From 7712a50a4c3dfecda6b6401ba5a9dff52a583ecb Mon Sep 17 00:00:00 2001

From: Debarshi Ray <debarshir@gnome.org>

Date: Wed, 15 Mar 2017 20:23:43 +0100

Subject: [PATCH 1/5] tls-verifier: Handle GNUTLS_CERT_REVOKED

... by mapping it to TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED.

https://bugzilla.gnome.org/show_bug.cgi?id=780160

---

 libempathy/empathy-tls-verifier.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c

index fcbc559b3f97..8f80b4372de1 100644

--- a/libempathy/empathy-tls-verifier.c

+++ b/libempathy/empathy-tls-verifier.c

@@ -98,6 +98,8 @@ verification_output_to_reason (gint res,

         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;

       else if (verify_output & GNUTLS_CERT_EXPIRED)

         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;

+      else if (verify_output & GNUTLS_CERT_REVOKED)

+        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;

       else

         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;

-- 

2.14.4

From 8c5dc77f406308b77b4a6c7274ff8096091267a6 Mon Sep 17 00:00:00 2001

From: Debarshi Ray <debarshir@gnome.org>

Date: Mon, 20 Mar 2017 19:20:11 +0100

Subject: [PATCH 2/5] tests: Fix comment

The existing comment was mistakenly copied from

test_certificate_verify_success_with_full_chain.

This test case is about a certificate that has been pinned against a

specific peer. The mock TLS connection doesn't have the full chain,

but just the leaf-level certificate that has been pinned.

https://bugzilla.gnome.org/show_bug.cgi?id=780160

---

 tests/empathy-tls-test.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c

index 91b05761f9b9..0752e1b328c5 100644

--- a/tests/empathy-tls-test.c

+++ b/tests/empathy-tls-test.c

@@ -654,8 +654,8 @@ test_certificate_verify_success_with_pinned (Test *test,

   };

   /*

-   * In this test the mock TLS connection has a full certificate

-   * chain. We look for an anchor certificate in the chain.

+   * In this test the mock TLS connection has a certificate that has

+   * been pinned for the test-server.empathy.gnome.org peer.

    */

   test->mock = mock_tls_certificate_new_and_register (test->dbus,

-- 

2.14.4

From 6fe06a78a7538cefa2333b180d58b330325796ab Mon Sep 17 00:00:00 2001

From: Debarshi Ray <debarshir@gnome.org>

Date: Mon, 20 Mar 2017 19:31:39 +0100

Subject: [PATCH 3/5] tests: Actually test that hostnames of pinned

 certificates are verified

This test case is about ensuring that a pinned certificate won't be

validated if the wrong hostname is used.

If we don't add the pinned certificate to our database, then checks for

pinning are going to fail regardless of the hostname being used. The

correct certificate-hostname pair needs to be in the database to ensure

that the hostnames are being matched as advertised.

https://bugzilla.gnome.org/show_bug.cgi?id=780160

---

 tests/empathy-tls-test.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c

index 0752e1b328c5..422909e7cc2a 100644

--- a/tests/empathy-tls-test.c

+++ b/tests/empathy-tls-test.c

@@ -695,7 +695,8 @@ test_certificate_verify_pinned_wrong_host (Test *test,

   test->mock = mock_tls_certificate_new_and_register (test->dbus,

           "server-cert.cer", NULL);

-  /* Note that we're not adding any place to find root certs */

+  /* We add the collabora directory with the collabora root */

+  add_certificate_to_mock (test, "server-cert.cer", "test-server.empathy.gnome.org");

   ensure_certificate_proxy (test);

-- 

2.14.4

From f07492434449bcdd74a61aa74596884ef5700d88 Mon Sep 17 00:00:00 2001

From: Debarshi Ray <debarshir@gnome.org>

Date: Wed, 15 Mar 2017 20:24:08 +0100

Subject: [PATCH 4/5] tls-verifier: Use GIO to verify the chain of TLS

 certificates

Gcr has its own hand rolled code to complete the certificate chain and

validate it, which predates the equivalent functionality in GIO. These

days, GIO's GnuTLS backend is a better option because it defers to

GnuTLS to do the right thing. It benefits automatically from any

improvements made to GnuTLS itself.

