2 * QEMU crypto TLS x509 credential support
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "crypto/tlscredsx509.h"
23 #include "tlscredspriv.h"
24 #include "crypto/secret.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
27 #include "qom/object_interfaces.h"
33 #include <gnutls/gnutls.h>
34 #include <gnutls/x509.h>
38 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
44 time_t now = time(NULL);
46 if (now == ((time_t)-1)) {
47 error_setg_errno(errp, errno, "cannot get current time");
51 if (gnutls_x509_crt_get_expiration_time(cert) < now) {
54 "The CA certificate %s has expired" :
56 "The server certificate %s has expired" :
57 "The client certificate %s has expired")),
62 if (gnutls_x509_crt_get_activation_time(cert) > now) {
65 "The CA certificate %s is not yet active" :
67 "The server certificate %s is not yet active" :
68 "The client certificate %s is not yet active")),
78 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
79 gnutls_x509_crt_t cert,
87 status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
88 trace_qcrypto_tls_creds_x509_check_basic_constraints(
89 creds, certFile, status);
91 if (status > 0) { /* It is a CA cert */
93 error_setg(errp, isServer ?
94 "The certificate %s basic constraints show a CA, "
95 "but we need one for a server" :
96 "The certificate %s basic constraints show a CA, "
97 "but we need one for a client",
101 } else if (status == 0) { /* It is not a CA cert */
104 "The certificate %s basic constraints do not "
109 } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
110 /* Missing basicConstraints */
113 "The certificate %s is missing basic constraints "
118 } else { /* General error */
120 "Unable to query certificate %s basic constraints: %s",
121 certFile, gnutls_strerror(status));
130 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
131 gnutls_x509_crt_t cert,
132 const char *certFile,
137 unsigned int usage = 0;
138 unsigned int critical = 0;
140 status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
141 trace_qcrypto_tls_creds_x509_check_key_usage(
142 creds, certFile, status, usage, critical);
145 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
146 usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
147 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
150 "Unable to query certificate %s key usage: %s",
151 certFile, gnutls_strerror(status));
157 if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
160 "Certificate %s usage does not permit "
161 "certificate signing", certFile);
166 if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
169 "Certificate %s usage does not permit digital "
170 "signature", certFile);
174 if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
177 "Certificate %s usage does not permit key "
178 "encipherment", certFile);
189 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
190 gnutls_x509_crt_t cert,
191 const char *certFile,
197 unsigned int purposeCritical;
198 unsigned int critical;
201 bool allowClient = false, allowServer = false;
206 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
209 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
211 /* If there is no data at all, then we must allow
212 client/server to pass */
214 allowServer = allowClient = true;
218 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
220 "Unable to query certificate %s key purpose: %s",
221 certFile, gnutls_strerror(status));
225 buffer = g_new0(char, size);
227 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
228 &size, &purposeCritical);
231 trace_qcrypto_tls_creds_x509_check_key_purpose(
232 creds, certFile, status, "<none>", purposeCritical);
235 "Unable to query certificate %s key purpose: %s",
236 certFile, gnutls_strerror(status));
239 trace_qcrypto_tls_creds_x509_check_key_purpose(
240 creds, certFile, status, buffer, purposeCritical);
241 if (purposeCritical) {
245 if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
247 } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
249 } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
250 allowServer = allowClient = true;
261 "Certificate %s purpose does not allow "
262 "use with a TLS server", certFile);
270 "Certificate %s purpose does not allow use "
271 "with a TLS client", certFile);
282 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
283 gnutls_x509_crt_t cert,
284 const char *certFile,
289 if (qcrypto_tls_creds_check_cert_times(cert, certFile,
295 if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
302 if (qcrypto_tls_creds_check_cert_key_usage(creds,
309 qcrypto_tls_creds_check_cert_key_purpose(creds,
311 isServer, errp) < 0) {
320 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
321 const char *certFile,
322 gnutls_x509_crt_t *cacerts,
324 const char *cacertFile,
330 if (gnutls_x509_crt_list_verify(&cert, 1,
334 error_setg(errp, isServer ?
335 "Unable to verify server certificate %s against "
336 "CA certificate %s" :
337 "Unable to verify client certificate %s against "
339 certFile, cacertFile);
344 const char *reason = "Invalid certificate";
346 if (status & GNUTLS_CERT_INVALID) {
347 reason = "The certificate is not trusted";
350 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
351 reason = "The certificate hasn't got a known issuer";
354 if (status & GNUTLS_CERT_REVOKED) {
355 reason = "The certificate has been revoked";
358 if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
359 reason = "The certificate uses an insecure algorithm";
363 "Our own certificate %s failed validation against %s: %s",
364 certFile, cacertFile, reason);
372 static gnutls_x509_crt_t
373 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
374 const char *certFile,
379 gnutls_x509_crt_t cert = NULL;
380 g_autofree char *buf = NULL;
386 trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
388 err = gnutls_x509_crt_init(&cert);
390 error_setg(errp, "Unable to initialize certificate: %s",
391 gnutls_strerror(err));
395 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
396 error_setg(errp, "Cannot load CA cert list %s: %s",
397 certFile, gerr->message);
402 data.data = (unsigned char *)buf;
403 data.size = strlen(buf);
405 err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM);
407 error_setg(errp, isServer ?
