/** * infinoted_startup_free: * @startup: A #InfinotedStartup. * * Frees all ressources allocated by @startup. */ void infinoted_startup_free(InfinotedStartup* startup) { guint i; if(startup->credentials != NULL) inf_certificate_credentials_unref(startup->credentials); if(startup->certificates != NULL) inf_certificate_chain_unref(startup->certificates); if(startup->private_key != NULL) gnutls_x509_privkey_deinit(startup->private_key); if(startup->log != NULL) g_object_unref(startup->log); if(startup->options != NULL) infinoted_options_free(startup->options); if(startup->sasl_context != NULL) inf_sasl_context_unref(startup->sasl_context); g_slice_free(InfinotedStartup, startup); inf_deinit(); }
void Gobby::CertificateManager::set_certificates(gnutls_x509_crt_t* certs, guint n_certs, const GError* error) { g_assert(n_certs == 0 || error == NULL); InfCertificateChain* old_certificates = m_certificates; m_certificates = NULL; if(n_certs > 0) m_certificates = inf_certificate_chain_new(certs, n_certs); else m_certificates = NULL; if(m_certificate_error != NULL) g_error_free(m_certificate_error); if(error != NULL) m_certificate_error = g_error_copy(error); else m_certificate_error = NULL; check_certificate_signature(); make_credentials(); // Note that this relies on the fact that // gnutls_certificate_set_x509_key makes a copy of the certificates if(old_certificates != NULL) inf_certificate_chain_unref(old_certificates); }
Gobby::CertificateManager::~CertificateManager() { if(m_credentials != NULL) inf_certificate_credentials_unref(m_credentials); for(unsigned int i = 0; i < m_trust.size(); ++i) gnutls_x509_crt_deinit(m_trust[i]); if(m_certificates != NULL) inf_certificate_chain_unref(m_certificates); if(m_key != NULL) gnutls_x509_privkey_deinit(m_key); if(m_dh_params != NULL) gnutls_dh_params_deinit(m_dh_params); }
static void inf_gtk_certificate_manager_query_free(InfGtkCertificateManagerQuery* query) { inf_signal_handlers_disconnect_by_func( G_OBJECT(query->connection), G_CALLBACK(inf_gtk_certificate_manager_notify_status_cb), query ); g_object_unref(query->connection); inf_certificate_chain_unref(query->certificate_chain); gtk_widget_destroy(GTK_WIDGET(query->dialog)); g_hash_table_unref(query->known_hosts); g_slice_free(InfGtkCertificateManagerQuery, query); }
void Gobby::CertificateManager::set_private_key(gnutls_x509_privkey_t key, const GError* error) { g_assert(key == NULL || error == NULL); gnutls_x509_privkey_t old_key = m_key; InfCertificateChain* old_certificates = m_certificates; if(old_certificates != NULL) inf_certificate_chain_ref(old_certificates); m_key = key; if(m_key_error != NULL) g_error_free(m_key_error); if(error != NULL) m_key_error = g_error_copy(error); else m_key_error = NULL; // Attempt to re-load the certificate if there was an error -- maybe // the new key fixes the problem. This makes sure that if the new key // is compatible to the certificate, the certificate is loaded. // TODO: It would be nicer to still keep the certificate in memory // when it does not match the key, so we don't need to re-load it. // Basically we just need to be able to handle the case when both // cert_error and certificate itself are non-NULL. if(m_certificate_error != NULL) { load_certificate(); } else { check_certificate_signature(); make_credentials(); } // Note that this relies on the fact that // gnutls_certificate_set_x509_key makes a copy of the key // and certificate if(old_certificates != NULL) inf_certificate_chain_unref(old_certificates); if(old_key != NULL) gnutls_x509_privkey_deinit(old_key); }
void Gobby::CertificateManager::check_certificate_signature() { if(!m_key || !m_certificates) return; g_assert(m_key_error == NULL && m_certificate_error == NULL); gnutls_x509_crt_t crt = inf_certificate_chain_get_own_certificate(m_certificates); if(!inf_cert_util_check_certificate_key(crt, m_key)) { inf_certificate_chain_unref(m_certificates); m_certificates = NULL; g_set_error( &m_certificate_error, g_quark_from_static_string( "GOBBY_CERTIFICATE_MANAGER_ERROR"), 0, "%s", _("Certificate does not belong to the chosen key") ); } }
