mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-05 13:17:51 +03:00
rpc: split out helpers for TLS cert path location
We'll want to access these paths from outside the TLS context code, so split them into a standalone file. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
a2455fd53d
commit
e66c3bcd0c
@ -1,6 +1,10 @@
|
|||||||
gendispatch_prog = find_program('gendispatch.pl')
|
gendispatch_prog = find_program('gendispatch.pl')
|
||||||
|
|
||||||
socket_sources = [
|
tlsconfig_sources = files(
|
||||||
|
'virnettlsconfig.c',
|
||||||
|
)
|
||||||
|
|
||||||
|
socket_sources = tlsconfig_sources + [
|
||||||
'virnettlscontext.c',
|
'virnettlscontext.c',
|
||||||
'virnetsocket.c',
|
'virnetsocket.c',
|
||||||
]
|
]
|
||||||
|
202
src/rpc/virnettlsconfig.c
Normal file
202
src/rpc/virnettlsconfig.c
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
/*
|
||||||
|
* virnettlsconfig.c: TLS x509 configuration helpers
|
||||||
|
*
|
||||||
|
* Copyright (C) 2010-2024 Red Hat, Inc.
|
||||||
|
*
|
||||||
|
* This library is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU Lesser General Public
|
||||||
|
* License as published by the Free Software Foundation; either
|
||||||
|
* version 2.1 of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This library is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* Lesser General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Lesser General Public
|
||||||
|
* License along with this library. If not, see
|
||||||
|
* <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
|
||||||
|
#include "virnettlsconfig.h"
|
||||||
|
#include "virlog.h"
|
||||||
|
#include "virutil.h"
|
||||||
|
|
||||||
|
#define VIR_FROM_THIS VIR_FROM_RPC
|
||||||
|
|
||||||
|
VIR_LOG_INIT("rpc.nettlscontext");
|
||||||
|
|
||||||
|
char *virNetTLSConfigUserPKIBaseDir(void)
|
||||||
|
{
|
||||||
|
g_autofree char *userdir = virGetUserDirectory();
|
||||||
|
|
||||||
|
return g_strdup_printf("%s/.pki/libvirt", userdir);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void virNetTLSConfigTrust(const char *cacertdir,
|
||||||
|
const char *cacrldir,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl)
|
||||||
|
{
|
||||||
|
if (!*cacert)
|
||||||
|
*cacert = g_strdup_printf("%s/%s", cacertdir, "cacert.pem");
|
||||||
|
if (!*cacrl)
|
||||||
|
*cacrl = g_strdup_printf("%s/%s", cacrldir, "cacrl.pem");
|
||||||
|
|
||||||
|
VIR_DEBUG("TLS CA cert %s", *cacert);
|
||||||
|
VIR_DEBUG("TLS CA CRL %s", *cacrl);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void virNetTLSConfigIdentity(int isServer,
|
||||||
|
const char *certdir,
|
||||||
|
const char *keydir,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
if (!*key)
|
||||||
|
*key = g_strdup_printf("%s/%s", keydir,
|
||||||
|
isServer ? "serverkey.pem" : "clientkey.pem");
|
||||||
|
if (!*cert)
|
||||||
|
*cert = g_strdup_printf("%s/%s", certdir,
|
||||||
|
isServer ? "servercert.pem" : "clientcert.pem");
|
||||||
|
|
||||||
|
VIR_DEBUG("TLS key %s", *key);
|
||||||
|
VIR_DEBUG("TLS cert %s", *cert);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomTrust(const char *pkipath,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating trust chain in custom dir %s", pkipath);
|
||||||
|
virNetTLSConfigTrust(pkipath,
|
||||||
|
pkipath,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigUserTrust(char **cacert,
|
||||||
|
char **cacrl)
|
||||||
|
{
|
||||||
|
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||||
|
|
||||||
|
VIR_DEBUG("Locating trust chain in user dir %s", pkipath);
|
||||||
|
|
||||||
|
virNetTLSConfigTrust(pkipath,
|
||||||
|
pkipath,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigSystemTrust(char **cacert,
|
||||||
|
char **cacrl)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR);
|
||||||
|
|
||||||
|
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
|
||||||
|
LIBVIRT_CACRL_DIR,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomIdentity(const char *pkipath,
|
||||||
|
int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
pkipath,
|
||||||
|
