Gnutls requires that certificates have basic constraints present to be used as a CA certificate. OpenSSL doesn't add this data by default, so add a sanity check to catch this situation. Also validate that the key usage and key purpose constraints contain correct data * src/rpc/virnettlscontext.c: Add sanity checking of certificate constraints --- src/rpc/virnettlscontext.c | 130 ++++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 126 insertions(+), 4 deletions(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 6a06565..7f088d2 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -98,6 +98,7 @@ static void virNetTLSLog(int level, const char *str) { static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, + bool isCA, const char *certFile) { gnutls_datum_t data; @@ -105,6 +106,14 @@ static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, char *buf = NULL; int ret = -1; time_t now; + int status; + int i; + char *buffer = NULL; + size_t size; + unsigned int usage; + + VIR_DEBUG("isServer %d isCA %d certFile %s", + isServer, isCA, certFile); if ((now = time(NULL)) == ((time_t)-1)) { virReportSystemError(errno, "%s", @@ -145,6 +154,117 @@ static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, goto cleanup; } + status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL); + VIR_DEBUG("Cert %s basic constraints %d", certFile, status); + + if (status > 0) { /* It is a CA cert */ + if (!isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %s basic constraints show a CA, but we need one for a %s"), + certFile, isServer ? "server" : "client"); + goto cleanup; + } + } else if (status == 0) { /* It is not a CA cert */ + if (isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %s basic constraints do not show a CA"), + certFile); + goto cleanup; + } + } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */ + if (isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %s is missing basic constraints for a CA"), + certFile); + goto cleanup; + } + } else { /* General error */ + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %s basic constraints %s"), + certFile, gnutls_strerror(status)); + goto cleanup; + } + + status = gnutls_x509_crt_get_key_usage(cert, &usage, NULL); + + VIR_DEBUG("Cert %s key usage status %d usage %d", certFile, status, usage); + if (status < 0) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %s basic constraints %s"), + certFile, gnutls_strerror(status)); + goto cleanup; + } + + if (usage & GNUTLS_KEY_KEY_CERT_SIGN) { + if (!isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s usage is for certificate signing, but wanted a %s certificate"), + certFile, isServer ? "server" : "client"); + goto cleanup; + } + } else { + if (isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s usage is for not certificate signing"), + certFile); + goto cleanup; + } + } + + for (i = 0 ; ; i++) { + size = 0; + status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL); + + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + VIR_DEBUG("No key purpose data available, skipping checks"); + break; + } + if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %s key purpose %s"), + certFile, gnutls_strerror(status)); + goto cleanup; + } + + if (VIR_ALLOC_N(buffer, size) < 0) { + virReportOOMError(); + goto cleanup; + } + + status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL); + if (status < 0) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %s key purpose %s"), + certFile, gnutls_strerror(status)); + goto cleanup; + } + + VIR_DEBUG("Key purpose %d %s", status, buffer); + if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { + if (isCA || !isServer) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is TLS server, but wanted a %s certificate"), + certFile, isCA ? "CA" : "TLS client"); + goto cleanup; + } + } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { + if (isCA || isServer) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is TLS client, but wanted a %s certificate"), + certFile, isCA ? "CA" : "TLS server"); + goto cleanup; + } + } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is wrong, wanted a %s certificate"), + certFile, isCA ? "CA" : (isServer ? "TLS server" : "TLS client")); + goto cleanup; + } + + VIR_FREE(buffer); + } + + ret = 0; cleanup: @@ -152,6 +272,7 @@ cleanup: gnutls_x509_crt_deinit(cert); cert = NULL; } + VIR_FREE(buffer); VIR_FREE(buf); return cert; } @@ -167,11 +288,11 @@ static int virNetTLSContextSanityCheckCredentials(bool isServer, unsigned int status; if (access(certFile, R_OK) == 0) { - if (!(cert = virNetTLSContextSanityCheckCert(isServer, certFile))) + if (!(cert = virNetTLSContextSanityCheckCert(isServer, false, certFile))) goto cleanup; } if (access(cacertFile, R_OK) == 0) { - if (!(cacert = virNetTLSContextSanityCheckCert(isServer, cacertFile))) + if (!(cacert = virNetTLSContextSanityCheckCert(isServer, true, cacertFile))) goto cleanup; } @@ -343,9 +464,10 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, goto error; } - if (virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0) + if (requireValidCert && + virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0) goto error; - + if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0) goto error; -- 1.7.4.4