libnm: move dependency to libnm-crypto out of libnm-core's "nm-utils.c"

libnm-core is also used by the daemon, thus currently dragging in libnm-crypto there. But could we ever drop that dependency? One use of the libnm-crypto is in functions like nm_utils_file_is_certificate() in "nm-utils.h". These are part of the public API of libnm. But this is not used by the daemon. Move it to "libnm-client-core" to be closer to where it's actually used. As we have unit tests in "libnm-core-impl/tests" that test this function, those unit tests also would need to move to "libnm-client-impl". Instead, add the actual implementation of these function to "libnm-crypto" and test it there. This patch moves forward declarations from public header "nm-utils.h" to "nm-client.h". Arguably, "nm-client.h" is not a great name, but we don't have a general purpose header in "libnm-client-public", so use this. Note that libnm users can only include <NetworkManager.h> and including individual files is not supported (and even prevented). Thus moving the declarations won't break any users.
2022-03-18 21:33:20 +01:00
parent 901787e06f
commit 723e1fc76f
7 changed files with 121 additions and 99 deletions
--- a/src/libnm-client-impl/nm-libnm-utils.c
+++ b/src/libnm-client-impl/nm-libnm-utils.c
@@ -10,7 +10,9 @@
 #include "libnm-glib-aux/nm-time-utils.h"
 #include "libnm-core-aux-intern/nm-common-macros.h"
 #include "libnm-crypto/nm-crypto.h"
 #include "nm-object.h"
 #include "nm-utils.h"
 /*****************************************************************************/
@@ -914,3 +916,58 @@ nm_utils_print(int output_mode, const char *msg)
    else
        g_return_if_reached();
 }
 /*****************************************************************************/
 /**
 * nm_utils_file_is_certificate:
 * @filename: name of the file to test
 *
 * Tests if @filename has a valid extension for an X.509 certificate file
 * (".cer", ".crt", ".der", or ".pem"), and contains a certificate in a format
 * recognized by NetworkManager.
 *
 * Returns: %TRUE if the file is a certificate, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_certificate(const char *filename)
 {
    g_return_val_if_fail(filename != NULL, FALSE);
    return nm_crypto_utils_file_is_certificate(filename);
 }
 /**
 * nm_utils_file_is_private_key:
 * @filename: name of the file to test
 * @out_encrypted: (out): on return, whether the file is encrypted
 *
 * Tests if @filename has a valid extension for an X.509 private key file
 * (".der", ".key", ".pem", or ".p12"), and contains a private key in a format
 * recognized by NetworkManager.
 *
 * Returns: %TRUE if the file is a private key, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
 {
    g_return_val_if_fail(filename != NULL, FALSE);
    return nm_crypto_utils_file_is_private_key(filename, out_encrypted);
 }
 /**
 * nm_utils_file_is_pkcs12:
 * @filename: name of the file to test
 *
 * Tests if @filename is a PKCS#<!-- -->12 file.
 *
 * Returns: %TRUE if the file is PKCS#<!-- -->12, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_pkcs12(const char *filename)
 {
    g_return_val_if_fail(filename != NULL, FALSE);
    return nm_crypto_is_pkcs12_file(filename, NULL);
 }
--- a/src/libnm-client-public/nm-client.h
+++ b/src/libnm-client-public/nm-client.h
@@ -496,6 +496,10 @@ gboolean nm_client_dbus_set_property_finish(NMClient *client, GAsyncResult *resu
 NM_AVAILABLE_IN_1_30
 void nm_utils_print(int output_mode, const char *msg);
 gboolean nm_utils_file_is_certificate(const char *filename);
 gboolean nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
 gboolean nm_utils_file_is_pkcs12(const char *filename);
 G_END_DECLS
 #endif /* __NM_CLIENT_H__ */
--- a/src/libnm-core-impl/nm-utils.c
+++ b/src/libnm-core-impl/nm-utils.c
@@ -17,7 +17,6 @@
 #include <linux/pkt_sched.h>
 #include <linux/if_infiniband.h>
 #include "libnm-crypto/nm-crypto.h"
 #include "libnm-glib-aux/nm-uuid.h"
 #include "libnm-glib-aux/nm-json-aux.h"
 #include "libnm-glib-aux/nm-str-buf.h"
@@ -3083,94 +3082,6 @@ nm_utils_uuid_generate(void)
 /*****************************************************************************/
 static gboolean
 file_has_extension(const char *filename, const char *extensions[])
 {
    const char *ext;
    gsize       i;
    ext = strrchr(filename, '.');
    if (!ext)
        return FALSE;
    for (i = 0; extensions[i]; i++) {
        if (!g_ascii_strcasecmp(ext, extensions[i]))
            return TRUE;
    }
    return FALSE;
 }
 /**
 * nm_utils_file_is_certificate:
 * @filename: name of the file to test
 *
 * Tests if @filename has a valid extension for an X.509 certificate file
 * (".cer", ".crt", ".der", or ".pem"), and contains a certificate in a format
 * recognized by NetworkManager.