However, GIO doesn't support certificate pinning. Gcr continues to

provide that feature.

Note:

(a) We don't set "certificate-hostname" when we encounter

TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH. The resulting loss

of verbosity in EmpathyTLSDialog is balanced by no longer relying on a

specific encryption library.

(b) glib-networking doesn't differentiate between

GNUTLS_CERT_SIGNER_NOT_FOUND and GNUTLS_CERT_SIGNER_NOT_CA. Hence, we

club them together as TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED and we

no longer return TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED.

(c) Unlike Gcr, GnuTLS doesn't seem to provide a way to load a PKCS#11

module that's built into the code, as opposed to being a shared object.

This makes it hard for us to load our mock PKCS#11 module. Therefore,

we have disabled the test case that relies on using PKCS#11 storage to

complete the certificate chain.

Bump required GLib version to 2.48. We really do need 2.48 because we

rely on the improvements to GIO's GnuTLS backend.

https://bugzilla.gnome.org/show_bug.cgi?id=780160

---

 configure.ac                      |   6 +-

 libempathy/empathy-tls-verifier.c | 419 ++++++++++++++++++--------------------

 libempathy/empathy-tls-verifier.h |   3 +

 tests/empathy-tls-test.c          |  35 +++-

 4 files changed, 232 insertions(+), 231 deletions(-)

diff --git a/configure.ac b/configure.ac

index a427eba3af56..cd6f371de799 100644

--- a/configure.ac

+++ b/configure.ac

@@ -37,9 +37,9 @@ AC_COPYRIGHT([

 FOLKS_REQUIRED=0.9.5

 GNUTLS_REQUIRED=2.8.5

-GLIB_REQUIRED=2.37.6

-AC_DEFINE(GLIB_VERSION_MIN_REQUIRED, GLIB_VERSION_2_30, [Ignore post 2.30 deprecations])

-AC_DEFINE(GLIB_VERSION_MAX_ALLOWED, GLIB_VERSION_2_38, [Prevent post 2.38 APIs])

+GLIB_REQUIRED=2.48.0

+AC_DEFINE(GLIB_VERSION_MIN_REQUIRED, GLIB_VERSION_2_48, [Ignore post 2.48 deprecations])

+AC_DEFINE(GLIB_VERSION_MAX_ALLOWED, GLIB_VERSION_2_48, [Prevent post 2.48 APIs])

 GTK_REQUIRED=3.9.4

 AC_DEFINE(GDK_VERSION_MIN_REQUIRED, GDK_VERSION_3_8, [Ignore post 3.8 deprecations])

diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c

index 8f80b4372de1..a8306bb569ea 100644

--- a/libempathy/empathy-tls-verifier.c

+++ b/libempathy/empathy-tls-verifier.c

@@ -1,7 +1,9 @@

 /*

  * empathy-tls-verifier.c - Source for EmpathyTLSVerifier

  * Copyright (C) 2010 Collabora Ltd.

+ * Copyright (C) 2017 Red Hat, Inc.

  * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>

+ * @author Debarshi Ray <debarshir@gnome.org>

  * @author Stef Walter <stefw@collabora.co.uk>

  *

  * This library is free software; you can redistribute it and/or

@@ -43,6 +45,8 @@ enum {

 };

 typedef struct {

+  GTlsCertificate *g_certificate;

+  GTlsDatabase *database;

   TpTLSCertificate *certificate;

   gchar *hostname;

   gchar **reference_identities;

@@ -53,135 +57,86 @@ typedef struct {

   gboolean dispose_run;

 } EmpathyTLSVerifierPriv;

-static gboolean

-verification_output_to_reason (gint res,

-    guint verify_output,

-    TpTLSCertificateRejectReason *reason)

+static GTlsCertificate *

+tls_certificate_new_from_der (GPtrArray *data, GError **error)

 {

-  gboolean retval = TRUE;

+  GTlsBackend *tls_backend;

+  GTlsCertificate *cert = NULL;

+  GTlsCertificate *issuer = NULL;

+  GTlsCertificate *retval = NULL;

