We'll want to access these paths from outside the TLS context code, so split them into a standalone file. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/rpc/meson.build | 6 +- src/rpc/virnettlsconfig.c | 202 +++++++++++++++++++++++++++++++++++++ src/rpc/virnettlsconfig.h | 68 +++++++++++++ src/rpc/virnettlscontext.c | 70 ++----------- 4 files changed, 285 insertions(+), 61 deletions(-) create mode 100644 src/rpc/virnettlsconfig.c create mode 100644 src/rpc/virnettlsconfig.h diff --git a/src/rpc/meson.build b/src/rpc/meson.build index 9d98bc6259..d11d532d0f 100644 --- a/src/rpc/meson.build +++ b/src/rpc/meson.build @@ -1,6 +1,10 @@ gendispatch_prog = find_program('gendispatch.pl') -socket_sources = [ +tlsconfig_sources = [ + files('virnettlsconfig.c'), +] + +socket_sources = tlsconfig_sources + [ 'virnettlscontext.c', 'virnetsocket.c', ] diff --git a/src/rpc/virnettlsconfig.c b/src/rpc/virnettlsconfig.c new file mode 100644 index 0000000000..d020083d6a --- /dev/null +++ b/src/rpc/virnettlsconfig.c @@ -0,0 +1,202 @@ +/* + * virnettlsconfig.c: TLS x509 configuration helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include "virnettlsconfig.h" +#include "virlog.h" +#include "virutil.h" + +#define VIR_FROM_THIS VIR_FROM_RPC + +VIR_LOG_INIT("rpc.nettlscontext"); + +char *virNetTLSConfigUserPKIBaseDir(void) +{ + g_autofree char *userdir = virGetUserDirectory(); + + return g_strdup_printf("%s/.pki/libvirt", userdir); +} + +static void virNetTLSConfigTrust(const char *cacertdir, + const char *cacrldir, + char **cacert, + char **cacrl) +{ + if (!*cacert) + *cacert = g_strdup_printf("%s/%s", cacertdir, "cacert.pem"); + if (!*cacrl) + *cacrl = g_strdup_printf("%s/%s", cacrldir, "cacrl.pem"); + + VIR_DEBUG("TLS CA cert %s", *cacert); + VIR_DEBUG("TLS CA CRL %s", *cacrl); +} + +static void virNetTLSConfigIdentity(int isServer, + const char *certdir, + const char *keydir, + char **cert, + char **key) +{ + if (!*key) + *key = g_strdup_printf("%s/%s", keydir, + isServer ? "serverkey.pem" : "clientkey.pem"); + if (!*cert) + *cert = g_strdup_printf("%s/%s", certdir, + isServer ? "servercert.pem" : "clientcert.pem"); + + VIR_DEBUG("TLS key %s", *key); + VIR_DEBUG("TLS cert %s", *cert); +} + +void virNetTLSConfigCustomTrust(const char *pkipath, + char **cacert, + char **cacrl) +{ + VIR_DEBUG("Locating trust chain in custom dir %s", pkipath); + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); +} + +void virNetTLSConfigUserTrust(char **cacert, + char **cacrl) +{ + g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating trust chain in user dir %s", pkipath); + + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); +} + +void virNetTLSConfigSystemTrust(char **cacert, + char **cacrl) +{ + VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigTrust(LIBVIRT_CACERT_DIR, + LIBVIRT_CACRL_DIR, + cacert, + cacrl); +} + +void virNetTLSConfigCustomIdentity(const char *pkipath, + int isServer, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in custom dir %s", pkipath); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigUserIdentity(int isServer, + char **cert, + char **key) +{ + g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating creds in user dir %s", pkipath); + + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigSystemIdentity(int isServer, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigIdentity(isServer, + LIBVIRT_CERT_DIR, + LIBVIRT_KEY_DIR, + cert, + key); +} + +void virNetTLSConfigCustomCreds(const char *pkipath, + int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in custom dir %s", pkipath); + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigUserCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating creds in user dir %s", pkipath); + + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigSystemCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigTrust(LIBVIRT_CACERT_DIR, + LIBVIRT_CACRL_DIR, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + LIBVIRT_CERT_DIR, + LIBVIRT_KEY_DIR, + cert, + key); +} diff --git a/src/rpc/virnettlsconfig.h b/src/rpc/virnettlsconfig.h new file mode 100644 index 0000000000..797b3e3ac5 --- /dev/null +++ b/src/rpc/virnettlsconfig.h @@ -0,0 +1,68 @@ +/* + * virnettlsconfig.h: TLS x509 configuration helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "configmake.h" + +#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki" +#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA" +#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA" +#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private" +#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt" + +char *virNetTLSConfigUserPKIBaseDir(void); + +void virNetTLSConfigCustomTrust(const char *pkipath, + char **cacert, + char **cacrl); +void virNetTLSConfigUserTrust(char **cacert, + char **cacrl); +void virNetTLSConfigSystemTrust(char **cacert, + char **cacrl); + +void virNetTLSConfigCustomIdentity(const char *pkipath, + int isServer, + char **cert, + char **key); +void virNetTLSConfigUserIdentity(int isServer, + char **cert, + char **key); +void virNetTLSConfigSystemIdentity(int isServer, + char **cert, + char **key); + + +void virNetTLSConfigCustomCreds(const char *pkipath, + int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +void virNetTLSConfigUserCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +void virNetTLSConfigSystemCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index dc60244927..4223043bc9 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -27,6 +27,7 @@ #include <gnutls/x509.h> #include "virnettlscontext.h" +#include "virnettlsconfig.h" #include "virstring.h" #include "viralloc.h" @@ -36,15 +37,6 @@ #include "virlog.h" #include "virprobe.h" #include "virthread.h" -#include "configmake.h" - -#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki" -#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem" -#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem" -#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem" -#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem" -#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem" -#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem" #define VIR_FROM_THIS VIR_FROM_RPC @@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char *pkipath, char **cert, char **key) { - char *userdir = NULL; - char *user_pki_path = NULL; - *cacert = NULL; *cacrl = NULL; *key = NULL; @@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const char *pkipath, * files actually exist there */ if (pkipath) { - VIR_DEBUG("Told to use TLS credentials in %s", pkipath); - *cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem"); - *cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem"); - *key = g_strdup_printf("%s/%s", pkipath, - isServer ? "serverkey.pem" : "clientkey.pem"); - - *cert = g_strdup_printf("%s/%s", pkipath, - isServer ? "servercert.pem" : "clientcert.pem"); + virNetTLSConfigCustomCreds(pkipath, isServer, + cacert, cacrl, + cert, key); } else if (tryUserPkiPath) { - /* Check to see if $HOME/.pki contains at least one of the - * files and if so, use that - */ - userdir = virGetUserDirectory(); - - user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir); - - VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path); - - *cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem"); - - *cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem"); - - *key = g_strdup_printf("%s/%s", user_pki_path, - isServer ? "serverkey.pem" : "clientkey.pem"); - - *cert = g_strdup_printf("%s/%s", user_pki_path, - isServer ? "servercert.pem" : "clientcert.pem"); + virNetTLSConfigUserCreds(isServer, + cacert, cacrl, + cert, key); /* * If some of the files can't be found, fallback @@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const char *pkipath, } } - /* No explicit path, or user path didn't exist, so - * fallback to global defaults - */ - if (!