
Draft: gnutls: make gnutls tls certificate derivable and expose copy vfunc

Hello,

this is more a request for comment than a true merge request. I'll give more context below on why I need this kind of evolution.

I have several embedded OSes with different TPM chips (1.2 and 2.0). I need to perform HTTPS requests and sign certificates with these TPM chips. For that, I have a wrapping library around trousers (for TPM 1.2) and tpm2-tss (for TPM 2.0) which allows me to abstract the different chips and offers a simple API to sign certificates. For making HTTPS requests, I use libsoup and so glib-networking for the TLS part.

The problem I faced is interfacing glib-networking with my TPM library. The only solution I found for the moment is to patch glib-networking to make the GTlsCertificateGnutls type derivable (and export the code as a shared library with a header). Doing so allows me to create a new type in my lib that inherits from GTlsCertificateGnutls and overloads g_tls_certificate_gnutls_copy, so that I can call gnutls_privkey_import_ext3 to provide a custom signing function that will use my TPMs.

Long story short, I have carried these patches for years across every glib-networking upgrade I made, and I would like to ask here if there is a better (cleaner) solution in order to fulfill this use case.

Note that gnutls has limited support for TPM (restricted to TPM 1.2) and suggests using other libs like CHAPS or opencryptopki, which seem either stalled or deprecated, so I didn't go this way.

I hope this suggestion will find an echo and that we can have a better discussion (and possibly support for TPM inside glib-networking).

Rereading this makes me think that a better way would be to use the pkcs11 API of glib/glib-networking, but I would like to have your advice anyway.

Thank you very much!

Edited by MARTINSONS Frederic
