2 * QEMU crypto TLS x509 credential support
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "crypto/tlscredsx509.h"
22 #include "crypto/tlscredspriv.h"
23 #include "qom/object_interfaces.h"
29 #include <gnutls/x509.h>
33 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
39 time_t now = time(NULL);
41 if (now == ((time_t)-1)) {
42 error_setg_errno(errp, errno, "cannot get current time");
46 if (gnutls_x509_crt_get_expiration_time(cert) < now) {
49 "The CA certificate %s has expired" :
51 "The server certificate %s has expired" :
52 "The client certificate %s has expired")),
57 if (gnutls_x509_crt_get_activation_time(cert) > now) {
60 "The CA certificate %s is not yet active" :
62 "The server certificate %s is not yet active" :
63 "The client certificate %s is not yet active")),
72 #if LIBGNUTLS_VERSION_NUMBER >= 2
74 * The gnutls_x509_crt_get_basic_constraints function isn't
75 * available in GNUTLS 1.0.x branches. This isn't critical
76 * though, since gnutls_certificate_verify_peers2 will do
77 * pretty much the same check at runtime, so we can just
81 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
82 gnutls_x509_crt_t cert,
90 status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
91 trace_qcrypto_tls_creds_x509_check_basic_constraints(
92 creds, certFile, status);
94 if (status > 0) { /* It is a CA cert */
96 error_setg(errp, isServer ?
97 "The certificate %s basic constraints show a CA, "
98 "but we need one for a server" :
99 "The certificate %s basic constraints show a CA, "
100 "but we need one for a client",
104 } else if (status == 0) { /* It is not a CA cert */
107 "The certificate %s basic constraints do not "
112 } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
113 /* Missing basicConstraints */
116 "The certificate %s is missing basic constraints "
121 } else { /* General error */
123 "Unable to query certificate %s basic constraints: %s",
124 certFile, gnutls_strerror(status));
134 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
135 gnutls_x509_crt_t cert,
136 const char *certFile,
141 unsigned int usage = 0;
142 unsigned int critical = 0;
144 status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
145 trace_qcrypto_tls_creds_x509_check_key_usage(
146 creds, certFile, status, usage, critical);
149 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
150 usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
151 GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
154 "Unable to query certificate %s key usage: %s",
155 certFile, gnutls_strerror(status));
161 if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
164 "Certificate %s usage does not permit "
165 "certificate signing", certFile);
170 if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
173 "Certificate %s usage does not permit digital "
174 "signature", certFile);
178 if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
181 "Certificate %s usage does not permit key "
182 "encipherment", certFile);
193 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
194 gnutls_x509_crt_t cert,
195 const char *certFile,
201 unsigned int purposeCritical;
202 unsigned int critical;
205 bool allowClient = false, allowServer = false;
210 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
213 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
215 /* If there is no data at all, then we must allow
216 client/server to pass */
218 allowServer = allowClient = true;
222 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
224 "Unable to query certificate %s key purpose: %s",
225 certFile, gnutls_strerror(status));
229 buffer = g_new0(char, size);
231 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
232 &size, &purposeCritical);
235 trace_qcrypto_tls_creds_x509_check_key_purpose(
236 creds, certFile, status, "<none>", purposeCritical);
239 "Unable to query certificate %s key purpose: %s",
240 certFile, gnutls_strerror(status));
243 trace_qcrypto_tls_creds_x509_check_key_purpose(
244 creds, certFile, status, buffer, purposeCritical);
245 if (purposeCritical) {
249 if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
251 } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
253 } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
254 allowServer = allowClient = true;
264 "Certificate %s purpose does not allow "
265 "use with a TLS server", certFile);
273 "Certificate %s purpose does not allow use "
274 "with a TLS client", certFile);
285 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
286 gnutls_x509_crt_t cert,
287 const char *certFile,
292 if (qcrypto_tls_creds_check_cert_times(cert, certFile,
298 #if LIBGNUTLS_VERSION_NUMBER >= 2
299 if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
307 if (qcrypto_tls_creds_check_cert_key_usage(creds,
314 qcrypto_tls_creds_check_cert_key_purpose(creds,
316 isServer, errp) < 0) {
325 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
326 const char *certFile,
327 gnutls_x509_crt_t *cacerts,
329 const char *cacertFile,
335 if (gnutls_x509_crt_list_verify(&cert, 1,
339 error_setg(errp, isServer ?