*cacert) { - VIR_DEBUG("Using default TLS CA certificate path"); - *cacert = g_strdup(LIBVIRT_CACERT); - } - - if (!*cacrl) { - VIR_DEBUG("Using default TLS CA revocation list path"); - *cacrl = g_strdup(LIBVIRT_CACRL); - } - - if (!*key && !*cert) { - VIR_DEBUG("Using default TLS key/certificate path"); - *key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY); - - *cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT); - } - - VIR_FREE(user_pki_path); - VIR_FREE(userdir); + virNetTLSConfigSystemCreds(isServer, + cacert, cacrl, + cert, key); return 0; } -- 2.43.0

The TLS cert validation logic will be reused for the new impl of the virt-pki-validate tool. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- po/POTFILES | 1 + src/rpc/meson.build | 1 + src/rpc/virnettlscert.c | 553 +++++++++++++++++++++++++++++++++++++ src/rpc/virnettlscert.h | 42 +++ src/rpc/virnettlscontext.c | 535 +---------------------------------- 5 files changed, 606 insertions(+), 526 deletions(-) create mode 100644 src/rpc/virnettlscert.c create mode 100644 src/rpc/virnettlscert.h diff --git a/po/POTFILES b/po/POTFILES index 4ad7e19e08..0f68c652eb 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -219,6 +219,7 @@ src/rpc/virnetserverprogram.c src/rpc/virnetserverservice.c src/rpc/virnetsocket.c src/rpc/virnetsshsession.c +src/rpc/virnettlscert.c src/rpc/virnettlscontext.c src/secret/secret_driver.c src/security/security_apparmor.c diff --git a/src/rpc/meson.build b/src/rpc/meson.build index d11d532d0f..8bdbf5c88f 100644 --- a/src/rpc/meson.build +++ b/src/rpc/meson.build @@ -2,6 +2,7 @@ gendispatch_prog = find_program('gendispatch.pl') tlsconfig_sources = [ files('virnettlsconfig.c'), + files('virnettlscert.c'), ] socket_sources = tlsconfig_sources + [ diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c new file mode 100644 index 0000000000..2e1e4c56d5 --- /dev/null +++ b/src/rpc/virnettlscert.c @@ -0,0 +1,553 @@ +/* + * virnettlscert.c: TLS x509 certificate helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#include <config.h> + +#include "virnettlscert.h" + +#include "viralloc.h" +#include "virfile.h" +#include "virlog.h" +#include "virerror.h" + +#define VIR_FROM_THIS VIR_FROM_NONE + +VIR_LOG_INIT("rpc.nettlscert"); + +static int virNetTLSCertCheckTimes(gnutls_x509_crt_t cert, + const char *certFile, + bool isServer, + bool isCA) +{ + time_t now; + + if ((now = time(NULL)) == ((time_t)-1)) { + virReportSystemError(errno, "%s", + _("cannot get current time")); + return -1; + } + + if (gnutls_x509_crt_get_expiration_time(cert) < now) { + virReportError(VIR_ERR_SYSTEM_ERROR, + (isCA ? + _("The CA certificate %1$s has expired") : + (isServer ? + _("The server certificate %1$s has expired") : + _("The client certificate %1$s has expired"))), + certFile); + return -1; + } + + if (gnutls_x509_crt_get_activation_time(cert) > now) { + virReportError(VIR_ERR_SYSTEM_ERROR, + (isCA ? + _("The CA certificate %1$s is not yet active") : + (isServer ? + _("The server certificate %1$s is not yet active") : + _("The client certificate %1$s is not yet active"))), + certFile); + return -1; + } + + return 0; +} + + +static int virNetTLSCertCheckBasicConstraints(gnutls_x509_crt_t cert, + const char *certFile, + bool isServer, + bool isCA) +{ + int status; + + status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL); + VIR_DEBUG("Cert %s basic constraints %d", certFile, status); + + if (status > 0) { /* It is a CA cert */ + if (!isCA) { + virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("The certificate %1$s basic constraints show a CA, but we need one for a server") : + _("The certificate %1$s basic constraints show a CA, but we need one for a client"), + certFile); + return -1; + } + } else if (status == 0) { /* It is not a CA cert */ + if (isCA) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %1$s basic constraints do not show a CA"), + certFile); + return -1; + } + } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */ + if (isCA) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("The certificate %1$s is missing basic constraints for a CA"), + certFile); + return -1; + } + } else { /* General error */ + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %1$s basic constraints %2$s"), + certFile, gnutls_strerror(status)); + return -1; + } + + return 0; +} + + +static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, + const char *certFile, + bool isCA) +{ + int status; + unsigned int usage = 0; + unsigned int critical = 0; + + status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical); + + VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical); + if (status < 0) { + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN : + GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; + } else { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %1$s key usage %2$s"), + certFile, gnutls_strerror(status)); + return -1; + } + } + + if (isCA) { + if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) { + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s usage does not permit certificate signing"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s usage does not permit certificate signing", + certFile); + } + } + } else { + if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s usage does not permit digital signature"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s usage does not permit digital signature", + certFile); + } + } + if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s usage does not permit key encipherment"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s usage does not permit key encipherment", + certFile); + } + } + } + + return 0; +} + + +static int virNetTLSCertCheckKeyPurpose(gnutls_x509_crt_t cert, + const char *certFile, + bool isServer) +{ + int status; + size_t i; + unsigned int purposeCritical; + unsigned int critical; + char *buffer = NULL; + size_t size; + bool allowClient = false, allowServer = false; + + critical = 0; + for (i = 0; ; i++) { + size = 0; + status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL); + + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + VIR_DEBUG("No key purpose data available at slot %zu", i); + + /* If there is no data at all, then we must allow client/server to pass */ + if (i == 0) + allowServer = allowClient = true; + break; + } + if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %1$s key purpose %2$s"), + certFile, gnutls_strerror(status)); + return -1; + } + + buffer = g_new0(char, size); + status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical); + if (status < 