2 * QEMU crypto TLS x509 credential support
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "crypto/tlscredsx509.h"
23 #include "crypto/tlscredspriv.h"
24 #include "crypto/secret.h"
25 #include "qapi/error.h"
26 #include "qom/object_interfaces.h"
32 #include <gnutls/x509.h>
36 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert
,
42 time_t now
= time(NULL
);
44 if (now
== ((time_t)-1)) {
45 error_setg_errno(errp
, errno
, "cannot get current time");
49 if (gnutls_x509_crt_get_expiration_time(cert
) < now
) {
52 "The CA certificate %s has expired" :
54 "The server certificate %s has expired" :
55 "The client certificate %s has expired")),
60 if (gnutls_x509_crt_get_activation_time(cert
) > now
) {
63 "The CA certificate %s is not yet active" :
65 "The server certificate %s is not yet active" :
66 "The client certificate %s is not yet active")),
75 #if LIBGNUTLS_VERSION_NUMBER >= 2
77 * The gnutls_x509_crt_get_basic_constraints function isn't
78 * available in GNUTLS 1.0.x branches. This isn't critical
79 * though, since gnutls_certificate_verify_peers2 will do
80 * pretty much the same check at runtime, so we can just
84 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509
*creds
,
85 gnutls_x509_crt_t cert
,
93 status
= gnutls_x509_crt_get_basic_constraints(cert
, NULL
, NULL
, NULL
);
94 trace_qcrypto_tls_creds_x509_check_basic_constraints(
95 creds
, certFile
, status
);
97 if (status
> 0) { /* It is a CA cert */
99 error_setg(errp
, isServer
?
100 "The certificate %s basic constraints show a CA, "
101 "but we need one for a server" :
102 "The certificate %s basic constraints show a CA, "
103 "but we need one for a client",
107 } else if (status
== 0) { /* It is not a CA cert */
110 "The certificate %s basic constraints do not "
115 } else if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
116 /* Missing basicConstraints */
119 "The certificate %s is missing basic constraints "
124 } else { /* General error */
126 "Unable to query certificate %s basic constraints: %s",
127 certFile
, gnutls_strerror(status
));
137 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509
*creds
,
138 gnutls_x509_crt_t cert
,
139 const char *certFile
,
144 unsigned int usage
= 0;
145 unsigned int critical
= 0;
147 status
= gnutls_x509_crt_get_key_usage(cert
, &usage
, &critical
);
148 trace_qcrypto_tls_creds_x509_check_key_usage(
149 creds
, certFile
, status
, usage
, critical
);
152 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
153 usage
= isCA
? GNUTLS_KEY_KEY_CERT_SIGN
:
154 GNUTLS_KEY_DIGITAL_SIGNATURE
|GNUTLS_KEY_KEY_ENCIPHERMENT
;
157 "Unable to query certificate %s key usage: %s",
158 certFile
, gnutls_strerror(status
));
164 if (!(usage
& GNUTLS_KEY_KEY_CERT_SIGN
)) {
167 "Certificate %s usage does not permit "
168 "certificate signing", certFile
);
173 if (!(usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
)) {
176 "Certificate %s usage does not permit digital "
177 "signature", certFile
);
181 if (!(usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
)) {
184 "Certificate %s usage does not permit key "
185 "encipherment", certFile
);
196 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509
*creds
,
197 gnutls_x509_crt_t cert
,
198 const char *certFile
,
204 unsigned int purposeCritical
;
205 unsigned int critical
;
208 bool allowClient
= false, allowServer
= false;
213 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
216 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
218 /* If there is no data at all, then we must allow
219 client/server to pass */
221 allowServer
= allowClient
= true;
225 if (status
!= GNUTLS_E_SHORT_MEMORY_BUFFER
) {
227 "Unable to query certificate %s key purpose: %s",
228 certFile
, gnutls_strerror(status
));
232 buffer