+  GType tls_certificate_type;

+  gint i;

-  g_assert (reason != NULL);

+  g_return_val_if_fail (error == NULL || *error == NULL, NULL);

-  if (res != GNUTLS_E_SUCCESS)

-    {

-      retval = FALSE;

+  tls_backend = g_tls_backend_get_default ();

+  tls_certificate_type = g_tls_backend_get_certificate_type (tls_backend);

-      /* the certificate is not structurally valid */

-      switch (res)

-        {

-        case GNUTLS_E_INSUFFICIENT_CREDENTIALS:

-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;

-          break;

-        case GNUTLS_E_CONSTRAINT_ERROR:

-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;

-          break;

-        default:

-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;

-          break;

-        }

-

-      goto out;

+  for (i = (gint) data->len - 1; i >= 0; --i)

+    {

+      GArray *cert_data;

+

+      cert_data = g_ptr_array_index (data, i);

+      cert = g_initable_new (tls_certificate_type,

+          NULL,

+          error,

+          "certificate", (GByteArray *) cert_data,

+          "issuer", issuer,

+          NULL);

+

+      if (cert == NULL)

+        goto out;

+

+      g_clear_object (&issuer);

+      issuer = g_object_ref (cert);

+      g_clear_object (&cert);

     }

-  /* the certificate is structurally valid, check for other errors. */

-  if (verify_output & GNUTLS_CERT_INVALID)

-    {

-      retval = FALSE;

-

-      if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;

-      else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;

-      else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;

-      else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;

-      else if (verify_output & GNUTLS_CERT_EXPIRED)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;

-      else if (verify_output & GNUTLS_CERT_REVOKED)

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;

-      else

-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;

+  g_assert_null (cert);

+  g_assert_true (G_IS_TLS_CERTIFICATE (issuer));

-      goto out;

-    }

+  retval = g_object_ref (issuer);

  out:

+  g_clear_object (&cert);

+  g_clear_object (&issuer);

   return retval;

 }

-static void

-build_certificate_list_for_gnutls (GcrCertificateChain *chain,

-        gnutls_x509_crt_t **list,

-        guint *n_list,

-        gnutls_x509_crt_t **anchors,

-        guint *n_anchors)

+static TpTLSCertificateRejectReason

+verification_output_to_reason (GTlsCertificateFlags flags)

 {

-  GcrCertificate *cert;

-  guint idx, length;

-  gnutls_x509_crt_t *retval;

-  gnutls_x509_crt_t gcert;

-  gnutls_datum_t datum;

-  gsize n_data;

-

-  g_assert (list);

-  g_assert (n_list);

-  g_assert (anchors);

-  g_assert (n_anchors);

+  TpTLSCertificateRejectReason retval;

-  *list = *anchors = NULL;

-  *n_list = *n_anchors = 0;

+  g_assert (flags != 0);

-  length = gcr_certificate_chain_get_length (chain);

-  retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * length);

-

-  /* Convert the main body of the chain to gnutls */

-  for (idx = 0; idx < length; ++idx)

-    {

-      cert = gcr_certificate_chain_get_certificate (chain, idx);

-      datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);

-      datum.size = n_data;

-

-      gnutls_x509_crt_init (&gcert);

-      if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)

-        g_return_if_reached ();

-

-      retval[idx] = gcert;

-    }

-

-  *list = retval;

-  *n_list = length;

-

-  /* See if we have an anchor */

-  if (gcr_certificate_chain_get_status (chain) ==

-          GCR_CERTIFICATE_CHAIN_ANCHORED)

+  switch (flags)

     {

-      cert = gcr_certificate_chain_get_anchor (chain);

-      g_return_if_fail (cert);

-

-      datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);

-      datum.size = n_data;

-

-      gnutls_x509_crt_init (&gcert);

-      if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)

-        g_return_if_reached ();

-

-      retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * 1);

-      retval[0] = gcert;

-      *anchors = retval;

-      *n_anchors = 1;

+      case G_TLS_CERTIFICATE_UNKNOWN_CA:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;

+        break;

+      case G_TLS_CERTIFICATE_BAD_IDENTITY:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;

