2 * QEMU crypto TLS x509 credential support
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "crypto/tlscredsx509.h"
22 #include "crypto/tlscredspriv.h"
23 #include "qom/object_interfaces.h"
29 #include <gnutls/x509.h>
33 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert
,
39 time_t now
= time(NULL
);
41 if (now
== ((time_t)-1)) {
42 error_setg_errno(errp
, errno
, "cannot get current time");
46 if (gnutls_x509_crt_get_expiration_time(cert
) < now
) {
49 "The CA certificate %s has expired" :
51 "The server certificate %s has expired" :
52 "The client certificate %s has expired")),
57 if (gnutls_x509_crt_get_activation_time(cert
) > now
) {
60 "The CA certificate %s is not yet active" :
62 "The server certificate %s is not yet active" :
63 "The client certificate %s is not yet active")),
72 #if LIBGNUTLS_VERSION_NUMBER >= 2
74 * The gnutls_x509_crt_get_basic_constraints function isn't
75 * available in GNUTLS 1.0.x branches. This isn't critical
76 * though, since gnutls_certificate_verify_peers2 will do
77 * pretty much the same check at runtime, so we can just
81 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509
*creds
,
82 gnutls_x509_crt_t cert
,
90 status
= gnutls_x509_crt_get_basic_constraints(cert
, NULL
, NULL
, NULL
);
91 trace_qcrypto_tls_creds_x509_check_basic_constraints(
92 creds
, certFile
, status
);
94 if (status
> 0) { /* It is a CA cert */
96 error_setg(errp
, isServer
?
97 "The certificate %s basic constraints show a CA, "
98 "but we need one for a server" :
99 "The certificate %s basic constraints show a CA, "
100 "but we need one for a client",
104 } else if (status
== 0) { /* It is not a CA cert */
107 "The certificate %s basic constraints do not "
112 } else if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
113 /* Missing basicConstraints */
116 "The certificate %s is missing basic constraints "
121 } else { /* General error */
123 "Unable to query certificate %s basic constraints: %s",
124 certFile
, gnutls_strerror(status
));
134 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509
*creds
,
135 gnutls_x509_crt_t cert
,
136 const char *certFile
,
141 unsigned int usage
= 0;
142 unsigned int critical
= 0;
144 status
= gnutls_x509_crt_get_key_usage(cert
, &usage
, &critical
);
145 trace_qcrypto_tls_creds_x509_check_key_usage(
146 creds
, certFile
, status
, usage
, critical
);
149 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
150 usage
= isCA
? GNUTLS_KEY_KEY_CERT_SIGN
:
151 GNUTLS_KEY_DIGITAL_SIGNATURE
|GNUTLS_KEY_KEY_ENCIPHERMENT
;
154 "Unable to query certificate %s key usage: %s",
155 certFile
, gnutls_strerror(status
));
161 if (!(usage
& GNUTLS_KEY_KEY_CERT_SIGN
)) {
164 "Certificate %s usage does not permit "
165 "certificate signing", certFile
);
170 if (!(usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
)) {
173 "Certificate %s usage does not permit digital "
174 "signature", certFile
);
178 if (!(usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
)) {
181 "Certificate %s usage does not permit key "
182 "encipherment", certFile
);
193 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509
*creds
,
194 gnutls_x509_crt_t cert
,
195 const char *certFile
,
201 unsigned int purposeCritical
;
202 unsigned int critical
;
205 bool allowClient
= false, allowServer
= false;
210 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
213 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
215 /* If there is no data at all, then we must allow
216 client/server to pass */
218 allowServer
= allowClient
= true;
222 if (status
!= GNUTLS_E_SHORT_MEMORY_BUFFER
) {
224 "Unable to query certificate %s key purpose: %s",
225 certFile
, gnutls_strerror(status
));
229 buffer
= g_new0(char, size
);
231 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
232 &size
, &purposeCritical
);
235 trace_qcrypto_tls_creds_x509_check_key_purpose(
236 creds
, certFile
, status
, "<none>", purposeCritical
);
239 "Unable to query certificate %s key purpose: %s",
240 certFile
, gnutls_strerror(status
));
243 trace_qcrypto_tls_creds_x509_check_key_purpose(
244 creds
, certFile
, status
, buffer
, purposeCritical
);
245 if (purposeCritical
) {
249 if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_SERVER
)) {
251 } else if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_CLIENT
)) {
253 } else if (g_str_equal(buffer
, GNUTLS_KP_ANY
)) {
254 allowServer
= allowClient
= true;
264 "Certificate %s purpose does not allow "
265 "use with a TLS server", certFile
);
273 "Certificate %s purpose does not allow use "
274 "with a TLS client", certFile
);
285 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509
*creds
,
286 gnutls_x509_crt_t cert
,
287 const char *certFile
,
292 if (qcrypto_tls_creds_check_cert_times(cert
, certFile
,
298 #if LIBGNUTLS_VERSION_NUMBER >= 2
299 if (qcrypto_tls_creds_check_cert_basic_constraints(creds
,
307 if (qcrypto_tls_creds_check_cert_key_usage(creds
,
314 qcrypto_tls_creds_check_cert_key_purpose(creds
,
316 isServer
, errp
) < 0) {
325 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert
,
326 const char *certFile
,
327 gnutls_x509_crt_t
*cacerts
,
329 const char *cacertFile
,
335 if (gnutls_x509_crt_list_verify(&cert
, 1,
339 error_setg(errp
, isServer
?
