Merge branch 'mcatanzaro/readable-private-key' into 'main'

gtlscertificate: make private key properties readable See merge request GNOME/glib!2087
author: Philip Withnall <philip@tecnocode.co.uk> 2021-06-16 11:01:40 +0000
committer: Philip Withnall <philip@tecnocode.co.uk> 2021-06-16 11:01:40 +0000
commit: f6fdc9b5f2a8f90937b36f2ebe55e98b9ee07139 (patch)
tree: 53bc28d420c50772174cfd0bbac3f1e2961c7e48
parent: 4d6dbe09049ee1a02fdb0aa3ae01c499dc033c27 (diff)
parent: 022ea47603de3465e4e80c0896af0485705d966a (diff)
download: glib-f6fdc9b5f2a8f90937b36f2ebe55e98b9ee07139.tar.gz
4 files changed, 74 insertions, 70 deletions
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index aadc562a6..cc4046c88 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -84,6 +84,8 @@ g_tls_certificate_get_property (GObject    *object,
 {
   switch (prop_id)
     {
+    case PROP_PRIVATE_KEY:
+    case PROP_PRIVATE_KEY_PEM:
     case PROP_PKCS11_URI:
     case PROP_PRIVATE_KEY_PKCS11_URI:
       /* Subclasses must override this property but this allows older backends to not fatally error */
@@ -154,17 +156,25 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
 							G_PARAM_CONSTRUCT_ONLY |
 							G_PARAM_STATIC_STRINGS));
   /**
-   * GTlsCertificate:private-key:
+   * GTlsCertificate:private-key: (nullable)
    *
    * The DER (binary) encoded representation of the certificate's
-   * private key, in either PKCS#1 format or unencrypted PKCS#8
-   * format. This property (or the #GTlsCertificate:private-key-pem
-   * property) can be set when constructing a key (eg, from a file),
-   * but cannot be read.
+   * private key, in either [PKCS \#1 format](https://datatracker.ietf.org/doc/html/rfc8017)
+   * or unencrypted [PKCS \#8 format.](https://datatracker.ietf.org/doc/html/rfc5208)
+   * PKCS \#8 format is supported since 2.32; earlier releases only
+   * support PKCS \#1. You can use the `openssl rsa` tool to convert
+   * PKCS \#8 keys to PKCS \#1.
    *
-   * PKCS#8 format is supported since 2.32; earlier releases only
-   * support PKCS#1. You can use the `openssl rsa`
-   * tool to convert PKCS#8 keys to PKCS#1.
+   * This property (or the #GTlsCertificate:private-key-pem property)
+   * can be set when constructing a key (for example, from a file).
+   * Since GLib 2.70, it is now also readable; however, be aware that if
+   * the private key is backed by a PKCS \#11 URI – for example, if it
+   * is stored on a smartcard – then this property will be %NULL. If so,
+   * the private key must be referenced via its PKCS \#11 URI,
+   * #GTlsCertificate:private-key-pkcs11-uri. You must check both
+   * properties to see if the certificate really has a private key.
+   * When this property is read, the output format will be unencrypted
+   * PKCS \#8.
    *
    * Since: 2.28
    */
@@ -173,22 +183,30 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
 						       P_("Private key"),
 						       P_("The DER representation of the certificate’s private key"),
 						       G_TYPE_BYTE_ARRAY,
-						       G_PARAM_WRITABLE |
+						       G_PARAM_READWRITE |
 						       G_PARAM_CONSTRUCT_ONLY |
 						       G_PARAM_STATIC_STRINGS));
   /**
-   * GTlsCertificate:private-key-pem:
+   * GTlsCertificate:private-key-pem: (nullable)
    *
    * The PEM (ASCII) encoded representation of the certificate's
-   * private key in either PKCS#1 format ("`BEGIN RSA PRIVATE
-   * KEY`") or unencrypted PKCS#8 format ("`BEGIN