0) { + VIR_FREE(buffer); + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to query certificate %1$s key purpose %2$s"), + certFile, gnutls_strerror(status)); + return -1; + } + if (purposeCritical) + critical = true; + + VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical); + if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { + allowServer = true; + } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { + allowClient = true; + } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) { + allowServer = allowClient = true; + } + + VIR_FREE(buffer); + } + + if (isServer) { + if (!allowServer) { + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s purpose does not allow use for with a TLS server"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s purpose does not allow use for with a TLS server", + certFile); + } + } + } else { + if (!allowClient) { + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s purpose does not allow use for with a TLS client"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s purpose does not allow use for with a TLS client", + certFile); + } + } + } + + return 0; +} + +/* Check DN is on tls_allowed_dn_list. */ +static int +virNetTLSCertCheckDNACL(const char *dname, + const char *const *wildcards) +{ + while (*wildcards) { + if (g_pattern_match_simple(*wildcards, dname)) + return 1; + + wildcards++; + } + + /* Log the client's DN for debugging */ + VIR_DEBUG("Failed ACL check for client DN '%s'", dname); + + /* This is the most common error: make it informative. */ + virReportError(VIR_ERR_SYSTEM_ERROR, "%s", + _("Client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'virt-pki-query-dn clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); + return 0; +} + + +static int +virNetTLSCertCheckDN(gnutls_x509_crt_t cert, + const char *certFile, + const char *hostname, + const char *dname, + const char *const *acl) +{ + if (acl && dname && + virNetTLSCertCheckDNACL(dname, acl) <= 0) + return -1; + + if (hostname && + !gnutls_x509_crt_check_hostname(cert, hostname)) { + virReportError(VIR_ERR_RPC, + _("Certificate %1$s owner does not match the hostname %2$s"), + certFile, hostname); + return -1; + } + + return 0; +} + + +static int virNetTLSCertCheck(gnutls_x509_crt_t cert, + const char *certFile, + bool isServer, + bool isCA) +{ + if (virNetTLSCertCheckTimes(cert, certFile, isServer, isCA) < 0) + return -1; + + if (virNetTLSCertCheckBasicConstraints(cert, certFile, isServer, isCA) < 0) + return -1; + + if (virNetTLSCertCheckKeyUsage(cert, certFile, isCA) < 0) + return -1; + + if (!isCA && + virNetTLSCertCheckKeyPurpose(cert, certFile, isServer) < 0) + return -1; + + return 0; +} + + +static int virNetTLSCertCheckPair(gnutls_x509_crt_t cert, + const char *certFile, + gnutls_x509_crt_t *cacerts, + size_t ncacerts, + const char *cacertFile, + bool isServer) +{ + unsigned int status; + + if (gnutls_x509_crt_list_verify(&cert, 1, + cacerts, ncacerts, + NULL, 0, + 0, &status) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("Unable to verify server certificate %1$s against CA certificate %2$s") : + _("Unable to verify client certificate %1$s against CA certificate %2$s"), + certFile, cacertFile); + return -1; + } + + if (status != 0) { + const char *reason = _("Invalid certificate"); + + if (status & GNUTLS_CERT_INVALID) + reason = _("The certificate is not trusted."); + + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + reason = _("The certificate hasn't got a known issuer."); + + if (status & GNUTLS_CERT_REVOKED) + reason = _("The certificate has been revoked."); + + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) + reason = _("The certificate uses an insecure algorithm"); + + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Our own certificate %1$s failed validation against %2$s: %3$s"), + certFile, cacertFile, reason); + return -1; + } + + return 0; +} + + +gnutls_x509_crt_t virNetTLSCertLoadFromFile(const char *certFile, + bool isServer) +{ + gnutls_datum_t data; + gnutls_x509_crt_t cert = NULL; + g_autofree char *buf = NULL; + int ret = -1; + + VIR_DEBUG("isServer %d certFile %s", + isServer, certFile); + + if (gnutls_x509_crt_init(&cert) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, "%s", + _("Unable to initialize certificate")); + goto cleanup; + } + + if (virFileReadAll(certFile, (1<<16), &buf) < 0) + goto cleanup; + + data.data = (unsigned char *)buf; + data.size = strlen(buf); + + if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? + _("Unable to import server certificate %1$s") : + _("Unable to import client certificate %1$s"), + certFile); + goto cleanup; + } + + ret = 0; + + cleanup: + if (ret != 0) { + g_clear_pointer(&cert, gnutls_x509_crt_deinit); + } + return cert; +} + + +static int virNetTLSCertLoadCAListFromFile(const char *certFile, + gnutls_x509_crt_t *certs, + unsigned int certMax, + size_t *ncerts) +{ + gnutls_datum_t data; + g_autofree char *buf = NULL; + + *ncerts = 0; + VIR_DEBUG("certFile %s", certFile); + + if (virFileReadAll(certFile, (1<<16), &buf) < 0) + return -1; + + data.data = (unsigned char *)buf; + data.size = strlen(buf); + + if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to import CA certificate list %1$s"), + certFile); + return -1; + } + *ncerts = certMax; + + return 0; +} + + +#define MAX_CERTS 16 +int virNetTLSCertSanityCheck(bool isServer, + const char *cacertFile, + const char *certFile) +{ + gnutls_x509_crt_t cert = NULL; + gnutls_x509_crt_t cacerts[MAX_CERTS] = { 0 }; + size_t ncacerts = 0; + size_t i; + int ret = -1; + + if ((access(certFile, R_OK) == 0) && + !(cert = virNetTLSCertLoadFromFile(certFile, isServer))) + goto cleanup; + if ((access(cacertFile, R_OK) == 0) && + virNetTLSCertLoadCAListFromFile(cacertFile, cacerts, + MAX_CERTS, &ncacerts) < 0) + goto cleanup; + + if (cert && + virNetTLSCertCheck(cert, certFile, isServer, false) < 0) + goto cleanup; + + for (i = 0; i < ncacerts; i++) { + if (virNetTLSCertCheck(cacerts[i], cacertFile, isServer, true) < 0) + goto cleanup; + } + + if (cert && ncacerts && + virNetTLSCertCheckPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0) + goto cleanup; + + ret = 0; + + cleanup: + if (cert) + gnutls_x509_crt_deinit(cert); + for (i = 0; i < ncacerts; i++) + gnutls_x509_crt_deinit(cacerts[i]); + return ret; +} + +int virNetTLSCertValidateCA(gnutls_x509_crt_t cert, + bool isServer) +{ + if (virNetTLSCertCheckTimes(cert, "[session]", + isServer, true) < 0) { + return -1; + } + return 0; +} + +char *virNetTLSCertValidate(gnutls_x509_crt_t cert, + bool isServer, + const char *hostname, + const char *const *x509dnACL) +{ + size_t dnamesize = 256; + g_autofree char *dname = g_new0(char, dnamesize); + int ret; + + if (virNetTLSCertCheckTimes(cert, "[session]", + isServer, false) < 0) { + return NULL; + } + + ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize); + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + VIR_DEBUG("Reallocating dname to fit %zu bytes", dnamesize); + dname = g_realloc(dname, dnamesize); + ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize); + } + if (ret != 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Failed to get certificate %1$s distinguished name: %2$s"), + "[session]", gnutls_strerror(ret)); + return NULL; + } + + VIR_DEBUG("Peer