+        break;

+      case G_TLS_CERTIFICATE_NOT_ACTIVATED:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;

+        break;

+      case G_TLS_CERTIFICATE_EXPIRED:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;

+        break;

+      case G_TLS_CERTIFICATE_REVOKED:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;

+        break;

+      case G_TLS_CERTIFICATE_INSECURE:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;

+        break;

+      case G_TLS_CERTIFICATE_GENERIC_ERROR:

+      default:

+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;

+        break;

     }

-}

-static void

-free_certificate_list_for_gnutls (gnutls_x509_crt_t *list,

-        guint n_list)

-{

-  guint idx;

-

-  for (idx = 0; idx < n_list; idx++)

-    gnutls_x509_crt_deinit (list[idx]);

-  g_free (list);

+  return retval;

 }

 static void

@@ -193,6 +148,7 @@ complete_verification (EmpathyTLSVerifier *self)

   g_simple_async_result_complete_in_idle (priv->verify_result);

+  g_clear_object (&priv->g_certificate);

   tp_clear_object (&priv->verify_result);

 }

@@ -209,6 +165,7 @@ abort_verification (EmpathyTLSVerifier *self,

       reason);

   g_simple_async_result_complete_in_idle (priv->verify_result);

+  g_clear_object (&priv->g_certificate);

   tp_clear_object (&priv->verify_result);

 }

@@ -221,142 +178,137 @@ debug_certificate (GcrCertificate *cert)

 }

 static void

-debug_certificate_chain (GcrCertificateChain *chain)

+verify_chain_cb (GObject *object,

+        GAsyncResult *res,

+        gpointer user_data)

 {

-    GEnumClass *enum_class;

-    GEnumValue *enum_value;

-    gint idx, length;

-    GcrCertificate *cert;

-

-    enum_class = G_ENUM_CLASS

-            (g_type_class_peek (GCR_TYPE_CERTIFICATE_CHAIN_STATUS));

-    enum_value = g_enum_get_value (enum_class,

-            gcr_certificate_chain_get_status (chain));

-    length = gcr_certificate_chain_get_length (chain);

-    DEBUG ("Certificate chain: length %u status %s",

-            length, enum_value ? enum_value->value_nick : "XXX");

-

-    for (idx = 0; idx < length; ++idx)

-      {

-        cert = gcr_certificate_chain_get_certificate (chain, idx);

-        debug_certificate (cert);

-      }

-}

+  GError *error = NULL;

-static void

-perform_verification (EmpathyTLSVerifier *self,

-        GcrCertificateChain *chain)

-{

-  gboolean ret = FALSE;

-  TpTLSCertificateRejectReason reason =

-    TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;

-  gnutls_x509_crt_t *list, *anchors;

-  guint n_list, n_anchors;

-  guint verify_output;

-  gint res;

+  GTlsCertificateFlags flags;

+  GTlsDatabase *tls_database = G_TLS_DATABASE (object);

   gint i;

-  gboolean matched = FALSE;

+  EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (user_data);

   EmpathyTLSVerifierPriv *priv = GET_PRIV (self);

-  DEBUG ("Performing verification");

-  debug_certificate_chain (chain);

-

-  list = anchors = NULL;

-  n_list = n_anchors = 0;

-

-  /*

-   * If the first certificate is an pinned certificate then we completely

-   * ignore the rest of the verification process.

+  /* FIXME: g_tls_database_verify_chain doesn't set the GError if the

+   * certificate chain couldn't be verified. See:

+   * https://bugzilla.gnome.org/show_bug.cgi?id=780310

    */

-  if (gcr_certificate_chain_get_status (chain) == GCR_CERTIFICATE_CHAIN_PINNED)

+  flags = g_tls_database_verify_chain_finish (tls_database, res, &error);

+  if (flags != 0)

     {

-      DEBUG ("Found pinned certificate for %s", priv->hostname);

-      complete_verification (self);

-      goto out;

-  }

-

-  build_certificate_list_for_gnutls (chain, &list, &n_list,

-          &anchors, &n_anchors);

-  if (list == NULL || n_list == 0) {

-      g_warn_if_reached ();

