2 * QEMU crypto TLS x509 credential support
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "crypto/tlscredsx509.h"
23 #include "tlscredspriv.h"
24 #include "crypto/secret.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
27 #include "qom/object_interfaces.h"
33 #include <gnutls/x509.h>
37 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert
,
43 time_t now
= time(NULL
);
45 if (now
== ((time_t)-1)) {
46 error_setg_errno(errp
, errno
, "cannot get current time");
50 if (gnutls_x509_crt_get_expiration_time(cert
) < now
) {
53 "The CA certificate %s has expired" :
55 "The server certificate %s has expired" :
56 "The client certificate %s has expired")),
61 if (gnutls_x509_crt_get_activation_time(cert
) > now
) {
64 "The CA certificate %s is not yet active" :
66 "The server certificate %s is not yet active" :
67 "The client certificate %s is not yet active")),
77 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509
*creds
,
78 gnutls_x509_crt_t cert
,
86 status
= gnutls_x509_crt_get_basic_constraints(cert
, NULL
, NULL
, NULL
);
87 trace_qcrypto_tls_creds_x509_check_basic_constraints(
88 creds
, certFile
, status
);
90 if (status
> 0) { /* It is a CA cert */
92 error_setg(errp
, isServer
?
93 "The certificate %s basic constraints show a CA, "
94 "but we need one for a server" :
95 "The certificate %s basic constraints show a CA, "
96 "but we need one for a client",
100 } else if (status
== 0) { /* It is not a CA cert */
103 "The certificate %s basic constraints do not "
108 } else if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
109 /* Missing basicConstraints */
112 "The certificate %s is missing basic constraints "
117 } else { /* General error */
119 "Unable to query certificate %s basic constraints: %s",
120 certFile
, gnutls_strerror(status
));
129 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509
*creds
,
130 gnutls_x509_crt_t cert
,
131 const char *certFile
,
136 unsigned int usage
= 0;
137 unsigned int critical
= 0;
139 status
= gnutls_x509_crt_get_key_usage(cert
, &usage
, &critical
);
140 trace_qcrypto_tls_creds_x509_check_key_usage(
141 creds
, certFile
, status
, usage
, critical
);
144 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
145 usage
= isCA
? GNUTLS_KEY_KEY_CERT_SIGN
:
146 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
;
149 "Unable to query certificate %s key usage: %s",
150 certFile
, gnutls_strerror(status
));
156 if (!(usage
& GNUTLS_KEY_KEY_CERT_SIGN
)) {
159 "Certificate %s usage does not permit "
160 "certificate signing", certFile
);
165 if (!(usage
& GNUTLS_KEY_DIGITAL_SIGNATURE
)) {
168 "Certificate %s usage does not permit digital "
169 "signature", certFile
);
173 if (!(usage
& GNUTLS_KEY_KEY_ENCIPHERMENT
)) {
176 "Certificate %s usage does not permit key "
177 "encipherment", certFile
);
188 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509
*creds
,
189 gnutls_x509_crt_t cert
,
190 const char *certFile
,
196 unsigned int purposeCritical
;
197 unsigned int critical
;
200 bool allowClient
= false, allowServer
= false;
205 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
208 if (status
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
210 /* If there is no data at all, then we must allow
211 client/server to pass */
213 allowServer
= allowClient
= true;
217 if (status
!= GNUTLS_E_SHORT_MEMORY_BUFFER
) {
219 "Unable to query certificate %s key purpose: %s",
220 certFile
, gnutls_strerror(status
));
224 buffer
= g_new0(char, size
);
226 status
= gnutls_x509_crt_get_key_purpose_oid(cert
, i
, buffer
,
227 &size
, &purposeCritical
);
230 trace_qcrypto_tls_creds_x509_check_key_purpose(
231 creds
, certFile
, status
, "<none>", purposeCritical
);
234 "Unable to query certificate %s key purpose: %s",
235 certFile
, gnutls_strerror(status
));
238 trace_qcrypto_tls_creds_x509_check_key_purpose(
239 creds
, certFile
, status
, buffer
, purposeCritical
);
240 if (purposeCritical
) {
244 if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_SERVER
)) {
246 } else if (g_str_equal(buffer
, GNUTLS_KP_TLS_WWW_CLIENT
)) {
248 } else if (g_str_equal(buffer
, GNUTLS_KP_ANY
)) {
249 allowServer
= allowClient
= true;
260 "Certificate %s purpose does not allow "
261 "use with a TLS server", certFile
);
269 "Certificate %s purpose does not allow use "
270 "with a TLS client", certFile
);
281 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509
*creds
,
282 gnutls_x509_crt_t cert
,
283 const char *certFile
,
288 if (qcrypto_tls_creds_check_cert_times(cert
, certFile
,
294 if (qcrypto_tls_creds_check_cert_basic_constraints(creds
,
301 if (qcrypto_tls_creds_check_cert_key_usage(creds
,
308 qcrypto_tls_creds_check_cert_key_purpose(creds
,
310 isServer
, errp
) < 0) {
319 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert
,
320 const char *certFile
,
321 gnutls_x509_crt_t
*cacerts
,
323 const char *cacertFile
,
329 if (gnutls_x509_crt_list_verify(&cert
, 1,
333 error_setg(errp
, isServer
?