DN is %s", dname); + + if (virNetTLSCertCheckDN(cert, "[session]", hostname, + dname, x509dnACL) < 0) { + return NULL; + } + + /* !isServer, since on the client, we're validating the + * server's cert, and on the server, the client's cert + */ + if (virNetTLSCertCheckBasicConstraints(cert, "[session]", + !isServer, false) < 0) { + return NULL; + } + + if (virNetTLSCertCheckKeyUsage(cert, "[session]", + false) < 0) { + return NULL; + } + + /* !isServer - as above */ + if (virNetTLSCertCheckKeyPurpose(cert, "[session]", + !isServer) < 0) { + return NULL; + } + + return g_steal_pointer(&dname); +} diff --git a/src/rpc/virnettlscert.h b/src/rpc/virnettlscert.h new file mode 100644 index 0000000000..0ac511a141 --- /dev/null +++ b/src/rpc/virnettlscert.h @@ -0,0 +1,42 @@ +/* + * virnettlscert.h: TLS x509 certificate helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * <http://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> +#include <gnutls/x509.h> + +#include "internal.h" + +int virNetTLSCertSanityCheck(bool isServer, + const char *cacertFile, + const char *certFile); + +int virNetTLSCertValidateCA(gnutls_x509_crt_t cert, + bool isServer); + +char *virNetTLSCertValidate(gnutls_x509_crt_t cert, + bool isServer, + const char *hostname, + const char *const *x509dnACL); + +gnutls_x509_crt_t virNetTLSCertLoadFromFile(const char *certFile, + bool isServer); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index a56abee009..e8023133b4 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -28,6 +28,7 @@ #include "virnettlscontext.h" #include "virnettlsconfig.h" +#include "virnettlscert.h" #include "virstring.h" #include "viralloc.h" @@ -110,466 +111,6 @@ static void virNetTLSLog(int level G_GNUC_UNUSED, } -static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert, - const char *certFile, - bool isServer, - bool isCA) -{ - time_t now; - - if ((now = time(NULL)) == ((time_t)-1)) { - virReportSystemError(errno, "%s", - _("cannot get current time")); - return -1; - } - - if (gnutls_x509_crt_get_expiration_time(cert) < now) { - virReportError(VIR_ERR_SYSTEM_ERROR, - (isCA ? - _("The CA certificate %1$s has expired") : - (isServer ? - _("The server certificate %1$s has expired") : - _("The client certificate %1$s has expired"))), - certFile); - return -1; - } - - if (gnutls_x509_crt_get_activation_time(cert) > now) { - virReportError(VIR_ERR_SYSTEM_ERROR, - (isCA ? - _("The CA certificate %1$s is not yet active") : - (isServer ? - _("The server certificate %1$s is not yet active") : - _("The client certificate %1$s is not yet active"))), - certFile); - return -1; - } - - return 0; -} - - -static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert, - const char *certFile, - bool isServer, - bool isCA) -{ - int status; - - status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL); - VIR_DEBUG("Cert %s basic constraints %d", certFile, status); - - if (status > 0) { /* It is a CA cert */ - if (!isCA) { - virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? - _("The certificate %1$s basic constraints show a CA, but we need one for a server") : - _("The certificate %1$s basic constraints show a CA, but we need one for a client"), - certFile); - return -1; - } - } else if (status == 0) { /* It is not a CA cert */ - if (isCA) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("The certificate %1$s basic constraints do not show a CA"), - certFile); - return -1; - } - } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */ - if (isCA) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("The certificate %1$s is missing basic constraints for a CA"), - certFile); - return -1; - } - } else { /* General error */ - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to query certificate %1$s basic constraints %2$s"), - certFile, gnutls_strerror(status)); - return -1; - } - - return 0; -} - - -static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert, - const char *certFile, - bool isCA) -{ - int status; - unsigned int usage = 0; - unsigned int critical = 0; - - status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical); - - VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical); - if (status < 0) { - if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; - } else { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to query certificate %1$s key usage %2$s"), - certFile, gnutls_strerror(status)); - return -1; - } - } - - if (isCA) { - if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit certificate signing"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit certificate signing", - certFile); - } - } - } else { - if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit digital signature"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit digital signature", - certFile); - } - } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key encipherment", - certFile); - } - } - } - - return 0; -} - - -static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert, - const char *certFile, - bool isServer) -{ - int status; - size_t i; - unsigned int purposeCritical; - unsigned int critical; - char *buffer = NULL; - size_t size; - bool allowClient = false, allowServer = false; - - critical = 0; - for (i = 0; ; i++) { - size = 0; - status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL); - - if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - VIR_DEBUG("No key purpose data available at slot %zu", i); - - /* If there is no data at all, then we must allow client/server to pass */ - if (i == 0) - allowServer = allowClient = true; - break; - } - if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to query certificate %1$s key purpose %2$s"), - certFile, gnutls_strerror(status)); - return -1; - } - - buffer = g_new0(char, size); - status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical); - if (status < 0) { - VIR_FREE(buffer); - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to query certificate %1$s key purpose %2$s"), - certFile, gnutls_strerror(status)); - return -1; - } - if (purposeCritical) - critical = true; - - VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical); - if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { - allowServer = true; - } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { - allowClient = true; - } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) { - allowServer = allowClient = true; - } - - VIR_FREE(buffer); - } - - if (isServer) { - if (!allowServer) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s purpose does not allow use for with a TLS server"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s purpose does not allow use for with a TLS server", - certFile); - } - } - } else { - if (!allowClient) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s purpose does not allow use for with a TLS client"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s purpose does not allow use for with a TLS client", - certFile); - } - } - } - - return 0; -} - -/* Check DN is on tls_allowed_dn_list. */ -static int -virNetTLSContextCheckCertDNACL(const char *dname, - const char *const *wildcards) -{ - while (*wildcards) { - if (g_pattern_match_simple(*wildcards, dname)) - return 1; - - wildcards++; - } - - /* Log the client's DN for