File nm-probe-ca-cert.patch of Package NetworkManager.import5373

diff --git a/introspection/nm-device-wifi.xml b/introspection/nm-device-wifi.xml
index fb50762..ba3da8d 100644
--- a/introspection/nm-device-wifi.xml
+++ b/introspection/nm-device-wifi.xml
@@ -14,6 +14,18 @@
       </tp:docstring>
     </method>
 
+    <method name="ProbeCaCert">
+      <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_device_probe_ca_cert"/>
+      <arg name="ssid" type="ay" direction="in">
+        <tp:docstring>
+          The SSID of the AP to be probed
+        </tp:docstring>
+      </arg>
+      <tp:docstring>
+        Probe the CA certificate of the RADIUS server.
+      </tp:docstring>
+    </method>
+
     <property name="HwAddress" type="s" access="read">
       <tp:docstring>
         The active hardware address of the device.
@@ -81,6 +93,17 @@
         </tp:docstring>
     </signal>
 
+    <signal name="CaCertReceived">
+      <arg name="cert" type="a{ss}" tp:type="String_String_Map">
+        <tp:docstring>
+          The certificate of the RADIUS server
+        </tp:docstring>
+      </arg>
+        <tp:docstring>
+            Emitted when wpa_supplicant replies the CA certificate of the RADIUS server.
+        </tp:docstring>
+    </signal>
+
     <tp:flags name="NM_802_11_DEVICE_CAP" type="u">
       <tp:docstring>
         Flags describing the capabilities of a wireless device.
diff --git a/libnm-glib/libnm-glib.ver b/libnm-glib/libnm-glib.ver
index 1596afa..626d949 100644
--- a/libnm-glib/libnm-glib.ver
+++ b/libnm-glib/libnm-glib.ver
@@ -91,6 +91,7 @@ global:
 	nm_device_wifi_get_mode;
 	nm_device_wifi_get_type;
 	nm_device_wifi_new;
+	nm_device_wifi_probe_ca_cert;
 	nm_dhcp4_config_get_one_option;
 	nm_dhcp4_config_get_options;
 	nm_dhcp4_config_get_type;
diff --git a/libnm-glib/nm-device-wifi.c b/libnm-glib/nm-device-wifi.c
index 3d17023..bdb8737 100644
--- a/libnm-glib/nm-device-wifi.c
+++ b/libnm-glib/nm-device-wifi.c
@@ -78,6 +78,7 @@ enum {
 enum {
 	ACCESS_POINT_ADDED,
 	ACCESS_POINT_REMOVED,
+	CA_CERT_RECEIVED,
 
 	LAST_SIGNAL
 };
@@ -370,6 +371,25 @@ nm_device_wifi_get_access_point_by_path (NMDeviceWifi *device,
 	return ap;
 }
 
+gboolean
+nm_device_wifi_probe_ca_cert (NMDeviceWifi *device,
+                              const GByteArray *ssid)
+{
+	NMDeviceWifiPrivate *priv;
+	GError *error = NULL;
+
+	g_return_val_if_fail (NM_IS_DEVICE_WIFI (device), FALSE);
+
+	priv = NM_DEVICE_WIFI_GET_PRIVATE (device);
+
+	if (!org_freedesktop_NetworkManager_Device_Wireless_probe_ca_cert (priv->proxy, ssid, &error)) {
+		g_warning ("%s: error probe subject: %s", __func__, error->message);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
 static void
 access_point_added_proxy (DBusGProxy *proxy, char *path, gpointer user_data)
 {
@@ -426,6 +446,14 @@ access_point_removed_proxy (DBusGProxy *proxy, char *path, gpointer user_data)
 }
 
 static void
+ca_cert_received_proxy (DBusGProxy *proxy, GHashTable *ca_cert, gpointer user_data)
+{
+	NMDeviceWifi *self = NM_DEVICE_WIFI (user_data);
+
+	g_signal_emit (self, signals[CA_CERT_RECEIVED], 0, ca_cert);
+}
+
+static void
 clean_up_aps (NMDeviceWifi *self, gboolean notify)
 {
 	NMDeviceWifiPrivate *priv;
@@ -635,6 +663,13 @@ constructor (GType type,
 						    G_CALLBACK (access_point_removed_proxy),
 						    object, NULL);
 
