From faed200b2b3a7247f1fb082271ff05423219ba82 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel
Date: Mon, 19 Dec 2016 12:48:49 +0100
Subject: [PATCH] keyfile: add support for pkcs11: URI scheme
---
libnm-core/nm-keyfile-internal.h | 4 +++-
libnm-core/nm-keyfile-reader.c | 10 ++++++++
libnm-core/nm-keyfile-writer.c | 23 ++++++++++++++-----
.../plugins/keyfile/nms-keyfile-writer.c | 3 +++
4 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/libnm-core/nm-keyfile-internal.h b/libnm-core/nm-keyfile-internal.h
index 1bf24be8d0..30c6c200d6 100644
--- a/libnm-core/nm-keyfile-internal.h
+++ b/libnm-core/nm-keyfile-internal.h
@@ -29,8 +29,9 @@
/*****************************************************************************/
-#define NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB "data:;base64,"
#define NM_KEYFILE_CERT_SCHEME_PREFIX_PATH "file://"
+#define NM_KEYFILE_CERT_SCHEME_PREFIX_PKCS11 "pkcs11:"
+#define NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB "data:;base64,"
char *nm_keyfile_detect_unqualified_path_scheme (const char *base_dir,
gconstpointer pdata,
@@ -147,6 +148,7 @@ typedef struct {
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
+ const char * (*uri_func) (NMSetting8021x *setting);
} NMKeyfileWriteTypeDataCert;
diff --git a/libnm-core/nm-keyfile-reader.c b/libnm-core/nm-keyfile-reader.c
index 4403b8a256..3fa4de7c01 100644
--- a/libnm-core/nm-keyfile-reader.c
+++ b/libnm-core/nm-keyfile-reader.c
@@ -961,6 +961,16 @@ handle_as_scheme (KeyfileReaderInfo *info, GBytes *bytes, NMSetting *setting, co
}
return TRUE;
}
+ if ( data_len >= NM_STRLEN (NM_KEYFILE_CERT_SCHEME_PREFIX_PKCS11)
+ && g_str_has_prefix (data, NM_KEYFILE_CERT_SCHEME_PREFIX_PKCS11)) {
+ if (nm_setting_802_1x_check_cert_scheme (data, data_len + 1, NULL) == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+ g_object_set (setting, key, bytes, NULL);
+ } else {
+ handle_warn (info, key, NM_KEYFILE_WARN_SEVERITY_WARN,
+ _("invalid PKCS#11 URI \"%s\""), data);
+ }
+ return TRUE;
+ }
if ( data_len > NM_STRLEN (NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB)
&& g_str_has_prefix (data, NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB)) {
const char *cdata = data + NM_STRLEN (NM_KEYFILE_CERT_SCHEME_PREFIX_BLOB);
diff --git a/libnm-core/nm-keyfile-writer.c b/libnm-core/nm-keyfile-writer.c
index 92869a2c0c..dfcdb3d4ed 100644
--- a/libnm-core/nm-keyfile-writer.c
+++ b/libnm-core/nm-keyfile-writer.c
@@ -380,6 +380,7 @@ typedef struct ObjectType {
NMSetting8021xCKFormat (*format_func) (NMSetting8021x *setting);
const char * (*path_func) (NMSetting8021x *setting);
GBytes * (*blob_func) (NMSetting8021x *setting);
+ const char * (*uri_func) (NMSetting8021x *setting);
} ObjectType;
static const ObjectType objtypes[10] = {
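Review bot: The length handed to nm_setting_802_1x_check_cert_scheme (`data_len + 1`) and the size of the `bytes` object stored by `g_object_set (setting, key, bytes, NULL)` must agree on whether the terminating NUL is counted, and the hunk does not show which convention `bytes` follows; if its size is data_len, the value stored is not the value that was validated. A comment on the check would settle it, e.g. `/* check_cert_scheme() wants the length including the terminating NUL; the caller guarantees data[data_len] == '\0' */`, or the validation could use the size of `bytes` directly so both agree by construction. The prefix test uses `>=` where the blob branch below uses `>`, so a bare `pkcs11:` value reaches the validator and is rejected with the warning rather than falling through; that looks intended but deserves a word. handle_as_scheme starts and ends outside the hunk.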
@@ -388,42 +389,48 @@ static const ObjectType objtypes[10] = {
nm_setting_802_1x_get_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_ca_cert_path,
- nm_setting_802_1x_get_ca_cert_blob },
+ nm_setting_802_1x_get_ca_cert_blob,
+ nm_setting_802_1x_get_ca_cert_uri },
{ NM_SETTING_802_1X_PHASE2_CA_CERT,
"inner-ca-cert",
nm_setting_802_1x_get_phase2_ca_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_ca_cert_path,
- nm_setting_802_1x_get_phase2_ca_cert_blob },
+ nm_setting_802_1x_get_phase2_ca_cert_blob,
+ nm_setting_802_1x_get_phase2_ca_cert_uri },
{ NM_SETTING_802_1X_CLIENT_CERT,
"client-cert",
nm_setting_802_1x_get_client_cert_scheme,
NULL,
nm_setting_802_1x_get_client_cert_path,
- nm_setting_802_1x_get_client_cert_blob },
+ nm_setting_802_1x_get_client_cert_blob,
+ nm_setting_802_1x_get_client_cert_uri },
{ NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
"inner-client-cert",
nm_setting_802_1x_get_phase2_client_cert_scheme,
NULL,
nm_setting_802_1x_get_phase2_client_cert_path,
- nm_setting_802_1x_get_phase2_client_cert_blob },
+ nm_setting_802_1x_get_phase2_client_cert_blob,
+ nm_setting_802_1x_get_phase2_client_cert_uri },
{ NM_SETTING_802_1X_PRIVATE_KEY,
"private-key",
nm_setting_802_1x_get_private_key_scheme,
nm_setting_802_1x_get_private_key_format,
nm_setting_802_1x_get_private_key_path,
- nm_setting_802_1x_get_private_key_blob },
+ nm_setting_802_1x_get_private_key_blob,
+ nm_setting_802_1x_get_private_key_uri },
{ NM_SETTING_802_1X_PHASE2_PRIVATE_KEY,
"inner-private-key",
nm_setting_802_1x_get_phase2_private_key_scheme,
nm_setting_802_1x_get_phase2_private_key_format,
nm_setting_802_1x_get_phase2_private_key_path,
- nm_setting_802_1x_get_phase2_private_key_blob },
+ nm_setting_802_1x_get_phase2_private_key_blob,
+ nm_setting_802_1x_get_phase2_private_key_uri },
{ NULL },
};
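Review bot: The objtypes table is filled with positional initializers, so the new `*_uri` getter has to land in exactly the seventh slot of each of the six entries, and because path_func and uri_func share the same signature a swap between them compiles silently and only shows up as a wrong value in the keyfile. Designated initializers (`.blob_func = nm_setting_802_1x_get_ca_cert_blob,` followed by `.uri_func = nm_setting_802_1x_get_ca_cert_uri },`) would make every slot self-describing and keep the `{ NULL }` terminator unchanged. This is a point of style; the six entries as written appear to be in the order the struct in the earlier hunk declares.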
@@ -487,6 +494,9 @@ cert_writer_default (NMConnection *connection,
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, val);
g_free (val);
g_free (blob_base64);
+ } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
+ cert_data->uri_func (cert_data->setting));
} else {
/* scheme_func() returns UNKNOWN in all other cases. The only valid case
* where a scheme is allowed to be UNKNOWN, is unsetting the value. In this
@@ -524,6 +534,7 @@ cert_writer (KeyfileWriterInfo *info,
type_data.format_func = objtype->format_func;
type_data.path_func = objtype->path_func;
type_data.blob_func = objtype->blob_func;
+ type_data.uri_func = objtype->uri_func;
if (info->handler) {
if (info->handler (info->connection,
diff --git a/src/settings/plugins/keyfile/nms-keyfile-writer.c b/src/settings/plugins/keyfile/nms-keyfile-writer.c
index 380d695b27..95897db38a 100644
--- a/src/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/settings/plugins/keyfile/nms-keyfile-writer.c
@@ -94,6 +94,9 @@ cert_writer (NMConnection *connection,
accepted_path = tmp = g_strconcat (NM_KEYFILE_CERT_SCHEME_PREFIX_PATH, path, NULL);
nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, accepted_path);
g_free (tmp);
+ } else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11) {
+ nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name,
+ cert_data->uri_func (cert_data->setting));
} else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB) {
GBytes *blob;
const guint8 *blob_data;
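Review bot: The PKCS#11 branch passes `cert_data->uri_func (cert_data->setting)` straight into nm_keyfile_plugin_kf_set_string with no NULL check, here in cert_writer_default and again in the identical branch added to cert_writer in src/settings/plugins/keyfile/nms-keyfile-writer.c. A scheme of NM_SETTING_802_1X_CK_SCHEME_PKCS11 presumably guarantees a non-NULL URI, but that invariant lives in the setting code, not here; `const char *uri = cert_data->uri_func (cert_data->setting);` followed by `if (uri) nm_keyfile_plugin_kf_set_string (file, setting_name, cert_data->property_name, uri);` (or an assertion on uri) would make the assumption visible at both sites. Unlike the path branch, which prepends NM_KEYFILE_CERT_SCHEME_PREFIX_PATH, the URI is written verbatim; that is consistent with the reader matching on the `pkcs11:` prefix the value already carries, and a short comment saying so would spare the next reader the cross-check. Both enclosing functions start and end outside their hunks.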