340 "Unable to verify server certificate %s against "
341 "CA certificate %s" :
342 "Unable to verify client certificate %s against "
344 certFile
, cacertFile
);
349 const char *reason
= "Invalid certificate";
351 if (status
& GNUTLS_CERT_INVALID
) {
352 reason
= "The certificate is not trusted";
355 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
) {
356 reason
= "The certificate hasn't got a known issuer";
359 if (status
& GNUTLS_CERT_REVOKED
) {
360 reason
= "The certificate has been revoked";
363 #ifndef GNUTLS_1_0_COMPAT
364 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
) {
365 reason
= "The certificate uses an insecure algorithm";
370 "Our own certificate %s failed validation against %s: %s",
371 certFile
, cacertFile
, reason
);
379 static gnutls_x509_crt_t
380 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509
*creds
,
381 const char *certFile
,
386 gnutls_x509_crt_t cert
= NULL
;
392 trace_qcrypto_tls_creds_x509_load_cert(creds
, isServer
, certFile
);
394 if (gnutls_x509_crt_init(&cert
) < 0) {
395 error_setg(errp
, "Unable to initialize certificate");
399 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
400 error_setg(errp
, "Cannot load CA cert list %s: %s",
401 certFile
, gerr
->message
);
406 data
.data
= (unsigned char *)buf
;
407 data
.size
= strlen(buf
);
409 if (gnutls_x509_crt_import(cert
, &data
, GNUTLS_X509_FMT_PEM
) < 0) {
410 error_setg(errp
, isServer
?
411 "Unable to import server certificate %s" :
412 "Unable to import client certificate %s",
421 gnutls_x509_crt_deinit(cert
);
430 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509
*creds
,
431 const char *certFile
,
432 gnutls_x509_crt_t
*certs
,
433 unsigned int certMax
,
444 trace_qcrypto_tls_creds_x509_load_cert_list(creds
, certFile
);
446 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
447 error_setg(errp
, "Cannot load CA cert list %s: %s",
448 certFile
, gerr
->message
);
453 data
.data
= (unsigned char *)buf
;
454 data
.size
= strlen(buf
);
456 if (gnutls_x509_crt_list_import(certs
, &certMax
, &data
,
457 GNUTLS_X509_FMT_PEM
, 0) < 0) {
459 "Unable to import CA certificate list %s",
475 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds
,
477 const char *cacertFile
,
478 const char *certFile
,
481 gnutls_x509_crt_t cert
= NULL
;
482 gnutls_x509_crt_t cacerts
[MAX_CERTS
];
487 memset(cacerts
, 0, sizeof(cacerts
));
489 access(certFile
, R_OK
) == 0) {
490 cert
= qcrypto_tls_creds_load_cert(creds
,
497 if (access(cacertFile
, R_OK
) == 0) {
498 if (qcrypto_tls_creds_load_ca_cert_list(creds
,
500 MAX_CERTS
, &ncacerts
,
507 qcrypto_tls_creds_check_cert(creds
,
508 cert
, certFile
, isServer
,
513 for (i
= 0; i
< ncacerts
; i
++) {
514 if (qcrypto_tls_creds_check_cert(creds
,
515 cacerts
[i
], cacertFile
,
516 isServer
, true, errp
) < 0) {
521 if (cert
&& ncacerts
&&
522 qcrypto_tls_creds_check_cert_pair(cert
, certFile
, cacerts
,
523 ncacerts
, cacertFile
,
524 isServer
, errp
) < 0) {
532 gnutls_x509_crt_deinit(cert
);
534 for (i
= 0; i
< ncacerts
; i
++) {
535 gnutls_x509_crt_deinit(cacerts
[i
]);
542 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds
,
545 char *cacert
= NULL
, *cacrl
= NULL
, *cert
= NULL
,
546 *key
= NULL
, *dhparams
= NULL
;
550 trace_qcrypto_tls_creds_x509_load(creds
,
551 creds
->parent_obj
.dir
? creds
->parent_obj
.dir
: "<nodir>");
553 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
554 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
555 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
556 true, &cacert
, errp
) < 0 ||
557 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
558 QCRYPTO_TLS_CREDS_X509_CA_CRL
,
559 false, &cacrl
, errp
) < 0 ||
560 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
561 QCRYPTO_TLS_CREDS_X509_SERVER_CERT
,
562 true, &cert
, errp
) < 0 ||
563 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
564 QCRYPTO_TLS_CREDS_X509_SERVER_KEY
,
565 true, &key
, errp
) < 0 ||
566 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
567 QCRYPTO_TLS_CREDS_DH_PARAMS
,
568 false, &dhparams
, errp
) < 0) {
572 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
573 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
574 true, &cacert
, errp
) < 0 ||
575 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
576 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