408 "Unable to import server certificate %s: %s" :
409 "Unable to import client certificate %s: %s",
411 gnutls_strerror(err));
419 gnutls_x509_crt_deinit(cert);
427 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
428 const char *certFile,
429 gnutls_x509_crt_t *certs,
430 unsigned int certMax,
435 g_autofree char *buf = NULL;
440 trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
442 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
443 error_setg(errp, "Cannot load CA cert list %s: %s",
444 certFile, gerr->message);
449 data.data = (unsigned char *)buf;
450 data.size = strlen(buf);
452 if (gnutls_x509_crt_list_import(certs, &certMax, &data,
453 GNUTLS_X509_FMT_PEM, 0) < 0) {
455 "Unable to import CA certificate list %s",
467 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
469 const char *cacertFile,
470 const char *certFile,
473 gnutls_x509_crt_t cert = NULL;
474 gnutls_x509_crt_t cacerts[MAX_CERTS];
479 memset(cacerts, 0, sizeof(cacerts));
481 access(certFile, R_OK) == 0) {
482 cert = qcrypto_tls_creds_load_cert(creds,
489 if (access(cacertFile, R_OK) == 0) {
490 if (qcrypto_tls_creds_load_ca_cert_list(creds,
492 MAX_CERTS, &ncacerts,
499 qcrypto_tls_creds_check_cert(creds,
500 cert, certFile, isServer,
505 for (i = 0; i < ncacerts; i++) {
506 if (qcrypto_tls_creds_check_cert(creds,
507 cacerts[i], cacertFile,
508 isServer, true, errp) < 0) {
513 if (cert && ncacerts &&
514 qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
515 ncacerts, cacertFile,
516 isServer, errp) < 0) {
524 gnutls_x509_crt_deinit(cert);
526 for (i = 0; i < ncacerts; i++) {
527 gnutls_x509_crt_deinit(cacerts[i]);
534 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
537 char *cacert = NULL, *cacrl = NULL, *cert = NULL,
538 *key = NULL, *dhparams = NULL;
542 trace_qcrypto_tls_creds_x509_load(creds,
543 creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
545 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
546 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
547 QCRYPTO_TLS_CREDS_X509_CA_CERT,
548 true, &cacert, errp) < 0 ||
549 qcrypto_tls_creds_get_path(&creds->parent_obj,
550 QCRYPTO_TLS_CREDS_X509_CA_CRL,
551 false, &cacrl, errp) < 0 ||
552 qcrypto_tls_creds_get_path(&creds->parent_obj,
553 QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
554 true, &cert, errp) < 0 ||
555 qcrypto_tls_creds_get_path(&creds->parent_obj,
556 QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
557 true, &key, errp) < 0 ||
558 qcrypto_tls_creds_get_path(&creds->parent_obj,
559 QCRYPTO_TLS_CREDS_DH_PARAMS,
560 false, &dhparams, errp) < 0) {
564 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
565 QCRYPTO_TLS_CREDS_X509_CA_CERT,
566 true, &cacert, errp) < 0 ||
567 qcrypto_tls_creds_get_path(&creds->parent_obj,
568 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
569 false, &cert, errp) < 0 ||
570 qcrypto_tls_creds_get_path(&creds->parent_obj,
571 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
572 false, &key, errp) < 0) {
577 if (creds->sanityCheck &&
578 qcrypto_tls_creds_x509_sanity_check(creds,
579 creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
580 cacert, cert, errp) < 0) {
584 ret = gnutls_certificate_allocate_credentials(&creds->data);
586 error_setg(errp, "Cannot allocate credentials: '%s'",
587 gnutls_strerror(ret));
591 ret = gnutls_certificate_set_x509_trust_file(creds->data,
593 GNUTLS_X509_FMT_PEM);
595 error_setg(errp, "Cannot load CA certificate '%s': %s",
596 cacert, gnutls_strerror(ret));
600 if (cert != NULL && key != NULL) {
601 char *password = NULL;
602 if (creds->passwordid) {
603 password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
609 ret = gnutls_certificate_set_x509_key_file2(creds->data,
616 error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
617 cert, key, gnutls_strerror(ret));
623 ret = gnutls_certificate_set_x509_crl_file(creds->data,
625 GNUTLS_X509_FMT_PEM);
627 error_setg(errp, "Cannot load CRL '%s': %s",
628 cacrl, gnutls_strerror(ret));
633 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
634 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
635 &creds->parent_obj.dh_params,
639 gnutls_certificate_set_dh_params(creds->data,
640 creds->parent_obj.dh_params);