static gboolean inf_test_certificate_validate_run(const InfTestCertificateValidateDesc* desc, GError** error) { InfIo* io; InfdXmppServer* server; InfXmppManager* xmpp_manager; InfCertificateVerify* verify; InfXmppConnection* client; gchar* pinned_file; InfXmlConnectionStatus status; InfTestCertificateValidateCheckCertificateData check_certificate_data; gboolean result; GError* conn_error; GHashTable* pinned; gnutls_x509_crt_t pinned_cert; InfCertificateChain* current_cert; gboolean cert_equal; /* Setup server */ io = INF_IO(inf_standalone_io_new()); server = inf_test_certificate_setup_server( io, desc->key_file, desc->cert_file, error ); if(server == NULL) { g_object_unref(io); return FALSE; } /* Create client */ pinned_file = inf_test_validate_setup_pin( desc->hostname, desc->pinned_certificate, error ); if(pinned_file == NULL) { g_object_unref(server); g_object_unref(io); return FALSE; } xmpp_manager = inf_xmpp_manager_new(); verify = inf_certificate_verify_new(xmpp_manager, pinned_file); check_certificate_data.did_query = FALSE; check_certificate_data.accept_query = desc->accept_query; g_signal_connect( G_OBJECT(verify), "check-certificate", G_CALLBACK(inf_test_certificate_validate_check_certificate), &check_certificate_data ); client = inf_test_certificate_validate_setup_client( io, desc->ca_file, desc->hostname, error ); if(client == NULL) { g_unlink(pinned_file); g_free(pinned_file); g_object_unref(io); g_object_unref(xmpp_manager); g_object_unref(verify); g_object_unref(server); return FALSE; } inf_xmpp_manager_add_connection(xmpp_manager, client); /* Okay, now watch for status changes on the client or whether a dialog * appears. */ g_signal_connect( G_OBJECT(client), "notify::status", G_CALLBACK(inf_test_validate_certificate_notify_status_cb), io ); conn_error = NULL; g_signal_connect( G_OBJECT(client), "error", G_CALLBACK(inf_test_validate_certificate_error_cb), &conn_error ); inf_standalone_io_loop(INF_STANDALONE_IO(io)); g_object_unref(io); /* Evaluate result */ result = TRUE; g_object_get(G_OBJECT(client), "status", &status, NULL); if(status == INF_XML_CONNECTION_OPEN) { g_assert(conn_error == NULL); if(check_certificate_data.did_query == TRUE && desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_QUERY_ACCEPT) { g_set_error( error, inf_test_certificate_validate_error(), 3, "Certificate queried and accepted but not expected to" ); result = FALSE; } else if(check_certificate_data.did_query == FALSE && desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_ACCEPT) { g_set_error( error, inf_test_certificate_validate_error(), 0, "Certificate accepted but not expected to" ); result = FALSE; } } else { g_assert(check_certificate_data.did_query || conn_error != NULL); /* TODO: The certificate verification result is not preserved at * the moment. We could change this in * inf_xmpp_connection_certificate_verify_cancel such that the existing * error is used if any, or otherwise our own is created. */ if(conn_error != NULL && conn_error->domain != inf_xmpp_connection_error_quark() && conn_error->code != INF_XMPP_CONNECTION_ERROR_CERTIFICATE_NOT_TRUSTED) { g_propagate_error(error, conn_error); conn_error = NULL; result = FALSE; } else if(check_certificate_data.did_query == TRUE && desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_QUERY_REJECT) { g_set_error( error, inf_test_certificate_validate_error(), 2, "Certificate queried and rejected but not expected to" ); result = FALSE; } else if(check_certificate_data.did_query == FALSE && desc->expectation != INF_TEST_CERTIFICATE_VALIDATE_EXPECT_REJECT) { g_set_error( error, inf_test_certificate_validate_error(), 1, "Certificate rejected but not expected to" ); result = FALSE; } if(conn_error != NULL) { g_error_free(conn_error); conn_error = NULL; } } /* If we got the expected result, check whether the host was correctly * pinned or not. */ if(result == TRUE) { pinned = inf_cert_util_read_certificate_map(pinned_file, error); if(pinned == NULL) { result = FALSE; } else { pinned_cert = g_hash_table_lookup(pinned, desc->hostname); cert_equal = FALSE; if(pinned_cert != NULL) { g_object_get( G_OBJECT(client), "remote-certificate", ¤t_cert, NULL ); cert_equal = inf_cert_util_compare_fingerprint( pinned_cert, inf_certificate_chain_get_own_certificate(current_cert), &conn_error ); inf_certificate_chain_unref(current_cert); } if(conn_error != NULL) { g_propagate_error(error, conn_error); conn_error = NULL; } else if(cert_equal == TRUE && desc->expect_pinned == FALSE) { g_set_error( error, inf_test_certificate_validate_error(), 4, "Certificate was pinned but not expected to" ); result = FALSE; } else if(pinned_cert == NULL && desc->expect_pinned == TRUE) { g_set_error( error, inf_test_certificate_validate_error(), 5, "Certificate was not pinned but expected to" ); result = FALSE; } g_hash_table_destroy(pinned); } } g_unlink(pinned_file); g_free(pinned_file); g_object_unref(xmpp_manager); g_object_unref(verify); g_object_unref(server); g_object_unref(client); return result; }
