e2f65ce12a
Add support for PKCS#12 private keys (bgo #558982) * libnm-util/crypto.c libnm-util/crypto.h - (parse_old_openssl_key_file): rename from parse_key_file(); adapt to take a GByteArray instead of a filename - (file_to_g_byte_array): handle private key files too - (decrypt_key): take a GByteArray rather than data + len - (crypto_get_private_key_data): refactor crypto_get_private_key() into one function that takes a filename, and one that takes raw data; detect pkcs#12 files as well - (crypto_load_and_verify_certificate): detect file type - (crypto_is_pkcs12_data, crypto_is_pkcs12_file): add pkcs#12 detection functions * libnm-util/crypto_gnutls.c - (crypto_decrypt): take GByteArray rather than data + len; fix a bug whereby tail padding was incorrectly handled, leading to erroneous successes when trying to decrypt the data - (crypto_verify_cert): rework somewhat - (crypto_verify_pkcs12): validate pkcs#12 keys * libnm-util/crypto_nss.c - (crypto_init): enable various pkcs#12 ciphers - (crypto_decrypt): take a GByteArray rather than data + len - (crypto_verify_cert): clean up - (crypto_verify_pkcs12): validate pkcs#12 keys * libnm-util/test-crypto.c - Handle pkcs#12 keys * libnm-util/nm-setting-8021x.c libnm-util/nm-setting-8021x.h libnm-util/libnm-util.ver - Add two new properties, 'private-key-password' and 'phase2-private-key-password', to be used in conjunction with pkcs#12 keys - (nm_setting_802_1x_set_ca_cert_from_file, nm_setting_802_1x_set_client_cert_from_file, nm_setting_802_1x_set_phase2_ca_cert_from_file, nm_setting_802_1x_set_phase2_client_from_file): return certificate type - (nm_setting_802_1x_get_private_key_password, nm_setting_802_1x_get_phase2_private_key_password): return private key passwords - (nm_setting_802_1x_set_private_key_from_file, nm_setting_802_1x_set_phase2_private_key_from_file): set the private key from a file, and update the private key password at the same time - (nm_setting_802_1x_get_private_key_type, nm_setting_802_1x_get_phase2_private_key_type): return the private key type * src/supplicant-manager/nm-supplicant-settings-verify.c - Whitelist private key passwords * src/supplicant-manager/nm-supplicant-config.c - (nm_supplicant_config_add_setting_8021x): for pkcs#12 private keys, add the private key password to the supplicant config, but do not add the client certificate (as required by wpa_supplicant) git-svn-id: http://svn-archive.gnome.org/svn/NetworkManager/trunk@4280 4912f4e0-d625-0410-9fb7-b9a5a253dbdc
119 lines
4.0 KiB
C
119 lines
4.0 KiB
C
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
|
|
|
|
/*
|
|
* Dan Williams <dcbw@redhat.com>
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the
|
|
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
* Boston, MA 02110-1301 USA.
|
|
*
|
|
* (C) Copyright 2007 - 2008 Red Hat, Inc.
|
|
*/
|
|
|
|
#include <glib.h>
|
|
|
|
#define MD5_HASH_LEN 20
|
|
#define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC"
|
|
#define CIPHER_DES_CBC "DES-CBC"
|
|
|
|
enum {
|
|
NM_CRYPTO_ERR_NONE = 0,
|
|
NM_CRYPTO_ERR_INIT_FAILED,
|
|
NM_CRYPTO_ERR_CANT_READ_FILE,
|
|
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
|
|
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
|
|
NM_CRYPTO_ERR_DECODE_FAILED,
|
|
NM_CRYPTO_ERR_OUT_OF_MEMORY,
|
|
NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
|
|
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
|
|
NM_CRYPTO_ERR_RAW_IV_INVALID,
|
|
NM_CRYPTO_ERR_MD5_INIT_FAILED,
|
|
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
|
|
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
|
|
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
|
|
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
|
|
NM_CRYPTO_ERR_INVALID_PASSWORD,
|
|
};
|
|
|
|
typedef enum {
|
|
NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,
|
|
NM_CRYPTO_KEY_TYPE_RSA,
|
|
NM_CRYPTO_KEY_TYPE_DSA,
|
|
NM_CRYPTO_KEY_TYPE_ENCRYPTED
|
|
} NMCryptoKeyType;
|
|
|
|
typedef enum {
|
|
NM_CRYPTO_FILE_FORMAT_UNKNOWN = 0,
|
|
NM_CRYPTO_FILE_FORMAT_X509,
|
|
NM_CRYPTO_FILE_FORMAT_RAW_KEY,
|
|
NM_CRYPTO_FILE_FORMAT_PKCS12
|
|
} NMCryptoFileFormat;
|
|
|
|
#define NM_CRYPTO_ERROR _nm_crypto_error_quark ()
|
|
GQuark _nm_crypto_error_quark (void);
|
|
|
|
gboolean crypto_init (GError **error);
|
|
|
|
void crypto_deinit (void);
|
|
|
|
GByteArray * crypto_get_private_key_data (GByteArray *contents,
|
|
const char *password,
|
|
NMCryptoKeyType *out_key_type,
|
|
NMCryptoFileFormat *out_file_format,
|
|
GError **error);
|
|
|
|
GByteArray * crypto_get_private_key (const char *file,
|
|
const char *password,
|
|
NMCryptoKeyType *out_key_type,
|
|
NMCryptoFileFormat *out_file_format,
|
|
GError **error);
|
|
|
|
GByteArray * crypto_load_and_verify_certificate (const char *file,
|
|
NMCryptoFileFormat *out_file_format,
|
|
GError **error);
|
|
|
|
gboolean crypto_is_pkcs12_file (const char *file);
|
|
|
|
gboolean crypto_is_pkcs12_data (const GByteArray *data);
|
|
|
|
|
|
/* Internal utils API bits for crypto providers */
|
|
|
|
gboolean crypto_md5_hash (const char *salt,
|
|
const gsize salt_len,
|
|
const char *password,
|
|
gsize password_len,
|
|
char *buffer,
|
|
gsize buflen,
|
|
GError **error);
|
|
|
|
char * crypto_decrypt (const char *cipher,
|
|
int key_type,
|
|
GByteArray *data,
|
|
const char *iv,
|
|
const gsize iv_len,
|
|
const char *key,
|
|
const gsize key_len,
|
|
gsize *out_len,
|
|
GError **error);
|
|
|
|
NMCryptoFileFormat crypto_verify_cert (const unsigned char *data,
|
|
gsize len,
|
|
GError **error);
|
|
|
|
gboolean crypto_verify_pkcs12 (const GByteArray *data,
|
|
const char *password,
|
|
GError **error);
|
|
|