debugging */ - VIR_DEBUG("Failed ACL check for client DN '%s'", dname); - - /* This is the most common error: make it informative. */ - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("Client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'virt-pki-query-dn clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.")); - return 0; -} - - -static int -virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert, - const char *certFile, - const char *hostname, - const char *dname, - const char *const *acl) -{ - if (acl && dname && - virNetTLSContextCheckCertDNACL(dname, acl) <= 0) - return -1; - - if (hostname && - !gnutls_x509_crt_check_hostname(cert, hostname)) { - virReportError(VIR_ERR_RPC, - _("Certificate %1$s owner does not match the hostname %2$s"), - certFile, hostname); - return -1; - } - - return 0; -} - - -static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert, - const char *certFile, - bool isServer, - bool isCA) -{ - if (virNetTLSContextCheckCertTimes(cert, certFile, - isServer, isCA) < 0) - return -1; - - if (virNetTLSContextCheckCertBasicConstraints(cert, certFile, - isServer, isCA) < 0) - return -1; - - if (virNetTLSContextCheckCertKeyUsage(cert, certFile, - isCA) < 0) - return -1; - - if (!isCA && - virNetTLSContextCheckCertKeyPurpose(cert, certFile, - isServer) < 0) - return -1; - - return 0; -} - - -static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert, - const char *certFile, - gnutls_x509_crt_t *cacerts, - size_t ncacerts, - const char *cacertFile, - bool isServer) -{ - unsigned int status; - - if (gnutls_x509_crt_list_verify(&cert, 1, - cacerts, ncacerts, - NULL, 0, - 0, &status) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? - _("Unable to verify server certificate %1$s against CA certificate %2$s") : - _("Unable to verify client certificate %1$s against CA certificate %2$s"), - certFile, cacertFile); - return -1; - } - - if (status != 0) { - const char *reason = _("Invalid certificate"); - - if (status & GNUTLS_CERT_INVALID) - reason = _("The certificate is not trusted."); - - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - reason = _("The certificate hasn't got a known issuer."); - - if (status & GNUTLS_CERT_REVOKED) - reason = _("The certificate has been revoked."); - - if (status & GNUTLS_CERT_INSECURE_ALGORITHM) - reason = _("The certificate uses an insecure algorithm"); - - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Our own certificate %1$s failed validation against %2$s: %3$s"), - certFile, cacertFile, reason); - return -1; - } - - return 0; -} - - -static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile, - bool isServer) -{ - gnutls_datum_t data; - gnutls_x509_crt_t cert = NULL; - g_autofree char *buf = NULL; - int ret = -1; - - VIR_DEBUG("isServer %d certFile %s", - isServer, certFile); - - if (gnutls_x509_crt_init(&cert) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("Unable to initialize certificate")); - goto cleanup; - } - - if (virFileReadAll(certFile, (1<<16), &buf) < 0) - goto cleanup; - - data.data = (unsigned char *)buf; - data.size = strlen(buf); - - if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, isServer ? - _("Unable to import server certificate %1$s") : - _("Unable to import client certificate %1$s"), - certFile); - goto cleanup; - } - - ret = 0; - - cleanup: - if (ret != 0) { - g_clear_pointer(&cert, gnutls_x509_crt_deinit); - } - return cert; -} - - -static int virNetTLSContextLoadCACertListFromFile(const char *certFile, - gnutls_x509_crt_t *certs, - unsigned int certMax, - size_t *ncerts) -{ - gnutls_datum_t data; - g_autofree char *buf = NULL; - - *ncerts = 0; - VIR_DEBUG("certFile %s", certFile); - - if (virFileReadAll(certFile, (1<<16), &buf) < 0) - return -1; - - data.data = (unsigned char *)buf; - data.size = strlen(buf); - - if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to import CA certificate list %1$s"), - certFile); - return -1; - } - *ncerts = certMax; - - return 0; -} - - -#define MAX_CERTS 16 -static int virNetTLSContextSanityCheckCredentials(bool isServer, - const char *cacertFile, - const char *certFile) -{ - gnutls_x509_crt_t cert = NULL; - gnutls_x509_crt_t cacerts[MAX_CERTS] = { 0 }; - size_t ncacerts = 0; - size_t i; - int ret = -1; - - if ((access(certFile, R_OK) == 0) && - !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer))) - goto cleanup; - if ((access(cacertFile, R_OK) == 0) && - virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts, - MAX_CERTS, &ncacerts) < 0) - goto cleanup; - - if (cert && - virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0) - goto cleanup; - - for (i = 0; i < ncacerts; i++) { - if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0) - goto cleanup; - } - - if (cert && ncacerts && - virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0) - goto cleanup; - - ret = 0; - - cleanup: - if (cert) - gnutls_x509_crt_deinit(cert); - for (i = 0; i < ncacerts; i++) - gnutls_x509_crt_deinit(cacerts[i]); - return ret; -} - - static int virNetTLSContextLoadCredentials(virNetTLSContext *ctxt, bool isServer, const char *cacert, @@ -683,7 +224,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert, } if (sanityCheckCert && - virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0) + virNetTLSCertSanityCheck(isServer, cacert, cert) < 0) goto error; if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0) @@ -846,7 +387,7 @@ int virNetTLSContextReloadForServer(virNetTLSContext *ctxt, goto error; } - if (virNetTLSContextSanityCheckCredentials(true, cacert, cert)) + if (virNetTLSCertSanityCheck(true, cacert, cert)) goto error; if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key)) @@ -876,65 +417,6 @@ virNetTLSContext *virNetTLSContextNewClient(const char *cacert, sanityCheckCert, requireValidCert, false); } -static int virNetTLSContextCertValidateCA(gnutls_x509_crt_t cert, - bool isServer) -{ - if (virNetTLSContextCheckCertTimes(cert, "[session]", isServer, true) < 0) - return -1; - - return 0; -} - -static char *virNetTLSContextCertValidate(gnutls_x509_crt_t cert, - bool isServer, - const char *hostname, - const char *const *x509dnACL) -{ - size_t dnamesize = 256; - g_autofree char *dname = g_new0(char, dnamesize); - int ret; - - if (virNetTLSContextCheckCertTimes(cert, "[session]", - isServer, false) < 0) - return NULL; - - ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { - VIR_DEBUG("Reallocating dname to fit %zu bytes", dnamesize); - dname = g_realloc(dname, dnamesize); - ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize); - } - if (ret != 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Failed to get certificate %1$s distinguished name: %2$s"), - "[session]", gnutls_strerror(ret)); - return NULL; - } - - VIR_DEBUG("Peer DN is %s", dname); - - if (virNetTLSContextCheckCertDN(cert, "[session]", hostname, - dname, x509dnACL) < 0) - return NULL; - - /* !isServer, since on the client, we're validating the - * server's cert, and on the server, the client's cert - */ - if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]", - !isServer, false) < 0) - return NULL; - - if (virNetTLSContextCheckCertKeyUsage(cert, "[session]", - false) < 0) - return NULL; - - /* !isServer - as above */ - if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]", - !isServer) < 0) - return NULL; - - return g_steal_pointer(&dname); -} static int virNetTLSContextValidCertificate(virNetTLSContext *ctxt, virNetTLSSession *sess) @@ -1005,15 +487,16 @@ static int virNetTLSContextValidCertificate(virNetTLSContext *ctxt, } if (i == 0) { - if (!(sess->x509dname = virNetTLSContextCertValidate(cert, - sess->isServer, - sess->hostname, - ctxt->x509dnACL))) { + if (!(sess->x509dname = virNetTLSCertValidate(cert, + sess->isServer, + sess->hostname, + ctxt->x509dnACL))) { gnutls_x509_crt_deinit(cert); goto authdeny; } } else { - if (virNetTLSContextCertValidateCA(cert, sess->isServer) < 0) { + if (virNetTLSCertValidateCA(cert, + sess->isServer) < 0) { gnutls_x509_crt_deinit(cert); goto authdeny; } -- 2.43.0

