From: Peter Krempa <pkrempa(a)redhat.com>
Since gnutls, and thus by extension libvirt, allows passing multiple
certificates in one file by concatenating them, virt-pki-validate ought
to validate the hostname of all of them instead of only the first one,
to prevent issues when the wrong certs are concatenated.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tools/virt-pki-validate.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/tools/virt-pki-validate.c b/tools/virt-pki-validate.c
index e693ffaed6..a8ea396550 100644
--- a/tools/virt-pki-validate.c
+++ b/tools/virt-pki-validate.c
@@ -283,19 +283,29 @@ virPKIValidateIdentity(bool isServer, bool system, const char
*path)
}
if (isServer) {
- gnutls_x509_crt_t crt;
+ gnutls_x509_crt_t crts[16] = { 0 };
+ size_t ncrts = 0;
virValidateCheck(scope, "%s", _("Checking cert hostname
match"));
- if (!(crt = virNetTLSCertLoadFromFile(cert, true))) {
+ if (virNetTLSCertLoadListFromFile(cert, crts, 16, &ncrts) < 0) {
virValidateFail(VIR_VALIDATE_FAIL,
_("Unable to load %1$s: %2$s"),
cert, virGetLastErrorMessage());
+ ok = false;
} else {
g_autofree char *hostname = virGetHostname();
- int ret = gnutls_x509_crt_check_hostname(crt, hostname);
- gnutls_x509_crt_deinit(crt);
- if (!ret) {
+ bool mismatch = false;
+ size_t i;
+
+ for (i = 0; i < ncrts; i++) {
+ if (gnutls_x509_crt_check_hostname(crts[i], hostname) == 0)
+ mismatch = true;
+
+ gnutls_x509_crt_deinit(crts[i]);
+ }
+
+ if (mismatch) {
/* Only warning, since there can be valid reasons for mis-match */
virValidateFail(VIR_VALIDATE_WARN,
_("Certificate %1$s owner does not match the
hostname %2$s"),
--
2.50.0