X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmoonshot-id.vala;h=513b993357d6ca96166695740c4b69a97994e34c;hb=29fe8cd1eff5964712c87d001587412c0d1a5e03;hp=2e0af57af34986f9871a7abe1e75af26644927f0;hpb=5b68b364f2c62fa43111b5a53c7040d34205ba20;p=moonshot-ui.git diff --git a/src/moonshot-id.vala b/src/moonshot-id.vala index 2e0af57..513b993 100644 --- a/src/moonshot-id.vala +++ b/src/moonshot-id.vala @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2014, JANET(UK) + * Copyright (c) 2011-2016, JANET(UK) * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,145 +29,420 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ + +using Gee; + +extern char* get_cert_valid_before(uchar* inbuf, int inlen, char* outbuf, int outlen); + + +// A TrustAnchor object can be imported or installed via the API, but cannot +// be modified by the user, other than being cleared. Hence the fields are read-only. public class TrustAnchor : Object { - public string ca_cert {get; set; default = "";} - public string subject {get; set; default = "";} - public string subject_alt {get; set; default = "";} - public string server_cert {get; set; default = "";} - public int Compare(TrustAnchor other) - { - if (this.ca_cert != other.ca_cert) - return 1; - if (this.subject != other.subject) - return 1; - if (this.subject_alt != other.subject_alt) - return 1; - if (this.server_cert != other.server_cert) - return 1; - return 0; - } + private static const string CERT_HEADER = "-----BEGIN CERTIFICATE-----"; + private static const string CERT_FOOTER = "-----END CERTIFICATE-----"; + + public enum TrustAnchorType { + EMPTY, + CA_CERT, + SERVER_CERT + } + + private string _ca_cert = ""; + private string _subject = ""; + private string _subject_alt = ""; + private string _server_cert = ""; + private string _datetime_added = ""; + + private static string fixup (string s) { + return (s == null ? "" : s.strip()); + } + + public TrustAnchor(string ca_cert, string server_cert, string subject, string subject_alt) { + _ca_cert = fixup(ca_cert); + _server_cert = fixup(server_cert); + _subject = fixup(subject); + _subject_alt = fixup(subject_alt); + + // If we're reading from store, this will be overridden (see set_datetime_added) + _datetime_added = ""; + + // Work around a Portal bug that littered some credential files with this cruft. + string cruft = +""""""; + _ca_cert = _ca_cert.replace(cruft, ""); + } + + public TrustAnchor.empty() { + } + + + public string ca_cert { + get { + return _ca_cert; + } + } + + public string subject { + get { + return _subject; + } + } + + public string subject_alt { + get { + return _subject_alt; + } + } + + + public string server_cert { + get { + return _server_cert; + } + } + + public string datetime_added { + get { + return _datetime_added; + } + } + + public bool is_empty() { + return ca_cert == "" && server_cert == ""; + } + + public TrustAnchorType get_anchor_type() { + return (server_cert != "" ? TrustAnchorType.SERVER_CERT + : (ca_cert != "" ? TrustAnchorType.CA_CERT : TrustAnchorType.EMPTY)); + } + + internal void set_datetime_added(string datetime) { + _datetime_added = fixup(datetime); + } + + internal static string format_datetime_now() { + DateTime now = new DateTime.now_utc(); + string dt = now.format("%b %d %T %Y %Z"); + return dt; + } + + internal void update_server_fingerprint(string fingerprint) { + this._server_cert = fingerprint; + string ta_datetime_added = TrustAnchor.format_datetime_now(); + this.set_datetime_added(ta_datetime_added); + } + + public int Compare(TrustAnchor other) + { + if (this.ca_cert != other.ca_cert) { + // IdCard.logger.trace("TrustAnchor.Compare: this.ca_cert='%s'; other.ca_cert='%s'".printf(this.ca_cert, other.ca_cert)); + return 1; + } + if (this.subject != other.subject) { + // IdCard.logger.trace("TrustAnchor.Compare: this.subject='%s'; other.subject='%s'".printf(this.subject, other.subject)); + return 1; + } + if (this.subject_alt != other.subject_alt) { + // IdCard.logger.trace("TrustAnchor.Compare: this.subject_alt='%s'; other.subject_alt='%s'".printf(this.subject_alt, other.subject_alt)); + return 1; + } + if (this.server_cert != other.server_cert) { + // IdCard.logger.trace("TrustAnchor.Compare: this.server_cert=%s'; other.server_cert='%s'".printf(this.server_cert, other.server_cert)); + return 1; + } + + // Do not compare the datetime_added fields; it's not essential. + + return 0; + } + + public string? get_expiration_date(out string? err_out=null) + { + if (&err_out != null) { + err_out = null; + } + + if (this.ca_cert == "") { + if (&err_out != null) { + err_out = "Trust anchor does not have a ca_certificate"; + return null; + } + } + + string cert = this.ca_cert; + cert.chomp(); + + uchar[] binary = Base64.decode(cert); + IdCard.logger.trace("get_expiration_date: encoded length=%d; decoded length=%d".printf(cert.length, binary.length)); + + char buf[64]; + string err = (string) get_cert_valid_before(binary, binary.length, buf, 64); + if (err != "") { + IdCard.logger.error(@"get_expiration_date: get_cert_valid_before returned '$err'"); + if (&err_out != null) { + err_out = err; + } + return null; + } + + string date = (string) buf; + IdCard.logger.trace(@"get_expiration_date: get_cert_valid_before returned '$date'"); + + return date; + } } + public struct Rule { - public string pattern; - public string always_confirm; - public int Compare(Rule other) { - if (this.pattern != other.pattern) - return 1; - if (this.always_confirm != other.always_confirm) - return 1; - return 0; - } + public string pattern; + public string always_confirm; + public int Compare(Rule other) { + if (this.pattern != other.pattern) + return 1; + if (this.always_confirm != other.always_confirm) + return 1; + return 0; + } } public class IdCard : Object { - public const string NO_IDENTITY = "No Identity"; + internal static MoonshotLogger logger = get_logger("IdCard"); - private string _nai; - - public string display_name { get; set; default = ""; } + public const string NO_IDENTITY = "No Identity"; + + private string _username = ""; + private string _issuer = ""; + + public string display_name { get; set; default = ""; } - public string username { get; set; default = ""; } + public string username { + public get { + return _username; + } + public set { + _username = value; + update_nai(); + } + } + + public string issuer { + public get { + return _issuer; + } + public set { + _issuer = value; + update_nai(); + } + } + + private void update_nai() { + _nai = username + "@" + issuer; + } + #if GNOME_KEYRING - private unowned string _password; - public string password { - get { - return (_password!=null) ? _password : ""; - } - set { - if (_password != null) { - GnomeKeyring.memory_free((void *)_password); - _password = null; - } - if (value != null) - _password = GnomeKeyring.memory_strdup(value); - } - } + private unowned string _password; + public string password { + get { + return (_password!=null) ? _password : ""; + } + set { + if (_password != null) { + GnomeKeyring.memory_free((void *)_password); + _password = null; + } + if (value != null) + _password = GnomeKeyring.memory_strdup(value); + } + } #else - public string password { get; set; default = null; } + public string password { get; set; default = null; } #endif - public string issuer { get; set; default = ""; } - - public Rule[] rules {get; set; default = {};} - public string[] services { get; set; default = {}; } - public bool temporary {get; set; default = false; } + private Rule[] _rules = new Rule[0]; + public Rule[] rules { + get {return _rules;} + internal set {_rules = value ?? new Rule[0] ;} + } + + private ArrayList _services = new ArrayList(); + + internal ArrayList services { + get {return _services;} + } + + // Returns the list of services as a string, using the given separator. + internal string get_services_string(string sep) { + if (_services.is_empty) { + return ""; + } + + // ArrayList.to_array() seems to be unreliable -- it causes segfaults + // semi-randomly. (Possibly because it returns an unowned ref?) + // return string.joinv(sep, _services.to_array()); + // + // This problem may be related to the one noted elsewhere as the + // "Centos vala array property bug". + + string[] svcs = new string[_services.size]; + for (int i = 0; i < _services.size; i++) { + svcs[i] = _services[i]; + } + + return string.joinv(sep, svcs); + } + + internal void