= g_new0(char, size
);
234 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
235 &size
, &purposeCritical
);
238 trace_qcrypto_tls_creds_x509_check_key_purpose(
239 creds
, certFile
, status
, "<none>", purposeCritical
);
242 "Unable to query certificate %s key purpose: %s",
243 certFile
, gnutls_strerror(status
));
246 trace_qcrypto_tls_creds_x509_check_key_purpose(
247 creds
, certFile
, status
, buffer
, purposeCritical
);
248 if (purposeCritical
) {
252 if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_SERVER
)) {
254 } else if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_CLIENT
)) {
256 } else if (g_str_equal(buffer
, GNUTLS_KP_ANY
)) {
257 allowServer
= allowClient
= true;
268 "Certificate %s purpose does not allow "
269 "use with a TLS server", certFile
);
277 "Certificate %s purpose does not allow use "
278 "with a TLS client", certFile
);
289 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509
*creds
,
290 gnutls_x509_crt_t cert
,
291 const char *certFile
,
296 if (qcrypto_tls_creds_check_cert_times(cert
, certFile
,
302 #if LIBGNUTLS_VERSION_NUMBER >= 2
303 if (qcrypto_tls_creds_check_cert_basic_constraints(creds
,
311 if (qcrypto_tls_creds_check_cert_key_usage(creds
,
318 qcrypto_tls_creds_check_cert_key_purpose(creds
,
320 isServer
, errp
) < 0) {
329 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert
,
330 const char *certFile
,
331 gnutls_x509_crt_t
*cacerts
,
333 const char *cacertFile
,
339 if (gnutls_x509_crt_list_verify(&cert
, 1,
343 error_setg(errp
, isServer
?
344 "Unable to verify server certificate %s against "
345 "CA certificate %s" :
346 "Unable to verify client certificate %s against "
348 certFile
, cacertFile
);
353 const char *reason
= "Invalid certificate";
355 if (status
& GNUTLS_CERT_INVALID
) {
356 reason
= "The certificate is not trusted";
359 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
) {
360 reason
= "The certificate hasn't got a known issuer";
363 if (status
& GNUTLS_CERT_REVOKED
) {
364 reason
= "The certificate has been revoked";
367 #ifndef GNUTLS_1_0_COMPAT
368 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
) {
369 reason
= "The certificate uses an insecure algorithm";
374 "Our own certificate %s failed validation against %s: %s",
375 certFile
, cacertFile
, reason
);
383 static gnutls_x509_crt_t
384 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509
*creds
,
385 const char *certFile
,
390 gnutls_x509_crt_t cert
= NULL
;
397 trace_qcrypto_tls_creds_x509_load_cert(creds
, isServer
, certFile
);
399 err
= gnutls_x509_crt_init(&cert
);
401 error_setg(errp
, "Unable to initialize certificate: %s",
402 gnutls_strerror(err
));
406 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
407 error_setg(errp
, "Cannot load CA cert list %s: %s",
408 certFile
, gerr
->message
);
413 data
.data
= (unsigned char *)buf
;
414 data
.size
= strlen(buf
);
416 err
= gnutls_x509_crt_import(cert
, &data
, GNUTLS_X509_FMT_PEM
);
418 error_setg(errp
, isServer
?
419 "Unable to import server certificate %s: %s" :
420 "Unable to import client certificate %s: %s",
422 gnutls_strerror(err
));
430 gnutls_x509_crt_deinit(cert
);
439 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509
*creds
,
440 const char *certFile
,
441 gnutls_x509_crt_t
*certs
,
442 unsigned int certMax
,
453 trace_qcrypto_tls_creds_x509_load_cert_list(creds
, certFile
);
455 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
456 error_setg(errp
, "Cannot load CA cert list %s: %s",
457 certFile
, gerr
->message
);
462 data
.data
= (unsigned char *)buf
;
463 data
.size
= strlen(buf
);
465 if (gnutls_x509_crt_list_import(certs
, &certMax
, &data
,
466 GNUTLS_X509_FMT_PEM
, 0) < 0) {
468 "Unable to import CA certificate list %s",