+	dbus_g_proxy_add_signal (priv->proxy, "CaCertReceived",
+	                         DBUS_TYPE_G_MAP_OF_STRING,
+	                         G_TYPE_INVALID);
+	dbus_g_proxy_connect_signal (priv->proxy, "CaCertReceived",
+						    G_CALLBACK (ca_cert_received_proxy),
+						    object, NULL);
+
 	register_for_property_changed (NM_DEVICE_WIFI (object));
 
 	g_signal_connect (NM_DEVICE (object),
@@ -805,4 +840,22 @@ nm_device_wifi_class_init (NMDeviceWifiClass *device_class)
 				    g_cclosure_marshal_VOID__OBJECT,
 				    G_TYPE_NONE, 1,
 				    G_TYPE_OBJECT);
+
+	/**
+	 * NMDeviceWifi::ca-cert-received:
+	 * @device: the wifi device that received the signal
+	 * @subject: the subject of the RADIUS server
+	 * @hash: the hash of the RADIUS server
+	 *
+	 * Notifies that a certificate of a RADIUS server is sent back.
+	 **/
+	signals[CA_CERT_RECEIVED] =
+		g_signal_new ("ca-cert-received",
+				    G_OBJECT_CLASS_TYPE (object_class),
+				    G_SIGNAL_RUN_FIRST,
+				    G_STRUCT_OFFSET (NMDeviceWifiClass, ca_cert_received),
+				    NULL, NULL,
+				    g_cclosure_marshal_VOID__BOXED,
+				    G_TYPE_NONE, 1,
+				    G_TYPE_HASH_TABLE);
 }
diff --git a/libnm-glib/nm-device-wifi.h b/libnm-glib/nm-device-wifi.h
index 21f3558..fad2bb0 100644
--- a/libnm-glib/nm-device-wifi.h
+++ b/libnm-glib/nm-device-wifi.h
@@ -53,6 +53,7 @@ typedef struct {
 	/* Signals */
 	void (*access_point_added) (NMDeviceWifi *device, NMAccessPoint *ap);
 	void (*access_point_removed) (NMDeviceWifi *device, NMAccessPoint *ap);
+	void (*ca_cert_received) (NMDeviceWifi *device, GHashTable *ca_cert);
 
 	/* Padding for future expansion */
 	void (*_reserved1) (void);
@@ -60,7 +61,6 @@ typedef struct {
 	void (*_reserved3) (void);
 	void (*_reserved4) (void);
 	void (*_reserved5) (void);
-	void (*_reserved6) (void);
 } NMDeviceWifiClass;
 
 GType nm_device_wifi_get_type (void);
@@ -78,6 +78,8 @@ NMAccessPoint * nm_device_wifi_get_access_point_by_path (NMDeviceWifi *device,
                                                          const char *path);
 
 const GPtrArray *nm_device_wifi_get_access_points       (NMDeviceWifi *device);
+gboolean         nm_device_wifi_probe_ca_cert           (NMDeviceWifi *device,
+                                                         const GByteArray *ssid);
 
 G_END_DECLS
 
diff --git a/libnm-util/libnm-util.ver b/libnm-util/libnm-util.ver
index d477381..c5e09f2 100644
--- a/libnm-util/libnm-util.ver
+++ b/libnm-util/libnm-util.ver
@@ -40,6 +40,7 @@ global:
 	nm_setting_802_1x_get_ca_cert_blob;
 	nm_setting_802_1x_set_ca_cert_from_file;
 	nm_setting_802_1x_get_ca_cert_path;
+	nm_setting_802_1x_get_ca_cert_hash;
 	nm_setting_802_1x_get_ca_cert_scheme;
 	nm_setting_802_1x_set_ca_cert;
 	nm_setting_802_1x_get_ca_path;
diff --git a/libnm-util/nm-setting-8021x.c b/libnm-util/nm-setting-8021x.c
index a322aa7..a251a37 100644
--- a/libnm-util/nm-setting-8021x.c
+++ b/libnm-util/nm-setting-8021x.c
@@ -63,6 +63,7 @@
  **/
 
