After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 636257 - Usable trust storage
Usable trust storage
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
unspecified
Other Linux
: Normal normal
: ---
Assigned To: GNOME keyring maintainer(s)
GNOME keyring maintainer(s)
Depends on:
Blocks: 636258
 
 
Reported: 2010-12-01 22:25 UTC by Stef Walter
Modified: 2010-12-24 15:56 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Stef Walter 2010-12-01 22:25:32 UTC
Implementation of trust assertions (mostly done), testing, and merging with master.

Trust assertions are a concept for storing bits of information about trust exceptions, crls, and trust anchors in a generic way.

http://stef.thewalter.net/2010/10/about-trust-assertions.html

Implementation is taking place on the trust-store branch.
Comment 1 Stef Walter 2010-12-12 02:24:10 UTC
Specification which describes what's going on is here:

http://people.collabora.co.uk/~stefw/trust-assertions.html

libgcr documentation:

http://people.collabora.co.uk/~stefw/gcr-docs/

Implementation is pretty much done. And is on the trust-store branch. Some notes:

 * Using terminology of 'pinned certificate' instead of certificate exception.
   Pinned certificates are used when a user overrides the normal trust
   for things like self-signed certificates. A pinned certificate is always
   for a specific host. More details in the spec above.
 * Added a GcrCertificateChain class to libgcr for building X.509 certificate
   chains and looking up anchors, pinned certs, etc.
 * Add GkrPkcs11Certificate to libgcr for looking up certificates in the pkcs11
   store based on the issuer of another certificate.
 * Split out the trust assertion spec constants into its own header: pkcs11x.h
 * Better functions in libgcr for managing which pkcs11 modules are used by
   the library.
 * gnome-keyring now finds the root CA certificates by default in configure.
   Before this was turned off by default.
 * Fix up lots of libgcr documentation.
 * Single file includes for libgcr, where only including <gcr/gcr.h> is allowed.
 * Add gcr_certificate_is_issuer() to check if a certificate is another
   certificate's issuer.
 * Added gcr_trust_xxxx() functions for looking up trust assertions.
 * Renamed old user store PKCS#11 module to gnome2-store, since that's where
   it would store its data.
 * Added xdg-store PKCS#11 module which stores data in $XDG_DATA_HOME. For now
   only stores trust assertions.

Still missing, however I think these should be handled separately:

 * The gnome-keyring tool should be able to inspect, add, remove trust assertions.
 * No support for lookup of negative trust assertions.
 * No support yet for CRLs

Please let me know if you see anything amiss, or something is broken.
Comment 2 Stef Walter 2010-12-13 17:29:54 UTC
Changed to use term 'distrust' instead of 'untrust' as suggested by Yaron on the mailing list.
Comment 3 Stef Walter 2010-12-13 20:41:57 UTC
Fixed a bunch of memory leaks in the new gcr functionality, some old, some new.

commit 54488eab6da95b325f2b15965bc355b6848aa535
Author: Stef Walter <stefw@collabora.co.uk>
Date:   Mon Dec 13 19:38:34 2010 +0000

    [gcr] Fix memory leaks in trust lookup tests.

commit 5273a8e0562587158037bed9b26292ef9c8873a8
Author: Stef Walter <stefw@collabora.co.uk>
Date:   Mon Dec 13 19:38:13 2010 +0000

    [gcr] Fix memory leaks in async functions.
    
    g_async_result_get_source_object() refs its result.

commit 42f78db0c04f11e8603ad979955403beae50af27
Author: Stef Walter <stefw@collabora.co.uk>
Date:   Mon Dec 13 19:37:19 2010 +0000

    [gcr] Fix memory leaks in certificate chain code.
Comment 4 Stef Walter 2010-12-24 14:10:02 UTC
This has now been merged into master and is part of 2.91.4.
Comment 5 Stef Walter 2010-12-24 15:56:33 UTC
Further progress will be tracked by these bugs:

bug #637961
bug #637964
bug #637966