484 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds
,
486 const char *cacertFile
,
487 const char *certFile
,
490 gnutls_x509_crt_t cert
= NULL
;
491 gnutls_x509_crt_t cacerts
[MAX_CERTS
];
496 memset(cacerts
, 0, sizeof(cacerts
));
498 access(certFile
, R_OK
) == 0) {
499 cert
= qcrypto_tls_creds_load_cert(creds
,
506 if (access(cacertFile
, R_OK
) == 0) {
507 if (qcrypto_tls_creds_load_ca_cert_list(creds
,
509 MAX_CERTS
, &ncacerts
,
516 qcrypto_tls_creds_check_cert(creds
,
517 cert
, certFile
, isServer
,
522 for (i
= 0; i
< ncacerts
; i
++) {
523 if (qcrypto_tls_creds_check_cert(creds
,
524 cacerts
[i
], cacertFile
,
525 isServer
, true, errp
) < 0) {
530 if (cert
&& ncacerts
&&
531 qcrypto_tls_creds_check_cert_pair(cert
, certFile
, cacerts
,
532 ncacerts
, cacertFile
,
533 isServer
, errp
) < 0) {
541 gnutls_x509_crt_deinit(cert
);
543 for (i
= 0; i
< ncacerts
; i
++) {
544 gnutls_x509_crt_deinit(cacerts
[i
]);
551 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds
,
554 char *cacert
= NULL
, *cacrl
= NULL
, *cert
= NULL
,
555 *key
= NULL
, *dhparams
= NULL
;
559 trace_qcrypto_tls_creds_x509_load(creds
,
560 creds
->parent_obj
.dir
? creds
->parent_obj
.dir
: "<nodir>");
562 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
563 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
564 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
565 true, &cacert
, errp
) < 0 ||
566 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
567 QCRYPTO_TLS_CREDS_X509_CA_CRL
,
568 false, &cacrl
, errp
) < 0 ||
569 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
570 QCRYPTO_TLS_CREDS_X509_SERVER_CERT
,
571 true, &cert
, errp
) < 0 ||
572 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
573 QCRYPTO_TLS_CREDS_X509_SERVER_KEY
,
574 true, &key
, errp
) < 0 ||
575 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
576 QCRYPTO_TLS_CREDS_DH_PARAMS
,
577 false, &dhparams
, errp
) < 0) {
581 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
582 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
583 true, &cacert
, errp
) < 0 ||
584 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
585 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
,
586 false, &cert
, errp
) < 0 ||
587 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
588 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
,
589 false, &key
, errp
) < 0) {
594 if (creds
->sanityCheck
&&
595 qcrypto_tls_creds_x509_sanity_check(creds
,
596 creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
,
597 cacert
, cert
, errp
) < 0) {
601 ret
= gnutls_certificate_allocate_credentials(&creds
->data
);
603 error_setg(errp
, "Cannot allocate credentials: '%s'",
604 gnutls_strerror(ret
));
608 ret
= gnutls_certificate_set_x509_trust_file(creds
->data
,
610 GNUTLS_X509_FMT_PEM
);
612 error_setg(errp
, "Cannot load CA certificate '%s': %s",
613 cacert
, gnutls_strerror(ret
));
617 if (cert
!= NULL
&& key
!= NULL
) {
618 #if GNUTLS_VERSION_NUMBER >= 0x030111
619 char *password
= NULL
;
620 if (creds
->passwordid
) {
621 password
= qcrypto_secret_lookup_as_utf8(creds
->passwordid
,
627 ret
= gnutls_certificate_set_x509_key_file2(creds
->data
,
633 #else /* GNUTLS_VERSION_NUMBER < 0x030111 */
634 if (creds
->passwordid
) {
635 error_setg(errp
, "PKCS8 decryption requires GNUTLS >= 3.1.11");
638 ret
= gnutls_certificate_set_x509_key_file(creds
->data
,
640 GNUTLS_X509_FMT_PEM
);
641 #endif /* GNUTLS_VERSION_NUMBER < 0x030111 */
643 error_setg(errp
, "Cannot load certificate '%s' & key '%s': %s",
644 cert
, key
, gnutls_strerror(ret
));
650 ret
= gnutls_certificate_set_x509_crl_file(creds
->data
,
652 GNUTLS_X509_FMT_PEM
);
654 error_setg(errp
, "Cannot load CRL '%s': %s",
655 cacrl
, gnutls_strerror(ret
));
660 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
