From: Peter Krempa <pkrempa(a)redhat.com>
Similarly to how we iterate the list of CAs in the concatenated bundle
there's a possibility of the server/client certificates to be
concatenated as well.
If in some case the first certificate is okay but the further ones have,
e.g., invalid signatures, the validation code would not reject them, but
we'd encounter failures later when gnutls tries to use them.
Iterate also the client/server certs rather than just the CAs.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/rpc/virnettlscert.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 3efc4f0716..2724f55bbe 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -442,38 +442,43 @@ int virNetTLSCertSanityCheck(bool isServer,
const char *cacertFile,
const char *certFile)
{
- gnutls_x509_crt_t cert = NULL;
+ gnutls_x509_crt_t certs[MAX_CERTS] = { 0 };
+ size_t ncerts = 0;
gnutls_x509_crt_t cacerts[MAX_CERTS] = { 0 };
size_t ncacerts = 0;
size_t i;
int ret = -1;
if ((access(certFile, R_OK) == 0) &&
- !(cert = virNetTLSCertLoadFromFile(certFile, isServer)))
+ virNetTLSCertLoadListFromFile(certFile, certs, MAX_CERTS, &ncerts) < 0)
goto cleanup;
+
if ((access(cacertFile, R_OK) == 0) &&
virNetTLSCertLoadListFromFile(cacertFile, cacerts,
MAX_CERTS, &ncacerts) < 0)
goto cleanup;
- if (cert &&
- virNetTLSCertCheck(cert, certFile, isServer, false) < 0)
- goto cleanup;
-
for (i = 0; i < ncacerts; i++) {
- if (virNetTLSCertCheck(cacerts[i], cacertFile, isServer, true) < 0)
+ g_autofree char *cacertid = g_strdup_printf("%s[%zu]", cacertFile, i);
+ if (virNetTLSCertCheck(cacerts[i], cacertid, isServer, true) < 0)
goto cleanup;
}
- if (cert && ncacerts &&
- virNetTLSCertCheckPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer)
< 0)
- goto cleanup;
+ for (i = 0; i < ncerts; i++) {
+ g_autofree char *certid = g_strdup_printf("%s[%zu]", certFile, i);
+ if (virNetTLSCertCheck(certs[i], certid, isServer, false) < 0)
+ goto cleanup;
+
+ if (ncacerts &&
+ virNetTLSCertCheckPair(certs[i], certid, cacerts, ncacerts, cacertFile,
isServer) < 0)
+ goto cleanup;
+ }
ret = 0;
cleanup:
- if (cert)
- gnutls_x509_crt_deinit(cert);
+ for (i = 0; i < ncerts; i++)
+ gnutls_x509_crt_deinit(certs[i]);
for (i = 0; i < ncacerts; i++)
gnutls_x509_crt_deinit(cacerts[i]);
return ret;
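Review bot: The new loop calls `virNetTLSCertCheckPair(certs[i], certid, cacerts, ncacerts, cacertFile, isServer)` on every certificate from certFile individually, so if that helper verifies direct issuance by one of cacerts (as its per-certificate signature suggests) a certFile holding the leaf plus its intermediate CA would now fail the sanity check on the leaf, and the preceding `virNetTLSCertCheck(certs[i], certid, isServer, false)` would also treat the intermediate as a non-CA certificate; neither helper is visible here, so please confirm. If concatenated chains are meant to be rejected that way, state it above the loop: `/* Each certificate in certFile is checked on its own: it must be an end-entity cert issued directly by a CA in cacertFile; intermediates belong in the CA bundle. */`. Otherwise the pair check should hand the whole list (`certs`, `ncerts`) to the verifier once so the chain is validated the same way gnutls will later use it. The closing brace of virNetTLSCertSanityCheck lies past the end of the hunk.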
--
2.50.0