NetworkManager/libnm-util/nm-setting-8021x.c

/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */

/*
 * Dan Williams <dcbw@redhat.com>
 * Tambet Ingo <tambet@gmail.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301 USA.
 *
 * (C) Copyright 2007 - 2008 Red Hat, Inc.
 * (C) Copyright 2007 - 2008 Novell, Inc.
 */

#include <string.h>
#include <ctype.h>
#include <dbus/dbus-glib.h>
#include "nm-setting-8021x.h"
#include "nm-param-spec-specialized.h"
#include "nm-utils.h"
#include "nm-dbus-glib-types.h"
#include "crypto.h"
#include "nm-utils-private.h"

/**
 * SECTION:nm-setting-8021x
 * @short_description: Describes 802.1x-authenticated connection properties
 * @include: nm-setting-8021x.h
 *
 * The #NMSetting8021x object is a #NMSetting subclass that describes
 * properties necessary for connection to 802.1x-authenticated networks, such as
 * WPA and WPA2 Enterprise WiFi networks and wired 802.1x networks.  802.1x
 * connections typically use certificates and/or EAP authentication methods to
 * securely verify, identify, and authenticate the client to the network itself,
 * instead of simply relying on a widely shared static key.
 *
 * It's a good idea to read up on wpa_supplicant configuration before using this
 * setting extensively, since most of the options here correspond closely with
 * the relevant wpa_supplicant configuration options.
 *
 * Furthermore, to get a good idea of 802.1x, EAP, TLS, TTLS, etc and their
 * applications to WiFi and wired networks, you'll want to get copies of the
 * following books.
 *
 *  802.11 Wireless Networks: The Definitive Guide, Second Edition
 *       Author: Matthew Gast
 *       ISBN: 978-0596100520
 *
 *  Cisco Wireless LAN Security
 *       Authors: Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky
 *       ISBN: 978-1587051548
 **/

#define SCHEME_PATH "file://"

/**
 * nm_setting_802_1x_error_quark:
 *
 * Registers an error quark for #NMSetting8021x if necessary.
 *
 * Returns: the error quark used for #NMSetting8021x errors.
 **/
GQuark
nm_setting_802_1x_error_quark (void)
{
	static GQuark quark;

	if (G_UNLIKELY (!quark))
		quark = g_quark_from_static_string ("nm-setting-802-1x-error-quark");
	return quark;
}

/* This should really be standard. */
#define ENUM_ENTRY(NAME, DESC) { NAME, "" #NAME "", DESC }

GType
nm_setting_802_1x_error_get_type (void)
{
	static GType etype = 0;

	if (etype == 0) {
		static const GEnumValue values[] = {
			/* Unknown error. */
			ENUM_ENTRY (NM_SETTING_802_1X_ERROR_UNKNOWN, "UnknownError"),
			/* The specified property was invalid. */
			ENUM_ENTRY (NM_SETTING_802_1X_ERROR_INVALID_PROPERTY, "InvalidProperty"),
			/* The specified property was missing and is required. */
			ENUM_ENTRY (NM_SETTING_802_1X_ERROR_MISSING_PROPERTY, "MissingProperty"),
			{ 0, 0, 0 }
		};
		etype = g_enum_register_static ("NMSetting8021xError", values);
	}
	return etype;
}


G_DEFINE_TYPE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING)

#define NM_SETTING_802_1X_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_802_1X, NMSetting8021xPrivate))

typedef struct {
	GSList *eap; /* GSList of strings */
	char *identity;
	char *anonymous_identity;
	GByteArray *ca_cert;
	char *ca_path;
	GByteArray *client_cert;
	char *phase1_peapver;
	char *phase1_peaplabel;
	char *phase1_fast_provisioning;
	char *phase2_auth;
	char *phase2_autheap;
	GByteArray *phase2_ca_cert;
	char *phase2_ca_path;
	GByteArray *phase2_client_cert;
	char *password;
	char *pin;
	char *psk;
	GByteArray *private_key;
	char *private_key_password;
	GByteArray *phase2_private_key;
	char *phase2_private_key_password;
	gboolean system_ca_certs;
} NMSetting8021xPrivate;

enum {
	PROP_0,
	PROP_EAP,
	PROP_IDENTITY,
	PROP_ANONYMOUS_IDENTITY,
	PROP_CA_CERT,
	PROP_CA_PATH,
	PROP_CLIENT_CERT,
	PROP_PHASE1_PEAPVER,
	PROP_PHASE1_PEAPLABEL,
	PROP_PHASE1_FAST_PROVISIONING,
	PROP_PHASE2_AUTH,
	PROP_PHASE2_AUTHEAP,
	PROP_PHASE2_CA_CERT,
	PROP_PHASE2_CA_PATH,
	PROP_PHASE2_CLIENT_CERT,
	PROP_PASSWORD,
	PROP_PRIVATE_KEY,
	PROP_PRIVATE_KEY_PASSWORD,
	PROP_PHASE2_PRIVATE_KEY,
	PROP_PHASE2_PRIVATE_KEY_PASSWORD,
	PROP_PIN,
	PROP_PSK,
	PROP_SYSTEM_CA_CERTS,

	LAST_PROP
};

/**
 * nm_setting_802_1x_new:
 *
 * Creates a new #NMSetting8021x object with default values.
 *
 * Returns: the new empty #NMSetting8021x object
 **/
NMSetting *
nm_setting_802_1x_new (void)
{
	return (NMSetting *) g_object_new (NM_TYPE_SETTING_802_1X, NULL);
}

/**
 * nm_setting_802_1x_get_num_eap_methods:
 * @setting: the #NMSetting8021x
 *
 * Returns the number of eap methods allowed for use when connecting to the
 * network.  Generally only one EAP method is used.  Use the functions
 * nm_setting_802_1x_get_eap_method(), nm_setting_802_1x_add_eap_method(),
 * and nm_setting_802_1x_remove_eap_method() for adding, removing, and retrieving
 * allowed EAP methods.
 *
 * Returns: the number of allowed EAP methods
 **/
guint32
nm_setting_802_1x_get_num_eap_methods (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0);

	return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->eap);
}

/**
 * nm_setting_802_1x_get_eap_method:
 * @setting: the #NMSetting8021x
 * @i: the index of the EAP method name to return
 *
 * Returns the name of the allowed EAP method at index @i.
 *
 * Returns: the name of the allowed EAP method at index @i
 **/
const char *
nm_setting_802_1x_get_eap_method (NMSetting8021x *setting, guint32 i)
{
	NMSetting8021xPrivate *priv;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
	g_return_val_if_fail (i <= g_slist_length (priv->eap), NULL);

	return (const char *) g_slist_nth_data (priv->eap, i);
}

/**
 * nm_setting_802_1x_add_eap_method:
 * @setting: the #NMSetting8021x
 * @eap: the name of the EAP method to allow for this connection
 *
 * Adds an allowed EAP method.  The setting is not valid until at least one
 * EAP method has been added.  See #NMSetting8021x:eap property for a list of
 * allowed EAP methods.
 *
 * Returns: TRUE if the EAP method was successfully added, FALSE if it was
 *  not a valid method or if it was already allowed.
 **/
gboolean
nm_setting_802_1x_add_eap_method (NMSetting8021x *setting, const char *eap)
{
	NMSetting8021xPrivate *priv;
	GSList *iter;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
	g_return_val_if_fail (eap != NULL, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
	for (iter = priv->eap; iter; iter = g_slist_next (iter)) {
		if (!strcmp (eap, (char *) iter->data))
			return FALSE;
	}

	priv->eap = g_slist_append (priv->eap, g_ascii_strdown (eap, -1));
	return TRUE;
}

/**
 * nm_setting_802_1x_remove_eap_method:
 * @setting: the #NMSetting8021x
 * @i: the index of the EAP method to remove
 *
 * Removes the allowed EAP method at the specified index.
 **/
void
nm_setting_802_1x_remove_eap_method (NMSetting8021x *setting, guint32 i)
{
	NMSetting8021xPrivate *priv;
	GSList *elt;

	g_return_if_fail (NM_IS_SETTING_802_1X (setting));

	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
	elt = g_slist_nth (priv->eap, i);
	g_return_if_fail (elt != NULL);

	g_free (elt->data);
	priv->eap = g_slist_delete_link (priv->eap, elt);
}

/**
 * nm_setting_802_1x_clear_eap_methods:
 * @setting: the #NMSetting8021x
 *
 * Clears all allowed EAP methods.
 **/
void
nm_setting_802_1x_clear_eap_methods (NMSetting8021x *setting)
{
	NMSetting8021xPrivate *priv;

	g_return_if_fail (NM_IS_SETTING_802_1X (setting));

	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
	nm_utils_slist_free (priv->eap, g_free);
	priv->eap = NULL;
}

/**
 * nm_setting_802_1x_get_identity:
 * @setting: the #NMSetting8021x
 *
 * Returns the identifier used by some EAP methods (like TLS) to
 * authenticate the user.  Often this is a username or login name.
 *
 * Returns: the user identifier
 **/
const char *
nm_setting_802_1x_get_identity (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->identity;
}

/**
 * nm_setting_802_1x_get_anonymous_identity:
 * @setting: the #NMSetting8021x
 *
 * Returns the anonymous identifier used by some EAP methods (like TTLS) to
 * authenticate the user in the outer unencrypted "phase 1" authentication.  The
 * inner "phase 2" authentication will use the #NMSetting8021x:identity in
 * a secure form, if applicable for that EAP method.
 *
 * Returns: the anonymous identifier
 **/
const char *
nm_setting_802_1x_get_anonymous_identity (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->anonymous_identity;
}

