/**
* infinoted_startup_free:
* @startup: A #InfinotedStartup.
*
* Frees all ressources allocated by @startup.
*/
void
infinoted_startup_free(InfinotedStartup* startup)
{
guint i;
if(startup->credentials != NULL)
inf_certificate_credentials_unref(startup->credentials);
if(startup->certificates != NULL)
inf_certificate_chain_unref(startup->certificates);
if(startup->private_key != NULL)
gnutls_x509_privkey_deinit(startup->private_key);
if(startup->log != NULL)
g_object_unref(startup->log);
if(startup->options != NULL)
infinoted_options_free(startup->options);
if(startup->sasl_context != NULL)
inf_sasl_context_unref(startup->sasl_context);
g_slice_free(InfinotedStartup, startup);
inf_deinit();
}
void Gobby::CertificateManager::set_certificates(gnutls_x509_crt_t* certs,
guint n_certs,
const GError* error)
{
g_assert(n_certs == 0 || error == NULL);
InfCertificateChain* old_certificates = m_certificates;
m_certificates = NULL;
if(n_certs > 0)
m_certificates = inf_certificate_chain_new(certs, n_certs);
else
m_certificates = NULL;
if(m_certificate_error != NULL)
g_error_free(m_certificate_error);
if(error != NULL)
m_certificate_error = g_error_copy(error);
else
m_certificate_error = NULL;
check_certificate_signature();
make_credentials();
// Note that this relies on the fact that
// gnutls_certificate_set_x509_key makes a copy of the certificates
if(old_certificates != NULL)
inf_certificate_chain_unref(old_certificates);
}
Gobby::CertificateManager::~CertificateManager()
{
if(m_credentials != NULL)
inf_certificate_credentials_unref(m_credentials);
for(unsigned int i = 0; i < m_trust.size(); ++i)
gnutls_x509_crt_deinit(m_trust[i]);
if(m_certificates != NULL)
inf_certificate_chain_unref(m_certificates);
if(m_key != NULL)
gnutls_x509_privkey_deinit(m_key);
if(m_dh_params != NULL)
gnutls_dh_params_deinit(m_dh_params);
}
static void
inf_gtk_certificate_manager_query_free(InfGtkCertificateManagerQuery* query)
{
inf_signal_handlers_disconnect_by_func(
G_OBJECT(query->connection),
G_CALLBACK(inf_gtk_certificate_manager_notify_status_cb),
query
);
g_object_unref(query->connection);
inf_certificate_chain_unref(query->certificate_chain);
gtk_widget_destroy(GTK_WIDGET(query->dialog));
g_hash_table_unref(query->known_hosts);
g_slice_free(InfGtkCertificateManagerQuery, query);
}
void Gobby::CertificateManager::set_private_key(gnutls_x509_privkey_t key,
const GError* error)
{
g_assert(key == NULL || error == NULL);
gnutls_x509_privkey_t old_key = m_key;
InfCertificateChain* old_certificates = m_certificates;
if(old_certificates != NULL)
inf_certificate_chain_ref(old_certificates);
m_key = key;
if(m_key_error != NULL)
g_error_free(m_key_error);
if(error != NULL)
m_key_error = g_error_copy(error);
else
m_key_error = NULL;
// Attempt to re-load the certificate if there was an error -- maybe
// the new key fixes the problem. This makes sure that if the new key
// is compatible to the certificate, the certificate is loaded.
// TODO: It would be nicer to still keep the certificate in memory
// when it does not match the key, so we don't need to re-load it.