pkipath,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigUserIdentity(int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||||
|
|
||||||
|
VIR_DEBUG("Locating creds in user dir %s", pkipath);
|
||||||
|
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
pkipath,
|
||||||
|
pkipath,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigSystemIdentity(int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
|
||||||
|
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
LIBVIRT_CERT_DIR,
|
||||||
|
LIBVIRT_KEY_DIR,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomCreds(const char *pkipath,
|
||||||
|
int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
|
||||||
|
virNetTLSConfigTrust(pkipath,
|
||||||
|
pkipath,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
pkipath,
|
||||||
|
pkipath,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigUserCreds(int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
|
||||||
|
|
||||||
|
VIR_DEBUG("Locating creds in user dir %s", pkipath);
|
||||||
|
|
||||||
|
virNetTLSConfigTrust(pkipath,
|
||||||
|
pkipath,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
pkipath,
|
||||||
|
pkipath,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
||||||
|
|
||||||
|
void virNetTLSConfigSystemCreds(int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key)
|
||||||
|
{
|
||||||
|
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
|
||||||
|
|
||||||
|
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
|
||||||
|
LIBVIRT_CACRL_DIR,
|
||||||
|
cacert,
|
||||||
|
cacrl);
|
||||||
|
virNetTLSConfigIdentity(isServer,
|
||||||
|
LIBVIRT_CERT_DIR,
|
||||||
|
LIBVIRT_KEY_DIR,
|
||||||
|
cert,
|
||||||
|
key);
|
||||||
|
}
|
68
src/rpc/virnettlsconfig.h
Normal file
68
src/rpc/virnettlsconfig.h
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
/*
|
||||||
|
* virnettlsconfig.h: TLS x509 configuration helpers
|
||||||
|
*
|
||||||
|
* Copyright (C) 2010-2024 Red Hat, Inc.
|
||||||
|
*
|
||||||
|
* This library is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU Lesser General Public
|
||||||
|
* License as published by the Free Software Foundation; either
|
||||||
|
* version 2.1 of the License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This library is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* Lesser General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Lesser General Public
|
||||||
|
* License along with this library. If not, see
|
||||||
|
* <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include "configmake.h"
|
||||||
|
|
||||||
|
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
|
||||||
|
#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA"
|
||||||
|
#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA"
|
||||||
|
#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private"
|
||||||
|
#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt"
|
||||||
|
|
||||||
|
char *virNetTLSConfigUserPKIBaseDir(void);
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomTrust(const char *pkipath,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl);
|
||||||
|
void virNetTLSConfigUserTrust(char **cacert,
|
||||||
|
char **cacrl);
|
||||||
|
void virNetTLSConfigSystemTrust(char **cacert,
|
||||||
|
char **cacrl);
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomIdentity(const char *pkipath,
|
||||||
|
int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
||||||
|
void virNetTLSConfigUserIdentity(int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
||||||
|
void virNetTLSConfigSystemIdentity(int isServer,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
||||||
|
|
||||||
|
|
||||||
|
void virNetTLSConfigCustomCreds(const char *pkipath,
|
||||||
|
int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
||||||
|
void virNetTLSConfigUserCreds(int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
||||||
|
void virNetTLSConfigSystemCreds(int isServer,
|
||||||
|
char **cacert,
|
||||||
|
char **cacrl,
|
||||||
|
char **cert,
|
||||||
|
char **key);
|
@ -27,6 +27,7 @@
|
|||||||
#include <gnutls/x509.h>
|
#include <gnutls/x509.h>
|
||||||
|