/**
 * nm_setting_802_1x_get_ca_path:
 * @setting: the #NMSetting8021x
 *
 * Returns the path of the CA certificate directory if previously set.  Systems
 * will often have a directory that contains multiple individual CA certificates
 * which the supplicant can then add to the verification chain.  This may be
 * used in addition to the #NMSetting8021x:ca-cert property to add more CA
 * certificates for verifying the network to client.
 *
 * Returns: the CA certificate directory path
 **/
const char *
nm_setting_802_1x_get_ca_path (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_path;
}

/**
 * nm_setting_802_1x_get_system_ca_certs:
 * @setting: the #NMSetting8021x
 *
 * Sets the #NMSetting8021x:system-ca-certs property. The
 * #NMSetting8021x:ca-path and #NMSetting8021x:phase2-ca-path
 * properties are ignored if the #NMSetting8021x:system-ca-certs property is
 * TRUE, in which case a system-wide CA certificate directory specified at
 * compile time (using the --system-ca-path configure option) is used in place
 * of these properties. 
 *
 * Returns: TRUE if a system CA certificate path should be used, FALSE if not
 **/
gboolean
nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->system_ca_certs;
}

static NMSetting8021xCKScheme
get_cert_scheme (GByteArray *array)
{
	if (!array || !array->len)
		return NM_SETTING_802_1X_CK_SCHEME_UNKNOWN;

	if (   (array->len > strlen (SCHEME_PATH))
	    && !memcmp (array->data, SCHEME_PATH, strlen (SCHEME_PATH)))
		return NM_SETTING_802_1X_CK_SCHEME_PATH;

	return NM_SETTING_802_1X_CK_SCHEME_BLOB;
}

/**
 * nm_setting_802_1x_get_ca_cert_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the CA certificate.  If the returned scheme
 * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob();
 * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path().
 *
 * Returns: scheme used to store the CA certificate (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert);
}

/**
 * nm_setting_802_1x_get_ca_cert_blob:
 * @setting: the #NMSetting8021x
 *
 * Returns the CA certificate blob if the CA certificate is stored using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.  Not all EAP methods use a
 * CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Returns: the CA certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert;
}

/**
 * nm_setting_802_1x_get_ca_cert:
 * @setting: the #NMSetting8021x
 *
 * Returns the CA certificate blob if the CA certificate is stored using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.  Not all EAP methods use a
 * CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_ca_cert_blob().
 *
 * Returns: the CA certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_ca_cert (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_ca_cert_blob (setting);
}

/**
 * nm_setting_802_1x_get_ca_cert_path:
 * @setting: the #NMSetting8021x
 *
 * Returns the CA certificate path if the CA certificate is stored using the
 * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.  Not all EAP methods use a
 * CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Returns: path to the CA certificate file
 **/
const char *
nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_ca_cert:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the CA certificate file
 *   (PEM or DER format).  The path must be UTF-8 encoded; use
 *   g_filename_to_utf8() to convert if needed.  Passing NULL with any @scheme
 *   clears the CA certificate.
 * @scheme: desired storage scheme for the certificate
 * @out_format: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:ca-cert property
 * with the raw certificate data if using the %NM_SETTING_802_1X_CK_SCHEME_BLOB
 * scheme, or with the path to the certificate file if using the
 * %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_ca_cert (NMSetting8021x *self,
                               const char *value,
                               NMSetting8021xCKScheme scheme,
                               NMSetting8021xCKFormat *out_format,
                               GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous ca_cert blob */
	if (priv->ca_cert) {
		g_byte_array_free (priv->ca_cert, TRUE);
		priv->ca_cert = NULL;
	}

	if (!value)
		return TRUE;

	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_CA_CERT);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
				priv->ca_cert = data;
			else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->ca_cert = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->ca_cert, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->ca_cert, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->ca_cert, (const guint8 *) "\0", 1);
			} else
				g_assert_not_reached ();
		}
	}

	return priv->ca_cert != NULL;
}

static NMSetting8021xCKType
ck_format_to_type (NMSetting8021xCKFormat format)
{
	switch (format) {
	case NM_SETTING_802_1X_CK_FORMAT_X509:
		return NM_SETTING_802_1X_CK_TYPE_X509;
	case NM_SETTING_802_1X_CK_FORMAT_RAW_KEY:
		return NM_SETTING_802_1X_CK_TYPE_RAW_KEY;
	case NM_SETTING_802_1X_CK_FORMAT_PKCS12:
		return NM_SETTING_802_1X_CK_TYPE_PKCS12;
	default:
		break;
	}
	return NM_SETTING_802_1X_CK_TYPE_UNKNOWN;
}

/**
 * nm_setting_802_1x_set_ca_cert_from_file:
 * @setting: the #NMSetting8021x
 * @filename: the path of the CA certificate file (PEM or DER format). Passing
 *   NULL clears the CA certificate.
 * @out_ck_type: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:ca-cert property
 * with the raw certificate data using the %NM_SETTING_802_1X_CK_SCHEME_BLOB
 * scheme.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_ca_cert() with the
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_ca_cert_from_file (NMSetting8021x *setting,
                                         const char *filename,
                                         NMSetting8021xCKType *out_ck_type,
                                         GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_ca_cert (setting,
	                                         filename,
	                                         NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                         &format,
	                                         error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_client_cert_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the client certificate.  If the returned scheme
 * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob();
 * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path().
 *
 * Returns: scheme used to store the client certificate (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert);
}

/**
 * nm_setting_802_1x_get_client_cert_blob:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: the client certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_client_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert;
}

/**
 * nm_setting_802_1x_get_client_cert:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_client_cert_blob().
 *
 * Returns: the client certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_client_cert (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_client_cert_blob (setting);
}

/**
 * nm_setting_802_1x_get_client_cert_path:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: path to the client certificate file
 **/
const char *
nm_setting_802_1x_get_client_cert_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_client_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->client_cert->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_client_cert:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the client certificate
 *   file (PEM, DER, or PKCS#12 format).  The path must be UTF-8 encoded; use
 *   g_filename_to_utf8() to convert if needed.  Passing NULL with any @scheme
 *   clears the client certificate.
 * @scheme: desired storage scheme for the certificate
 * @out_format: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:client-cert
 * property with the raw certificate data if using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_client_cert (NMSetting8021x *self,
                                   const char *value,
                                   NMSetting8021xCKScheme scheme,
                                   NMSetting8021xCKFormat *out_format,
                                   GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous ca_cert blob */
	if (priv->client_cert) {
		g_byte_array_free (priv->client_cert, TRUE);
		priv->client_cert = NULL;
	}

	if (!value)
		return TRUE;

	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		case NM_CRYPTO_FILE_FORMAT_PKCS12:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_CLIENT_CERT);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
				priv->client_cert = data;
			else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->client_cert = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->client_cert, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->client_cert, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->client_cert, (const guint8 *) "\0", 1);
			} else
				g_assert_not_reached ();
		}
	}

	return priv->client_cert != NULL;
}

/**
 * nm_setting_802_1x_set_client_cert_from_file:
 * @setting: the #NMSetting8021x
 * @filename: the path of the client certificate file (PEM, DER, or
 *   PKCS#12 format).  Passing NULL clears the client certificate.
 * @out_ck_type: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:client-cert
 * property with the raw certificate data.
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_client_cert() with the
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_client_cert_from_file (NMSetting8021x *setting,
                                             const char *filename,
                                             NMSetting8021xCKType *out_ck_type,
                                             GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_client_cert (setting,
	                                             filename,
	                                             NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                             &format,
	                                             error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_phase1_peapver:
 * @setting: the #NMSetting8021x
 *
 * Returns: the "phase 1" PEAP version to be used when authenticating with
 *  EAP-PEAP as contained in the #NMSetting8021x:phase1-peapver property.  Valid
 *  values are NULL (unset), "0" (PEAP version 0), and "1" (PEAP version 1).
 **/
const char *
nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peapver;
}

/**
 * nm_setting_802_1x_get_phase1_peaplabel:
 * @setting: the #NMSetting8021x
 *
 * Returns: whether the "phase 1" PEAP label is new-style or old-style, to be
 *  used when authenticating with EAP-PEAP, as contained in the
 *  #NMSetting8021x:phase1-peaplabel property.  Valid values are NULL (unset),
 *  "0" (use old-style label), and "1" (use new-style label).  See the
 *  wpa_supplicant documentation for more details.
 **/
const char *
nm_setting_802_1x_get_phase1_peaplabel (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_peaplabel;
}

/**
 * nm_setting_802_1x_get_phase1_fast_provisioning:
 * @setting: the #NMSetting8021x
 *
 * Returns: whether "phase 1" PEAP fast provisioning should be used, as specified
 *  by the #NMSetting8021x:phase1-fast-provisioning property.  See the
 *  wpa_supplicant documentation for more details.
 **/
const char *
nm_setting_802_1x_get_phase1_fast_provisioning (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_fast_provisioning;
}

/**
 * nm_setting_802_1x_get_phase2_auth:
 * @setting: the #NMSetting8021x
 *
 * Returns: the "phase 2" non-EAP (ex MD5) allowed authentication method as
 *   specified by the #NMSetting8021x:phase2-auth property.
 **/
const char *
nm_setting_802_1x_get_phase2_auth (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_auth;
}

/**
 * nm_setting_802_1x_get_phase2_autheap:
 * @setting: the #NMSetting8021x
 *
 * Returns: the "phase 2" EAP-based (ex TLS) allowed authentication method as
 *   specified by the #NMSetting8021x:phase2-autheap property.
 **/
const char *
nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_autheap;
}

/**
 * nm_setting_802_1x_get_phase2_ca_path:
 * @setting: the #NMSetting8021x
 *
 * Returns the path of the "phase 2" CA certificate directory if previously set.
 * Systems will often have a directory that contains multiple individual CA
 * certificates which the supplicant can then add to the verification chain.
 * This may be used in addition to the #NMSetting8021x:phase2-ca-cert property
 * to add more CA certificates for verifying the network to client.
 *
 * Returns: the "phase 2" CA certificate directory path
 **/
const char *
nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_path;
}