334 "Unable to verify server certificate %s against "
335 "CA certificate %s" :
336 "Unable to verify client certificate %s against "
338 certFile
, cacertFile
);
343 const char *reason
= "Invalid certificate";
345 if (status
& GNUTLS_CERT_INVALID
) {
346 reason
= "The certificate is not trusted";
349 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
) {
350 reason
= "The certificate hasn't got a known issuer";
353 if (status
& GNUTLS_CERT_REVOKED
) {
354 reason
= "The certificate has been revoked";
357 #ifndef GNUTLS_1_0_COMPAT
358 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
) {
359 reason
= "The certificate uses an insecure algorithm";
364 "Our own certificate %s failed validation against %s: %s",
365 certFile
, cacertFile
, reason
);
373 static gnutls_x509_crt_t
374 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509
*creds
,
375 const char *certFile
,
380 gnutls_x509_crt_t cert
= NULL
;
381 g_autofree
char *buf
= NULL
;
387 trace_qcrypto_tls_creds_x509_load_cert(creds
, isServer
, certFile
);
389 err
= gnutls_x509_crt_init(&cert
);
391 error_setg(errp
, "Unable to initialize certificate: %s",
392 gnutls_strerror(err
));
396 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
397 error_setg(errp
, "Cannot load CA cert list %s: %s",
398 certFile
, gerr
->message
);
403 data
.data
= (unsigned char *)buf
;
404 data
.size
= strlen(buf
);
406 err
= gnutls_x509_crt_import(cert
, &data
, GNUTLS_X509_FMT_PEM
);
408 error_setg(errp
, isServer
?
409 "Unable to import server certificate %s: %s" :
410 "Unable to import client certificate %s: %s",
412 gnutls_strerror(err
));
420 gnutls_x509_crt_deinit(cert
);
428 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509
*creds
,
429 const char *certFile
,
430 gnutls_x509_crt_t
*certs
,
431 unsigned int certMax
,
436 g_autofree
char *buf
= NULL
;
441 trace_qcrypto_tls_creds_x509_load_cert_list(creds
, certFile
);
443 if (!g_file_get_contents(certFile
, &buf
, &buflen
, &gerr
)) {
444 error_setg(errp
, "Cannot load CA cert list %s: %s",
445 certFile
, gerr
->message
);
450 data
.data
= (unsigned char *)buf
;
451 data
.size
= strlen(buf
);
453 if (gnutls_x509_crt_list_import(certs
, &certMax
, &data
,
454 GNUTLS_X509_FMT_PEM
, 0) < 0) {
456 "Unable to import CA certificate list %s",
468 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds
,
470 const char *cacertFile
,
471 const char *certFile
,
474 gnutls_x509_crt_t cert
= NULL
;
475 gnutls_x509_crt_t cacerts
[MAX_CERTS
];
480 memset(cacerts
, 0, sizeof(cacerts
));
482 access(certFile
, R_OK
) == 0) {
483 cert
= qcrypto_tls_creds_load_cert(creds
,
490 if (access(cacertFile
, R_OK
) == 0) {
491 if (qcrypto_tls_creds_load_ca_cert_list(creds
,
493 MAX_CERTS
, &ncacerts
,
500 qcrypto_tls_creds_check_cert(creds
,
501 cert
, certFile
, isServer
,
506 for (i
= 0; i
< ncacerts
; i
++) {
507 if (qcrypto_tls_creds_check_cert(creds
,
508 cacerts
[i
], cacertFile
,
509 isServer
, true, errp
) < 0) {
514 if (cert
&& ncacerts
&&
515 qcrypto_tls_creds_check_cert_pair(cert
, certFile
, cacerts
,
516 ncacerts
, cacertFile
,
517 isServer
, errp
) < 0) {
525 gnutls_x509_crt_deinit(cert
);
527 for (i
= 0; i
< ncacerts
; i
++) {