 #define SCHEME_PATH "file://"
+#define SCHEME_HASH "hash://server/sha256/"
 
 /**
  * nm_setting_802_1x_error_quark:
@@ -383,6 +384,9 @@ get_cert_scheme (GByteArray *array)
 	if (   (array->len > strlen (SCHEME_PATH))
 	    && !memcmp (array->data, SCHEME_PATH, strlen (SCHEME_PATH)))
 		return NM_SETTING_802_1X_CK_SCHEME_PATH;
+	else if (   (array->len > strlen (SCHEME_HASH))
+	         && !memcmp (array->data, SCHEME_HASH, strlen (SCHEME_HASH)))
+		return NM_SETTING_802_1X_CK_SCHEME_HASH;
 
 	return NM_SETTING_802_1X_CK_SCHEME_BLOB;
 }
@@ -393,7 +397,8 @@ get_cert_scheme (GByteArray *array)
  *
  * Returns the scheme used to store the CA certificate.  If the returned scheme
  * is %NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob();
- * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path().
+ * if %NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path();
+ * if %NM_SETTING_802_1X_CK_SCHEME_HASH, use nm_setting_802_1x_get_ca_cert_hash().
  *
  * Returns: scheme used to store the CA certificate (blob or path)
  **/
@@ -481,6 +486,32 @@ nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_ca_cert_hash:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the CA certificate path if the CA certificate is stored using the
+ * %NM_SETTING_802_1X_CK_SCHEME_HASH scheme.  Not all EAP methods use a
+ * CA certificate (LEAP for example), and those that can take advantage of the
+ * CA certificate allow it to be unset.  Note that lack of a CA certificate
+ * reduces security by allowing man-in-the-middle attacks, because the identity
+ * of the network cannot be confirmed by the client.
+ *
+ * Returns: hash of the RADIUS server
+ **/
+const char *
+nm_setting_802_1x_get_ca_cert_hash (NMSetting8021x *setting)
+{
+	NMSetting8021xCKScheme scheme;
+
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	scheme = nm_setting_802_1x_get_ca_cert_scheme (setting);
+	g_return_val_if_fail (scheme == NM_SETTING_802_1X_CK_SCHEME_HASH, NULL);
+
+	return (const char *) (NM_SETTING_802_1X_GET_PRIVATE (setting)->ca_cert->data);
+}
+
+/**
  * nm_setting_802_1x_set_ca_cert:
  * @setting: the #NMSetting8021x
  * @value: when @scheme is set to either %NM_SETTING_802_1X_CK_SCHEME_PATH or
@@ -515,7 +546,8 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *self,
 	if (value) {
 		g_return_val_if_fail (g_utf8_validate (value, -1, NULL), FALSE);
 		g_return_val_if_fail (   scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB
-		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH,
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_PATH
+		                      || scheme == NM_SETTING_802_1X_CK_SCHEME_HASH,
 		                      FALSE);
 	}
 
@@ -533,6 +565,16 @@ nm_setting_802_1x_set_ca_cert (NMSetting8021x *self,
 	if (!value)
 		return TRUE;
 