/**
 * nm_setting_802_1x_get_phase2_ca_cert_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the "phase 2" CA certificate.  If the
 * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
 * nm_setting_802_1x_get_ca_cert_blob(); if %NM_SETTING_802_1X_CK_SCHEME_PATH,
 * use nm_setting_802_1x_get_ca_cert_path().
 *
 * Returns: scheme used to store the "phase 2" CA certificate (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_ca_cert_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert);
}

/**
 * nm_setting_802_1x_get_phase2_ca_cert_blob:
 * @setting: the #NMSetting8021x
 *
 * Returns the "phase 2" CA certificate blob if the CA certificate is stored
 * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.  Not all EAP methods use
 * a CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Returns: the "phase 2" CA certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_ca_cert_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert;
}

/**
 * nm_setting_802_1x_get_phase2_ca_cert:
 * @setting: the #NMSetting8021x
 *
 * Returns the "phase 2" CA certificate blob.  Not all EAP methods use
 * a CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_phase2_ca_cert_blob().
 *
 * Returns: the "phase 2" CA certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_ca_cert (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_phase2_ca_cert_blob (setting);
}

/**
 * nm_setting_802_1x_get_phase2_ca_cert_path:
 * @setting: the #NMSetting8021x
 *
 * Returns the "phase 2" CA certificate path if the CA certificate is stored
 * using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.  Not all EAP methods use
 * a CA certificate (LEAP for example), and those that can take advantage of the
 * CA certificate allow it to be unset.  Note that lack of a CA certificate
 * reduces security by allowing man-in-the-middle attacks, because the identity
 * of the network cannot be confirmed by the client.
 *
 * Returns: path to the "phase 2" CA certificate file
 **/
const char *
nm_setting_802_1x_get_phase2_ca_cert_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_ca_cert->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_phase2_ca_cert:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" CA
 *   certificate file (PEM or DER format).  The path must be UTF-8 encoded; use
 *   g_filename_to_utf8() to convert if needed.  Passing NULL with any @scheme
 *   clears the "phase2" CA certificate.
 * @scheme: desired storage scheme for the certificate
 * @out_format: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-ca-cert
 * property with the raw certificate data if using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *self,
                                      const char *value,
                                      NMSetting8021xCKScheme scheme,
                                      NMSetting8021xCKFormat *out_format,
                                      GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous ca_cert blob */
	if (priv->phase2_ca_cert) {
		g_byte_array_free (priv->phase2_ca_cert, TRUE);
		priv->phase2_ca_cert = NULL;
	}

	if (!value)
		return TRUE;

	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_CA_CERT);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
				priv->phase2_ca_cert = data;
			else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->phase2_ca_cert = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->phase2_ca_cert, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->phase2_ca_cert, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->phase2_ca_cert, (const guint8 *) "\0", 1);
			} else
				g_assert_not_reached ();
		}
	}

	return priv->phase2_ca_cert != NULL;
}

/**
 * nm_setting_802_1x_set_phase2_ca_cert_from_file:
 * @setting: the #NMSetting8021x
 * @filename: the path of the "phase2" CA certificate file (PEM or DER format).
 *   Passing NULL with any @scheme clears the "phase2" CA certificate.
 * @out_ck_type: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-ca-cert
 * property with the raw certificate data.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_phase2_ca_cert().
 *   with the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_ca_cert_from_file (NMSetting8021x *setting,
                                                const char *filename,
                                                NMSetting8021xCKType *out_ck_type,
                                                GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_phase2_ca_cert (setting,
	                                                filename,
	                                                NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                                &format,
	                                                error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_phase2_client_cert_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the "phase 2" client certificate.  If the
 * returned scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
 * nm_setting_802_1x_get_client_cert_blob(); if
 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
 * nm_setting_802_1x_get_client_cert_path().
 *
 * Returns: scheme used to store the "phase 2" client certificate (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert);
}

/**
 * nm_setting_802_1x_get_phase2_client_cert_blob:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: the "phase 2" client certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert;
}

/**
 * nm_setting_802_1x_get_phase2_client_cert:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_phase2_client_cert_blob().
 *
 * Returns: the "phase 2" client certificate data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_client_cert (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_phase2_client_cert_blob (setting);
}

/**
 * nm_setting_802_1x_get_phase2_client_cert_path:
 * @setting: the #NMSetting8021x
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: path to the "phase 2" client certificate file
 **/
const char *
nm_setting_802_1x_get_phase2_client_cert_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_client_cert->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_phase2_client_cert:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" client
 *   certificate file (PEM, DER, or PKCS#12 format).  The path must be UTF-8
 *   encoded; use g_filename_to_utf8() to convert if needed.  Passing NULL with
 *   any @scheme clears the "phase2" client certificate.
 * @scheme: desired storage scheme for the certificate
 * @out_format: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-client-cert
 * property with the raw certificate data if using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate
 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_client_cert (NMSetting8021x *self,
                                          const char *value,
                                          NMSetting8021xCKScheme scheme,
                                          NMSetting8021xCKFormat *out_format,
                                          GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous ca_cert blob */
	if (priv->phase2_client_cert) {
		g_byte_array_free (priv->phase2_client_cert, TRUE);
		priv->phase2_client_cert = NULL;
	}

	if (!value)
		return TRUE;

	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		case NM_CRYPTO_FILE_FORMAT_PKCS12:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
				priv->phase2_client_cert = data;
			else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->phase2_client_cert = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->phase2_client_cert, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->phase2_client_cert, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->phase2_client_cert, (const guint8 *) "\0", 1);
			} else
				g_assert_not_reached ();
		}
	}

	return priv->phase2_client_cert != NULL;
}

/**
 * nm_setting_802_1x_set_phase2_client_cert_from_file:
 * @setting: the #NMSetting8021x
 * @filename: pass the path of the "phase2" client certificate file (PEM, DER,
 *   or PKCS#12 format).  Passing NULL clears the "phase2" client certificate.
 * @out_ck_type: on successful return, the type of the certificate added
 * @error: on unsuccessful return, an error
 *
 * Reads a certificate from disk and sets the #NMSetting8021x:phase2-client-cert
 * property with the raw certificate data.
 *
 * Client certificates are used to identify the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_phase2_client_cert() with the.
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_client_cert_from_file (NMSetting8021x *setting,
                                                    const char *filename,
                                                    NMSetting8021xCKType *out_ck_type,
                                                    GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_phase2_client_cert (setting,
	                                                    filename,
	                                                    NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                                    &format,
	                                                    error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_password:
 * @setting: the #NMSetting8021x
 *
 * Returns: the password used by the authentication method, if any, as specified
 *   by the #NMSetting8021x:password property
 **/
const char *
nm_setting_802_1x_get_password (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->password;
}

/**
 * nm_setting_802_1x_get_pin:
 * @setting: the #NMSetting8021x
 *
 * Returns: the PIN used by the authentication method, if any, as specified
 *   by the #NMSetting8021x:pin property
 **/
const char *
nm_setting_802_1x_get_pin (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->pin;
}

/**
 * nm_setting_802_1x_get_psk:
 * @setting: the #NMSetting8021x
 *
 * Returns: the Pre-Shared-Key used by the authentication method, if any, as
 *   specified by the #NMSetting8021x:psk property
 **/
const char *
nm_setting_802_1x_get_psk (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->psk;
}

/**
 * nm_setting_802_1x_get_private_key_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the private key.  If the returned scheme is
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
 * nm_setting_802_1x_get_client_cert_blob(); if
 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
 * nm_setting_802_1x_get_client_cert_path().
 *
 * Returns: scheme used to store the private key (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_private_key_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key);
}

/**
 * nm_setting_802_1x_get_private_key_blob:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: the private key data
 **/
const GByteArray *
nm_setting_802_1x_get_private_key_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_private_key_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key;
}

/**
 * nm_setting_802_1x_get_private_key:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_private_key_blob().
 *
 * Returns: the private key data
 **/
const GByteArray *
nm_setting_802_1x_get_private_key (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_private_key_blob (setting);
}

/**
 * nm_setting_802_1x_get_private_key_path:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: path to the private key file
 **/
const char *
nm_setting_802_1x_get_private_key_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_private_key_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_private_key:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the private key file
 *   (PEM, DER, or PKCS#12 format).  The path must be UTF-8 encoded; use
 *   g_filename_to_utf8() to convert if needed.  Passing NULL with any @scheme
 *   clears the private key.
 * @password: password used to decrypt the private key
 * @scheme: desired storage scheme for the private key
 * @out_format: on successful return, the type of the private key added
 * @error: on unsuccessful return, an error
 *
 * Reads a private key from disk and sets the #NMSetting8021x:private-key
 * property with the raw private key data if using the
 * %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private key
 * file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_private_key (NMSetting8021x *self,
                                   const char *value,
                                   const char *password,
                                   NMSetting8021xCKScheme scheme,
                                   NMSetting8021xCKFormat *out_format,
                                   GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous private key blob */
	if (priv->private_key) {
		/* Try not to leave the private key around in memory */
		memset (priv->private_key, 0, priv->private_key->len);
		g_byte_array_free (priv->private_key, TRUE);
		priv->private_key = NULL;
	}

	g_free (priv->private_key_password);
	priv->private_key_password = NULL;

	if (!value)
		return TRUE;

	/* First verify private key password */
	data = crypto_get_private_key (value,
	                               password,
	                               &key_type,
	                               &format,
	                               error);
	if (!data) {
		/* As a special case for private keys, even if the decrypt fails,
		 * return the key's file type.
		 */
		if (out_format && crypto_is_pkcs12_file (value, NULL))
			*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;

		return FALSE;
	}
	memset (data->data, 0, data->len);
	g_byte_array_free (data, TRUE);