340 "Unable to verify server certificate %s against "
341 "CA certificate %s" :
342 "Unable to verify client certificate %s against "
344 certFile, cacertFile);
349 const char *reason = "Invalid certificate";
351 if (status & GNUTLS_CERT_INVALID) {
352 reason = "The certificate is not trusted";
355 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
356 reason = "The certificate hasn't got a known issuer";
359 if (status & GNUTLS_CERT_REVOKED) {
360 reason = "The certificate has been revoked";
363 #ifndef GNUTLS_1_0_COMPAT
364 if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
365 reason = "The certificate uses an insecure algorithm";
370 "Our own certificate %s failed validation against %s: %s",
371 certFile, cacertFile, reason);
379 static gnutls_x509_crt_t
380 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
381 const char *certFile,
386 gnutls_x509_crt_t cert = NULL;
392 trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
394 if (gnutls_x509_crt_init(&cert) < 0) {
395 error_setg(errp, "Unable to initialize certificate");
399 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
400 error_setg(errp, "Cannot load CA cert list %s: %s",
401 certFile, gerr->message);
406 data.data = (unsigned char *)buf;
407 data.size = strlen(buf);
409 if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
410 error_setg(errp, isServer ?
411 "Unable to import server certificate %s" :
412 "Unable to import client certificate %s",
421 gnutls_x509_crt_deinit(cert);
430 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
431 const char *certFile,
432 gnutls_x509_crt_t *certs,
433 unsigned int certMax,
444 trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
446 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
447 error_setg(errp, "Cannot load CA cert list %s: %s",
448 certFile, gerr->message);
453 data.data = (unsigned char *)buf;
454 data.size = strlen(buf);
456 if (gnutls_x509_crt_list_import(certs, &certMax, &data,
457 GNUTLS_X509_FMT_PEM, 0) < 0) {
459 "Unable to import CA certificate list %s",
475 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
477 const char *cacertFile,
478 const char *certFile,
481 gnutls_x509_crt_t cert = NULL;
482 gnutls_x509_crt_t cacerts[MAX_CERTS];
487 memset(cacerts, 0, sizeof(cacerts));
488 if (access(certFile, R_OK) == 0) {
489 cert = qcrypto_tls_creds_load_cert(creds,
496 if (access(cacertFile, R_OK) == 0) {
497 if (qcrypto_tls_creds_load_ca_cert_list(creds,
499 MAX_CERTS, &ncacerts,
506 qcrypto_tls_creds_check_cert(creds,
507 cert, certFile, isServer,
512 for (i = 0; i < ncacerts; i++) {
513 if (qcrypto_tls_creds_check_cert(creds,
514 cacerts[i], cacertFile,
515 isServer, true, errp) < 0) {
520 if (cert && ncacerts &&
521 qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
522 ncacerts, cacertFile,
523 isServer, errp) < 0) {
531 gnutls_x509_crt_deinit(cert);
533 for (i = 0; i < ncacerts; i++) {
534 gnutls_x509_crt_deinit(cacerts[i]);
541 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
544 char *cacert = NULL, *cacrl = NULL, *cert = NULL,
545 *key = NULL, *dhparams = NULL;
549 trace_qcrypto_tls_creds_x509_load(creds,
550 creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
552 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
553 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
554 QCRYPTO_TLS_CREDS_X509_CA_CERT,
555 true, &cacert, errp) < 0 ||
556 qcrypto_tls_creds_get_path(&creds->parent_obj,
557 QCRYPTO_TLS_CREDS_X509_CA_CRL,
558 false, &cacrl, errp) < 0 ||
559 qcrypto_tls_creds_get_path(&creds->parent_obj,
560 QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
561 true, &cert, errp) < 0 ||
562 qcrypto_tls_creds_get_path(&creds->parent_obj,
563 QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
564 true, &key, errp) < 0 ||
565 qcrypto_tls_creds_get_path(&creds->parent_obj,
566 QCRYPTO_TLS_CREDS_DH_PARAMS,
567 false, &dhparams, errp) < 0) {
571 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
572 QCRYPTO_TLS_CREDS_X509_CA_CERT,
573 true, &cacert, errp) < 0 ||
574 qcrypto_tls_creds_get_path(&creds->parent_obj,
575 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
576 false, &cert, errp) < 0 ||