When first writing the manpage in commit 3decd4f9f1b55000770f4203f98438b6f791256d Author: Daniel P. Berrangé <berrange@redhat.com> Date: Wed Sep 16 14:42:57 2009 +0100 Make pki_check.sh into an installed & supported tool I incorrectly credited Richard, instead of Daniel, who was the author per commit 62442d578d123de37ab27ae139f1270fc02e837c Author: Daniel Veillard <veillard@redhat.com> Date: Thu Jul 12 15:47:19 2007 +0000 * docs/libvir.html docs/remote.html: update the remote page, add an index * docs/pki_check.sh: shell script to check the PKI and client/server environment. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- docs/manpages/virt-pki-validate.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/manpages/virt-pki-validate.rst b/docs/manpages/virt-pki-validate.rst index 063448f48b..53d5fbe269 100644 --- a/docs/manpages/virt-pki-validate.rst +++ b/docs/manpages/virt-pki-validate.rst @@ -48,7 +48,7 @@ failure a non-zero status will be set. AUTHOR ====== -Richard Jones +Daniel Veillard BUGS -- 2.43.0

These tools never supported passing an argument to --version, this is a copy+paste mistake from virsh, which did support an argument. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- tools/virt-login-shell-helper.c | 2 +- tools/virt-pki-query-dn.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/virt-login-shell-helper.c b/tools/virt-login-shell-helper.c index 1627ba85e5..cb59b5dec0 100644 --- a/tools/virt-login-shell-helper.c +++ b/tools/virt-login-shell-helper.c @@ -180,7 +180,7 @@ main(int argc, char **argv) struct option opt[] = { { "help", no_argument, NULL, 'h' }, - { "version", optional_argument, NULL, 'V' }, + { "version", no_argument, NULL, 'V' }, { NULL, 0, NULL, 0 }, }; if (virInitialize() < 0) { diff --git a/tools/virt-pki-query-dn.c b/tools/virt-pki-query-dn.c index c8196e32e3..5bf6717c4f 100644 --- a/tools/virt-pki-query-dn.c +++ b/tools/virt-pki-query-dn.c @@ -62,7 +62,7 @@ main(int argc, struct option opt[] = { { "help", no_argument, NULL, 'h' }, - { "version", optional_argument, NULL, 'v' }, + { "version", no_argument, NULL, 'v' }, { NULL, 0, NULL, 0 }, }; -- 2.43.0

The virt-pki-validate tool is currently a shell script. We have a general goal of eliminating use of shell in the project. By doing a new implementation in C, we can also make use of our more thorough sanity checking code to validate the certificate setup. This new implementation the same output format as the host validation tool for a more consistent user experiance. It also eliminates the requirement to have certtool installed on libvirt hosts, which has been an issue for Fedora flatpak packages since certtool isn't in the default platform runtime. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- docs/manpages/virt-pki-validate.rst | 4 +- libvirt.spec.in | 2 - po/POTFILES | 1 + tools/meson.build | 30 ++- tools/virt-pki-validate.c | 309 ++++++++++++++++++++++++++++ tools/virt-pki-validate.in | 295 -------------------------- 6 files changed, 337 insertions(+), 304 deletions(-) create mode 100644 tools/virt-pki-validate.c delete mode 100644 tools/virt-pki-validate.in diff --git a/docs/manpages/virt-pki-validate.rst b/docs/manpages/virt-pki-validate.rst index 53d5fbe269..cf17bad790 100644 --- a/docs/manpages/virt-pki-validate.rst +++ b/docs/manpages/virt-pki-validate.rst @@ -48,7 +48,7 @@ failure a non-zero status will be set. AUTHOR ====== -Daniel Veillard +Daniel Veillard, Daniel P. Berrangé BUGS @@ -70,7 +70,7 @@ Alternatively, you may report bugs to your software distributor / vendor. COPYRIGHT ========= -Copyright (C) 2006-2012 by Red Hat, Inc. +Copyright (C) 2006-2024 by Red Hat, Inc. LICENSE diff --git a/libvirt.spec.in b/libvirt.spec.in index 244e5e824c..2570c2458a 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1032,8 +1032,6 @@ capabilities of VirtualBox %package client Summary: Client side utilities of the libvirt library Requires: libvirt-libs = %{version}-%{release} -# Needed by virt-pki-validate script. -Requires: gnutls-utils # Ensure smooth upgrades Obsoletes: libvirt-bash-completion < 7.3.0 diff --git a/po/POTFILES b/po/POTFILES index cb73d07904..4bfbb91164 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -391,6 +391,7 @@ tools/virt-host-validate-qemu.c tools/virt-host-validate.c tools/virt-login-shell-helper.c tools/virt-pki-query-dn.c +tools/virt-pki-validate.c tools/virt-validate-common.c tools/vsh-table.c tools/vsh.c diff --git a/tools/meson.build b/tools/meson.build index feb6b7c3ad..a58f5d4175 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -255,13 +255,33 @@ configure_file( install_mode: 'rwxr-xr-x', ) -configure_file( - input: 'virt-pki-validate.in', - output: '@BASENAME@', - configuration: tools_conf, +executable( + 'virt-pki-validate', + tlsconfig_sources + [ + 'virt-validate-common.c', + 'virt-pki-validate.c', + ], + dependencies: [ + glib_dep, + gnutls_dep, + ], + include_directories: [ + libvirt_inc, + src_inc_dir, + top_inc_dir, + util_inc_dir, + rpc_inc_dir, + ], + link_args: ( + libvirt_relro + + libvirt_no_indirect + + libvirt_no_undefined + ), + link_with: [ + libvirt_lib + ], install: true, install_dir: bindir, - install_mode: 'rwxr-xr-x', ) executable( diff --git a/tools/virt-pki-validate.c b/tools/virt-pki-validate.c new file mode 100644 index 0000000000..556664dd29 --- /dev/null +++ b/tools/virt-pki-validate.c @@ -0,0 +1,309 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include <config.h> +#include "internal.h" + +#include <getopt.h> +#include <stdio.h> +#include <stdlib.