mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-03 05:17:54 +03:00
rpc: split out helpers for TLS cert path location
We'll want to access these paths from outside the TLS context code, so split them into a standalone file. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
a2455fd53d
commit
e66c3bcd0c
@ -1,6 +1,10 @@
|
||||
gendispatch_prog = find_program('gendispatch.pl')
|
||||
|
||||
socket_sources = [
|
||||
tlsconfig_sources = files(
|
||||
'virnettlsconfig.c',
|
||||
)
|
||||
|
||||
socket_sources = tlsconfig_sources + [
|
||||
'virnettlscontext.c',
|
||||
'virnetsocket.c',
|
||||
]
|
||||
|
202
src/rpc/virnettlsconfig.c
Normal file
202
src/rpc/virnettlsconfig.c
Normal file
@ -0,0 +1,202 @@
|
||||
/*
|
||||
* virnettlsconfig.c: TLS x509 configuration helpers
|
||||
*
|
||||
* Copyright (C) 2010-2024 Red Hat, Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library. If not, see
|
||||
* <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include "virnettlsconfig.h"
|
||||
#include "virlog.h"
|
||||
#include "virutil.h"
|
||||
|
||||
#define VIR_FROM_THIS VIR_FROM_RPC
|
||||
|
||||
VIR_LOG_INIT("rpc.nettlscontext");
|
||||
|
||||
char *virNetTLSConfigUserPKIBaseDir(void)
|
||||
{
|
||||
g_autofree char *userdir = virGetUserDirectory();
|
||||
|
||||
return g_strdup_printf("%s/.pki/libvirt", userdir);
|
||||
}
|
||||
|
||||
static void virNetTLSConfigTrust(const char *cacertdir,
|
||||
const char *cacrldir,
|
||||
char **cacert,
|
||||
char **cacrl)
|
||||
{
|
||||
if (!*cacert)
|
||||
*cacert = g_strdup_printf("%s/%s", cacertdir, "cacert.pem");
|
||||
if (!*cacrl)
|
||||
*cacrl = g_strdup_printf("%s/%s", cacrldir, "cacrl.pem");
|
||||
|
||||
VIR_DEBUG("TLS CA cert %s", *cacert);
|
||||
VIR_DEBUG("TLS CA CRL %s", *cacrl);
|
||||
}
|
||||
|
||||
static void virNetTLSConfigIdentity(int isServer,
|
||||
const char *certdir,
|
||||
const char *keydir,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
if (!*key)
|
||||
*key = g_strdup_printf("%s/%s", keydir,
|
||||
isServer ? "serverkey.pem" : "clientkey.pem");
|
||||
if (!*cert)
|
||||
*cert = g_strdup_printf("%s/%s", certdir,
|
||||
isServer ? "servercert.pem" : "clientcert.pem");
|
||||
|
||||
VIR_DEBUG("TLS key %s", *key);
|
||||
VIR_DEBUG("TLS cert %s", *cert);
|
||||
}
|
||||
|
||||
void virNetTLSConfigCustomTrust(const char *pkipath,
|
||||
char **cacert,
|
||||
char **cacrl)
|
||||
{
|
||||
VIR_DEBUG("Locating trust chain in custom dir %s", pkipath);
|
||||
virNetTLSConfigTrust(pkipath,
|
||||
pkipath,
|
||||
cacert,
|
||||
cacrl);
|
||||
}
|
||||
|
||||
void virNetTLSConfigUserTrust(char **cacert,
|
||||
char **cacrl)
|
||||
{
|
||||
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||
|
||||
VIR_DEBUG("Locating trust chain in user dir %s", pkipath);
|
||||
|
||||
virNetTLSConfigTrust(pkipath,
|
||||
pkipath,
|
||||
cacert,
|
||||
cacrl);
|
||||
}
|
||||
|
||||
void virNetTLSConfigSystemTrust(char **cacert,
|
||||
char **cacrl)
|
||||
{
|
||||
VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR);
|
||||
|
||||
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
|
||||
LIBVIRT_CACRL_DIR,
|
||||
cacert,
|
||||
cacrl);
|
||||
}
|
||||
|
||||
void virNetTLSConfigCustomIdentity(const char *pkipath,
|
||||
int isServer,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
pkipath,
|
||||
pkipath,
|
||||
cert,
|
||||
key);
|
||||
}
|
||||
|
||||
void virNetTLSConfigUserIdentity(int isServer,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||
|
||||
VIR_DEBUG("Locating creds in user dir %s", pkipath);
|
||||
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
pkipath,
|
||||
pkipath,
|
||||
cert,
|
||||
key);
|
||||
}
|
||||
|
||||
void virNetTLSConfigSystemIdentity(int isServer,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
|
||||
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
LIBVIRT_CERT_DIR,
|
||||
LIBVIRT_KEY_DIR,
|
||||
cert,
|
||||
key);
|
||||
}
|
||||
|
||||
void virNetTLSConfigCustomCreds(const char *pkipath,
|
||||
int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
|
||||
virNetTLSConfigTrust(pkipath,
|
||||
pkipath,
|
||||
cacert,
|
||||
cacrl);
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
pkipath,
|
||||
pkipath,
|
||||
cert,
|
||||
key);
|
||||
}
|
||||
|
||||
void virNetTLSConfigUserCreds(int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||
|
||||
VIR_DEBUG("Locating creds in user dir %s", pkipath);
|
||||
|
||||
virNetTLSConfigTrust(pkipath,
|
||||
pkipath,
|
||||
cacert,
|
||||
cacrl);
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
pkipath,
|
||||
pkipath,
|
||||
cert,
|
||||
key);
|
||||
}
|
||||
|
||||
void virNetTLSConfigSystemCreds(int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
|
||||
|
||||
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
|
||||
LIBVIRT_CACRL_DIR,
|
||||
cacert,
|
||||
cacrl);
|
||||
virNetTLSConfigIdentity(isServer,
|
||||
LIBVIRT_CERT_DIR,
|
||||
LIBVIRT_KEY_DIR,
|
||||
cert,
|
||||
key);
|
||||
}
|
68
src/rpc/virnettlsconfig.h
Normal file
68
src/rpc/virnettlsconfig.h
Normal file
@ -0,0 +1,68 @@
|
||||
/*
|
||||
