Re: [libvirt] [PATCH] Add sanity checking of basic contraints, key purpose & key usage

Gnutls requires that certificates have basic constraints present to be used as a CA certificate. OpenSSL doesn't add this data by default, so add a sanity check to catch this situation. Also validate that the key usage and key purpose constraints contain correct data * src/rpc/virnettlscontext.c: Add sanity checking of certificate constraints --- src/rpc/virnettlscontext.c | 130 ++++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 126 insertions(+), 4 deletions(-)

@@ -145,6 +154,117 @@ static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, goto cleanup; } + status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL); + VIR_DEBUG("Cert %s basic constraints %d", certFile, status); + + if (status > 0) { /* It is a CA cert */ + if (!isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %s basic constraints show a CA, but we need one for a %s"), + certFile, isServer ? "server" : "client");

+ + if (usage & GNUTLS_KEY_KEY_CERT_SIGN) { + if (!isCA) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s usage is for certificate signing, but wanted a %s certificate"), + certFile, isServer ? "server" : "client");

+ + VIR_DEBUG("Key purpose %d %s", status, buffer); + if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { + if (isCA || !isServer) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is TLS server, but wanted a %s certificate"), + certFile, isCA ? "CA" : "TLS client");

+ goto cleanup; + } + } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { + if (isCA || isServer) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is TLS client, but wanted a %s certificate"), + certFile, isCA ? "CA" : "TLS server"); + goto cleanup; + } + } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) { + virNetError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %s purpose is wrong, wanted a %s certificate"), + certFile, isCA ? "CA" : (isServer ? "TLS server" : "TLS client"));