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include "virgettext.h" +#include "virfile.h" +#include "virnettlsconfig.h" +#include "virnettlscert.h" +#include "virutil.h" +#include "virt-validate-common.h" + +static bool +virPKIValidateFile(const char *file, + uid_t owner, + gid_t group, + mode_t mode) +{ + struct stat sb; + if (stat(file, &sb) < 0) + return false; + + if (sb.st_uid != owner || + sb.st_gid != group) + return false; + + return (sb.st_mode & 0777) == mode; +} + +#define FILE_REQUIRE_EXISTS(scope, path, message, hint, ...) \ + do { \ + virValidateCheck(scope, "%s", message); \ + if (!virFileExists(path)) { \ + virValidateFail(VIR_VALIDATE_FAIL, hint, __VA_ARGS__); \ + ok = false; \ + goto done; \ + } else { \ + virValidatePass(); \ + } \ + } while (0) + +#define FILE_REQUIRE_ACCESS(scope, path, message, uid, gid, mode, hint, ...) \ + do { \ + virValidateCheck(scope, "%s", message); \ + if (!virPKIValidateFile(path, uid, gid, mode)) { \ + virValidateFail(VIR_VALIDATE_FAIL, hint, __VA_ARGS__); \ + ok = false; \ + } else { \ + virValidatePass(); \ + } \ + } while (0) + +static bool +virPKIValidateTrust(void) +{ + g_autofree char *cacert = NULL, *cacrl = NULL; + bool ok = true; + + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking if system PKI dir exists"), + _("The system PKI dir %1$s is usually installed as part of the base filesystem or openssl packages"), + LIBVIRT_PKI_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking system PKI dir access"), + 0, 0, 0755, + _("The system PKI dir %1$s must be accessible to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking if system CA dir exists"), + _("The system CA dir %1$s is usually installed as part of the base filesystem or openssl packages"), + LIBVIRT_CACERT_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking system CA dir access"), + 0, 0, 0755, + _("The system CA dir %1$s must be accessible to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_CACERT_DIR, LIBVIRT_CACERT_DIR); + + FILE_REQUIRE_EXISTS("TRUST", + cacert, + _("Checking if CA cert exists"), + _("The machine cannot act as a client or server. See https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authority-c... on how to install %1$s"), + cacert); + + FILE_REQUIRE_ACCESS("TRUST", + cacert, + _("Checking CA cert access"), + 0, 0, 0644, + _("The CA certificate %1$s must be accessible to all users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cacert, cacert, cacert); + + done: + return ok; +} + +static bool +virPKIValidateIdentity(bool isServer) +{ + g_autofree char *cacert = NULL, *cacrl = NULL; + g_autofree char *cert = NULL, *key = NULL; + bool ok = true; + const char *scope = isServer ? "SERVER" : "CLIENT"; + + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + virNetTLSConfigSystemIdentity(isServer, + &cert, + &key); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_CERT_DIR, + _("Checking if system cert dir exists"), + _("The system cert dir %1$s is usually installed as part of the libvirt package"), + LIBVIRT_CERT_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_CERT_DIR, + _("Checking system cert dir access"), + 0, 0, 0755, + _("The system cert dir %1$s must be accessible to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_KEY_DIR, + _("Checking if system key dir exists"), + _("The system key dir %1$s is usually installed as part of the libvirt package"), + LIBVIRT_KEY_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_KEY_DIR, + _("Checking system key dir access"), + 0, 0, 0755, + _("The system key dir %1$s must be accessible to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_KEY_DIR, LIBVIRT_PKI_DIR); + + FILE_REQUIRE_EXISTS(scope, + key, + _("Checking if key exists"), + isServer ? + _("The machine cannot act as a server. See https://libvirt.org/kbase/tlscerts.html#issuing-server-certificates on how to regenerate %1$s") : + _("The machine cannot act as a client. See https://libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to regenerate %1$s"), + key); + + FILE_REQUIRE_ACCESS(scope, + key, + _("Checking key access"), + 0, 0, isServer ? 0600 : 0644, + isServer ? + _("The server key %1$s must not be accessible to unprivileged users. As root run: chown root.root %2$s; chmod 0600 %3$s") : + _("The client key %1$s must be accessible to all users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + key, key, key); + + FILE_REQUIRE_EXISTS(scope, + cert, + _("Checking if cert exists"), + isServer ? + _("The machine cannot act as a server. See https://libvirt.org/kbase/tlscerts.html#issuing-server-certificates on how to regenerate %1$s") : + _("The machine cannot act as a client. See https://libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to regenerate %1$s"), + cert); + + FILE_REQUIRE_ACCESS(scope, + cert, + _("Checking cert access"), + 0, 0, 0644, + isServer ? + _("The server cert %1$s must be accessible to all users. As root run: chown root.root %2$s; chmod 0644 %3$s") : + _("The client cert %1$s must be accessible to all users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cert, cert, cert); + + virValidateCheck(scope, "%s", _("Checking cert properties")); + + if (virNetTLSCertSanityCheck(isServer, + cacert, + cert) < 0) { + virValidateFail(VIR_VALIDATE_FAIL, "%s", + virGetLastErrorMessage()); + ok = false; + } else { + virValidatePass(); + } + + if (isServer) { + gnutls_x509_crt_t crt; + + virValidateCheck(scope, "%s", _("Checking cert hostname match")); + + if (!(crt = virNetTLSCertLoadFromFile(cert, true))) { + virValidateFail(VIR_VALIDATE_FAIL, + _("Unable to load %1$s: %2$s"), + cert, virGetLastErrorMessage()); + } else { + g_autofree char *hostname = virGetHostname(); + int ret = gnutls_x509_crt_check_hostname(crt, hostname); + gnutls_x509_crt_deinit(crt); + if (!ret) { + /* Only warning, since there can be valid reasons for mis-match */ + virValidateFail(VIR_VALIDATE_WARN, + _("Certificate %1$s owner does not match the hostname %2$s"), + cert, hostname); + ok = false; + } else { + virValidatePass(); + } + } + } + + done: + return ok; +} + + +static void +print_usage(const char *progname, + FILE *out) +{ + fprintf(out, + _("Usage:\n" + " %1$s { -v | -h } [TRUST|SERVER|CLIENT]\n" + "\n" + "Validate TLS certificate configuration\n" + "\n" + "options:\n" + " -h | --help display this help and exit\n" + " -v | --version output version information and exit\n"), + progname); +} + +int main(int argc, char **argv) +{ + const char *scope = NULL; + bool quiet = false; + int arg = 0; + bool ok = true; + const char *progname = argv[0]; + struct option opt[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { NULL, 0, NULL, 0 }, + }; + + if (virGettextInitialize() < 0) + return EXIT_FAILURE; + + while ((arg = getopt_long(argc, argv, "hvsup:", opt, NULL)) != -1) { + switch (arg) { + case 'v': + printf("%s\n", PACKAGE_VERSION); + return EXIT_SUCCESS; + + case 'h': + print_usage(progname, stdout); + return EXIT_SUCCESS; + + case 'q': + quiet = true; + break; + + case '?': + default: + print_usage(progname, stderr); + return EXIT_FAILURE; + } + } + + if ((argc - optind) > 2) { + fprintf(stderr, _("%1$s: too many command line arguments\n"), argv[0]); + print_usage(progname, stderr); + return EXIT_FAILURE; + } + + if (argc > 1) + scope = argv[optind]; + + virValidateSetQuiet(quiet); + + if ((!scope || g_str_equal(scope, "trust")) && + !virPKIValidateTrust()) + ok = false; + if ((!scope || g_str_equal(scope, "server")) && + !virPKIValidateIdentity(true)) + ok = false; + if ((!scope || g_str_equal(scope, "client")) && + !virPKIValidateIdentity(false)) + ok = false; + + if (!ok) + return EXIT_FAILURE; + + return EXIT_SUCCESS; +} diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in deleted file mode 100644 index c77daa9862..0000000000 --- a/tools/virt-pki-validate.in +++ /dev/null @@ -1,295 +0,0 @@ -#!/bin/sh -# -# This shell script checks the TLS certificates and options needed -# for the secure client/server support of libvirt as documented at -# https://libvirt.org/kbase/tlscerts.html -# -# Copyright (C) 2009-2013 Red Hat, Inc. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see -# <http://www.gnu.org/licenses/>. -# -# Daniel Veillard <veillard@redhat.com> -# - -case $1 in - -h | --h | --he | --hel | --help) - cat <<EOF -Usage: - $0 [OPTION] - -Options: - -h | --help Display program help - -V | --version Display program version -EOF - exit ;; - -V | --v | --ve | --ver | --vers | --versi | --versio | --version) - cat <<EOF -$0 (libvirt) @VERSION@ -EOF - exit ;; - --) shift ;; - -) # Not an option but an argument; it gets rejected later - ;; - -*) - echo "$0: unrecognized option '$1'" >&2 - exit 1 ;; -esac - -if test $# != 0; then - echo "$0: unrecognized argument '$1'" >&2 - exit 1 -fi - -USER=`who am i | awk '{ print $1 }'` -SERVER=1 -CLIENT=1 -PORT=16514 -# -# First get certtool -# -CERTOOL=`which certtool 2>/dev/null` -if [ ! -x "$CERTOOL" ] -then - echo "Could not locate the certtool program" - echo "make sure the gnutls-utils (or gnutls-bin) package is installed" - exit 1 -fi -echo Found "$CERTOOL" - -# -# Check the directory structure -# -SYSCONFDIR="@sysconfdir@" -PKI="$SYSCONFDIR/pki" -if [ ! -d "$PKI" ] -then - echo the $PKI directory is missing, it is usually - echo installed as part of the filesystem or openssl packages - exit 1 -fi - -if [ ! -r "$PKI" ] -then - echo the $PKI directory is not readable by $USER - echo "as root do: chmod a+rx $PKI" - exit 1 -fi -if [ ! -x "$PKI" ] -then - echo the $PKI directory is not listable by $USER - echo "as root do: chmod a+rx $PKI" - exit 1 -fi - -CA="$PKI/CA" -if [ ! -d "$CA" ] -then - echo the $CA directory is missing, it is usually - echo installed as part of the or openssl package - exit 1 -fi - -if [ ! -r "$CA" ] -then - echo the $CA directory is not readable by $USER - echo "as root do: chmod a+rx $CA" - exit 1 -fi -if [ ! -x "$CA" ] -then - echo the $CA directory is not listable by $USER - echo "as root do: chmod a+rx $CA" - exit 1 -fi - -LIBVIRT="$PKI/libvirt" -if [ ! -d "$LIBVIRT" ] -then - echo the $LIBVIRT directory is missing, it is usually - echo installed by the libvirt package - echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT" - exit 1 -fi - -if [ ! -r "$LIBVIRT" ] -then - echo the $LIBVIRT directory is not readable by $USER - echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT" - exit 1 -fi -if [ ! -x "$LIBVIRT" ] -then - echo the $LIBVIRT directory is not listable by $USER - echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT" - exit 1 -fi - -LIBVIRTP="$LIBVIRT/private" -if [ ! -d "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is missing, it is usually - echo installed by the libvirt package - echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP" - exit 1 -fi - -if [ ! -r "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is not readable by $USER - echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP" - exit 1 -fi -if [ ! -x "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is not listable by $USER - echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP" - exit 1 -fi - -# -# Now check the certificates -# First the CA certificate -# -if [ ! -f "$CA/cacert.pem" ] -then - echo the CA certificate $CA/cacert.pem is missing while it - echo should be installed on both client and servers - echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authority-c..." - echo on how to install it - exit 1 -fi -if [ ! -r "$CA/cacert.pem" ] -then - echo the CA certificate $CA/cacert.pem is not readable by $USER - echo "as root do: chmod 644 $CA/cacert.pem" - exit 1 -fi -sed_get_org='/Issuer:/ { - s/.*Issuer:.*CN=// - s/,.*// - p -}' -ORG=`"$CERTOOL" -i --infile "$CA/cacert.pem" | sed -n "$sed_get_org"` -if [ "$ORG" = "" ] -then - echo the CA certificate $CA/cacert.pem does not define the organization - echo it should probably regenerated - echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authority-c..." - echo on how to regenerate it - exit 1 -fi -echo Found CA certificate $CA/cacert.pem for $ORG - -# Second the client certificates - -if [ -f "$LIBVIRT/clientcert.pem" ] -then - if [ ! -r "$LIBVIRT/clientcert.pem" ] - then - echo Client certificate $LIBVIRT/clientcert.pem should be world readable - echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem" - else - C_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'` - if [ "$ORG" != "$C_ORG" ] - then - echo The CA certificate and the client certificate do not match - echo CA organization: $ORG - echo Client organization: $C_ORG - fi - CLIENT=`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep Subject: | sed 's+.*CN=\(.[^,]*\).*+\1+'` - echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT - if [ ! -e "$LIBVIRTP/clientkey.pem" ] - then - echo Missing client private key $LIBVIRTP/clientkey.pem - else - echo Found client private key $LIBVIRTP/clientkey.pem - OWN=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` - # The substr($1, 1, 10) gets rid of acl and xattr markers - MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($1, 1, 10) }'` - if [ "$OWN" != "root" ] - then - echo The client private key should be owned by root - echo "as root do: chown root $LIBVIRTP/clientkey.pem" - fi - if [ "$MOD" != "-rw-r--r--" ] - then - echo The client private key need to be read by client tools - echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem" - fi - fi - - fi -else - echo Did not find "$LIBVIRT/clientcert.pem" client certificate - echo The machine cannot act as a client - echo "see https://libvirt.org/kbase/tlscerts.html#issuing-client-certificates" - echo on how to regenerate it - CLIENT=0 -fi - -# Third the server certificates - -if [ -f "$LIBVIRT/servercert.pem" ] -then - if [ ! -r "$LIBVIRT/servercert.pem" ] - then - echo Server certificate $LIBVIRT/servercert.pem should be world readable - echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem" - else - S_ORG=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*O=\([^,]*\).*+\1+'` - if [ "$ORG" != "$S_ORG" ] - then - echo The CA certificate and the server certificate do not match - echo CA organization: $ORG - echo Server organization: $S_ORG - fi - S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=\([^,]*\).*+\1+'` - if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`" - then - echo The server certificate does not seem to match the host name - echo hostname: '"'`hostname`'"' - echo Server certificate CN: '"'$S_HOST'"' - fi - echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST - if [ ! -e "$LIBVIRTP/serverkey.pem" ] - then - echo Missing server private key $LIBVIRTP/serverkey.pem - else - echo Found server private key $LIBVIRTP/serverkey.pem - OWN=`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print $3 }'` - # The substr($1, 1, 10) gets rid of acl and xattr markers - MOD=`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print substr($1, 1, 10) }'` - if [ "$OWN" != "root" ] - then - echo The server private key should be owned by root - echo "as root do: chown root $LIBVIRTP/serverkey.pem" - fi - if [ "$MOD" != "-rw-------" ] - then - echo The server private key need to be read only by root - echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem" - fi - fi - - fi -else - echo Did not find $LIBVIRT/servercert.pem server certificate - echo The machine cannot act as a server - echo "see https://libvirt.org/kbase/tlscerts.html#issuing-server-certificates" - echo on how to regenerate it - SERVER=0 -fi - -exit 0 -- 2.43.0