* virnettlsconfig.h: TLS x509 configuration helpers
|
||||
*
|
||||
* Copyright (C) 2010-2024 Red Hat, Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library. If not, see
|
||||
* <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "configmake.h"
|
||||
|
||||
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
|
||||
#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA"
|
||||
#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA"
|
||||
#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private"
|
||||
#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt"
|
||||
|
||||
char *virNetTLSConfigUserPKIBaseDir(void);
|
||||
|
||||
void virNetTLSConfigCustomTrust(const char *pkipath,
|
||||
char **cacert,
|
||||
char **cacrl);
|
||||
void virNetTLSConfigUserTrust(char **cacert,
|
||||
char **cacrl);
|
||||
void virNetTLSConfigSystemTrust(char **cacert,
|
||||
char **cacrl);
|
||||
|
||||
void virNetTLSConfigCustomIdentity(const char *pkipath,
|
||||
int isServer,
|
||||
char **cert,
|
||||
char **key);
|
||||
void virNetTLSConfigUserIdentity(int isServer,
|
||||
char **cert,
|
||||
char **key);
|
||||
void virNetTLSConfigSystemIdentity(int isServer,
|
||||
char **cert,
|
||||
char **key);
|
||||
|
||||
|
||||
void virNetTLSConfigCustomCreds(const char *pkipath,
|
||||
int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key);
|
||||
void virNetTLSConfigUserCreds(int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key);
|
||||
void virNetTLSConfigSystemCreds(int isServer,
|
||||
char **cacert,
|
||||
char **cacrl,
|
||||
char **cert,
|
||||
char **key);
|
@ -27,6 +27,7 @@
|
||||
#include <gnutls/x509.h>
|
||||
|
||||
#include "virnettlscontext.h"
|
||||
#include "virnettlsconfig.h"
|
||||
#include "virstring.h"
|
||||
|
||||
#include "viralloc.h"
|
||||
@ -36,15 +37,6 @@
|
||||
#include "virlog.h"
|
||||
#include "virprobe.h"
|
||||
#include "virthread.h"
|
||||
#include "configmake.h"
|
||||
|
||||
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
|
||||
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
|
||||
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
|
||||
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
|
||||
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
|
||||
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
|
||||
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
|
||||
|
||||
#define VIR_FROM_THIS VIR_FROM_RPC
|
||||
|
||||
@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
||||
char **cert,
|
||||
char **key)
|
||||
{
|
||||
char *userdir = NULL;
|
||||
char *user_pki_path = NULL;
|
||||
|
||||
*cacert = NULL;
|
||||
*cacrl = NULL;
|
||||
*key = NULL;
|
||||
@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
||||
* files actually exist there
|
||||
*/
|
||||
if (pkipath) {
|
||||
VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
|
||||
*cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem");
|
||||
*cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem");
|
||||
*key = g_strdup_printf("%s/%s", pkipath,
|
||||
isServer ? "serverkey.pem" : "clientkey.pem");
|
||||
|
||||
*cert = g_strdup_printf("%s/%s", pkipath,
|
||||
isServer ? "servercert.pem" : "clientcert.pem");
|
||||
virNetTLSConfigCustomCreds(pkipath, isServer,
|
||||
cacert, cacrl,
|
||||
cert, key);
|
||||
} else if (tryUserPkiPath) {
|
||||
/* Check to see if $HOME/.pki contains at least one of the
|
||||
* files and if so, use that
|
||||
*/
|
||||
userdir = virGetUserDirectory();
|
||||
|
||||
user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir);
|
||||
|
||||
VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);
|
||||
|
||||
*cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem");
|
||||
|
||||
*cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem");
|
||||
|
||||
*key = g_strdup_printf("%s/%s", user_pki_path,
|
||||
isServer ? "serverkey.pem" : "clientkey.pem");
|
||||
|
||||
*cert = g_strdup_printf("%s/%s", user_pki_path,
|
||||
isServer ? "servercert.pem" : "clientcert.pem");
|
||||
virNetTLSConfigUserCreds(isServer,
|
||||
cacert, cacrl,
|
||||
cert, key);
|
||||
|
||||
/*
|
||||
* If some of the files can't be found, fallback
|
||||
@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
||||
}
|
||||
}
|
||||
|
||||
/* No explicit path, or user path didn't exist, so
|
||||
* fallback to global defaults
|
||||
*/
|
||||
if (!*cacert) {
|
||||
VIR_DEBUG("Using default TLS CA certificate path");
|
||||
*cacert = g_strdup(LIBVIRT_CACERT);
|
||||
}
|
||||
|
||||
if (!*cacrl) {
|
||||
VIR_DEBUG("Using default TLS CA revocation list path");
|
||||
*cacrl = g_strdup(LIBVIRT_CACRL);
|
||||
}
|
||||
|
||||
if (!*key && !*cert) {
|
||||
VIR_DEBUG("Using default TLS key/certificate path");
|
||||
*key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY);
|
||||
|
||||
*cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT);
|
||||
}
|
||||
|
||||
VIR_FREE(user_pki_path);
|
||||
VIR_FREE(userdir);
|
||||
virNetTLSConfigSystemCreds(isServer,
|
||||
cacert, cacrl,
|
||||
cert, key);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user