	/* Regular file verification */
	format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_RAW_KEY:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
			break;
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		case NM_CRYPTO_FILE_FORMAT_PKCS12:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PRIVATE_KEY);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
				priv->private_key = data;

				/* Always update the private key for blob + pkcs12 since the
				 * pkcs12 files are encrypted
				 */
				if (format == NM_CRYPTO_FILE_FORMAT_PKCS12)
					priv->private_key_password = g_strdup (password);
			} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->private_key = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->private_key, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->private_key, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->private_key, (const guint8 *) "\0", 1);

				/* Always update the private key with paths since the key the
				 * cert refers to is encrypted.
				 */
				priv->private_key_password = g_strdup (password);
			} else
				g_assert_not_reached ();

			/* As required by NM and wpa_supplicant, set the client-cert
			 * property to the same PKCS#12 data.
			 */
			if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
				if (priv->client_cert)
					g_byte_array_free (priv->client_cert, TRUE);
	
				priv->client_cert = g_byte_array_sized_new (priv->private_key->len);
				g_byte_array_append (priv->client_cert, priv->private_key->data, priv->private_key->len);
			}
		}
	} else {
		/* As a special case for private keys, even if the decrypt fails,
		 * return the key's file type.
		 */
		if (out_format && crypto_is_pkcs12_file (value, NULL))
			*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
	}

	return priv->private_key != NULL;
}

/**
 * nm_setting_802_1x_set_private_key_from_file:
 * @setting: the #NMSetting8021x
 * @filename: the path of the private key file (PEM, DER, or PKCS#12 format).
 *   Passing NULL clears the private key.
 * @password: password used to decrypt the private key
 * @out_ck_type: on successful return, the type of the private key added
 * @error: on unsuccessful return, an error
 *
 * Reads a private key from disk and sets the #NMSetting8021x:private-key
 * property with the raw private key data.
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_private_key() with.
 *   the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_private_key_from_file (NMSetting8021x *setting,
                                             const char *filename,
                                             const char *password,
                                             NMSetting8021xCKType *out_ck_type,
                                             GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_private_key (setting,
	                                             filename,
	                                             password,
	                                             NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                             &format,
	                                             error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_private_key_password:
 * @setting: the #NMSetting8021x
 *
 * Returns: the private key password used to decrypt the private key if
 *  previously set with nm_setting_802_1x_set_private_key_from_file(),
 *  nm_setting_802_1x_set_private_key_path(), or the
 *  #NMSetting8021x:private-key-password property.
 **/
const char *
nm_setting_802_1x_get_private_key_password (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->private_key_password;
}

/**
 * nm_setting_802_1x_get_private_key_format:
 * @setting: the #NMSetting8021x
 *
 * Returns: the data format of the private key data stored in the
 *   #NMSetting8021x:private-key property
 **/
NMSetting8021xCKFormat
nm_setting_802_1x_get_private_key_format (NMSetting8021x *setting)
{
	NMSetting8021xPrivate *priv;
	const char *path;
	GError *error = NULL;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_FORMAT_UNKNOWN);
	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);

	if (!priv->private_key)
		return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	switch (nm_setting_802_1x_get_private_key_scheme (setting)) {
	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
		if (crypto_is_pkcs12_data (priv->private_key))
			return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
		return NM_SETTING_802_1X_CK_FORMAT_X509;
	case NM_SETTING_802_1X_CK_SCHEME_PATH:
		path = nm_setting_802_1x_get_private_key_path (setting);
		if (crypto_is_pkcs12_file (path, &error))
			return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
		if (error) {
			/* Couldn't read the file or something */
			g_error_free (error);
			return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
		}
		return NM_SETTING_802_1X_CK_FORMAT_X509;
	default:
		break;
	}

	return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
}

/**
 * nm_setting_802_1x_get_private_key_type:
 * @setting: the #NMSetting8021x
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_private_key_format().
 *
 * Returns: the data format of the private key data stored in the
 *   #NMSetting8021x:private-key property
 **/
NMSetting8021xCKType
nm_setting_802_1x_get_private_key_type (NMSetting8021x *setting)
{
	return ck_format_to_type (nm_setting_802_1x_get_private_key_format (setting));
}

/**
 * nm_setting_802_1x_get_phase2_private_key_password:
 * @setting: the #NMSetting8021x
 *
 * Returns: the private key password used to decrypt the private key if
 *  previously set with nm_setting_802_1x_set_phase2_private_key_from_file(),
 *  nm_setting_802_1x_set_phase2_private_key_path(), or the
 *  #NMSetting8021x:phase2-private-key-password property.
 **/
const char *
nm_setting_802_1x_get_phase2_private_key_password (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key_password;
}

/**
 * nm_setting_802_1x_get_phase2_private_key_scheme:
 * @setting: the #NMSetting8021x
 *
 * Returns the scheme used to store the "phase 2" private key.  If the returned
 * scheme is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use
 * nm_setting_802_1x_get_client_cert_blob(); if
 * %NM_SETTING_802_1X_CK_SCHEME_PATH, use
 * nm_setting_802_1x_get_client_cert_path().
 *
 * Returns: scheme used to store the "phase 2" private key (blob or path)
 **/
NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_private_key_scheme (NMSetting8021x *setting)
{
	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_SCHEME_UNKNOWN);

	return get_cert_scheme (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key);
}

/**
 * nm_setting_802_1x_get_phase2_private_key_blob:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: the "phase 2" private key data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_private_key_blob (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB, NULL);

	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key;
}

/**
 * nm_setting_802_1x_get_phase2_private_key:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_private_key_blob().
 *
 * Returns: the "phase 2" private key data
 **/
const GByteArray *
nm_setting_802_1x_get_phase2_private_key (NMSetting8021x *setting)
{
	return nm_setting_802_1x_get_phase2_private_key_blob (setting);
}

/**
 * nm_setting_802_1x_get_phase2_private_key_path:
 * @setting: the #NMSetting8021x
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: path to the "phase 2" private key file
 **/
const char *
nm_setting_802_1x_get_phase2_private_key_path (NMSetting8021x *setting)
{
	NMSetting8021xCKScheme scheme;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);

	scheme = nm_setting_802_1x_get_phase2_private_key_scheme (setting);
	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH, NULL);

	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_private_key->data + strlen (SCHEME_PATH));
}

/**
 * nm_setting_802_1x_set_phase2_private_key:
 * @setting: the #NMSetting8021x
 * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
 *   %NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" private 
 *   key file (PEM, DER, or PKCS#12 format).  The path must be UTF-8 encoded;
 *   use g_filename_to_utf8() to convert if needed.  Passing NULL with any
 *   @scheme clears the "phase2" private key.
 * @password: password used to decrypt the private key
 * @scheme: desired storage scheme for the private key
 * @out_format: on successful return, the type of the private key added
 * @error: on unsuccessful return, an error
 *
 * Reads a "phase 2" private key from disk and sets the
 * #NMSetting8021x:phase2-private-key property with the raw private key data if
 * using the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the
 * private key file if using the %NM_SETTING_802_1X_CK_SCHEME_PATH scheme.
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_private_key (NMSetting8021x *self,
                                          const char *value,
                                          const char *password,
                                          NMSetting8021xCKScheme scheme,
                                          NMSetting8021xCKFormat *out_format,
                                          GError **error)
{
	NMSetting8021xPrivate *priv;
	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
	GByteArray *data;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (self), FALSE);

	if (value) {
		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
		                      FALSE);
	}

	if (out_format)
		g_return_val_if_fail (*out_format == NM_SETTING_802_1X_CK_FORMAT_UNKNOWN, FALSE);

	priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Clear out any previous private key blob */
	if (priv->phase2_private_key) {
		/* Try not to leave the private key around in memory */
		memset (priv->phase2_private_key, 0, priv->phase2_private_key->len);
		g_byte_array_free (priv->phase2_private_key, TRUE);
		priv->phase2_private_key = NULL;
	}

	g_free (priv->phase2_private_key_password);
	priv->phase2_private_key_password = NULL;

	if (!value)
		return TRUE;

	/* First verify private key password */
	data = crypto_get_private_key (value,
	                               password,
	                               &key_type,
	                               &format,
	                               error);
	if (!data) {
		/* As a special case for private keys, even if the decrypt fails,
		 * return the key's file type.
		 */
		if (out_format && crypto_is_pkcs12_file (value, NULL))
			*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;

		return FALSE;
	}
	memset (data->data, 0, data->len);
	g_byte_array_free (data, TRUE);

	format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	data = crypto_load_and_verify_certificate (value, &format, error);
	if (data) {
		/* wpa_supplicant can only use raw x509 CA certs */
		switch (format) {
		case NM_CRYPTO_FILE_FORMAT_RAW_KEY:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_RAW_KEY;
			break;
		case NM_CRYPTO_FILE_FORMAT_X509:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_X509;
			break;
		case NM_CRYPTO_FILE_FORMAT_PKCS12:
			if (out_format)
				*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
			break;
		default:
			g_byte_array_free (data, TRUE);
			data = NULL;
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
			break;
		}

		if (data) {
			if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
				priv->phase2_private_key = data;

				/* Always update the private key for blob + pkcs12 since the
				 * pkcs12 files are encrypted
				 */
				if (format == NM_CRYPTO_FILE_FORMAT_PKCS12)
					priv->phase2_private_key_password = g_strdup (password);
			} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH) {
				/* Add the path scheme tag to the front, then the fielname */
				priv->phase2_private_key = g_byte_array_sized_new (strlen (value) + strlen (SCHEME_PATH) + 1);
				g_byte_array_append (priv->phase2_private_key, (const guint8 *) SCHEME_PATH, strlen (SCHEME_PATH));
				g_byte_array_append (priv->phase2_private_key, (const guint8 *) value, strlen (value));
				g_byte_array_append (priv->phase2_private_key, (const guint8 *) "\0", 1);