-      abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);

-      goto out;

-  }

+      TpTLSCertificateRejectReason reason;

-  verify_output = 0;

-  res = gnutls_x509_crt_list_verify (list, n_list, anchors, n_anchors,

-           NULL, 0, 0, &verify_output);

-  ret = verification_output_to_reason (res, verify_output, &reason);

+      /* We don't pass the identity to g_tls_database_verify. */

+      g_assert_false (flags & G_TLS_CERTIFICATE_BAD_IDENTITY);

-  DEBUG ("Certificate verification gave result %d with reason %u", ret,

+      reason = verification_output_to_reason (flags);

+      DEBUG ("Certificate verification gave flags %d with reason %u",

+          (gint) flags,

           reason);

-  if (!ret) {

       abort_verification (self, reason);

+      g_clear_error (&error);

       goto out;

-  }

+    }

-  /* now check if the certificate matches one of the reference identities. */

-  if (priv->reference_identities != NULL)

+  for (i = 0; priv->reference_identities[i] != NULL; i++)

     {

-      for (i = 0, matched = FALSE; priv->reference_identities[i] != NULL; ++i)

-        {

-          if (gnutls_x509_crt_check_hostname (list[0],

-                  priv->reference_identities[i]) == 1)

-            {

-              matched = TRUE;

-              break;

-            }

-        }

+      GSocketConnectable *identity = NULL;

+

+      identity = g_network_address_new (priv->reference_identities[i], 0);

+      flags = g_tls_certificate_verify (priv->g_certificate, identity, NULL);

+

+      g_object_unref (identity);

+      if (flags == 0)

+        break;

     }

-  if (!matched)

+  if (flags != 0)

     {

-      gchar *certified_hostname;

+      TpTLSCertificateRejectReason reason;

+

+      g_assert_cmpint (flags, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);

+

+      reason = verification_output_to_reason (flags);

+      DEBUG ("Certificate verification gave flags %d with reason %u",

+          (gint) flags,

+          reason);

-      certified_hostname = empathy_get_x509_certificate_hostname (list[0]);

-      tp_asv_set_string (priv->details,

-          "expected-hostname", priv->hostname);

-      tp_asv_set_string (priv->details,

-          "certificate-hostname", certified_hostname);

+      /* FIXME: We don't set "certificate-hostname" because

+       * GTlsCertificate doesn't expose the hostname used in the

+       * certificate. We will temporarily lose some verbosity in

+       * EmpathyTLSDialog, but that's balanced by no longer

+       * relying on a specific encryption library.

+       */

+      tp_asv_set_string (priv->details, "expected-hostname", priv->hostname);

-      DEBUG ("Hostname mismatch: got %s but expected %s",

-          certified_hostname, priv->hostname);

+      DEBUG ("Hostname mismatch: expected %s", priv->hostname);

-      g_free (certified_hostname);

-      abort_verification (self,

-              TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);

+      abort_verification (self, reason);

       goto out;

     }

-  DEBUG ("Hostname matched");

+  DEBUG ("Verified certificate chain");

   complete_verification (self);

- out:

-  free_certificate_list_for_gnutls (list, n_list);

-  free_certificate_list_for_gnutls (anchors, n_anchors);

+out:

+  /* Matches ref when starting verify chain */

+  g_object_unref (self);

 }

 static void

-perform_verification_cb (GObject *object,

-        GAsyncResult *res,

-        gpointer user_data)

+is_certificate_pinned_cb (GObject *object,

+    GAsyncResult *res,

+    gpointer user_data)

 {

   GError *error = NULL;

-

-  GcrCertificateChain *chain = GCR_CERTIFICATE_CHAIN (object);

+  GPtrArray *cert_data;

   EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (user_data);

+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);

+

+  if (gcr_trust_is_certificate_pinned_finish (res, &error))

+    {

+      DEBUG ("Found pinned certificate for %s", priv->hostname);

+      complete_verification (self);

+      goto out;

+    }

+

+  /* error is set only when there is an actual failure. It won't be

+   * set, if it successfully determined that the ceritificate was not

+   * pinned. */

+  if (error != NULL)

