[libvirt] [PATCH 1/2] virsh: flexibility in CA cert and user cert/key

Allow the CA certificate to come from the user's home directory or from the global location independently of the client certificate/key pair. Mostly for the case when each user on a system has their own cert/key pair but the system as a whole shares the same CA. Signed-off-by: Doug Goldstein <cardoe@gentoo.org> --- src/remote/remote_driver.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 4c3bdf3..9965d38 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1222,21 +1222,26 @@ initialize_gnutls(char *pkipath, int flags) "clientcert.pem")) < 0) goto out_of_memory; - /* Use default location as long as one of CA certificate, + /* Use the default location of the CA certificate if it + * cannot be found in $HOME/.pki/libvirt + */ + if (!virFileExists(libvirt_cacert)) { + VIR_FREE(libvirt_cacert); + + libvirt_cacert = strdup(LIBVIRT_CACERT); + if (!libvirt_cacert) goto out_of_memory; + } + + /* Use default location as long as one of * client key, and client certificate cannot be found in * $HOME/.pki/libvirt, we don't want to make user confused * with one file is here, the other is there. */ - if (!virFileExists(libvirt_cacert) || - !virFileExists(libvirt_clientkey) || + if (!virFileExists(libvirt_clientkey) || !virFileExists(libvirt_clientcert)) { - VIR_FREE(libvirt_cacert); VIR_FREE(libvirt_clientkey); VIR_FREE(libvirt_clientcert); - libvirt_cacert = strdup(LIBVIRT_CACERT); - if (!libvirt_cacert) goto out_of_memory; - libvirt_clientkey = strdup(LIBVIRT_CLIENTKEY); if (!libvirt_clientkey) goto out_of_memory; -- 1.7.5.rc3
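Review bot: the comment kept above the client key/cert check now reads "Use default location as long as one of / client key, and client certificate cannot be found", which no longer parses once "CA certificate," was dropped from its first line; reword it, e.g. "Use the default location for the client key and certificate unless both are found in $HOME/.pki/libvirt". The commit message also only describes one of the two new combinations: because the CA lookup no longer depends on the pair, a cacert.pem in $HOME is now used together with the system client key/cert when the user has no pair of their own, and that mirror case deserves a sentence so nobody is surprised by it later.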

On Fri, May 6, 2011 at 10:00 AM, Doug Goldstein <cardoe@gentoo.org> wrote:
Allow the CA certificate to come from the user's home directory or from the global location independently of the client certificate/key pair.
Mostly for the case when each user on a system has their own cert/key pair but the system as a whole shares the same CA.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org> --- src/remote/remote_driver.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 4c3bdf3..9965d38 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1222,21 +1222,26 @@ initialize_gnutls(char *pkipath, int flags) "clientcert.pem")) < 0) goto out_of_memory;
- /* Use default location as long as one of CA certificate, + /* Use the default location of the CA certificate if it + * cannot be found in $HOME/.pki/libvirt + */ + if (!virFileExists(libvirt_cacert)) { + VIR_FREE(libvirt_cacert); + + libvirt_cacert = strdup(LIBVIRT_CACERT); + if (!libvirt_cacert) goto out_of_memory; + } + + /* Use default location as long as one of * client key, and client certificate cannot be found in * $HOME/.pki/libvirt, we don't want to make user confused * with one file is here, the other is there. */ - if (!virFileExists(libvirt_cacert) || - !virFileExists(libvirt_clientkey) || + if (!virFileExists(libvirt_clientkey) || !virFileExists(libvirt_clientcert)) { - VIR_FREE(libvirt_cacert); VIR_FREE(libvirt_clientkey); VIR_FREE(libvirt_clientcert);
- libvirt_cacert = strdup(LIBVIRT_CACERT); - if (!libvirt_cacert) goto out_of_memory; - libvirt_clientkey = strdup(LIBVIRT_CLIENTKEY); if (!libvirt_clientkey) goto out_of_memory;
-- 1.7.5.rc3
Bump.

-- 
Doug Goldstein

On Fri, May 06, 2011 at 10:00:53AM -0500, Doug Goldstein wrote:
Allow the CA certificate to come from the user's home directory or from the global location independently of the client certificate/key pair.
Mostly for the case when each user on a system has their own cert/key pair but the system as a whole shares the same CA.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org> --- src/remote/remote_driver.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 4c3bdf3..9965d38 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1222,21 +1222,26 @@ initialize_gnutls(char *pkipath, int flags) "clientcert.pem")) < 0) goto out_of_memory;
- /* Use default location as long as one of CA certificate, + /* Use the default location of the CA certificate if it + * cannot be found in $HOME/.pki/libvirt + */ + if (!virFileExists(libvirt_cacert)) { + VIR_FREE(libvirt_cacert); + + libvirt_cacert = strdup(LIBVIRT_CACERT); + if (!libvirt_cacert) goto out_of_memory; + } + + /* Use default location as long as one of * client key, and client certificate cannot be found in * $HOME/.pki/libvirt, we don't want to make user confused * with one file is here, the other is there. */ - if (!virFileExists(libvirt_cacert) || - !virFileExists(libvirt_clientkey) || + if (!virFileExists(libvirt_clientkey) || !virFileExists(libvirt_clientcert)) { - VIR_FREE(libvirt_cacert); VIR_FREE(libvirt_clientkey); VIR_FREE(libvirt_clientcert);
- libvirt_cacert = strdup(LIBVIRT_CACERT); - if (!libvirt_cacert) goto out_of_memory; - libvirt_clientkey = strdup(LIBVIRT_CLIENTKEY); if (!libvirt_clientkey) goto out_of_memory;
ACK

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 05/10/2011 03:44 AM, Daniel P. Berrange wrote:
On Fri, May 06, 2011 at 10:00:53AM -0500, Doug Goldstein wrote:
Allow the CA certificate to come from the user's home directory or from the global location independently of the client certificate/key pair.
ACK
Pushed.

-- 
Eric Blake   eblake@redhat.com   +1-801-349-2682
Libvirt virtualization library http://libvirt.org
participants (3)
- Daniel P. Berrange
- Doug Goldstein
- Eric Blake