				/* Always update the private key with paths since the key the
				 * cert refers to is encrypted.
				 */
				priv->phase2_private_key_password = g_strdup (password);
			} else
				g_assert_not_reached ();

			/* As required by NM and wpa_supplicant, set the client-cert
			 * property to the same PKCS#12 data.
			 */
			if (format == NM_CRYPTO_FILE_FORMAT_PKCS12) {
				if (priv->phase2_client_cert)
					g_byte_array_free (priv->phase2_client_cert, TRUE);
	
				priv->phase2_client_cert = g_byte_array_sized_new (priv->phase2_private_key->len);
				g_byte_array_append (priv->phase2_client_cert, priv->phase2_private_key->data, priv->phase2_private_key->len);
			}
		}
	} else {
		/* As a special case for private keys, even if the decrypt fails,
		 * return the key's file type.
		 */
		if (out_format && crypto_is_pkcs12_file (value, NULL))
			*out_format = NM_SETTING_802_1X_CK_FORMAT_PKCS12;
	}

	return priv->phase2_private_key != NULL;
}

/**
 * nm_setting_802_1x_set_phase2_private_key_from_file:
 * @setting: the #NMSetting8021x
 * @filename: the path of the "phase2" private key file (PEM, DER, or PKCS#12
 *   format).  Passing NULL clears the "phase2" private key.
 * @password: password used to decrypt the private key
 * @out_ck_type: on successful return, the type of the private key added
 * @error: on unsuccessful return, an error
 *
 * Reads a "phase 2" private key from disk and sets the
 * #NMSetting8021x:phase2-private-key property with the raw private key data.
 *
 * Private keys are used to authenticate the connecting client to the network
 * when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x
 * authentication method.
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_set_phase2_private_key() with
 *   the %NM_SETTING_802_1X_CK_SCHEME_BLOB scheme.
 *
 * Returns: TRUE if the operation succeeded, FALSE if it was unsuccessful
 **/
gboolean
nm_setting_802_1x_set_phase2_private_key_from_file (NMSetting8021x *setting,
                                                    const char *filename,
                                                    const char *password,
                                                    NMSetting8021xCKType *out_ck_type,
                                                    GError **error)
{
	gboolean success;
	NMSetting8021xCKFormat format = NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	success = nm_setting_802_1x_set_phase2_private_key (setting,
	                                                    filename,
	                                                    password,
	                                                    NM_SETTING_802_1X_CK_SCHEME_BLOB,
	                                                    &format,
	                                                    error);
	if (success && out_ck_type)
		*out_ck_type = ck_format_to_type (format);

	return success;
}

/**
 * nm_setting_802_1x_get_phase2_private_key_format:
 * @setting: the #NMSetting8021x
 *
 * Returns: the data format of the "phase 2" private key data stored in the
 *   #NMSetting8021x:phase2-private-key property
 **/
NMSetting8021xCKFormat
nm_setting_802_1x_get_phase2_private_key_format (NMSetting8021x *setting)
{
	NMSetting8021xPrivate *priv;
	const char *path;
	GError *error = NULL;

	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NM_SETTING_802_1X_CK_FORMAT_UNKNOWN);
	priv = NM_SETTING_802_1X_GET_PRIVATE (setting);

	if (!priv->phase2_private_key)
		return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;

	switch (nm_setting_802_1x_get_phase2_private_key_scheme (setting)) {
	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
		if (crypto_is_pkcs12_data (priv->phase2_private_key))
			return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
		return NM_SETTING_802_1X_CK_FORMAT_X509;
	case NM_SETTING_802_1X_CK_SCHEME_PATH:
		path = nm_setting_802_1x_get_phase2_private_key_path (setting);
		if (crypto_is_pkcs12_file (path, &error))
			return NM_SETTING_802_1X_CK_FORMAT_PKCS12;
		if (error) {
			/* Couldn't read the file or something */
			g_error_free (error);
			return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
		}
		return NM_SETTING_802_1X_CK_FORMAT_X509;
	default:
		break;
	}

	return NM_SETTING_802_1X_CK_FORMAT_UNKNOWN;
}

/**
 * nm_setting_802_1x_get_phase2_private_key_type:
 * @setting: the #NMSetting8021x
 *
 * Deprecated: 0.8: This function has been deprecated and should
 *   not be used in newly written code. Calling this function is
 *   equivalent to calling nm_setting_802_1x_get_phase2_private_key_format().
 *
 * Returns: the data format of the private key data stored in the
 *   #NMSetting8021x:phase2-private-key property
 **/
NMSetting8021xCKType
nm_setting_802_1x_get_phase2_private_key_type (NMSetting8021x *setting)
{
	return ck_format_to_type (nm_setting_802_1x_get_phase2_private_key_format (setting));
}

static void
need_secrets_password (NMSetting8021x *self,
                       GPtrArray *secrets,
                       gboolean phase2)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	if (!priv->password || !strlen (priv->password))
		g_ptr_array_add (secrets, NM_SETTING_802_1X_PASSWORD);
}

static void
need_secrets_sim (NMSetting8021x *self,
                  GPtrArray *secrets,
                  gboolean phase2)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	if (!priv->pin || !strlen (priv->pin))
		g_ptr_array_add (secrets, NM_SETTING_802_1X_PIN);
}

static gboolean
need_private_key_password (const GByteArray *blob,
                           const char *path,
                           const char *password)
{
	/* Private key password is only un-needed if the private key scheme is BLOB,
	 * because BLOB keys are decrypted by the settings service.  A private key
	 * password is required if the private key is PKCS#12 format, or if the
	 * private key scheme is PATH.
	 */
	if (path) {
		GByteArray *tmp;
		NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
		NMCryptoFileFormat key_format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;

		/* check the password */
		tmp = crypto_get_private_key (path, password, &key_type, &key_format, NULL);
		if (tmp) {
			/* Decrypt/verify successful; password must be OK */
			g_byte_array_free (tmp, TRUE);
			return FALSE;
		}
	} else if (blob) {
		/* Non-PKCS#12 blob-scheme keys are already decrypted by their settings
		 * service, thus if the private key is not PKCS#12 format, a new password
		 * is not required.  If the PKCS#12 key can be decrypted with the given
		 * password, then we don't need a new password either.
		 */
		if (!crypto_is_pkcs12_data (blob) || crypto_verify_pkcs12 (blob, password, NULL))
			return FALSE;
	} else
		g_warning ("%s: unknown private key password scheme", __func__);

	return TRUE;
}

static void
need_secrets_tls (NMSetting8021x *self,
                  GPtrArray *secrets,
                  gboolean phase2)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
	NMSetting8021xCKScheme scheme;
	const GByteArray *blob = NULL;
	const char *path = NULL;

	if (phase2) {
		if (!priv->phase2_private_key || !priv->phase2_private_key->len) {
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
			return;
		}

		scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
			path = nm_setting_802_1x_get_phase2_private_key_path (self);
		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
			blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
		else {
			g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
			return;
		}

		if (need_private_key_password (blob, path, priv->phase2_private_key_password))
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
	} else {
		if (!priv->private_key || !priv->private_key->len) {
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
			return;
		}

		scheme = nm_setting_802_1x_get_private_key_scheme (self);
		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
			path = nm_setting_802_1x_get_private_key_path (self);
		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
			blob = nm_setting_802_1x_get_private_key_blob (self);
		else {
			g_warning ("%s: unknown private key scheme %d", __func__, scheme);
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
			return;
		}

		if (need_private_key_password (blob, path, priv->private_key_password))
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
	}
}

static gboolean
verify_tls (NMSetting8021x *self, gboolean phase2, GError **error)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	if (phase2) {
		if (!priv->phase2_client_cert) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
			return FALSE;
		} else if (!priv->phase2_client_cert->len) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
			return FALSE;
		}

		/* If the private key is PKCS#12, check that it matches the client cert */
		if (priv->phase2_private_key && crypto_is_pkcs12_data (priv->phase2_private_key)) {
			if (priv->phase2_private_key->len != priv->phase2_client_cert->len) {
				g_set_error (error,
				             NM_SETTING_802_1X_ERROR,
				             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
				             NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
				return FALSE;
			}

			if (memcmp (priv->phase2_private_key->data,
			            priv->phase2_client_cert->data,
			            priv->phase2_private_key->len)) {
				g_set_error (error,
				             NM_SETTING_802_1X_ERROR,
				             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
				             NM_SETTING_802_1X_PHASE2_CLIENT_CERT);
				return FALSE;
			}
		}
	} else {
		if (!priv->client_cert) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_CLIENT_CERT);
			return FALSE;
		} else if (!priv->client_cert->len) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_CLIENT_CERT);
			return FALSE;
		}

