[PATCH] Load "app:" keys by URL
Kevin Cernekee
cernekee at gmail.com
Sun Apr 24 22:50:50 PDT 2016
Chrome OS supports the notion of hardware-bound system keys, but it
doesn't provide APIs that can be called directly by GnuTLS or p11kit.
Instead, the application's NaCl module needs to pass certificate
queries and signing requests back to JavaScript code that invokes the
chrome.platformKeys APIs. This is implemented by registering a handler
for URLs starting with the (somewhat arbitrarily chosen) "app:" prefix:
https://chromium.googlesource.com/apps/nacl-openconnect/+/22dc518480bdf366f04f00c2ea5850cd680ad986/crypto.cc
https://chromium.googlesource.com/apps/nacl-openconnect/+/22dc518480bdf366f04f00c2ea5850cd680ad986/background.js#158
Allow openconnect to recognize these URLs and handle them through the
same code paths as "system:" URLs.
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
gnutls.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index 2a93dac8ac3e..11a1da18a109 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1001,8 +1001,10 @@ static int load_certificate(struct openconnect_info *vpninfo)
key_is_p11 = !strncmp(vpninfo->sslkey, "pkcs11:", 7);
cert_is_p11 = !strncmp(vpninfo->cert, "pkcs11:", 7);
- key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7);
- cert_is_sys = !strncmp(vpninfo->cert, "system:", 7);
+ key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7) ||
+ !strncmp(vpninfo->sslkey, "app:", 4);
+ cert_is_sys = !strncmp(vpninfo->cert, "system:", 7) ||
+ !strncmp(vpninfo->cert, "app:", 4);
#ifndef HAVE_GNUTLS_SYSTEM_KEYS
if (key_is_sys || cert_is_sys) {
--
2.8.1
More information about the openconnect-devel
mailing list