528 gnutls_x509_crt_deinit(cacerts
[i
]);
535 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds
,
538 char *cacert
= NULL
, *cacrl
= NULL
, *cert
= NULL
,
539 *key
= NULL
, *dhparams
= NULL
;
543 trace_qcrypto_tls_creds_x509_load(creds
,
544 creds
->parent_obj
.dir
? creds
->parent_obj
.dir
: "<nodir>");
546 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
547 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
548 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
549 true, &cacert
, errp
) < 0 ||
550 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
551 QCRYPTO_TLS_CREDS_X509_CA_CRL
,
552 false, &cacrl
, errp
) < 0 ||
553 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
554 QCRYPTO_TLS_CREDS_X509_SERVER_CERT
,
555 true, &cert
, errp
) < 0 ||
556 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
557 QCRYPTO_TLS_CREDS_X509_SERVER_KEY
,
558 true, &key
, errp
) < 0 ||
559 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
560 QCRYPTO_TLS_CREDS_DH_PARAMS
,
561 false, &dhparams
, errp
) < 0) {
565 if (qcrypto_tls_creds_get_path(&creds
->parent_obj
,
566 QCRYPTO_TLS_CREDS_X509_CA_CERT
,
567 true, &cacert
, errp
) < 0 ||
568 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
569 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
,
570 false, &cert
, errp
) < 0 ||
571 qcrypto_tls_creds_get_path(&creds
->parent_obj
,
572 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
,
573 false, &key
, errp
) < 0) {
578 if (creds
->sanityCheck
&&
579 qcrypto_tls_creds_x509_sanity_check(creds
,
580 creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
,
581 cacert
, cert
, errp
) < 0) {
585 ret
= gnutls_certificate_allocate_credentials(&creds
->data
);
587 error_setg(errp
, "Cannot allocate credentials: '%s'",
588 gnutls_strerror(ret
));
592 ret
= gnutls_certificate_set_x509_trust_file(creds
->data
,
594 GNUTLS_X509_FMT_PEM
);
596 error_setg(errp
, "Cannot load CA certificate '%s': %s",
597 cacert
, gnutls_strerror(ret
));
601 if (cert
!= NULL
&& key
!= NULL
) {
602 char *password
= NULL
;
603 if (creds
->passwordid
) {
604 password
= qcrypto_secret_lookup_as_utf8(creds
->passwordid
,
610 ret
= gnutls_certificate_set_x509_key_file2(creds
->data
,
617 error_setg(errp
, "Cannot load certificate '%s' & key '%s': %s",
618 cert
, key
, gnutls_strerror(ret
));
624 ret
= gnutls_certificate_set_x509_crl_file(creds
->data
,
626 GNUTLS_X509_FMT_PEM
);
628 error_setg(errp
, "Cannot load CRL '%s': %s",
629 cacrl
, gnutls_strerror(ret
));
634 if (creds
->parent_obj
.endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
) {
635 if (qcrypto_tls_creds_get_dh_params_file(&creds
->parent_obj
, dhparams
,
636 &creds
->parent_obj
.dh_params
,
640 gnutls_certificate_set_dh_params(creds
->data
,
641 creds
->parent_obj
.dh_params
);
656 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds
)
659 gnutls_certificate_free_credentials(creds
->data
);
662 if (creds
->parent_obj
.dh_params
) {
663 gnutls_dh_params_deinit(creds
->parent_obj
.dh_params
);
664 creds
->parent_obj
.dh_params
= NULL
;
669 #else /* ! CONFIG_GNUTLS */
673 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
,
676 error_setg(errp