		/* If the private key is PKCS#12, check that it matches the client cert */
		if (priv->private_key && crypto_is_pkcs12_data (priv->private_key)) {
			if (priv->private_key->len != priv->client_cert->len) {
				g_set_error (error,
				             NM_SETTING_802_1X_ERROR,
				             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
				             NM_SETTING_802_1X_CLIENT_CERT);
				return FALSE;
			}

			if (memcmp (priv->private_key->data,
			            priv->client_cert->data,
			            priv->private_key->len)) {
				g_set_error (error,
				             NM_SETTING_802_1X_ERROR,
				             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
				             NM_SETTING_802_1X_CLIENT_CERT);
				return FALSE;
			}
		}
	}

	return TRUE;
}

static gboolean
verify_ttls (NMSetting8021x *self, gboolean phase2, GError **error)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	if (   (!priv->identity || !strlen (priv->identity))
	    && (!priv->anonymous_identity || !strlen (priv->anonymous_identity))) {
		if (!priv->identity) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_IDENTITY);
		} else if (!strlen (priv->identity)) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_IDENTITY);
		} else if (!priv->anonymous_identity) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_ANONYMOUS_IDENTITY);
		} else {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_ANONYMOUS_IDENTITY);
		}
		return FALSE;
	}

	if (   (!priv->phase2_auth || !strlen (priv->phase2_auth))
	    && (!priv->phase2_autheap || !strlen (priv->phase2_autheap))) {
		if (!priv->phase2_auth) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_AUTH);
		} else if (!strlen (priv->phase2_auth)) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_AUTH);
		} else if (!priv->phase2_autheap) {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_AUTHEAP);
		} else {
			g_set_error (error,
			             NM_SETTING_802_1X_ERROR,
			             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
			             NM_SETTING_802_1X_PHASE2_AUTHEAP);
		}
		return FALSE;
	}

	return TRUE;
}

static gboolean
verify_identity (NMSetting8021x *self, gboolean phase2, GError **error)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	if (!priv->identity) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
		             NM_SETTING_802_1X_IDENTITY);
	} else if (!strlen (priv->identity)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_IDENTITY);
	}

	return TRUE;
}

/* Implemented below... */
static void need_secrets_phase2 (NMSetting8021x *self,
                                 GPtrArray *secrets,
                                 gboolean phase2);


typedef void (*EAPMethodNeedSecretsFunc) (NMSetting8021x *self,
                                          GPtrArray *secrets,
                                          gboolean phase2);

typedef gboolean (*EAPMethodValidateFunc)(NMSetting8021x *self,
                                          gboolean phase2,
                                          GError **error);

typedef struct {
	const char *method;
	EAPMethodNeedSecretsFunc ns_func;
	EAPMethodValidateFunc v_func;
} EAPMethodsTable;

static EAPMethodsTable eap_methods_table[] = {
	{ "leap", need_secrets_password, verify_identity },
	{ "md5", need_secrets_password, verify_identity },
	{ "pap", need_secrets_password, verify_identity },
	{ "chap", need_secrets_password, verify_identity },
	{ "mschap", need_secrets_password, verify_identity },
	{ "mschapv2", need_secrets_password, verify_identity },
	{ "fast", need_secrets_password, verify_identity },
	{ "tls", need_secrets_tls, verify_tls },
	{ "peap", need_secrets_phase2, verify_ttls },
	{ "ttls", need_secrets_phase2, verify_ttls },
	{ "sim", need_secrets_sim, NULL },
	{ "gtc", need_secrets_password, verify_identity },
	{ "otp", NULL, NULL },  // FIXME: implement
	{ NULL, NULL, NULL }
};

static void
need_secrets_phase2 (NMSetting8021x *self,
                     GPtrArray *secrets,
                     gboolean phase2)
{
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
	char *method = NULL;
	int i;

	g_return_if_fail (phase2 == FALSE);

	/* Check phase2_auth and phase2_autheap */
	method = priv->phase2_auth;
	if (!method && priv->phase2_autheap)
		method = priv->phase2_autheap;

	if (!method) {
		g_warning ("Couldn't find EAP method.");
		g_assert_not_reached();
		return;
	}

	/* Ask the configured phase2 method if it needs secrets */
	for (i = 0; eap_methods_table[i].method; i++) {
		if (eap_methods_table[i].ns_func == NULL)
			continue;
		if (!strcmp (eap_methods_table[i].method, method)) {
			(*eap_methods_table[i].ns_func) (self, secrets, TRUE);
			break;
		}
	}
}


static GPtrArray *
need_secrets (NMSetting *setting)
{
	NMSetting8021x *self = NM_SETTING_802_1X (setting);
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
	GSList *iter;
	GPtrArray *secrets;
	gboolean eap_method_found = FALSE;

	secrets = g_ptr_array_sized_new (4);

	/* Ask each configured EAP method if it needs secrets */
	for (iter = priv->eap; iter && !eap_method_found; iter = g_slist_next (iter)) {
		const char *method = (const char *) iter->data;
		int i;

		for (i = 0; eap_methods_table[i].method; i++) {
			if (eap_methods_table[i].ns_func == NULL)
				continue;
			if (!strcmp (eap_methods_table[i].method, method)) {
				(*eap_methods_table[i].ns_func) (self, secrets, FALSE);

				/* Only break out of the outer loop if this EAP method
				 * needed secrets.
				 */
				if (secrets->len > 0)
					eap_method_found = TRUE;
				break;
			}
		}
	}

	if (secrets->len == 0) {
		g_ptr_array_free (secrets, TRUE);
		secrets = NULL;
	}

	return secrets;
}

static gboolean
verify_cert (GByteArray *array, const char *prop_name, GError **error)
{
	if (!array)
		return TRUE;

	switch (get_cert_scheme (array)) {
	case NM_SETTING_802_1X_CK_SCHEME_BLOB:
		return TRUE;
	case NM_SETTING_802_1X_CK_SCHEME_PATH:
		/* For path-based schemes, verify that the path is zero-terminated */
		if (array->data[array->len - 1] == '\0') {
			/* And ensure it's UTF-8 valid too so we can pass it through
			 * D-Bus and stuff like that.
			 */
			if (g_utf8_validate ((const char *) (array->data + strlen (SCHEME_PATH)), -1, NULL))
				return TRUE;
		}
		break;
	default:
		break;
	}

	g_set_error (error,
	             NM_SETTING_802_1X_ERROR,
	             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
	             "%s", prop_name);
	return FALSE;
}

static gboolean
verify (NMSetting *setting, GSList *all_settings, GError **error)
{
	NMSetting8021x *self = NM_SETTING_802_1X (setting);
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);
	const char *valid_eap[] = { "leap", "md5", "tls", "peap", "ttls", "sim", "fast", NULL };
	const char *valid_phase1_peapver[] = { "0", "1", NULL };
	const char *valid_phase1_peaplabel[] = { "0", "1", NULL };
	const char *valid_phase1_fast_pac[] = { "0", "1", "2", "3", NULL };
	const char *valid_phase2_auth[] = { "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", "tls", NULL };
	const char *valid_phase2_autheap[] = { "md5", "mschapv2", "otp", "gtc", "tls", NULL };
	GSList *iter;

	if (error)
		g_return_val_if_fail (*error == NULL, FALSE);

	if (!priv->eap) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_MISSING_PROPERTY,
		             NM_SETTING_802_1X_EAP);
		return FALSE;
	}

	if (!_nm_utils_string_slist_validate (priv->eap, valid_eap)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_EAP);
		return FALSE;
	}

	/* Ask each configured EAP method if its valid */
	for (iter = priv->eap; iter; iter = g_slist_next (iter)) {
		const char *method = (const char *) iter->data;
		int i;

		for (i = 0; eap_methods_table[i].method; i++) {
			if (eap_methods_table[i].v_func == NULL)
				continue;
			if (!strcmp (eap_methods_table[i].method, method)) {
				if (!(*eap_methods_table[i].v_func) (self, FALSE, error))
					return FALSE;
				break;
			}
		}
	}

	if (priv->phase1_peapver && !_nm_utils_string_in_list (priv->phase1_peapver, valid_phase1_peapver)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_PHASE1_PEAPVER);
		return FALSE;
	}

	if (priv->phase1_peaplabel && !_nm_utils_string_in_list (priv->phase1_peaplabel, valid_phase1_peaplabel)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_PHASE1_PEAPLABEL);
		return FALSE;
	}

	if (priv->phase1_fast_provisioning && !_nm_utils_string_in_list (priv->phase1_fast_provisioning, valid_phase1_fast_pac)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING);
		return FALSE;
	}

	if (priv->phase2_auth && !_nm_utils_string_in_list (priv->phase2_auth, valid_phase2_auth)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_PHASE2_AUTH);
		return FALSE;
	}

	if (priv->phase2_autheap && !_nm_utils_string_in_list (priv->phase2_autheap, valid_phase2_autheap)) {
		g_set_error (error,
		             NM_SETTING_802_1X_ERROR,
		             NM_SETTING_802_1X_ERROR_INVALID_PROPERTY,
		             NM_SETTING_802_1X_PHASE2_AUTHEAP);
		return FALSE;
	}

	if (!verify_cert (priv->ca_cert, NM_SETTING_802_1X_CA_CERT, error))
		return FALSE;
	if (!verify_cert (priv->phase2_ca_cert, NM_SETTING_802_1X_PHASE2_CA_CERT, error))
		return FALSE;

	if (!verify_cert (priv->client_cert, NM_SETTING_802_1X_CLIENT_CERT, error))
		return FALSE;
	if (!verify_cert (priv->phase2_client_cert, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, error))
		return FALSE;

	if (!verify_cert (priv->private_key, NM_SETTING_802_1X_PRIVATE_KEY, error))
		return FALSE;
	if (!verify_cert (priv->phase2_private_key, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, error))
		return FALSE;

	/* FIXME: finish */

	return TRUE;
}

static void
nm_setting_802_1x_init (NMSetting8021x *setting)
{
	g_object_set (setting, NM_SETTING_NAME, NM_SETTING_802_1X_SETTING_NAME, NULL);
}

static void
finalize (GObject *object)
{
	NMSetting8021x *self = NM_SETTING_802_1X (object);
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (self);