-   * PRIVATE KEY`"). This property (or the
-   * #GTlsCertificate:private-key property) can be set when
-   * constructing a key (eg, from a file), but cannot be read.
+   * private key in either [PKCS \#1 format](https://datatracker.ietf.org/doc/html/rfc8017)
+   * ("`BEGIN RSA PRIVATE KEY`") or unencrypted
+   * [PKCS \#8 format](https://datatracker.ietf.org/doc/html/rfc5208)
+   * ("`BEGIN PRIVATE KEY`"). PKCS \#8 format is supported since 2.32;
+   * earlier releases only support PKCS \#1. You can use the `openssl rsa`
+   * tool to convert PKCS \#8 keys to PKCS \#1.
    *
-   * PKCS#8 format is supported since 2.32; earlier releases only
-   * support PKCS#1. You can use the `openssl rsa`
-   * tool to convert PKCS#8 keys to PKCS#1.
+   * This property (or the #GTlsCertificate:private-key property)
+   * can be set when constructing a key (for example, from a file).
+   * Since GLib 2.70, it is now also readable; however, be aware that if
+   * the private key is backed by a PKCS \#11 URI - for example, if it
+   * is stored on a smartcard - then this property will be %NULL. If so,
+   * the private key must be referenced via its PKCS \#11 URI,
+   * #GTlsCertificate:private-key-pkcs11-uri. You must check both
+   * properties to see if the certificate really has a private key.
+   * When this property is read, the output format will be unencrypted
+   * PKCS \#8.
    *
    * Since: 2.28
    */
@@ -197,7 +215,7 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
 							P_("Private key (PEM)"),
 							P_("The PEM representation of the certificate’s private key"),
 							NULL,
-							G_PARAM_WRITABLE |
+							G_PARAM_READWRITE |
 							G_PARAM_CONSTRUCT_ONLY |
 							G_PARAM_STATIC_STRINGS));
   /**
@@ -222,10 +240,10 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
   /**
    * GTlsCertificate:pkcs11-uri: (nullable)
    *
-   * A URI referencing the PKCS \#11 objects containing an X.509 certificate
-   * and optionally a private key.
+   * A URI referencing the [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
+   * objects containing an X.509 certificate and optionally a private key.
    *
-   * If %NULL the certificate is either not backed by PKCS \#11 or the
+   * If %NULL, the certificate is either not backed by PKCS \#11 or the
    * #GTlsBackend does not support PKCS \#11.
    *
    * Since: 2.68
@@ -242,7 +260,8 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
   /**
    * GTlsCertificate:private-key-pkcs11-uri: (nullable)
    *
-   * A URI referencing a PKCS \#11 object containing a private key.
+   * A URI referencing a [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
+   * object containing a private key.
    *
    * Since: 2.68
    */
@@ -754,7 +773,8 @@ g_tls_certificate_new_from_files (const gchar  *cert_file,
  * @private_key_pkcs11_uri: (nullable): A PKCS \#11 URI
  * @error: #GError for error reporting, or %NULL to ignore.
  *
- * Creates a #GTlsCertificate from a PKCS \#11 URI.
+ * Creates a #GTlsCertificate from a
+ * [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html) URI.
  *
  * An example @pkcs11_uri would be `pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`
  *
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 1e07c1e5e..6c48c2394 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -407,12 +407,6 @@ g_test_tls_connection_initable_iface_init (GInitableIface  *iface)
   iface->init = g_test_tls_connection_initable_init;
 }
 