577 qcrypto_tls_creds_get_path(&creds->parent_obj,
578 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
579 false, &key, errp) < 0) {
584 if (creds->sanityCheck &&
585 qcrypto_tls_creds_x509_sanity_check(creds,
586 creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
587 cacert, cert, errp) < 0) {
591 ret = gnutls_certificate_allocate_credentials(&creds->data);
593 error_setg(errp, "Cannot allocate credentials: '%s'",
594 gnutls_strerror(ret));
598 ret = gnutls_certificate_set_x509_trust_file(creds->data,
600 GNUTLS_X509_FMT_PEM);
602 error_setg(errp, "Cannot load CA certificate '%s': %s",
603 cacert, gnutls_strerror(ret));
607 if (cert != NULL && key != NULL) {
608 ret = gnutls_certificate_set_x509_key_file(creds->data,
610 GNUTLS_X509_FMT_PEM);
612 error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
613 cert, key, gnutls_strerror(ret));
619 ret = gnutls_certificate_set_x509_crl_file(creds->data,
621 GNUTLS_X509_FMT_PEM);
623 error_setg(errp, "Cannot load CRL '%s': %s",
624 cacrl, gnutls_strerror(ret));
629 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
630 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
631 &creds->parent_obj.dh_params,
635 gnutls_certificate_set_dh_params(creds->data,
636 creds->parent_obj.dh_params);
651 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
654 gnutls_certificate_free_credentials(creds->data);
657 if (creds->parent_obj.dh_params) {
658 gnutls_dh_params_deinit(creds->parent_obj.dh_params);
659 creds->parent_obj.dh_params = NULL;
664 #else /* ! CONFIG_GNUTLS */
668 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
671 error_setg(errp, "TLS credentials support requires GNUTLS");
676 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
682 #endif /* ! CONFIG_GNUTLS */
686 qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
690 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
693 qcrypto_tls_creds_x509_load(creds, errp);
695 qcrypto_tls_creds_x509_unload(creds);
704 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj,
705 Error **errp G_GNUC_UNUSED)
707 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
709 return creds->data != NULL;
713 #else /* ! CONFIG_GNUTLS */
717 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
718 Error **errp G_GNUC_UNUSED)
724 #endif /* ! CONFIG_GNUTLS */
728 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
730 Error **errp G_GNUC_UNUSED)
732 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
734 creds->sanityCheck = value;
739 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
740 Error **errp G_GNUC_UNUSED)
742 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
744 return creds->sanityCheck;
749 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
751 object_property_set_bool(OBJECT(uc), true, "loaded", errp);
756 qcrypto_tls_creds_x509_init(Object *obj)
758 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
760 creds->sanityCheck = true;
762 object_property_add_bool(obj, "loaded",
763 qcrypto_tls_creds_x509_prop_get_loaded,
764 qcrypto_tls_creds_x509_prop_set_loaded,
766 object_property_add_bool(obj, "sanity-check",
767 qcrypto_tls_creds_x509_prop_get_sanity,
768 qcrypto_tls_creds_x509_prop_set_sanity,
774 qcrypto_tls_creds_x509_finalize(Object *obj)
776 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
778 qcrypto_tls_creds_x509_unload(creds);
783 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
785 UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
787 ucc->complete = qcrypto_tls_creds_x509_complete;
791 static const TypeInfo qcrypto_tls_creds_x509_info = {
792 .parent = TYPE_QCRYPTO_TLS_CREDS,
793 .name = TYPE_QCRYPTO_TLS_CREDS_X509,
794 .instance_size = sizeof(QCryptoTLSCredsX509),
795 .instance_init = qcrypto_tls_creds_x509_init,
796 .instance_finalize = qcrypto_tls_creds_x509_finalize,
797 .class_size = sizeof(QCryptoTLSCredsX509Class),
798 .class_init = qcrypto_tls_creds_x509_class_init,
799 .interfaces = (InterfaceInfo[]) {
800 { TYPE_USER_CREATABLE },
807 qcrypto_tls_creds_x509_register_types(void)
809 type_register_static(&qcrypto_tls_creds_x509_info);
813 type_init(qcrypto_tls_creds_x509_register_types);
projects / qemu.git / blob