CertificateManager::on_trusted_cas_changed)); m_preferences.security.trusted_cas.signal_changed().connect( sigc::mem_fun( *this, &CertificateManager::on_trusted_cas_changed)); m_preferences.security.authentication_enabled. signal_changed().connect( sigc::mem_fun( *this, &CertificateManager:: on_authentication_enabled_changed)); // TODO: Load these only on request, to improve the startup time load_dh_params(); load_key(); load_certificate(); load_trust(); make_credentials(); }
void Gobby::CertificateManager::set_certificates(gnutls_x509_crt_t* certs, guint n_certs, const GError* error) { g_assert(n_certs == 0 || error == NULL); InfCertificateChain* old_certificates = m_certificates; m_certificates = NULL; if(n_certs > 0) m_certificates = inf_certificate_chain_new(certs, n_certs); else m_certificates = NULL; if(m_certificate_error != NULL) g_error_free(m_certificate_error); if(error != NULL) m_certificate_error = g_error_copy(error); else m_certificate_error = NULL; check_certificate_signature(); make_credentials(); // Note that this relies on the fact that // gnutls_certificate_set_x509_key makes a copy of the certificates if(old_certificates != NULL) inf_certificate_chain_unref(old_certificates); }
void Gobby::CertificateManager::set_private_key(gnutls_x509_privkey_t key, const GError* error) { g_assert(key == NULL || error == NULL); gnutls_x509_privkey_t old_key = m_key; InfCertificateChain* old_certificates = m_certificates; if(old_certificates != NULL) inf_certificate_chain_ref(old_certificates); m_key = key; if(m_key_error != NULL) g_error_free(m_key_error); if(error != NULL) m_key_error = g_error_copy(error); else m_key_error = NULL; // Attempt to re-load the certificate if there was an error -- maybe // the new key fixes the problem. This makes sure that if the new key // is compatible to the certificate, the certificate is loaded. // TODO: It would be nicer to still keep the certificate in memory // when it does not match the key, so we don't need to re-load it. // Basically we just need to be able to handle the case when both // cert_error and certificate itself are non-NULL. if(m_certificate_error != NULL) { load_certificate(); } else { check_certificate_signature(); make_credentials(); } // Note that this relies on the fact that // gnutls_certificate_set_x509_key makes a copy of the key // and certificate if(old_certificates != NULL) inf_certificate_chain_unref(old_certificates); if(old_key != NULL) gnutls_x509_privkey_deinit(old_key); }
dbus_bool_t _dbus_credentials_test (const char *test_data_dir) { DBusCredentials *creds; DBusCredentials *creds2; if (test_data_dir == NULL) return TRUE; creds = make_credentials (12, 511, SAMPLE_SID); if (creds == NULL) _dbus_assert_not_reached ("oom"); /* test refcounting */ _dbus_credentials_ref (creds); _dbus_credentials_unref (creds); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds) == 12); _dbus_assert (_dbus_credentials_get_pid (creds) == 511); _dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds), SAMPLE_SID) == 0); _dbus_assert (!_dbus_credentials_are_empty (creds)); _dbus_assert (!_dbus_credentials_are_anonymous (creds)); /* Test copy */ creds2 = _dbus_credentials_copy (creds); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds2) == 12); _dbus_assert (_dbus_credentials_get_pid (creds2) == 511); _dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds2), SAMPLE_SID) == 0); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Same user if both unix and windows are the same */ creds2 = make_credentials (12, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (_dbus_credentials_same_user (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Windows is missing */ creds2 = make_credentials (12, DBUS_PID_UNSET, NULL); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Windows is different */ creds2 = make_credentials (12, DBUS_PID_UNSET, OTHER_SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (!_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Unix is missing */ creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Unix is different */ creds2 = make_credentials (15, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (!_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if both are missing */ creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, NULL); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Clearing credentials works */ _dbus_credentials_clear (creds); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds) == DBUS_UID_UNSET); _dbus_assert (_dbus_credentials_get_pid (creds) == DBUS_PID_UNSET); _dbus_assert (_dbus_credentials_get_windows_sid (creds) == NULL); _dbus_assert (_dbus_credentials_are_empty (creds)); _dbus_assert (_dbus_credentials_are_anonymous (creds)); _dbus_credentials_unref (creds); return TRUE; }
void Gobby::CertificateManager::on_authentication_enabled_changed() { make_credentials(); }