655 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
658 gnutls_certificate_free_credentials(creds->data);
661 if (creds->parent_obj.dh_params) {
662 gnutls_dh_params_deinit(creds->parent_obj.dh_params);
663 creds->parent_obj.dh_params = NULL;
668 #else /* ! CONFIG_GNUTLS */
672 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
675 error_setg(errp, "TLS credentials support requires GNUTLS");
680 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
686 #endif /* ! CONFIG_GNUTLS */
690 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
692 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(uc);
694 qcrypto_tls_creds_x509_load(creds, errp);
702 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj,
703 Error **errp G_GNUC_UNUSED)
705 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
707 return creds->data != NULL;
711 #else /* ! CONFIG_GNUTLS */
715 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
716 Error **errp G_GNUC_UNUSED)
722 #endif /* ! CONFIG_GNUTLS */
726 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
728 Error **errp G_GNUC_UNUSED)
730 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
732 creds->sanityCheck = value;
737 qcrypto_tls_creds_x509_prop_set_passwordid(Object *obj,
739 Error **errp G_GNUC_UNUSED)
741 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
743 creds->passwordid = g_strdup(value);
748 qcrypto_tls_creds_x509_prop_get_passwordid(Object *obj,
749 Error **errp G_GNUC_UNUSED)
751 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
753 return g_strdup(creds->passwordid);
758 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
759 Error **errp G_GNUC_UNUSED)
761 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
763 return creds->sanityCheck;
771 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
773 QCryptoTLSCredsX509 *x509_creds = QCRYPTO_TLS_CREDS_X509(creds);
774 Error *local_err = NULL;
775 gnutls_certificate_credentials_t creds_data = x509_creds->data;
776 gnutls_dh_params_t creds_dh_params = x509_creds->parent_obj.dh_params;
778 x509_creds->data = NULL;
779 x509_creds->parent_obj.dh_params = NULL;
780 qcrypto_tls_creds_x509_load(x509_creds, &local_err);
782 qcrypto_tls_creds_x509_unload(x509_creds);
783 x509_creds->data = creds_data;
784 x509_creds->parent_obj.dh_params = creds_dh_params;
785 error_propagate(errp, local_err);
790 gnutls_certificate_free_credentials(creds_data);
792 if (creds_dh_params) {
793 gnutls_dh_params_deinit(creds_dh_params);
799 #else /* ! CONFIG_GNUTLS */
803 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
809 #endif /* ! CONFIG_GNUTLS */
813 qcrypto_tls_creds_x509_init(Object *obj)
815 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
817 creds->sanityCheck = true;
822 qcrypto_tls_creds_x509_finalize(Object *obj)
824 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
826 g_free(creds->passwordid);
827 qcrypto_tls_creds_x509_unload(creds);
832 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
834 UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
835 QCryptoTLSCredsClass *ctcc = QCRYPTO_TLS_CREDS_CLASS(oc);
837 ctcc->reload = qcrypto_tls_creds_x509_reload;
839 ucc->complete = qcrypto_tls_creds_x509_complete;
841 object_class_property_add_bool(oc, "loaded",
842 qcrypto_tls_creds_x509_prop_get_loaded,
844 object_class_property_add_bool(oc, "sanity-check",
845 qcrypto_tls_creds_x509_prop_get_sanity,
846 qcrypto_tls_creds_x509_prop_set_sanity);
847 object_class_property_add_str(oc, "passwordid",
848 qcrypto_tls_creds_x509_prop_get_passwordid,
849 qcrypto_tls_creds_x509_prop_set_passwordid);
853 static const TypeInfo qcrypto_tls_creds_x509_info = {
854 .parent = TYPE_QCRYPTO_TLS_CREDS,
855 .name = TYPE_QCRYPTO_TLS_CREDS_X509,
856 .instance_size = sizeof(QCryptoTLSCredsX509),
857 .instance_init = qcrypto_tls_creds_x509_init,
858 .instance_finalize = qcrypto_tls_creds_x509_finalize,
859 .class_size = sizeof(QCryptoTLSCredsX509Class),
860 .class_init = qcrypto_tls_creds_x509_class_init,
861 .interfaces = (InterfaceInfo[]) {
862 { TYPE_USER_CREATABLE },
869 qcrypto_tls_creds_x509_register_types(void)
871 type_register_static(&qcrypto_tls_creds_x509_info);
875 type_init(qcrypto_tls_creds_x509_register_types);