static gboolean infinoted_plugin_certificate_auth_initialize(InfinotedPluginManager* manager, gpointer plugin_info, GError** error) { InfinotedPluginCertificateAuth* plugin; InfCertificateCredentials* creds; GPtrArray* read_certs; int res; guint i; gnutls_x509_crt_t* sign_certs; InfCertificateChain* sign_chain; gnutls_x509_privkey_t super_key; InfCertUtilDescription desc; gnutls_x509_crt_t super_cert; InfAclAccountId super_id; gnutls_x509_crt_t chain[2]; gboolean written; InfdDirectory* directory; InfBrowserIter iter; InfAclSheetSet sheet_set; InfAclSheet sheet; InfRequest* request; plugin = (InfinotedPluginCertificateAuth*)plugin_info; plugin->manager = manager; creds = infinoted_plugin_manager_get_credentials(manager); if(creds == NULL) { g_set_error( error, infinoted_plugin_certificate_auth_error_quark(), INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CREDENTIALS, "%s", _("The certificate-auth plugin can only be used when TLS is enabled " "and a server certificate has been set.") ); return FALSE; } read_certs = inf_cert_util_read_certificate(plugin->ca_list_file, NULL, error); if(read_certs == NULL) return FALSE; if(read_certs->len == 0) { g_set_error( error, infinoted_plugin_certificate_auth_error_quark(), INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CAS, _("File \"%s\" does not contain any CA certificates"), plugin->ca_list_file ); g_ptr_array_free(read_certs, TRUE); return FALSE; } plugin->n_cas = read_certs->len; plugin->cas = (gnutls_x509_crt_t*)g_ptr_array_free(read_certs, FALSE); res = gnutls_certificate_set_x509_trust( inf_certificate_credentials_get(creds), plugin->cas, plugin->n_cas ); if(res < 0) { inf_gnutls_set_error(error, res); return FALSE; } if(plugin->ca_key_file != NULL) { plugin->ca_key = inf_cert_util_read_private_key(plugin->ca_key_file, error); if(plugin->ca_key == NULL) return FALSE; /* Walk through certificates and find the certificate that the key * belongs to. */ for(i = 0; i < plugin->n_cas; ++i) if(inf_cert_util_check_certificate_key(plugin->cas[i], plugin->ca_key)) break; if(i == plugin->n_cas) { gnutls_x509_privkey_deinit(plugin->ca_key); plugin->ca_key = NULL; g_set_error( error, infinoted_plugin_certificate_auth_error_quark(), INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CA_FOR_KEY, "%s", _("The given CA key does not match with any of the CA certificates") ); return FALSE; } plugin->ca_key_index = i; /* Set the signing certificate of the directory, so that it can handle * account creation requests. Note that this takes ownership of the * certificate, so we take special care in the cleanup code in * infinoted_plugin_certificate_auth_deinitialize(). */ sign_certs = g_malloc(sizeof(gnutls_x509_crt_t)); sign_certs[0] = plugin->cas[plugin->ca_key_index]; sign_chain = inf_certificate_chain_new(sign_certs, 1); infd_directory_set_certificate( infinoted_plugin_manager_get_directory(plugin->manager), plugin->ca_key, sign_chain ); inf_certificate_chain_unref(sign_chain); } if(plugin->super_user != NULL) { if(plugin->ca_key == NULL) { g_set_error( error, infinoted_plugin_certificate_auth_error_quark(), INFINOTED_PLUGIN_CERTIFICATE_AUTH_ERROR_NO_CA_KEY, "%s", _("Cannot generate a superuser certificate without CA key") ); return FALSE; } /* Create a private key and certificate for the super user. */ infinoted_log_info( infinoted_plugin_manager_get_log(plugin->manager), _("Creating 4096-bit RSA private key for the super user account...") ); super_key = inf_cert_util_create_private_key(GNUTLS_PK_RSA, 4096, error); if(super_key == NULL) return FALSE; desc.validity = 12 * 3600; /* 12 hours */ desc.dn_common_name = "Super User"; desc.san_dnsname = NULL; super_cert = inf_cert_util_create_signed_certificate( super_key, &desc, plugin->cas[plugin->ca_key_index], plugin->ca_key, error ); if(super_cert == NULL) { gnutls_x509_privkey_deinit(super_key); return FALSE; } super_id = infd_directory_create_acl_account( infinoted_plugin_manager_get_directory(plugin->manager), _("Super User"), TRUE, /* transient */ &super_cert, 1, error ); if(super_id == 0) { gnutls_x509_crt_deinit(super_cert); gnutls_x509_privkey_deinit(super_key); return FALSE; } plugin->super_id = super_id; chain[0] = super_cert; chain[1] = plugin->cas[plugin->ca_key_index]; written = inf_cert_util_write_certificate_with_key( super_key, chain, 2, plugin->super_user, error ); gnutls_x509_crt_deinit(super_cert); gnutls_x509_privkey_deinit(super_key); if(written == FALSE) return FALSE; inf_browser_get_root( INF_BROWSER(infinoted_plugin_manager_get_directory(plugin->manager)), &iter ); directory = infinoted_plugin_manager_get_directory(plugin->manager); sheet.account = super_id; sheet.mask = INF_ACL_MASK_ALL; infd_directory_get_support_mask(directory, &sheet.perms); sheet_set.n_sheets = 1; sheet_set.own_sheets = NULL; sheet_set.sheets = &sheet; request = inf_browser_set_acl( INF_BROWSER(directory), &iter, &sheet_set, infinoted_plugin_certificate_auth_set_acl_cb, plugin ); if(request != NULL) { plugin->set_acl_request = request; g_object_ref(plugin->set_acl_request); } } return TRUE; }