+	if (scheme == NM_SETTING_802_1X_CK_SCHEME_HASH) {
+		int length = strlen (value);
+		if (!g_str_has_prefix (value, SCHEME_HASH))
+			return FALSE;
+		data = g_byte_array_sized_new (length + 1);
+		g_byte_array_append (data, (guint8 *) value, length + 1);
+		priv->ca_cert = data;
+		return TRUE;
+	}
+
 	data = crypto_load_and_verify_certificate (value, &format, error);
 	if (data) {
 		/* wpa_supplicant can only use raw x509 CA certs */
@@ -2802,6 +2844,13 @@ verify_cert (GByteArray *array, const char *prop_name, GError **error)
 				return TRUE;
 		}
 		break;
+	case NM_SETTING_802_1X_CK_SCHEME_HASH:
+		/* For hash-based schemes, verify that the has is zero-terminated */
+		if (array->data[array->len - 1] == '\0') {
+			if (g_str_has_prefix ((char *)array->data, SCHEME_HASH))
+				return TRUE;
+		}
+		break;
 	default:
 		break;
 	}
diff --git a/libnm-util/nm-setting-8021x.h b/libnm-util/nm-setting-8021x.h
index 930c1da..151b309 100644
--- a/libnm-util/nm-setting-8021x.h
+++ b/libnm-util/nm-setting-8021x.h
@@ -40,7 +40,8 @@ typedef enum {
 typedef enum {
 	NM_SETTING_802_1X_CK_SCHEME_UNKNOWN = 0,
 	NM_SETTING_802_1X_CK_SCHEME_BLOB,
-	NM_SETTING_802_1X_CK_SCHEME_PATH
+	NM_SETTING_802_1X_CK_SCHEME_PATH,
+	NM_SETTING_802_1X_CK_SCHEME_HASH
 } NMSetting8021xCKScheme;
 
 #define NM_TYPE_SETTING_802_1X            (nm_setting_802_1x_get_type ())
@@ -152,6 +153,7 @@ const char *      nm_setting_802_1x_get_phase2_ca_path               (NMSetting8
 NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme          (NMSetting8021x *setting);
 const GByteArray *     nm_setting_802_1x_get_ca_cert_blob            (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_ca_cert_path            (NMSetting8021x *setting);
+const char *           nm_setting_802_1x_get_ca_cert_hash            (NMSetting8021x *setting);
 gboolean               nm_setting_802_1x_set_ca_cert                 (NMSetting8021x *setting,
                                                                       const char *value,
                                                                       NMSetting8021xCKScheme scheme,
diff --git a/marshallers/nm-marshal.list b/marshallers/nm-marshal.list
index 359fbed..10efbe7 100644
--- a/marshallers/nm-marshal.list
+++ b/marshallers/nm-marshal.list
@@ -26,4 +26,5 @@ BOOLEAN:VOID
 VOID:STRING,BOOLEAN
 VOID:STRING,OBJECT,POINTER
 VOID:BOOLEAN,UINT
-
+VOID:INT,STRING,STRING
+VOID:INT,STRING,STRING,BOXED
diff --git a/src/nm-device-wifi.c b/src/nm-device-wifi.c
index b09d112..48c8725 100644
--- a/src/nm-device-wifi.c
+++ b/src/nm-device-wifi.c
@@ -55,10 +55,14 @@
 #include "nm-setting-ip4-config.h"
 #include "nm-setting-ip6-config.h"
 #include "nm-system.h"
+#include "nm-dbus-glib-types.h"
 
 static gboolean impl_device_get_access_points (NMDeviceWifi *device,
                                                GPtrArray **aps,
                                                GError **err);
+static gboolean impl_device_probe_ca_cert (NMDeviceWifi *device,
+                                           GByteArray *ssid,
+                                           GError **err);
 
 #include "nm-device-wifi-glue.h"
 
@@ -98,6 +102,7 @@ enum {
 	HIDDEN_AP_FOUND,
 	PROPERTIES_CHANGED,
 	SCANNING_ALLOWED,
+	CA_CERT_RECEIVED,
 
 	LAST_SIGNAL
 };
@@ -108,6 +113,7 @@ typedef enum {
 	NM_WIFI_ERROR_CONNECTION_NOT_WIRELESS = 0,
 	NM_WIFI_ERROR_CONNECTION_INVALID,
 	NM_WIFI_ERROR_CONNECTION_INCOMPATIBLE,
+	NM_WIFI_ERROR_INVALID_CA_PROBE,
 } NMWifiError;
 
 #define NM_WIFI_ERROR (nm_wifi_error_quark ())
@@ -134,6 +140,7 @@ typedef struct Supplicant {
 	guint iface_scan_results_id;
 	guint iface_con_state_id;
 	guint iface_notify_scanning_id;
+	guint iface_cert_id;
 