|
||||||
#include "virnettlscontext.h"
|
#include "virnettlscontext.h"
|
||||||
|
#include "virnettlsconfig.h"
|
||||||
#include "virstring.h"
|
#include "virstring.h"
|
||||||
|
|
||||||
#include "viralloc.h"
|
#include "viralloc.h"
|
||||||
@ -36,15 +37,6 @@
|
|||||||
#include "virlog.h"
|
#include "virlog.h"
|
||||||
#include "virprobe.h"
|
#include "virprobe.h"
|
||||||
#include "virthread.h"
|
#include "virthread.h"
|
||||||
#include "configmake.h"
|
|
||||||
|
|
||||||
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
|
|
||||||
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
|
|
||||||
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
|
|
||||||
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
|
|
||||||
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
|
|
||||||
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
|
|
||||||
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
|
|
||||||
|
|
||||||
#define VIR_FROM_THIS VIR_FROM_RPC
|
#define VIR_FROM_THIS VIR_FROM_RPC
|
||||||
|
|
||||||
@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
|||||||
char **cert,
|
char **cert,
|
||||||
char **key)
|
char **key)
|
||||||
{
|
{
|
||||||
char *userdir = NULL;
|
|
||||||
char *user_pki_path = NULL;
|
|
||||||
|
|
||||||
*cacert = NULL;
|
*cacert = NULL;
|
||||||
*cacrl = NULL;
|
*cacrl = NULL;
|
||||||
*key = NULL;
|
*key = NULL;
|
||||||
@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
|||||||
* files actually exist there
|
* files actually exist there
|
||||||
*/
|
*/
|
||||||
if (pkipath) {
|
if (pkipath) {
|
||||||
VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
|
virNetTLSConfigCustomCreds(pkipath, isServer,
|
||||||
*cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem");
|
cacert, cacrl,
|
||||||
*cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem");
|
cert, key);
|
||||||
*key = g_strdup_printf("%s/%s", pkipath,
|
|
||||||
isServer ? "serverkey.pem" : "clientkey.pem");
|
|
||||||
|
|
||||||
*cert = g_strdup_printf("%s/%s", pkipath,
|
|
||||||
isServer ? "servercert.pem" : "clientcert.pem");
|
|
||||||
} else if (tryUserPkiPath) {
|
} else if (tryUserPkiPath) {
|
||||||
/* Check to see if $HOME/.pki contains at least one of the
|
virNetTLSConfigUserCreds(isServer,
|
||||||
* files and if so, use that
|
cacert, cacrl,
|
||||||
*/
|
cert, key);
|
||||||
userdir = virGetUserDirectory();
|
|
||||||
|
|
||||||
user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir);
|
|
||||||
|
|
||||||
VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);
|
|
||||||
|
|
||||||
*cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem");
|
|
||||||
|
|
||||||
*cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem");
|
|
||||||
|
|
||||||
*key = g_strdup_printf("%s/%s", user_pki_path,
|
|
||||||
isServer ? "serverkey.pem" : "clientkey.pem");
|
|
||||||
|
|
||||||
*cert = g_strdup_printf("%s/%s", user_pki_path,
|
|
||||||
isServer ? "servercert.pem" : "clientcert.pem");
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If some of the files can't be found, fallback
|
* If some of the files can't be found, fallback
|
||||||
@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* No explicit path, or user path didn't exist, so
|
virNetTLSConfigSystemCreds(isServer,
|
||||||
* fallback to global defaults
|
cacert, cacrl,
|
||||||
*/
|
cert, key);
|
||||||
if (!*cacert) {
|
|
||||||
VIR_DEBUG("Using default TLS CA certificate path");
|
|
||||||
*cacert = g_strdup(LIBVIRT_CACERT);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!*cacrl) {
|
|
||||||
VIR_DEBUG("Using default TLS CA revocation list path");
|
|
||||||
*cacrl = g_strdup(LIBVIRT_CACRL);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!*key && !*cert) {
|
|
||||||
VIR_DEBUG("Using default TLS key/certificate path");
|
|
||||||
*key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY);
|
|
||||||
|
|
||||||
*cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT);
|
|
||||||
}
|
|
||||||
|
|
||||||
VIR_FREE(user_pki_path);
|
|
||||||
VIR_FREE(userdir);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user