661 if (qcrypto_tls_creds_get_dh_params_file(&creds
->parent_obj
, dhparams
,
662 &creds
->parent_obj
.dh_params
,
666 gnutls_certificate_set_dh_params(creds
->data
,
667 creds
->parent_obj
.dh_params
);
682 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds
)
685 gnutls_certificate_free_credentials(creds
->data
);
688 if (creds
->parent_obj
.dh_params
) {
689 gnutls_dh_params_deinit(creds
->parent_obj
.dh_params
);
690 creds
->parent_obj
.dh_params
= NULL
;
695 #else /* ! CONFIG_GNUTLS */
699 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
,
702 error_setg(errp
, "TLS credentials support requires GNUTLS");
707 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
)
713 #endif /* ! CONFIG_GNUTLS */
717 qcrypto_tls_creds_x509_prop_set_loaded(Object
*obj
,
721 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
724 qcrypto_tls_creds_x509_load(creds
, errp
);
726 qcrypto_tls_creds_x509_unload(creds
);
735 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj
,
736 Error
**errp G_GNUC_UNUSED
)
738 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
740 return creds
->data
!= NULL
;
744 #else /* ! CONFIG_GNUTLS */
748 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj G_GNUC_UNUSED
,
749 Error
**errp G_GNUC_UNUSED
)
755 #endif /* ! CONFIG_GNUTLS */
759 qcrypto_tls_creds_x509_prop_set_sanity(Object
*obj
,
761 Error
**errp G_GNUC_UNUSED
)
763 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
765 creds
->sanityCheck
= value
;
770 qcrypto_tls_creds_x509_prop_set_passwordid(Object
*obj
,
772 Error
**errp G_GNUC_UNUSED
)
774 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
776 creds
->passwordid
= g_strdup(value
);
781 qcrypto_tls_creds_x509_prop_get_passwordid(Object
*obj
,
782 Error
**errp G_GNUC_UNUSED
)
784 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
786 return g_strdup(creds
->passwordid
);
791 qcrypto_tls_creds_x509_prop_get_sanity(Object
*obj
,
792 Error
**errp G_GNUC_UNUSED
)
794 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
796 return creds
->sanityCheck
;
801 qcrypto_tls_creds_x509_complete(UserCreatable
*uc
, Error
**errp
)
803 object_property_set_bool(OBJECT(uc
), true, "loaded", errp
);
808 qcrypto_tls_creds_x509_init(Object
*obj
)
810 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
812 creds
->sanityCheck
= true;
817 qcrypto_tls_creds_x509_finalize(Object
*obj
)
819 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
821 g_free(creds
->passwordid
);
822 qcrypto_tls_creds_x509_unload(creds
);
827 qcrypto_tls_creds_x509_class_init(ObjectClass
*oc
, void *data
)
829 UserCreatableClass
*ucc
= USER_CREATABLE_CLASS(oc
);
831 ucc
->complete
= qcrypto_tls_creds_x509_complete
;
833 object_class_property_add_bool(oc
, "loaded",
834 qcrypto_tls_creds_x509_prop_get_loaded
,
835 qcrypto_tls_creds_x509_prop_set_loaded
,
837 object_class_property_add_bool(oc
, "sanity-check",
838 qcrypto_tls_creds_x509_prop_get_sanity
,
839 qcrypto_tls_creds_x509_prop_set_sanity
,
841 object_class_property_add_str(oc
, "passwordid",
842 qcrypto_tls_creds_x509_prop_get_passwordid
,
843 qcrypto_tls_creds_x509_prop_set_passwordid
,
848 static const TypeInfo qcrypto_tls_creds_x509_info
= {
849 .parent
= TYPE_QCRYPTO_TLS_CREDS
,
850 .name
= TYPE_QCRYPTO_TLS_CREDS_X509
,
851 .instance_size
= sizeof(QCryptoTLSCredsX509
),
852 .instance_init
= qcrypto_tls_creds_x509_init
,
853 .instance_finalize
= qcrypto_tls_creds_x509_finalize
,
854 .class_size
= sizeof(QCryptoTLSCredsX509Class
),
855 .class_init
= qcrypto_tls_creds_x509_class_init
,
856 .interfaces
= (InterfaceInfo
[]) {
857 { TYPE_USER_CREATABLE
},
864 qcrypto_tls_creds_x509_register_types(void)
866 type_register_static(&qcrypto_tls_creds_x509_info
);
870 type_init(qcrypto_tls_creds_x509_register_types
);