,
577 false, &cert
, errp
) < 0 ||
578 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
579 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
,
580 false, &key
, errp
) < 0) {
585 if (creds
->sanityCheck
&&
586 qcrypto_tls_creds_x509_sanity_check(creds
,
587 creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
,
588 cacert
, cert
, errp
) < 0) {
592 ret
= gnutls_certificate_allocate_credentials(&creds
->data
);
594 error_setg(errp
, "Cannot allocate credentials: '%s'",
595 gnutls_strerror(ret
));
599 ret
= gnutls_certificate_set_x509_trust_file(creds
->data
,
601 GNUTLS_X509_FMT_PEM
);
603 error_setg(errp
, "Cannot load CA certificate '%s': %s",
604 cacert
, gnutls_strerror(ret
));
608 if (cert
!= NULL
&& key
!= NULL
) {
609 ret
= gnutls_certificate_set_x509_key_file(creds
->data
,
611 GNUTLS_X509_FMT_PEM
);
613 error_setg(errp
, "Cannot load certificate '%s' & key '%s': %s",
614 cert
, key
, gnutls_strerror(ret
));
620 ret
= gnutls_certificate_set_x509_crl_file(creds
->data
,
622 GNUTLS_X509_FMT_PEM
);
624 error_setg(errp
, "Cannot load CRL '%s': %s",
625 cacrl
, gnutls_strerror(ret
));
630 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
631 if (qcrypto_tls_creds_get_dh_params_file(&creds
->parent_obj
, dhparams
,
632 &creds
->parent_obj
.dh_params
,
636 gnutls_certificate_set_dh_params(creds
->data
,
637 creds
->parent_obj
.dh_params
);
652 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds
)
655 gnutls_certificate_free_credentials(creds
->data
);
658 if (creds
->parent_obj
.dh_params
) {
659 gnutls_dh_params_deinit(creds
->parent_obj
.dh_params
);
660 creds
->parent_obj
.dh_params
= NULL
;
665 #else /* ! CONFIG_GNUTLS */
669 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
,
672 error_setg(errp
, "TLS credentials support requires GNUTLS");
677 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
)
683 #endif /* ! CONFIG_GNUTLS */
687 qcrypto_tls_creds_x509_prop_set_loaded(Object
*obj
,
691 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
694 qcrypto_tls_creds_x509_load(creds
, errp
);
696 qcrypto_tls_creds_x509_unload(creds
);
705 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj
,
706 Error
**errp G_GNUC_UNUSED
)
708 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
710 return creds
->data
!= NULL
;
714 #else /* ! CONFIG_GNUTLS */
718 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj G_GNUC_UNUSED
,
719 Error
**errp G_GNUC_UNUSED
)
725 #endif /* ! CONFIG_GNUTLS */
729 qcrypto_tls_creds_x509_prop_set_sanity(Object
*obj
,
731 Error
**errp G_GNUC_UNUSED
)
733 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
735 creds
->sanityCheck
= value
;
740 qcrypto_tls_creds_x509_prop_get_sanity(Object
*obj
,
741 Error
**errp G_GNUC_UNUSED
)
743 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
745 return creds
->sanityCheck
;
750 qcrypto_tls_creds_x509_complete(UserCreatable
*uc
, Error
**errp
)
752 object_property_set_bool(OBJECT(uc
), true, "loaded", errp
);
757 qcrypto_tls_creds_x509_init(Object
*obj
)
759 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
761 creds
->sanityCheck
= true;
763 object_property_add_bool(obj
, "loaded",
764 qcrypto_tls_creds_x509_prop_get_loaded
,
765 qcrypto_tls_creds_x509_prop_set_loaded
,
767 object_property_add_bool(obj
, "sanity-check",
768 qcrypto_tls_creds_x509_prop_get_sanity
,
769 qcrypto_tls_creds_x509_prop_set_sanity
,
775 qcrypto_tls_creds_x509_finalize(Object
*obj
)
777 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
779 qcrypto_tls_creds_x509_unload(creds
);
784 qcrypto_tls_creds_x509_class_init(ObjectClass
*oc
, void *data
)
786 UserCreatableClass
*ucc
= USER_CREATABLE_CLASS(oc
);
788 ucc
->complete
= qcrypto_tls_creds_x509_complete
;
792 static const TypeInfo qcrypto_tls_creds_x509_info
= {
793 .parent
= TYPE_QCRYPTO_TLS_CREDS
,
794 .name
= TYPE_QCRYPTO_TLS_CREDS_X509
,
795 .instance_size
= sizeof(QCryptoTLSCredsX509
),
796 .instance_init
= qcrypto_tls_creds_x509_init
,
797 .instance_finalize
= qcrypto_tls_creds_x509_finalize
,
798 .class_size
= sizeof(QCryptoTLSCredsX509Class
),
799 .class_init
= qcrypto_tls_creds_x509_class_init
,
800 .interfaces
= (InterfaceInfo
[]) {
801 { TYPE_USER_CREATABLE
},
808 qcrypto_tls_creds_x509_register_types(void)
810 type_register_static(&qcrypto_tls_creds_x509_info
);
814 type_init(qcrypto_tls_creds_x509_register_types
);