 *
 * Returns: %TRUE if the file is a certificate, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_certificate(const char *filename)
 {
    const char        *extensions[] = {".der", ".pem", ".crt", ".cer", NULL};
    NMCryptoFileFormat file_format;
    g_return_val_if_fail(filename != NULL, FALSE);
    if (!file_has_extension(filename, extensions))
        return FALSE;
    if (!nm_crypto_load_and_verify_certificate(filename, &file_format, NULL, NULL))
        return FALSE;
    return file_format = NM_CRYPTO_FILE_FORMAT_X509;
 }
 /**
 * nm_utils_file_is_private_key:
 * @filename: name of the file to test
 * @out_encrypted: (out): on return, whether the file is encrypted
 *
 * Tests if @filename has a valid extension for an X.509 private key file
 * (".der", ".key", ".pem", or ".p12"), and contains a private key in a format
 * recognized by NetworkManager.
 *
 * Returns: %TRUE if the file is a private key, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
 {
    const char *extensions[] = {".der", ".pem", ".p12", ".key", NULL};
    g_return_val_if_fail(filename != NULL, FALSE);
    NM_SET_OUT(out_encrypted, FALSE);
    if (!file_has_extension(filename, extensions))
        return FALSE;
    return nm_crypto_verify_private_key(filename, NULL, out_encrypted, NULL)
           != NM_CRYPTO_FILE_FORMAT_UNKNOWN;
 }
 /**
 * nm_utils_file_is_pkcs12:
 * @filename: name of the file to test
 *
 * Tests if @filename is a PKCS#<!-- -->12 file.
 *
 * Returns: %TRUE if the file is PKCS#<!-- -->12, %FALSE if it is not
 **/
 gboolean
 nm_utils_file_is_pkcs12(const char *filename)
 {
    g_return_val_if_fail(filename != NULL, FALSE);
    return nm_crypto_is_pkcs12_file(filename, NULL);
 }
 /*****************************************************************************/
 gboolean
 _nm_utils_check_file(const char               *filename,
                     gint64                    check_owner,
--- a/src/libnm-core-impl/tests/test-crypto.c
+++ b/src/libnm-core-impl/tests/test-crypto.c
@@ -92,7 +92,7 @@ test_cert(gconstpointer test_data)
    nmtst_assert_success(success, error);
    g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_X509);
-    g_assert(nm_utils_file_is_certificate(path));
+    g_assert(nm_crypto_utils_file_is_certificate(path));
 }
 static void
@@ -106,7 +106,7 @@ test_load_private_key(const char *path,
    gs_unref_bytes GBytes *array        = NULL;
    GError                *error        = NULL;
-    g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
+    g_assert(nm_crypto_utils_file_is_private_key(path, &is_encrypted));
    g_assert(is_encrypted);
    array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
@@ -146,7 +146,7 @@ test_load_pkcs12(const char *path, const char *password, int expected_error)
    gboolean           is_encrypted = FALSE;
    GError            *error        = NULL;
-    g_assert(nm_utils_file_is_private_key(path, NULL));
+    g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
    format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
    if (expected_error != -1) {
@@ -167,7 +167,7 @@ test_load_pkcs12_no_password(const char *path)
    gboolean           is_encrypted = FALSE;
    GError            *error        = NULL;
-    g_assert(nm_utils_file_is_private_key(path, NULL));
+    g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
