
Support TLS certificate pinning when GCR can't find usable PKCS#11 slots

Michael Gratton requested to merge wip/20-cert-pinning into master

This fixes Geary being unable to pin TLS certificates using GCR after gnome-keyring stopped advertising its PKCS11 module (see gcr#10 and gnome-keyring#20 (closed)), circa GNOME 3.28. To work around this, this merge introduces a new CertificateManager class to provide a high-level API for cert pinning, and a custom GLib.TlsDatabase that wraps the default database and supports pinning certs both in-memory and on disk. It also adds checks after initialising GCR to ensure it appears to be able to support cert pinning, and only uses GCR if so, falling back to on-disk storage if not.

Fixes #20 (closed)
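The wrapping-database approach outlined above, as an added illustration in Vala (Geary's language) rather than the merge request's own code: the class name, the per-host PEM file layout under `pin_dir`, and the in-memory table are assumptions, not the CertificateManager API this merge adds.

```vala
// Illustrative sketch (not Geary's code): a TlsDatabase that wraps the
// platform default and honours host-scoped pinned certificates held in
// memory, with one PEM file per host on disk as the fallback store.
public class PinningTlsDatabase : GLib.TlsDatabase {
    private GLib.TlsDatabase parent_db;
    private GLib.File pin_dir;
    private GLib.HashTable<string, GLib.TlsCertificate> pinned = new GLib.HashTable<string, GLib.TlsCertificate>(GLib.str_hash, GLib.str_equal);

    public PinningTlsDatabase(GLib.File pin_dir) {
        this.parent_db = GLib.TlsBackend.get_default().get_default_database();
        this.pin_dir = pin_dir;
        GLib.DirUtils.create_with_parents(pin_dir.get_path(), 0700);
    }

    // Pin `cert` for `host`; when `persist` is true also write it to disk.
    public void pin(string host, GLib.TlsCertificate cert, bool persist) throws GLib.Error {
        this.pinned.insert(host, cert);
        if (persist) {
            GLib.FileUtils.set_contents(pin_path(host), cert.certificate_pem);
        }
    }

    private string pin_path(string host) {
        return this.pin_dir.get_child(host + ".pem").get_path();
    }

    private GLib.TlsCertificate? lookup_pinned(string host) {
        GLib.TlsCertificate? cert = this.pinned.lookup(host);
        if (cert == null && GLib.FileUtils.test(pin_path(host), GLib.FileTest.IS_REGULAR)) {
            try {
                cert = new GLib.TlsCertificate.from_file(pin_path(host));
            } catch (GLib.Error err) {
                warning("Could not load pinned cert for %s: %s", host, err.message);
            }
        }
        return cert;
    }

    public override GLib.TlsCertificateFlags verify_chain(
        GLib.TlsCertificate chain, string purpose, GLib.SocketConnectable? identity,
        GLib.TlsInteraction? interaction, GLib.TlsDatabaseVerifyFlags flags,
        GLib.Cancellable? cancellable = null) throws GLib.Error {
        var result = this.parent_db.verify_chain(chain, purpose, identity, interaction, flags, cancellable);
        // A pin overrides the default verdict only for the same host and only
        // when the presented leaf is exactly the pinned certificate, so a pin
        // never widens trust for any other host.
        var addr = identity as GLib.NetworkAddress;
        if (result != GLib.TlsCertificateFlags.NO_FLAGS && addr != null) {
            GLib.TlsCertificate? pin = lookup_pinned(addr.hostname);
            if (pin != null && pin.is_same(chain)) {
                result = GLib.TlsCertificateFlags.NO_FLAGS;
            }
        }
        return result;
    }
}
```

Passing an instance of this class to a `GLib.TlsClientConnection` via its `database` property makes every handshake consult the pins after the default database has rendered its verdict.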