 	/* Timeouts and idles */
 	guint iface_con_error_cb_id;
@@ -259,6 +266,8 @@ nm_wifi_error_get_type (void)
 			ENUM_ENTRY (NM_WIFI_ERROR_CONNECTION_INVALID, "ConnectionInvalid"),
 			/* Connection does not apply to this device. */
 			ENUM_ENTRY (NM_WIFI_ERROR_CONNECTION_INCOMPATIBLE, "ConnectionIncompatible"),
+			/* CA Probe was not valid. */
+			ENUM_ENTRY (NM_WIFI_ERROR_INVALID_CA_PROBE, "InvalidCaProbe"),
 			{ 0, 0, 0 }
 		};
 		etype = g_enum_register_static ("NMWifiError", values);
@@ -1449,6 +1458,85 @@ impl_device_get_access_points (NMDeviceWifi *self,
 	return TRUE;
 }
 
+static void
+supplicant_iface_certification_cb (NMSupplicantInterface * iface,
+                                   const gint   depth,
+                                   const char * subject,
+                                   const char * hash,
+                                   NMDeviceWifi * self)
+{
+	NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE (self);
+	GHashTable *ca_cert;
+	char *data;
+
+	nm_log_info (LOGD_WIFI_SCAN, "Got Server Certificate: depth %d, subject %s, hash %s", depth, subject, hash);
+
+	if (depth != 0)
+		return;
+
+	ca_cert = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_free);
+	if (subject) {
+		data = g_strdup (subject);
+		g_hash_table_insert (ca_cert, "subject", data);
+	}
+	if (hash) {
+		data = g_strdup (hash);
+		g_hash_table_insert (ca_cert, "hash", data);
+	}
+
+	g_signal_emit (self, signals[CA_CERT_RECEIVED], 0, ca_cert);
+
+	g_hash_table_destroy (ca_cert);
+
+	if (priv->supplicant.iface_cert_id > 0) {
+		g_signal_handler_disconnect (priv->supplicant.iface, priv->supplicant.iface_cert_id);
+		priv->supplicant.iface_cert_id = 0;
+	}
+
+	nm_supplicant_interface_disconnect (iface);
+}
+
+static gboolean
+impl_device_probe_ca_cert (NMDeviceWifi *self,
+                           GByteArray *ssid,
+                           GError **err)
+{
+	NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE (self);
+	NMSupplicantConfig *config = NULL;
+	guint id;
+	gboolean ret = FALSE;
+
+	config = nm_supplicant_config_probe_new (ssid);
+	if (!config)
+		goto error;
+
+	/* Hook up signal handler to capture certification signal */
+	id = g_signal_connect (priv->supplicant.iface,
+	                       "certification",
+	                       G_CALLBACK (supplicant_iface_certification_cb),
+	                       self);
+	priv->supplicant.iface_cert_id = id;
+
+	if (!nm_supplicant_interface_set_config (priv->supplicant.iface, config))
+		goto error;
+
+	ret = TRUE;
+
+error:
+	if (!ret) {
+		g_set_error_literal (err,
+		                     NM_WIFI_ERROR,
+		                     NM_WIFI_ERROR_INVALID_CA_PROBE,
+		                     "Couldn't probe CA Certificate");
+		if (priv->supplicant.iface_cert_id) {
+			g_signal_handler_disconnect (priv->supplicant.iface, priv->supplicant.iface_cert_id);
+			priv->supplicant.iface_cert_id = 0;
+		}
+	}
+
+	return ret;
+}
+
 /*
  * nm_device_get_mode
  *
@@ -4084,6 +4172,16 @@ nm_device_wifi_class_init (NMDeviceWifiClass *klass)
 		              _nm_marshal_BOOLEAN__VOID,
 		              G_TYPE_BOOLEAN, 0);
 