	/* Strings first. g_free() already checks for NULLs so we don't have to */

	g_free (priv->identity);
	g_free (priv->anonymous_identity);
	g_free (priv->ca_path);
	g_free (priv->phase1_peapver);
	g_free (priv->phase1_peaplabel);
	g_free (priv->phase1_fast_provisioning);
	g_free (priv->phase2_auth);
	g_free (priv->phase2_autheap);
	g_free (priv->phase2_ca_path);
	g_free (priv->password);

	nm_utils_slist_free (priv->eap, g_free);

	if (priv->ca_cert)
		g_byte_array_free (priv->ca_cert, TRUE);
	if (priv->client_cert)
		g_byte_array_free (priv->client_cert, TRUE);
	if (priv->private_key)
		g_byte_array_free (priv->private_key, TRUE);
	g_free (priv->private_key_password);
	if (priv->phase2_ca_cert)
		g_byte_array_free (priv->phase2_ca_cert, TRUE);
	if (priv->phase2_client_cert)
		g_byte_array_free (priv->phase2_client_cert, TRUE);
	if (priv->phase2_private_key)
		g_byte_array_free (priv->phase2_private_key, TRUE);
	g_free (priv->phase2_private_key_password);

	G_OBJECT_CLASS (nm_setting_802_1x_parent_class)->finalize (object);
}

static GByteArray *
set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error)
{
	gboolean valid;
	GByteArray *data = NULL;

	data = g_value_dup_boxed (value);
	/* Verify the new data */
	if (data) {
		valid = verify_cert (data, prop_name, error);
		if (!valid) {
			g_byte_array_free (data, TRUE);
			data = NULL;
		}
	}
	return data;
}

static void
set_property (GObject *object, guint prop_id,
		    const GValue *value, GParamSpec *pspec)
{
	NMSetting8021x *setting = NM_SETTING_802_1X (object);
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting);
	GError *error = NULL;

	switch (prop_id) {
	case PROP_EAP:
		nm_utils_slist_free (priv->eap, g_free);
		priv->eap = g_value_dup_boxed (value);
		break;
	case PROP_IDENTITY:
		g_free (priv->identity);
		priv->identity = g_value_dup_string (value);
		break;
	case PROP_ANONYMOUS_IDENTITY:
		g_free (priv->anonymous_identity);
		priv->anonymous_identity = g_value_dup_string (value);
		break;
	case PROP_CA_CERT:
		if (priv->ca_cert) {
			g_byte_array_free (priv->ca_cert, TRUE);
			priv->ca_cert = NULL;
		}
		priv->ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CA_CERT, &error);
		if (error) {
			g_warning ("Error setting certificate (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_CA_PATH:
		g_free (priv->ca_path);
		priv->ca_path = g_value_dup_string (value);
		break;
	case PROP_CLIENT_CERT:
		if (priv->client_cert) {
			g_byte_array_free (priv->client_cert, TRUE);
			priv->client_cert = NULL;
		}
		priv->client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_CLIENT_CERT, &error);
		if (error) {
			g_warning ("Error setting certificate (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_PHASE1_PEAPVER:
		g_free (priv->phase1_peapver);
		priv->phase1_peapver = g_value_dup_string (value);
		break;
	case PROP_PHASE1_PEAPLABEL:
		g_free (priv->phase1_peaplabel);
		priv->phase1_peaplabel = g_value_dup_string (value);
		break;
	case PROP_PHASE1_FAST_PROVISIONING:
		g_free (priv->phase1_fast_provisioning);
		priv->phase1_fast_provisioning = g_value_dup_string (value);
		break;
	case PROP_PHASE2_AUTH:
		g_free (priv->phase2_auth);
		priv->phase2_auth = g_value_dup_string (value);
		break;
	case PROP_PHASE2_AUTHEAP:
		g_free (priv->phase2_autheap);
		priv->phase2_autheap = g_value_dup_string (value);
		break;
	case PROP_PHASE2_CA_CERT:
		if (priv->phase2_ca_cert) {
			g_byte_array_free (priv->phase2_ca_cert, TRUE);
			priv->phase2_ca_cert = NULL;
		}
		priv->phase2_ca_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CA_CERT, &error);
		if (error) {
			g_warning ("Error setting certificate (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_PHASE2_CA_PATH:
		g_free (priv->phase2_ca_path);
		priv->phase2_ca_path = g_value_dup_string (value);
		break;
	case PROP_PHASE2_CLIENT_CERT:
		if (priv->phase2_client_cert) {
			g_byte_array_free (priv->phase2_client_cert, TRUE);
			priv->phase2_client_cert = NULL;
		}
		priv->phase2_client_cert = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_CLIENT_CERT, &error);
		if (error) {
			g_warning ("Error setting certificate (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_PASSWORD:
		g_free (priv->password);
		priv->password = g_value_dup_string (value);
		break;
	case PROP_PRIVATE_KEY:
		if (priv->private_key) {
			g_byte_array_free (priv->private_key, TRUE);
			priv->private_key = NULL;
		}
		priv->private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PRIVATE_KEY, &error);
		if (error) {
			g_warning ("Error setting private key (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_PRIVATE_KEY_PASSWORD:
		g_free (priv->private_key_password);
		priv->private_key_password = g_value_dup_string (value);
		break;
	case PROP_PHASE2_PRIVATE_KEY:
		if (priv->phase2_private_key) {
			g_byte_array_free (priv->phase2_private_key, TRUE);
			priv->phase2_private_key = NULL;
		}
		priv->phase2_private_key = set_cert_prop_helper (value, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY, &error);
		if (error) {
			g_warning ("Error setting private key (invalid data): (%d) %s",
			           error->code, error->message);
			g_error_free (error);
		}
		break;
	case PROP_PHASE2_PRIVATE_KEY_PASSWORD:
		g_free (priv->phase2_private_key_password);
		priv->phase2_private_key_password = g_value_dup_string (value);
		break;
	case PROP_SYSTEM_CA_CERTS:
		priv->system_ca_certs = g_value_get_boolean (value);
		break;
	default:
		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
		break;
	}
}

static void
get_property (GObject *object, guint prop_id,
		    GValue *value, GParamSpec *pspec)
{
	NMSetting8021x *setting = NM_SETTING_802_1X (object);
	NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE (setting);

	switch (prop_id) {
	case PROP_EAP:
		g_value_set_boxed (value, priv->eap);
		break;
	case PROP_IDENTITY:
		g_value_set_string (value, priv->identity);
		break;
	case PROP_ANONYMOUS_IDENTITY:
		g_value_set_string (value, priv->anonymous_identity);
		break;
	case PROP_CA_CERT:
		g_value_set_boxed (value, priv->ca_cert);
		break;
	case PROP_CA_PATH:
		g_value_set_string (value, priv->ca_path);
		break;
	case PROP_CLIENT_CERT:
		g_value_set_boxed (value, priv->client_cert);
		break;
	case PROP_PHASE1_PEAPVER:
		g_value_set_string (value, priv->phase1_peapver);
		break;
	case PROP_PHASE1_PEAPLABEL:
		g_value_set_string (value, priv->phase1_peaplabel);
		break;
	case PROP_PHASE1_FAST_PROVISIONING:
		g_value_set_string (value, priv->phase1_fast_provisioning);
		break;
	case PROP_PHASE2_AUTH:
		g_value_set_string (value, priv->phase2_auth);
		break;
	case PROP_PHASE2_AUTHEAP:
		g_value_set_string (value, priv->phase2_autheap);
		break;
	case PROP_PHASE2_CA_CERT:
		g_value_set_boxed (value, priv->phase2_ca_cert);
		break;
	case PROP_PHASE2_CA_PATH:
		g_value_set_string (value, priv->phase2_ca_path);
		break;
	case PROP_PHASE2_CLIENT_CERT:
		g_value_set_boxed (value, priv->phase2_client_cert);
		break;
	case PROP_PASSWORD:
		g_value_set_string (value, priv->password);
		break;
	case PROP_PRIVATE_KEY:
		g_value_set_boxed (value, priv->private_key);
		break;
	case PROP_PRIVATE_KEY_PASSWORD:
		g_value_set_string (value, priv->private_key_password);
		break;
	case PROP_PHASE2_PRIVATE_KEY:
		g_value_set_boxed (value, priv->phase2_private_key);
		break;
	case PROP_PHASE2_PRIVATE_KEY_PASSWORD:
		g_value_set_string (value, priv->phase2_private_key_password);
		break;
	case PROP_SYSTEM_CA_CERTS:
		g_value_set_boolean (value, priv->system_ca_certs);
		break;
	default:
		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
		break;
	}
}

static void
nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
{
	GObjectClass *object_class = G_OBJECT_CLASS (setting_class);
	NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class);
	GError *error = NULL;

	g_type_class_add_private (setting_class, sizeof (NMSetting8021xPrivate));

	/* virtual methods */
	object_class->set_property = set_property;
	object_class->get_property = get_property;
	object_class->finalize     = finalize;

	parent_class->verify         = verify;
	parent_class->need_secrets   = need_secrets;