-const gchar *
-g_test_tls_connection_get_private_key_pem (GTlsCertificate *cert)
-{
-  return ((GTestTlsCertificate *)cert)->key_pem;
-}
-
 /* Test database type */
 
 typedef struct _GTestTlsDatabase      GTestTlsDatabase;
diff --git a/gio/tests/gtesttlsbackend.h b/gio/tests/gtesttlsbackend.h
index 11a8bf149..07948fddc 100644
--- a/gio/tests/gtesttlsbackend.h
+++ b/gio/tests/gtesttlsbackend.h
@@ -39,9 +39,6 @@ struct _GTestTlsBackendClass {
 
 GType _g_test_tls_backend_get_type       (void);
 
-const gchar *g_test_tls_connection_get_private_key_pem (GTlsCertificate *cert);
-
-
 G_END_DECLS
 
 #endif /* __G_TEST_TLS_BACKEND_H__ */
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index d0a908530..2995b1028 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -40,7 +40,7 @@ pem_parser (const Reference *ref)
   gchar *pem;
   gsize pem_len = 0;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   /* Check PEM parsing in certificate, private key order. */
@@ -55,13 +55,12 @@ pem_parser (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_object_unref (cert);
 
@@ -89,13 +88,12 @@ pem_parser (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_free (pem);
   g_object_unref (cert);
@@ -111,11 +109,10 @@ pem_parser (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_null (parsed_key_pem);
 
   g_free (pem);
@@ -141,7 +138,7 @@ pem_parser_handles_chain (const Reference *ref)
   GTlsCertificate *original_cert;
   gchar *pem;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   /* Check that a chain with exactly three certificates is returned */
@@ -156,14 +153,14 @@ pem_parser_handles_chain (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
   g_clear_pointer (&parsed_cert_pem, g_free);
 
   /* Make sure the private key was parsed */
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   /* Now test the second cert */
   issuer = g_tls_certificate_get_issuer (cert);
@@ -175,12 +172,12 @@ pem_parser_handles_chain (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[1]);
   g_clear_pointer (&parsed_cert_pem, g_free);
 
   /* Only the first cert should have a private key */
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_null (parsed_key_pem);
 
   /* Now test the final cert */
@@ -190,11 +187,11 @@ pem_parser_handles_chain (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[2]);
   g_clear_pointer (&parsed_cert_pem, g_free);
 
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_null (parsed_key_pem);
 
   g_object_unref (original_cert);
@@ -237,7 +234,7 @@ from_file (const Reference *ref)
 {
   GTlsCertificate *cert;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   cert = g_tls_certificate_new_from_file (g_test_get_filename (G_TEST_DIST, "cert-tests", "key-cert.pem", NULL),
@@ -247,13 +244,12 @@ from_file (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_object_unref (cert);
 }
@@ -263,7 +259,7 @@ from_files (const Reference *ref)
 {
   GTlsCertificate *cert;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert1.pem", NULL),
@@ -274,13 +270,12 @@ from_files (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_object_unref (cert);
 
@@ -332,7 +327,7 @@ from_files_crlf (const Reference *ref)
 {
   GTlsCertificate *cert;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert-crlf.pem", NULL),
@@ -343,13 +338,12 @@ from_files_crlf (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_crlf_pem);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key_crlf_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_object_unref (cert);
 }
@@ -359,7 +353,7 @@ from_files_pkcs8 (const Reference *ref)
 {
   GTlsCertificate *cert;
   gchar *parsed_cert_pem = NULL;
-  const gchar *parsed_key_pem = NULL;
+  gchar *parsed_key_pem = NULL;
   GError *error = NULL;
 
   cert = g_tls_certificate_new_from_files (g_test_get_filename (G_TEST_DIST, "cert-tests", "cert1.pem", NULL),
@@ -370,13 +364,12 @@ from_files_pkcs8 (const Reference *ref)
 
   g_object_get (cert,
       "certificate-pem", &parsed_cert_pem,
+      "private-key-pem", &parsed_key_pem,
       NULL);
-  parsed_key_pem = g_test_tls_connection_get_private_key_pem (cert);
   g_assert_cmpstr (parsed_cert_pem, ==, ref->cert_pems[0]);
-  g_free (parsed_cert_pem);
-  parsed_cert_pem = NULL;
+  g_clear_pointer (&parsed_cert_pem, g_free);
   g_assert_cmpstr (parsed_key_pem, ==, ref->key8_pem);
-  parsed_key_pem = NULL;
+  g_clear_pointer (&parsed_key_pem, g_free);
 
   g_object_unref (cert);
 }
author	Philip Withnall <philip@tecnocode.co.uk>	2021-06-16 11:01:40 +0000
committer	Philip Withnall <philip@tecnocode.co.uk>	2021-06-16 11:01:40 +0000
commit	f6fdc9b5f2a8f90937b36f2ebe55e98b9ee07139 (patch)
tree	53bc28d420c50772174cfd0bbac3f1e2961c7e48
parent	4d6dbe09049ee1a02fdb0aa3ae01c499dc033c27 (diff)
parent	022ea47603de3465e4e80c0896af0485705d966a (diff)
download	glib-f6fdc9b5f2a8f90937b36f2ebe55e98b9ee07139.tar.gz