+	signals[CA_CERT_RECEIVED] =
+		g_signal_new ("ca-cert-received",
+		              G_OBJECT_CLASS_TYPE (object_class),
+		              G_SIGNAL_RUN_FIRST,
+		              G_STRUCT_OFFSET (NMDeviceWifiClass, ca_cert_received),
+		              NULL, NULL,
+		              g_cclosure_marshal_VOID__BOXED,
+		              G_TYPE_NONE, 1,
+		              DBUS_TYPE_G_MAP_OF_STRING);
+
 	dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (klass), &dbus_glib_nm_device_wifi_object_info);
 
 	dbus_g_error_domain_register (NM_WIFI_ERROR, NULL, NM_TYPE_WIFI_ERROR);
diff --git a/src/nm-device-wifi.h b/src/nm-device-wifi.h
index 31ac5ad..eb12f5e 100644
--- a/src/nm-device-wifi.h
+++ b/src/nm-device-wifi.h
@@ -77,6 +77,7 @@ struct _NMDeviceWifiClass
 	void (*hidden_ap_found)      (NMDeviceWifi *device, NMAccessPoint *ap);
 	void (*properties_changed)   (NMDeviceWifi *device, GHashTable *properties);
 	gboolean (*scanning_allowed) (NMDeviceWifi *device);
+	void (*ca_cert_received)     (NMDeviceWifi *device, GHashTable *ca_cert);
 };
 
 
diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c
index 4e3ecab..4512c3d 100644
--- a/src/supplicant-manager/nm-supplicant-config.c
+++ b/src/supplicant-manager/nm-supplicant-config.c
@@ -173,6 +173,25 @@ nm_supplicant_config_add_option (NMSupplicantConfig *self,
 	return nm_supplicant_config_add_option_with_type (self, key, value, len, TYPE_INVALID, secret);
 }
 
+NMSupplicantConfig *
+nm_supplicant_config_probe_new (GByteArray *ssid)
+{
+	NMSupplicantConfig *probe_config;
+
+	if (!ssid)
+		return NULL;
+
+	probe_config = (NMSupplicantConfig *)g_object_new (NM_TYPE_SUPPLICANT_CONFIG, NULL);
+
+	nm_supplicant_config_add_option (probe_config, "ssid", (char *)ssid->data, ssid->len, FALSE);
+	nm_supplicant_config_add_option (probe_config, "key_mgmt", "WPA-EAP", -1, FALSE);
+	nm_supplicant_config_add_option (probe_config, "eap", "TTLS PEAP TLS", -1, FALSE);
+	nm_supplicant_config_add_option (probe_config, "identity", " ", -1, FALSE);
+	nm_supplicant_config_add_option (probe_config, "ca_cert", "probe://", -1, FALSE);
+
+	return probe_config;
+}
+
 static gboolean
 nm_supplicant_config_add_blob (NMSupplicantConfig *self,
                                const char *key,
@@ -836,6 +855,11 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 		if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
 			return FALSE;
 		break;
+	case NM_SETTING_802_1X_CK_SCHEME_HASH:
+		path = nm_setting_802_1x_get_ca_cert_hash (setting);
+		if (!add_string_val (self, path, "ca_cert", FALSE, FALSE))
+			return FALSE;
+		break;
 	default:
 		break;
 	}
diff --git a/src/supplicant-manager/nm-supplicant-config.h b/src/supplicant-manager/nm-supplicant-config.h
index dad23e2..135ed88 100644
--- a/src/supplicant-manager/nm-supplicant-config.h
+++ b/src/supplicant-manager/nm-supplicant-config.h
@@ -52,6 +52,8 @@ GType nm_supplicant_config_get_type (void);
 
 NMSupplicantConfig *nm_supplicant_config_new (void);
 