	/* Properties */

	/**
	 * NMSetting8021x:eap:
	 *
	 * The allowed EAP method to be used when authenticating to the network with
	 * 802.1x.  Valid methods are: "leap", "md5", "tls", "peap", "ttls", and
	 * "fast".  Each method requires different configuration using the
	 * properties of this object; refer to wpa_supplicant documentation for the
	 * allowed combinations.
	 **/
	g_object_class_install_property
		(object_class, PROP_EAP,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_EAP,
							   "EAP",
							   "EAP",
							   DBUS_TYPE_G_LIST_OF_STRING,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:identity:
	 *
	 * Identity string for EAP authentication methods.  Often the user's
	 * user or login name.
	 **/
	g_object_class_install_property
		(object_class, PROP_IDENTITY,
		 g_param_spec_string (NM_SETTING_802_1X_IDENTITY,
						  "Identity",
						  "Identity",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:anonymous-identity:
	 *
	 * Anonymous identity string for EAP authentication methods.  Used as the
	 * unencrypted identity with EAP types that support different tunelled
	 * identity like EAP-TTLS.
	 **/
	g_object_class_install_property
		(object_class, PROP_ANONYMOUS_IDENTITY,
		 g_param_spec_string (NM_SETTING_802_1X_ANONYMOUS_IDENTITY,
						  "Anonymous identity",
						  "Anonymous identity",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:ca-cert:
	 *
	 * Raw X.509 CA certificate data if used by the EAP method specified in the
	 * #NMSetting8021x:eap property.  Can be unset even if the EAP method
	 * supports CA certificates, but this allows man-in-the-middle attacks and
	 * is NOT recommended.  This property is cleared when the
	 * #NMSetting8021x:ca-cert-path property is set since the two are mutually
	 * exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_CA_CERT,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_CA_CERT,
							   "CA certificate",
							   "CA certificate",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:ca-path:
	 *
	 * Path to a directory containing PEM or DER formatted certificates to be
	 * added to the verification chain in addition to the certificate specified
	 * in either of the #NMSetting8021x:ca-cert or #NMSetting8021x:ca-cert-path
	 * properties.
	 **/
	g_object_class_install_property
		(object_class, PROP_CA_PATH,
		 g_param_spec_string (NM_SETTING_802_1X_CA_PATH,
						  "CA path",
						  "CA path",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:client-cert:
	 *
	 * Raw X.509 client certificate data if used by the EAP method specified in
	 * the #NMSetting8021x:eap property.  Currently only EAP-TLS supports client
	 * certificates.  This property is cleared when the
	 * #NMSetting8021x:client-cert-path property is set since the two are mutually
	 * exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_CLIENT_CERT,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_CLIENT_CERT,
							   "Client certificate",
							   "Client certificate",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase1-peapver:
	 *
	 * Forces which PEAP version is used when PEAP is set as the EAP method in
	 * the #NMSetting8021x:eap property.  When unset, the version reported by
	 * the server will be used.  Sometimes when using older RADIUS servers, it
	 * is necessary to force the client to use a particular PEAP version.  To do
	 * so, this property may be set to "0" or "1" to force that specific PEAP
	 * version.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE1_PEAPVER,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPVER,
						  "Phase1 PEAPVER",
						  "Phase1 PEAPVER",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase1-peaplabel:
	 *
	 * Forces use of the new PEAP label during key derivation.  Some RADIUS
	 * servers may require forcing the new PEAP label to interoperate with
	 * PEAPv1.  Set to "1" to force use of the new PEAP label.  See the
	 * wpa_supplicant documentation for more details.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE1_PEAPLABEL,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE1_PEAPLABEL,
						  "Phase1 PEAP label",
						  "Phase1 PEAP label",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase1-fast-provisioning:
	 *
	 * Enables or disables in-line provisioning of EAP-FAST credentials when
	 * FAST is specified as the EAP method in the #NMSetting8021x:eap property.
	 * Recognized values are "0" (disabled), "1" (allow unauthenticated
	 * provisioning), "2" (allow authenticated provisioning), and "3" (allow
	 * both authenticated and unauthenticated provisioning).
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE1_FAST_PROVISIONING,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING,
						  "Phase1 fast provisioning",
						  "Phase1 fast provisioning",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase2-auth:
	 *
	 * Specifies the allowed "phase 2" inner non-EAP authentication methods when
	 * an EAP method that uses an inner TLS tunnel is specified in the
	 * #NMSetting8021x:eap property.  Recognized non-EAP phase2 methods are
	 * "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls".
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_AUTH,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTH,
						  "Phase2 auth",
						  "Phase2 auth",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase2-autheap:
	 *
	 * Specifies the allowed "phase 2" inner EAP-based authentication methods
	 * when an EAP method that uses an inner TLS tunnel is specified in the
	 * #NMSetting8021x:eap property.  Recognized EAP-based phase2 methods are
	 * "md5", "mschapv2", "otp", "gtc", and "tls".
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_AUTHEAP,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE2_AUTHEAP,
						  "Phase2 autheap",
						  "Phase2 autheap",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase2-ca-cert:
	 *
	 * Raw X.509 CA certificate data if used by the authentication method
	 * specified in the #NMSetting8021x:phase2-auth or
	 * #NMSetting8021x:phase2-autheap properties.  Can be unset even if the
	 * authentication method supports CA certificates, but this allows
	 * man-in-the-middle attacks and is NOT recommended.  This property is
	 * cleared when the #NMSetting8021x:phase2-ca-cert-path property is set
	 * since the two are mutually exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_CA_CERT,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_CA_CERT,
							   "Phase2 CA certificate",
							   "Phase2 CA certificate",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase2-ca-path:
	 *
	 * Path to a directory containing PEM or DER formatted certificates to be
	 * added to the verification chain in addition to the certificate specified
	 * in either of the #NMSetting8021x:phase2-ca-cert or
	 * #NMSetting8021x:phase2-ca-cert-path properties.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_CA_PATH,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE2_CA_PATH,
						  "Phase2 auth CA path",
						  "Phase2 auth CA path",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:phase2-client-cert:
	 *
	 * Raw X.509 client certificate data if used by the authentication method
	 * specified in the #NMSetting8021x:phase2-auth or
	 * #NMSetting8021x:phase2-autheap properties.  Currently only TLS supports
	 * client certificates.  This property is cleared when the
	 * #NMSetting8021x:phase2-client-cert-path property is set since the two are
	 * mutually exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_CLIENT_CERT,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
							   "Phase2 client certificate",
							   "Phase2 client certificate",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));

	/**
	 * NMSetting8021x:password:
	 *
	 * Password used for EAP authentication methods.
	 **/
	g_object_class_install_property
		(object_class, PROP_PASSWORD,
		 g_param_spec_string (NM_SETTING_802_1X_PASSWORD,
						  "Password",
						  "Password",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));

	/**
	 * NMSetting8021x:private-key:
	 *
	 * When X.509 private keys are used by the EAP method specified in the
	 * #NMSetting8021x:eap property, contains the raw decrypted X.509 key
	 * data.  When PKCS#12 format private keys are used, contains the PCKS#12
	 * data (which is encrypted) and the #NMSetting8021x:private-key-password
	 * property must also be set to the password used to decrypt the PKCS#12
	 * certificate and key.  Currently only TLS supports private keys.  When
	 * PKCS#12 format private keys are used, the #NMSetting8021x:client-cert
	 * must also be set to the same value.
	 *
	 * This property is cleared when the #NMSetting8021x:private-key-path
	 * property is set since the two are mutually exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_PRIVATE_KEY,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_PRIVATE_KEY,
							   "Private key",
							   "Private key",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));

	/**
	 * NMSetting8021x:private-key-password:
	 *
	 * The password used to decrypt the private key specified by
	 * #NMSetting8021x:private-key or #NMSetting8021x:private-key-path
	 **/
	g_object_class_install_property
		(object_class, PROP_PRIVATE_KEY_PASSWORD,
		 g_param_spec_string (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD,
						  "Private key password",
						  "Private key password",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));

	/**
	 * NMSetting8021x:phase2-private-key:
	 *
	 * Private key data used by "phase 2" inner authentication methods.
	 *
	 * When X.509 private keys are used by the authentication method specified
	 * by the #NMSetting8021x:phase2-auth or #NMSetting8021x:phase2-autheap
	 * properties, contains the raw decrypted X.509 key data.  When PKCS#12
	 * format private keys are used, contains the PCKS#12 data (which is
	 * encrypted) and the #NMSetting8021x:private-key-password property must
	 * also be set to the password used to decrypt the PKCS#12 certificate and
	 * key.  Currently only TLS supports private keys.  When PKCS#12 format
	 * private keys are used, the #NMSetting8021x:phase2-client-cert must also
	 * be set to the same value.
	 *
	 * This property is cleared when the #NMSetting8021x:phase2-private-key-path
	 * property is set since the two are mutually exclusive.
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_PRIVATE_KEY,
		 _nm_param_spec_specialized (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
							   "Phase2 private key",
							   "Phase2 private key",
							   DBUS_TYPE_G_UCHAR_ARRAY,
							   G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));

	/**
	 * NMSetting8021x:phase2-private-key-password:
	 *
	 * The password used to decrypt the private key specified by
	 * #NMSetting8021x:phase2-private-key or
	 * #NMSetting8021x:phase2-private-key-path
	 **/
	g_object_class_install_property
		(object_class, PROP_PHASE2_PRIVATE_KEY_PASSWORD,
		 g_param_spec_string (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD,
						  "Phase2 private key password",
						  "Phase2 private key password",
						  NULL,
						  G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE | NM_SETTING_PARAM_SECRET));

	/**
	 * NMSetting8021x:system-ca-certs:
	 *
	 * When TRUE, overrides #NMSetting8021x:ca-path and
	 * #NMSetting8021x:phase2-ca-path properties using the system CA directory
	 * specified and configure time with the --system-ca-path switch.  The
	 * certificates in this directory are added to the verification chain in
	 * addition to any certificates specified by the #NMSetting8021x:ca-cert,
	 * #NMSetting8021x:ca-cert-path, #NMSetting8021x:phase2-ca-cert and
	 * #NMSetting8021x:phase2-ca-cert-path properties.
	 **/
	g_object_class_install_property
		(object_class, PROP_SYSTEM_CA_CERTS,
		 g_param_spec_boolean (NM_SETTING_802_1X_SYSTEM_CA_CERTS,
							   "Use system CA certificates",
							   "Use system CA certificates",
							   FALSE,
							   G_PARAM_READWRITE | G_PARAM_CONSTRUCT | NM_SETTING_PARAM_SERIALIZE));

	/* Initialize crypto lbrary. */
	if (!nm_utils_init (&error)) {
		g_warning ("Couldn't initilize nm-utils/crypto system: %d %s",
		           error->code, error->message);
		g_error_free (error);
	}

}