[PATCH V3 7/7] gnutls: Load application-defined key types by URL


 



Chrome OS supports the notion of hardware-bound system keys, but it
doesn't provide APIs that can be called directly by GnuTLS or p11kit.
Instead, the application's NaCl module needs to pass certificate
queries and signing requests back to JavaScript code that invokes the
chrome.platformKeys APIs.  This is implemented by registering a custom
handler for URLs starting with the (somewhat arbitrarily chosen) "app:"
prefix.

libopenconnect does not currently recognize these URLs.  Change it to
query GnuTLS to figure out whether a handler has been registered, and
if so, treat it just like a system key.

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 configure.ac | 2 ++
 gnutls.c     | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/configure.ac b/configure.ac
index ff381a0..6b7926b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -379,6 +379,8 @@ if test "$with_gnutls" = "yes"; then
 		 [AC_DEFINE(HAVE_GNUTLS_PUBKEY_EXPORT2, 1, [autoheader sucks donkey balls])], [])
     AC_CHECK_FUNC(gnutls_x509_crt_set_pin_function,
 		 [AC_DEFINE(HAVE_GNUTLS_X509_CRT_SET_PIN_FUNCTION, 1, [From GnuTLS 3.1.0])], [])
+    AC_CHECK_FUNC(gnutls_url_is_supported,
+		 [AC_DEFINE(HAVE_GNUTLS_URL_IS_SUPPORTED, 1, [From GnuTLS 3.1.0])], [])
     AC_CHECK_FUNC(gnutls_system_key_add_x509,
 		 [AC_DEFINE(HAVE_GNUTLS_SYSTEM_KEYS, 1, [From GnuTLS 3.4.0])], [])
     if test "$with_openssl" = "" || test "$with_openssl" = "no"; then
diff --git a/gnutls.c b/gnutls.c
index 338f7a7..fde1f40 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1001,8 +1001,16 @@ static int load_certificate(struct openconnect_info *vpninfo)
 
 	key_is_p11 = !strncmp(vpninfo->sslkey, "pkcs11:", 7);
 	cert_is_p11 = !strncmp(vpninfo->cert, "pkcs11:", 7);
+
+#ifdef HAVE_GNUTLS_URL_IS_SUPPORTED
+	/* GnuTLS returns true for pkcs11:, tpmkey:, system:, and custom URLs. */
+	key_is_sys = !key_is_p11 && gnutls_url_is_supported(vpninfo->sslkey);
+	cert_is_sys = !cert_is_p11 && gnutls_url_is_supported(vpninfo->cert);
+#else
+	/* Fallback for GnuTLS < 3.1.0. */
 	key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7);
 	cert_is_sys = !strncmp(vpninfo->cert, "system:", 7);
+#endif
 
 #ifndef HAVE_GNUTLS_SYSTEM_KEYS
 	if (key_is_sys || cert_is_sys) {
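Review bot: the new key_is_sys/cert_is_sys computation widens what counts as a "system" key beyond the old "system:" prefix test, and the hunk's own comment says so: gnutls_url_is_supported() also returns true for "tpmkey:" URLs. With this change a "tpmkey:" key or cert is classified as a system key on GnuTLS >= 3.1.0, whereas before it was not. If load_certificate() has its own tpmkey: handling later on (not visible in this hunk), confirm it is reached before the system-key path, or exclude that scheme explicitly the way pkcs11: is already excluded, e.g. `key_is_sys = !key_is_p11 && strncmp(vpninfo->sslkey, "tpmkey:", 7) && gnutls_url_is_supported(vpninfo->sslkey);`. Also note the visible `#ifndef HAVE_GNUTLS_SYSTEM_KEYS` block that follows: on GnuTLS 3.1.0 to 3.3.x, an application-registered "app:" URL now takes the key_is_sys branch and will hit whatever error that block raises, which is reasonable but worth a sentence in the fallback comment.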
-- 
1.9.1