+    {

+      DEBUG ("Failed to determine if certificate is pinned: %s",

+          error->message);

+      g_clear_error (&error);

+    }

-  /* Even if building the chain fails, try verifying what we have */

-  if (!gcr_certificate_chain_build_finish (chain, res, &error))

+  cert_data = tp_tls_certificate_get_cert_data (priv->certificate);

+  priv->g_certificate = tls_certificate_new_from_der (cert_data, &error);

+  if (error != NULL)

     {

-      DEBUG ("Building of certificate chain failed: %s", error->message);

+      DEBUG ("Verification of certificate chain failed: %s", error->message);

+

+      abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);

       g_clear_error (&error);

+      goto out;

     }

-  perform_verification (self, chain);

+  DEBUG ("Performing verification");

+

+  g_tls_database_verify_chain_async (priv->database,

+      priv->g_certificate,

+      G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,

+      NULL,

+      NULL,

+      G_TLS_DATABASE_VERIFY_NONE,

+      NULL,

+      verify_chain_cb,

+      g_object_ref (self));

-  /* Matches ref when staring chain build */

+out:

+  /* Matches ref when starting is certificate pinned */

   g_object_unref (self);

 }

@@ -420,6 +372,8 @@ empathy_tls_verifier_dispose (GObject *object)

   priv->dispose_run = TRUE;

+  g_clear_object (&priv->g_certificate);

+  g_clear_object (&priv->database);

   tp_clear_object (&priv->certificate);

   G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);

@@ -443,10 +397,14 @@ static void

 empathy_tls_verifier_init (EmpathyTLSVerifier *self)

 {

   EmpathyTLSVerifierPriv *priv;

+  GTlsBackend *tls_backend;

   priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,

       EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);

   priv->details = tp_asv_new (NULL, NULL);

+

+  tls_backend = g_tls_backend_get_default ();

+  priv->database = g_tls_backend_get_default_database (tls_backend);

 }

 static void

@@ -503,16 +461,15 @@ empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,

     GAsyncReadyCallback callback,

     gpointer user_data)

 {

-  GcrCertificateChain *chain;

   GcrCertificate *cert;

   GPtrArray *cert_data;

   GArray *data;

-  guint idx;

   EmpathyTLSVerifierPriv *priv = GET_PRIV (self);

   DEBUG ("Starting verification");

   g_return_if_fail (priv->verify_result == NULL);

+  g_return_if_fail (priv->g_certificate == NULL);

   cert_data = tp_tls_certificate_get_cert_data (priv->certificate);

   g_return_if_fail (cert_data);

@@ -520,19 +477,22 @@ empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,

   priv->verify_result = g_simple_async_result_new (G_OBJECT (self),

       callback, user_data, NULL);

-  /* Create a certificate chain */

-  chain = gcr_certificate_chain_new ();

-  for (idx = 0; idx < cert_data->len; ++idx) {

-    data = g_ptr_array_index (cert_data, idx);

-    cert = gcr_simple_certificate_new ((guchar *) data->data, data->len);

-    gcr_certificate_chain_add (chain, cert);

-    g_object_unref (cert);

-  }

+  /* The first certificate in the chain is for the host */

+  data = g_ptr_array_index (cert_data, 0);

+  cert = gcr_simple_certificate_new ((gpointer) data->data,

+      (gsize) data->len);

+

+  DEBUG ("Checking if certificate is pinned:");

+  debug_certificate (cert);

-  gcr_certificate_chain_build_async (chain, GCR_PURPOSE_SERVER_AUTH, priv->hostname, 0,

-          NULL, perform_verification_cb, g_object_ref (self));

+  gcr_trust_is_certificate_pinned_async (cert,

+      GCR_PURPOSE_SERVER_AUTH,

+      priv->hostname,

+      NULL,

+      is_certificate_pinned_cb,

+      g_object_ref (self));

-  g_object_unref (chain);

+  g_object_unref (cert);

 }

 gboolean

@@ -567,6 +527,21 @@ empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,

   return TRUE;

 }

+void empathy_tls_verifier_set_database (EmpathyTLSVerifier *self,

+    GTlsDatabase *database)

+{