    /* We should still get a valid returned crypto file format */
    format = nm_crypto_verify_private_key(path, NULL, &is_encrypted, &error);
@@ -201,7 +201,7 @@ test_load_pkcs8(const char *path, const char *password, int expected_error)
    gboolean           is_encrypted = FALSE;
    GError            *error        = NULL;
-    g_assert(nm_utils_file_is_private_key(path, NULL));
+    g_assert(nm_crypto_utils_file_is_private_key(path, NULL));
    format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
    if (expected_error != -1) {
@@ -285,7 +285,7 @@ test_key_decrypted(gconstpointer test_data)
    path = g_build_filename(TEST_CERT_DIR, file, NULL);
-    g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
+    g_assert(nm_crypto_utils_file_is_private_key(path, &is_encrypted));
    g_assert(!is_encrypted);
    g_free(path);
--- a/src/libnm-core-public/nm-utils.h
+++ b/src/libnm-core-public/nm-utils.h
@@ -111,10 +111,6 @@ GPtrArray *nm_utils_ip_routes_from_variant(GVariant *value, int family);
 char *nm_utils_uuid_generate(void);
 gboolean nm_utils_file_is_certificate(const char *filename);
 gboolean nm_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
 gboolean nm_utils_file_is_pkcs12(const char *filename);
 typedef gboolean (*NMUtilsFileSearchInPathsPredicate)(const char *filename, gpointer user_data);
 struct stat;
--- a/src/libnm-crypto/nm-crypto.c
+++ b/src/libnm-crypto/nm-crypto.c
@@ -1042,3 +1042,54 @@ nmtst_crypto_rsa_key_encrypt(const guint8 *data,
    NM_SET_OUT(out_password, g_strdup(tmp_password));
    return nm_secret_buf_to_gbytes_take(ret, ret_len);
 }
 /*****************************************************************************/
 static gboolean
 file_has_extension(const char *filename, const char *extensions[])
 {
    const char *ext;
    gsize       i;
    ext = strrchr(filename, '.');
    if (!ext)
        return FALSE;
    for (i = 0; extensions[i]; i++) {
        if (!g_ascii_strcasecmp(ext, extensions[i]))
            return TRUE;
    }
    return FALSE;
 }
 gboolean
 nm_crypto_utils_file_is_certificate(const char *filename)
 {
    const char        *extensions[] = {".der", ".pem", ".crt", ".cer", NULL};
    NMCryptoFileFormat file_format;
    nm_assert(filename);
    if (!file_has_extension(filename, extensions))
        return FALSE;
    if (!nm_crypto_load_and_verify_certificate(filename, &file_format, NULL, NULL))
        return FALSE;
    return file_format = NM_CRYPTO_FILE_FORMAT_X509;
 }
 gboolean
 nm_crypto_utils_file_is_private_key(const char *filename, gboolean *out_encrypted)
 {
    const char *extensions[] = {".der", ".pem", ".p12", ".key", NULL};
    nm_assert(filename);
    NM_SET_OUT(out_encrypted, FALSE);
    if (!file_has_extension(filename, extensions))
        return FALSE;
    return nm_crypto_verify_private_key(filename, NULL, out_encrypted, NULL)
           != NM_CRYPTO_FILE_FORMAT_UNKNOWN;
 }
--- a/src/libnm-crypto/nm-crypto.h
+++ b/src/libnm-crypto/nm-crypto.h
@@ -93,4 +93,7 @@ guint8 *nmtst_crypto_make_des_aes_key(NMCryptoCipherType cipher,
 /*****************************************************************************/
 gboolean nm_crypto_utils_file_is_certificate(const char *filename);
 gboolean nm_crypto_utils_file_is_private_key(const char *filename, gboolean *out_encrypted);
 #endif /* __NM_CRYPTO_H__ */