, "TLS credentials support requires GNUTLS");
681 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
*creds G_GNUC_UNUSED
)
687 #endif /* ! CONFIG_GNUTLS */
691 qcrypto_tls_creds_x509_prop_set_loaded(Object
*obj
,
695 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
697 qcrypto_tls_creds_x509_unload(creds
);
699 qcrypto_tls_creds_x509_load(creds
, errp
);
708 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj
,
709 Error
**errp G_GNUC_UNUSED
)
711 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
713 return creds
->data
!= NULL
;
717 #else /* ! CONFIG_GNUTLS */
721 qcrypto_tls_creds_x509_prop_get_loaded(Object
*obj G_GNUC_UNUSED
,
722 Error
**errp G_GNUC_UNUSED
)
728 #endif /* ! CONFIG_GNUTLS */
732 qcrypto_tls_creds_x509_prop_set_sanity(Object
*obj
,
734 Error
**errp G_GNUC_UNUSED
)
736 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
738 creds
->sanityCheck
= value
;
743 qcrypto_tls_creds_x509_prop_set_passwordid(Object
*obj
,
745 Error
**errp G_GNUC_UNUSED
)
747 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
749 creds
->passwordid
= g_strdup(value
);
754 qcrypto_tls_creds_x509_prop_get_passwordid(Object
*obj
,
755 Error
**errp G_GNUC_UNUSED
)
757 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
759 return g_strdup(creds
->passwordid
);
764 qcrypto_tls_creds_x509_prop_get_sanity(Object
*obj
,
765 Error
**errp G_GNUC_UNUSED
)
767 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
769 return creds
->sanityCheck
;
774 qcrypto_tls_creds_x509_complete(UserCreatable
*uc
, Error
**errp
)
776 object_property_set_bool(OBJECT(uc
), "loaded", true, errp
);
781 qcrypto_tls_creds_x509_init(Object
*obj
)
783 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
785 creds
->sanityCheck
= true;
790 qcrypto_tls_creds_x509_finalize(Object
*obj
)
792 QCryptoTLSCredsX509
*creds
= QCRYPTO_TLS_CREDS_X509(obj
);
794 g_free(creds
->passwordid
);
795 qcrypto_tls_creds_x509_unload(creds
);
800 qcrypto_tls_creds_x509_class_init(ObjectClass
*oc
, void *data
)
802 UserCreatableClass
*ucc
= USER_CREATABLE_CLASS(oc
);
804 ucc
->complete
= qcrypto_tls_creds_x509_complete
;
806 object_class_property_add_bool(oc
, "loaded",
807 qcrypto_tls_creds_x509_prop_get_loaded
,
808 qcrypto_tls_creds_x509_prop_set_loaded
);
809 object_class_property_add_bool(oc
, "sanity-check",
810 qcrypto_tls_creds_x509_prop_get_sanity
,
811 qcrypto_tls_creds_x509_prop_set_sanity
);
812 object_class_property_add_str(oc
, "passwordid",
813 qcrypto_tls_creds_x509_prop_get_passwordid
,
814 qcrypto_tls_creds_x509_prop_set_passwordid
);
818 static const TypeInfo qcrypto_tls_creds_x509_info
= {
819 .parent
= TYPE_QCRYPTO_TLS_CREDS
,
820 .name
= TYPE_QCRYPTO_TLS_CREDS_X509
,
821 .instance_size
= sizeof(QCryptoTLSCredsX509
),
822 .instance_init
= qcrypto_tls_creds_x509_init
,
823 .instance_finalize
= qcrypto_tls_creds_x509_finalize
,
824 .class_size
= sizeof(QCryptoTLSCredsX509Class
),
825 .class_init
= qcrypto_tls_creds_x509_class_init
,
826 .interfaces
= (InterfaceInfo
[]) {
827 { TYPE_USER_CREATABLE
},
834 qcrypto_tls_creds_x509_register_types(void)
836 type_register_static(&qcrypto_tls_creds_x509_info
);
840 type_init(qcrypto_tls_creds_x509_register_types
);