IdentityManagerApp parent_app;
string userid;
string realm;
- string ca_hash;
+ string fingerprint;
public bool confirmed = false;
TrustAnchorConfirmationCallback callback = null;
public TrustAnchorConfirmationRequest(IdentityManagerApp parent_app,
string userid,
string realm,
- string ca_hash)
+ string fingerprint)
{
this.parent_app = parent_app;
this.userid = userid;
this.realm = realm;
- this.ca_hash = ca_hash;
+ this.fingerprint = fingerprint;
}
public void set_callback(owned TrustAnchorConfirmationCallback cb)
return false;
}
- if (card.trust_anchor.server_cert == ca_hash) {
+ logger.trace("execute: expected cert='%s'; fingerprint='%s'".printf(card.trust_anchor.server_cert, fingerprint));
+ if (card.trust_anchor.server_cert == fingerprint) {
logger.trace(@"execute: Fingerprint for $nai matches stored value; returning true.");
return_confirmation(true);
return false;
}
- var dialog = new TrustAnchorDialog(card, userid, realm, ca_hash);
+ if (parent_app.headless) {
+ logger.trace(@"execute: Running in headless mode; returning false.");
+ return_confirmation(false);
+ return false;
+ }
+
+ var dialog = new TrustAnchorDialog(card, userid, realm, fingerprint);
var response = dialog.run();
dialog.destroy();
bool is_confirmed = (response == ResponseType.OK);
if (is_confirmed) {
logger.trace(@"execute: Fingerprint confirmed; updating stored value.");
- card.trust_anchor.update_server_fingerprint(ca_hash);
+ card.trust_anchor.update_server_fingerprint(fingerprint);
parent_app.model.update_card(card);
}
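Review bot: The equality check `if (card.trust_anchor.server_cert == fingerprint)` auto-confirms whenever the two strings are equal, so if `fingerprint` can ever arrive empty it would also match an unset stored anchor (`""`) and skip the first-use prompt entirely; since the new headless branch already treats an unknown anchor as a denial, the guard should fail closed the same way, `if (fingerprint != "" && card.trust_anchor.server_cert == fingerprint) {`. Whether an empty fingerprint can reach this point is not visible in the hunk. The added trace line builds its message with `.printf` and hands the result straight to `logger.trace`; if that logger is printf-style like GLib's `debug ()`, a `%` in either value would be read as a format specifier, although the existing template-string call on the following line suggests it takes a plain string. The enclosing method starts and ends outside this hunk.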
public TrustAnchorDialog(IdCard card,
string userid,
string realm,
- string ca_hash)
+ string fingerprint)
{
- string server_ta_label_text = null;
+ string server_ta_label_text = _("Server's trust anchor certificate (SHA-256 fingerprint):");
this.set_title(_("Trust Anchor"));
this.set_modal(true);
this.add_buttons(_("Cancel"), ResponseType.CANCEL,
_("Confirm"), ResponseType.OK);
- this.set_default_response(ResponseType.OK);
+ this.set_default_response(ResponseType.CANCEL);
var content_area = this.get_content_area();
((Box) content_area).set_spacing(12);
string label_markup;
if (card.trust_anchor.server_cert == "") {
- label_markup = "<span font-weight='heavy'>" + _("You are using this identity for the first time with the following trust anchor:") + "</span>";
+ label_markup = "<span font-weight='heavy'>"
+ + _("You are using this identity for the first time with the following trust anchor:") + "</span>";
}
else {
// The server's fingerprint isn't what we're expecting this server to provide.
- label_markup = "<span font-weight='heavy'>" + _("WARNING: This connection may not be secure! ")
- + _("The server's trust anchor does not match the expected trust anchor for this server.")
+ label_markup = "<span font-weight='heavy'>" +
+ _("WARNING: The certificate we received for the authentication server for %s").printf(card.issuer)
+ + _(" is different than expected. Either the server certificate has changed, or an")
+ + _(" attack may be underway. If you proceed to the wrong server, your login credentials may be compromised.")
+ "</span>";
-
- server_ta_label_text = _("Server's trust anchor (SHA-256 fingerprint) :");
}
dialog_label.set_markup(label_markup);
var realm_label = new Label(_("Realm: ") + realm);
realm_label.set_alignment(0, 0.5f);
- Label confirm_label = new Label(_("Please confirm that this is the correct trust anchor."));
+ string confirm_text = _("\nPlease check with your realm administrator for the correct fingerprint")
+ + _(" for your authentication server. If it matches the above fingerprint,")
+ + _(" confirm the change. If not, then cancel.");
+
+ Label confirm_label = new Label(confirm_text);
confirm_label.set_alignment(0, 0.5f);
+ confirm_label.set_line_wrap(true);
+ confirm_label.set_width_chars(60);
- var trust_anchor_display = make_ta_fingerprint_widget(ca_hash, server_ta_label_text);
+ var trust_anchor_display = make_ta_fingerprint_widget(fingerprint, server_ta_label_text);
var vbox = new VBox(false, 0);
vbox.set_border_width(6);
vbox.pack_start(trust_anchor_display, true, true, 0);
vbox.pack_start(confirm_label, true, true, 12);
- if (card.trust_anchor.server_cert != "") {
- var expected_ta_display = make_ta_fingerprint_widget(card.trust_anchor.server_cert,
- _("Expected trust anchor (SHA-256 fingerprint) :"));
- vbox.pack_start(expected_ta_display, true, true, 0);
- }
-
((Container) content_area).add(vbox);
this.set_border_width(6);