+NMSupplicantConfig *nm_supplicant_config_probe_new (GByteArray *ssid);
+
 guint32 nm_supplicant_config_get_ap_scan (NMSupplicantConfig *self);
 
 void nm_supplicant_config_set_ap_scan (NMSupplicantConfig *self,
diff --git a/src/supplicant-manager/nm-supplicant-interface.c b/src/supplicant-manager/nm-supplicant-interface.c
index a65a458..9c3ac52 100644
--- a/src/supplicant-manager/nm-supplicant-interface.c
+++ b/src/supplicant-manager/nm-supplicant-interface.c
@@ -80,6 +80,7 @@ enum {
 	SCAN_RESULTS,      /* scan results returned from supplicant */
 	CONNECTION_STATE,  /* link state of the device's connection */
 	CONNECTION_ERROR,  /* an error occurred during a connection request */
+	CERTIFICATION,     /* Got RADIUS server certificate */
 	LAST_SIGNAL
 };
 static guint nm_supplicant_interface_signals[LAST_SIGNAL] = { 0 };
@@ -489,6 +490,14 @@ nm_supplicant_interface_class_init (NMSupplicantInterfaceClass *klass)
 		              NULL, NULL,
 		              _nm_marshal_VOID__STRING_STRING,
 		              G_TYPE_NONE, 2, G_TYPE_STRING, G_TYPE_STRING);
+	nm_supplicant_interface_signals[CERTIFICATION] =
+		g_signal_new ("certification",
+		              G_OBJECT_CLASS_TYPE (object_class),
+		              G_SIGNAL_RUN_LAST,
+		              G_STRUCT_OFFSET (NMSupplicantInterfaceClass, certification),
+		              NULL, NULL,
+		              _nm_marshal_VOID__INT_STRING_STRING,
+		              G_TYPE_NONE, 3, G_TYPE_INT, G_TYPE_STRING, G_TYPE_STRING);
 }
 
 static void
@@ -784,6 +793,22 @@ nm_supplicant_interface_get_scanning (NMSupplicantInterface *self)
 }
 
 static void
+wpas_iface_handle_certification (DBusGProxy      *proxy,
+                                 const int        depth,
+                                 const char      *str_subject,
+                                 const char      *str_hash,
+				 const GPtrArray *cert_hex_array,
+                                 gpointer user_data)
+{
+	g_signal_emit (user_data,
+	               nm_supplicant_interface_signals[CERTIFICATION],
+	               0,
+	               depth,
+	               str_subject,
+	               str_hash);
+}
+
+static void
 nm_supplicant_interface_add_cb (DBusGProxy *proxy, DBusGProxyCall *call_id, gpointer user_data)
 {
 	NMSupplicantInfo *info = (NMSupplicantInfo *) user_data;
@@ -843,6 +868,17 @@ nm_supplicant_interface_add_cb (DBusGProxy *proxy, DBusGProxyCall *call_id, gpoi
 		                             info->interface,
 		                             NULL);
 
+		dbus_g_object_register_marshaller (_nm_marshal_VOID__INT_STRING_STRING_BOXED,
+		                                   G_TYPE_NONE,
+		                                   G_TYPE_INT, G_TYPE_STRING, G_TYPE_STRING, DBUS_TYPE_G_UCHAR_ARRAY,
+		                                   G_TYPE_INVALID);
+		dbus_g_proxy_add_signal (priv->iface_proxy, "Certification", G_TYPE_INT, G_TYPE_STRING, G_TYPE_STRING, DBUS_TYPE_G_UCHAR_ARRAY, G_TYPE_INVALID);
+
+		dbus_g_proxy_connect_signal (priv->iface_proxy, "Certification",
+		                             G_CALLBACK (wpas_iface_handle_certification),
+		                             info->interface,
+		                             NULL);
+
 		/* Interface added to the supplicant; get its initial state. */
 		wpas_iface_get_state (info->interface);
 		wpas_iface_get_scanning (info->interface);
diff --git a/src/supplicant-manager/nm-supplicant-interface.h b/src/supplicant-manager/nm-supplicant-interface.h
index bee5436..24cd261 100644
--- a/src/supplicant-manager/nm-supplicant-interface.h
+++ b/src/supplicant-manager/nm-supplicant-interface.h
@@ -112,6 +112,12 @@ typedef struct {
 	void (*connection_error) (NMSupplicantInterface * iface,
 	                          const char * name,
 	                          const char * message);
+
+	/* got the RADIUS server certificate */
+	void (*certification) (NMSupplicantInterface * iface,
+	                       const gint   depth,
+	                       const char * subject,
+	                       const char * hash);
 } NMSupplicantInterfaceClass;