[PATCH V3 7/7] gnutls: Load application-defined key types by URL

Kevin Cernekee cernekee at gmail.com
Wed May 4 21:40:09 PDT 2016


Chrome OS supports the notion of hardware-bound system keys, but it
doesn't provide APIs that can be called directly by GnuTLS or p11kit.
Instead, the application's NaCl module needs to pass certificate
queries and signing requests back to JavaScript code that invokes the
chrome.platformKeys APIs.  This is implemented by registering a custom
handler for URLs starting with the (somewhat arbitrarily chosen) "app:"
prefix.

libopenconnect does not currently recognize these URLs.  Change it to
query GnuTLS to figure out whether a handler has been registered, and
if so, treat it just like a system key.

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 configure.ac | 2 ++
 gnutls.c     | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/configure.ac b/configure.ac
index ff381a0..6b7926b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -379,6 +379,8 @@ if test "$with_gnutls" = "yes"; then
 		 [AC_DEFINE(HAVE_GNUTLS_PUBKEY_EXPORT2, 1, [autoheader sucks donkey balls])], [])
     AC_CHECK_FUNC(gnutls_x509_crt_set_pin_function,
 		 [AC_DEFINE(HAVE_GNUTLS_X509_CRT_SET_PIN_FUNCTION, 1, [From GnuTLS 3.1.0])], [])
+    AC_CHECK_FUNC(gnutls_url_is_supported,
+		 [AC_DEFINE(HAVE_GNUTLS_URL_IS_SUPPORTED, 1, [From GnuTLS 3.1.0])], [])
     AC_CHECK_FUNC(gnutls_system_key_add_x509,
 		 [AC_DEFINE(HAVE_GNUTLS_SYSTEM_KEYS, 1, [From GnuTLS 3.4.0])], [])
     if test "$with_openssl" = "" || test "$with_openssl" = "no"; then
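Review bot: the version note in the new AC_DEFINE help string, "From GnuTLS 3.1.0", matches when gnutls_url_is_supported() was introduced and follows the convention of the neighbouring checks, so nothing to change there. One caveat worth keeping in mind: AC_CHECK_FUNC only proves that the symbol links, not that the GnuTLS header openconnect includes declares it. The adjacent gnutls_x509_crt_set_pin_function and gnutls_system_key_add_x509 checks make the same assumption, so this is a consistency observation rather than a defect in this hunk.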
diff --git a/gnutls.c b/gnutls.c
index 338f7a7..fde1f40 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1001,8 +1001,16 @@ static int load_certificate(struct openconnect_info *vpninfo)
 
 	key_is_p11 = !strncmp(vpninfo->sslkey, "pkcs11:", 7);
 	cert_is_p11 = !strncmp(vpninfo->cert, "pkcs11:", 7);
+
+#ifdef HAVE_GNUTLS_URL_IS_SUPPORTED
+	/* GnuTLS returns true for pkcs11:, tpmkey:, system:, and custom URLs. */
+	key_is_sys = !key_is_p11 && gnutls_url_is_supported(vpninfo->sslkey);
+	cert_is_sys = !cert_is_p11 && gnutls_url_is_supported(vpninfo->cert);
+#else
+	/* Fallback for GnuTLS < 3.1.0. */
 	key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7);
 	cert_is_sys = !strncmp(vpninfo->cert, "system:", 7);
+#endif
 
 #ifndef HAVE_GNUTLS_SYSTEM_KEYS
 	if (key_is_sys || cert_is_sys) {
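Review bot: behaviour change for non-"system:" URLs on GnuTLS builds from 3.1.0 up to but not including 3.4.0. The new comment itself notes that gnutls_url_is_supported() also returns true for tpmkey: and custom URLs, so when HAVE_GNUTLS_URL_IS_SUPPORTED is defined but HAVE_GNUTLS_SYSTEM_KEYS is not, a tpmkey: key or certificate now sets key_is_sys/cert_is_sys and enters the `#ifndef HAVE_GNUTLS_SYSTEM_KEYS` block that follows, whereas the old `strncmp(vpninfo->sslkey, "system:", 7)` test left such URLs alone. If that block rejects the key, consider either keeping the strncmp fallback whenever system keys are unavailable (guarding the new test on HAVE_GNUTLS_SYSTEM_KEYS as well) or excluding the tpmkey: prefix explicitly, and state in the commit message which URL schemes are intended to take the system-key path. The "Fallback for GnuTLS < 3.1.0" comment on the #else branch agrees with the configure.ac note.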
-- 
1.9.1