update_services(string[] services) { + _services.clear(); + + // Doesn't exist in older versions of libgee: + // _services.add_all_array(services); - public TrustAnchor trust_anchor { get; set; default = new TrustAnchor (); } + if (services != null) { + foreach (string s in services) { + _services.add(s); + } + } + } + + internal void update_services_from_list(ArrayList services) { + if (services == this._services) { + // Don't try to update from self. + return; + } + + _services.clear(); + + if (services != null) { + _services.add_all(services); + } + } + + + public bool temporary {get; set; default = false; } + + private TrustAnchor _trust_anchor = new TrustAnchor.empty(); + public TrustAnchor trust_anchor { + get { + return _trust_anchor; + } + } + + // For use by storage implementations. + internal void set_trust_anchor_from_store(TrustAnchor ta) { + _trust_anchor = ta; + } + + internal void clear_trust_anchor() { + _trust_anchor = new TrustAnchor.empty(); + } - public unowned string nai { get { _nai = username + "@" + issuer; return _nai;}} - - public bool store_password { get; set; default = false; } - - public bool IsNoIdentity() - { - return (display_name == NO_IDENTITY); - } - - public enum DiffFlags { - DISPLAY_NAME, - USERNAME, - PASSWORD, - ISSUER, - RULES, - SERVICES, - TRUST_ANCHOR; - } - - public int Compare(IdCard other) - { - int diff = 0; - if (this.display_name != other.display_name) - diff |= 1 << DiffFlags.DISPLAY_NAME; - if (this.username != other.username) - diff |= 1 << DiffFlags.USERNAME; - if (this.password != other.password) - diff |= 1 << DiffFlags.PASSWORD; - if (this.issuer != other.issuer) - diff |= 1 << DiffFlags.ISSUER; - if (CompareRules(this.rules, other.rules)!=0) - diff |= 1 << DiffFlags.RULES; - if (CompareStringArray(this.services, other.services)!=0) - diff |= 1 << DiffFlags.SERVICES; - if (this.trust_anchor.Compare(other.trust_anchor)!=0) - diff |= 1 << DiffFlags.TRUST_ANCHOR; - stdout.printf("Diff Flags: %x\n", diff); - return diff; - } - - public static IdCard NewNoIdentity() - { - IdCard card = new IdCard(); - card.display_name = NO_IDENTITY; - return card; - } - - ~IdCard() { - password = null; - } + public string nai { public get; private set;} + + public bool store_password { get; set; default = false; } + + // uuid is currently used only for debugging. Must be unique, even between cards with same nai and display name. + public string uuid { + public get {return _uuid;} + } + private string _uuid = generate_uuid(); + + internal static string generate_uuid() { + uint32 rand1 = Random.next_int(); + uint32 rand2 = Random.next_int(); + return "%08X.%08X::%s".printf(rand1, rand2, TrustAnchor.format_datetime_now()); + } + + public bool is_no_identity() + { + return (display_name == NO_IDENTITY); + } + + public enum DiffFlags { + DISPLAY_NAME, + USERNAME, + PASSWORD, + ISSUER, + RULES, + SERVICES, + TRUST_ANCHOR; + } + + public int Compare(IdCard other) + { + int diff = 0; + if (this.display_name != other.display_name) + diff |= 1 << DiffFlags.DISPLAY_NAME; + + if (this.username != other.username) + diff |= 1 << DiffFlags.USERNAME; + + if (this.password != other.password) + diff |= 1 << DiffFlags.PASSWORD; + + if (this.issuer != other.issuer) + diff |= 1 << DiffFlags.ISSUER; + + if (CompareRules(this.rules, other.rules)!=0) + diff |= 1 << DiffFlags.RULES; + + if (CompareStringArrayList(this._services, other._services)!=0) + diff |= 1 << DiffFlags.SERVICES; + + if (this.trust_anchor.Compare(other.trust_anchor)!=0) + diff |= 1 << DiffFlags.TRUST_ANCHOR; + + // stdout.printf("Diff Flags: %x\n", diff); + if (this.display_name == other.display_name && diff != 0) { + logger.trace("Compare: Two IDs with display_name '%s', but diff_flags=%0x".printf(this.display_name, diff)); + } + return diff; + } + + public static IdCard NewNoIdentity() + { + IdCard card = new IdCard(); + card.display_name = NO_IDENTITY; + card._nai = ""; + return card; + } + + ~IdCard() { + password = null; + } + + internal void add_rule(Rule rule) { + _rules += rule; + } } public int CompareRules(Rule[] a, Rule[] b) { - if (a.length != b.length) - return 1; - for (int i=0; i a, ArrayList b) { - if (a.length != b.length) - return 1; - for (int i=0; i