// Basically we just need to be able to handle the case when both
// cert_error and certificate itself are non-NULL.
if(m_certificate_error != NULL)
{
load_certificate();
}
else
{
check_certificate_signature();
make_credentials();
}
// Note that this relies on the fact that
// gnutls_certificate_set_x509_key makes a copy of the key
// and certificate
if(old_certificates != NULL)
inf_certificate_chain_unref(old_certificates);
if(old_key != NULL) gnutls_x509_privkey_deinit(old_key);
}
void Gobby::CertificateManager::check_certificate_signature()
{
if(!m_key || !m_certificates) return;
g_assert(m_key_error == NULL && m_certificate_error == NULL);
gnutls_x509_crt_t crt =
inf_certificate_chain_get_own_certificate(m_certificates);
if(!inf_cert_util_check_certificate_key(crt, m_key))
{
inf_certificate_chain_unref(m_certificates);
m_certificates = NULL;
g_set_error(
&m_certificate_error,
g_quark_from_static_string(
"GOBBY_CERTIFICATE_MANAGER_ERROR"),
0,
"%s",
_("Certificate does not belong to the chosen key")
);
}
}
static gboolean
inf_test_certificate_validate_run(const InfTestCertificateValidateDesc* desc,
GError** error)
{
InfIo* io;
InfdXmppServer* server;
InfXmppManager* xmpp_manager;
InfCertificateVerify* verify;
InfXmppConnection* client;
gchar* pinned_file;
InfXmlConnectionStatus status;
InfTestCertificateValidateCheckCertificateData check_certificate_data;
gboolean result;
GError* conn_error;
GHashTable* pinned;
gnutls_x509_crt_t pinned_cert;
InfCertificateChain* current_cert;
gboolean cert_equal;
/* Setup server */
io = INF_IO(inf_standalone_io_new());
server = inf_test_certificate_setup_server(
io,
desc->key_file,
desc->cert_file,
error
);
if(server == NULL)
{
g_object_unref(io);
return FALSE;
}
/* Create client */
pinned_file = inf_test_validate_setup_pin(
desc->hostname,
desc->pinned_certificate,
error
);
if(pinned_file == NULL)
{
g_object_unref(server);
g_object_unref(io);
return FALSE;
}
xmpp_manager = inf_xmpp_manager_new();
verify = inf_certificate_verify_new(xmpp_manager, pinned_file);
check_certificate_data.did_query = FALSE;
check_certificate_data.accept_query = desc->accept_query;
g_signal_connect(
G_OBJECT(verify),
"check-certificate",
G_CALLBACK(inf_test_certificate_validate_check_certificate),
&check_certificate_data
);
client = inf_test_certificate_validate_setup_client(
io,
desc->ca_file,
desc->hostname,
error
);
if(client == NULL)
{
g_unlink(pinned_file);
g_free(pinned_file);
g_object_unref(io);
g_object_unref(xmpp_manager);
g_object_unref(verify);
g_object_unref(server);
return FALSE;
}
inf_xmpp_manager_add_connection(xmpp_manager, client);
/* Okay, now watch for status changes on the client or whether a dialog
* appears. */
g_signal_connect(
G_OBJECT(client),
"notify::status",
G_CALLBACK(inf_test_validate_certificate_notify_status_cb),
io
);
conn_error = NULL;
g_signal_connect(
G_OBJECT(client),
"error",
G_CALLBACK(inf_test_validate_certificate_error_cb),
&conn_error
);
inf_standalone_io_loop(INF_STANDALONE_IO(io));
g_object_unref(io);
/* Evaluate result */
result = TRUE;
g_object_get(G_OBJECT(client), "status", &status, NULL);
if(status == INF_XML_CONNECTION_OPEN)
{
g_assert(conn_error == NULL);
if(check_certificate_data.did_query == TRUE &&
desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_QUERY_ACCEPT)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
3,
"Certificate queried and accepted but not expected to"
);
result = FALSE;
}
else if(check_certificate_data.did_query == FALSE &&
desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_ACCEPT)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
0,
"Certificate accepted but not expected to"
);
result = FALSE;
}
}
else
{
g_assert(check_certificate_data.did_query || conn_error != NULL);
/* TODO: The certificate verification result is not preserved at
* the moment. We could change this in
* inf_xmpp_connection_certificate_verify_cancel such that the existing
* error is used if any, or otherwise our own is created. */
if(conn_error != NULL &&
conn_error->domain != inf_xmpp_connection_error_quark() &&
conn_error->code != INF_XMPP_CONNECTION_ERROR_CERTIFICATE_NOT_TRUSTED)
{
g_propagate_error(error, conn_error);
conn_error = NULL;
result = FALSE;
}
else if(check_certificate_data.did_query == TRUE &&
desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_QUERY_REJECT)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
2,
"Certificate queried and rejected but not expected to"
);
result = FALSE;
}
else if(check_certificate_data.did_query == FALSE &&
desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_REJECT)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
1,
"Certificate rejected but not expected to"
);
result = FALSE;
}
if(conn_error != NULL)
{
g_error_free(conn_error);
conn_error = NULL;
}
}
/* If we got the expected result, check whether the host was correctly
* pinned or not. */
if(result == TRUE)
{
pinned = inf_cert_util_read_certificate_map(pinned_file, error);
if(pinned == NULL)
{
result = FALSE;
}
else
{
pinned_cert = g_hash_table_lookup(pinned, desc->hostname);
cert_equal = FALSE;
if(pinned_cert != NULL)
{
g_object_get(
G_OBJECT(client),
"remote-certificate", ¤t_cert,
NULL
);
cert_equal = inf_cert_util_compare_fingerprint(
pinned_cert,
inf_certificate_chain_get_own_certificate(current_cert),
&conn_error
);
inf_certificate_chain_unref(current_cert);
}
if(conn_error != NULL)
{
g_propagate_error(error, conn_error);
conn_error = NULL;
}
else if(cert_equal == TRUE && desc->expect_pinned == FALSE)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
4,
"Certificate was pinned but not expected to"
);
result = FALSE;
}
else if(pinned_cert == NULL && desc->expect_pinned == TRUE)
{
g_set_error(
error,
inf_test_certificate_validate_error(),
5,
"Certificate was not pinned but expected to"
);
result = FALSE;
}
g_hash_table_destroy(pinned);
}
}
g_unlink(pinned_file);
g_free(pinned_file);
g_object_unref(xmpp_manager);
g_object_unref(verify);
g_object_unref(server);
g_object_unref(client);
return result;
}
static gboolean
infinoted_plugin_certificate_auth_initialize(InfinotedPluginManager* manager,
gpointer plugin_info,
GError** error)
{
InfinotedPluginCertificateAuth* plugin;
InfCertificateCredentials* creds;
GPtrArray* read_certs;
int res;
guint i;
gnutls_x509_crt_t* sign_certs;
InfCertificateChain* sign_chain;
gnutls_x509_privkey_t super_key;
InfCertUtilDescription desc;
gnutls_x509_crt_t super_cert;
InfAclAccountId super_id;
gnutls_x509_crt_t chain[2];
gboolean written;
InfdDirectory* directory;
InfBrowserIter iter;
InfAclSheetSet sheet_set;
InfAclSheet sheet;
InfRequest* request;
plugin = (InfinotedPluginCertificateAuth*)plugin_info;
plugin->manager = manager;
creds = infinoted_plugin_manager_get_credentials(manager);
if(creds == NULL)
{
g_set_error(
error,
infinoted_plugin_certificate_auth_error_quark(),
INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CREDENTIALS,
"%s",
_("The certificate-auth plugin can only be used when TLS is enabled "
"and a server certificate has been set.")
