General Description

Pidgin doesn't currently do any certificate verification for SSL. In order to properly do this and ensure security, a certificate manager (something like Mozilla's) needs to be added.

This is William Ehlhardt's project for Summer of Code

Branch: im.pidgin.soc.2007.certmgr

Issues

Resolved Issues

• It looks like PKCS12 (the certificate import/export format) is supported by both libNSS and GnuTLS.

TODO

• General paranoia
• Look at how the SILC prpl does its key management, especially the organization of the API used to check certs and interact with the user to verify them.
• Add some way of passing useful error messages back up out of the SSL interface (23 May)
• Fix purple_ssl_init in sslconn.c; it doesn't do anything (23 May)
  • Talking to nosnilmot suggests that this ought to just be removed outright (24 May)
• Figure out libNSS everything. (25 May)
• Why am I getting single-byte serial numbers from servers? (25 May)
• Work out how to use Glib functions for time checking on certificates.

Tasks done

• Figure out how to get key fingerprints out of GnuTLS (25 May, 25 May))

Status

25 May 2007

Divergence point reached. With the addition of purple_base16_encode_chunked, my changes will force at least a minor version increment. Slapped some code into the GnuTLS SSL plugin and looked at the certificate characteristics coming back. But why am I getting single-byte serial number values back? How large should these serial numbers be?

23 May 2007

Using "Document the SSL interface as it exists now" as an excuse to build a branch and learn Doxygen

17 May 2007

Reading documentation. Lots of it.