);
return FALSE;
}
read_certs =
inf_cert_util_read_certificate(plugin->ca_list_file, NULL, error);
if(read_certs == NULL) return FALSE;
if(read_certs->len == 0)
{
g_set_error(
error,
infinoted_plugin_certificate_auth_error_quark(),
INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CAS,
_("File \"%s\" does not contain any CA certificates"),
plugin->ca_list_file
);
g_ptr_array_free(read_certs, TRUE);
return FALSE;
}
plugin->n_cas = read_certs->len;
plugin->cas = (gnutls_x509_crt_t*)g_ptr_array_free(read_certs, FALSE);
res = gnutls_certificate_set_x509_trust(
inf_certificate_credentials_get(creds),
plugin->cas,
plugin->n_cas
);
if(res < 0)
{
inf_gnutls_set_error(error, res);
return FALSE;
}
if(plugin->ca_key_file != NULL)
{
plugin->ca_key =
inf_cert_util_read_private_key(plugin->ca_key_file, error);
if(plugin->ca_key == NULL)
return FALSE;
/* Walk through certificates and find the certificate that the key
* belongs to. */
for(i = 0; i < plugin->n_cas; ++i)
if(inf_cert_util_check_certificate_key(plugin->cas[i], plugin->ca_key))
break;
if(i == plugin->n_cas)
{
gnutls_x509_privkey_deinit(plugin->ca_key);
plugin->ca_key = NULL;
g_set_error(
error,
infinoted_plugin_certificate_auth_error_quark(),
INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CA_FOR_KEY,
"%s",
_("The given CA key does not match with any of the CA certificates")
);
return FALSE;
}
plugin->ca_key_index = i;
/* Set the signing certificate of the directory, so that it can handle
* account creation requests. Note that this takes ownership of the
* certificate, so we take special care in the cleanup code in
* infinoted_plugin_certificate_auth_deinitialize(). */
sign_certs = g_malloc(sizeof(gnutls_x509_crt_t));
sign_certs[0] = plugin->cas[plugin->ca_key_index];
sign_chain = inf_certificate_chain_new(sign_certs, 1);
infd_directory_set_certificate(
infinoted_plugin_manager_get_directory(plugin->manager),
plugin->ca_key,
sign_chain
);
inf_certificate_chain_unref(sign_chain);
}
if(plugin->super_user != NULL)
{
if(plugin->ca_key == NULL)
{
g_set_error(
error,
infinoted_plugin_certificate_auth_error_quark(),
INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CA_KEY,
"%s",
_("Cannot generate a superuser certificate without CA key")
);
return FALSE;
}
/* Create a private key and certificate for the super user. */
infinoted_log_info(
infinoted_plugin_manager_get_log(plugin->manager),
_("Creating 4096-bit RSA private key for the super user account...")
);
super_key =
inf_cert_util_create_private_key(GNUTLS_PK_RSA, 4096, error);
if(super_key == NULL)
return FALSE;
desc.validity = 12 * 3600; /* 12 hours */
desc.dn_common_name = "Super User";
desc.san_dnsname = NULL;
super_cert = inf_cert_util_create_signed_certificate(
super_key,
&desc,
plugin->cas[plugin->ca_key_index],
plugin->ca_key,
error
);
if(super_cert == NULL)
{
gnutls_x509_privkey_deinit(super_key);
return FALSE;
}
super_id = infd_directory_create_acl_account(
infinoted_plugin_manager_get_directory(plugin->manager),
_("Super User"),
TRUE, /* transient */
&super_cert,
1,
error
);
if(super_id == 0)
{
gnutls_x509_crt_deinit(super_cert);
gnutls_x509_privkey_deinit(super_key);
return FALSE;
}
plugin->super_id = super_id;
chain[0] = super_cert;
chain[1] = plugin->cas[plugin->ca_key_index];
written = inf_cert_util_write_certificate_with_key(
super_key,
chain,
2,
plugin->super_user,
error
);
gnutls_x509_crt_deinit(super_cert);
gnutls_x509_privkey_deinit(super_key);
if(written == FALSE)
return FALSE;
inf_browser_get_root(
INF_BROWSER(infinoted_plugin_manager_get_directory(plugin->manager)),
&iter
);
directory = infinoted_plugin_manager_get_directory(plugin->manager);
sheet.account = super_id;
sheet.mask = INF_ACL_MASK_ALL;
infd_directory_get_support_mask(directory, &sheet.perms);
sheet_set.n_sheets = 1;
sheet_set.own_sheets = NULL;
sheet_set.sheets = &sheet;
request = inf_browser_set_acl(
INF_BROWSER(directory),
&iter,
&sheet_set,
infinoted_plugin_certificate_auth_set_acl_cb,
plugin
);
if(request != NULL)
{
plugin->set_acl_request = request;
g_object_ref(plugin->set_acl_request);
}
}
return TRUE;
}
