1 /*
2 * QEMU crypto TLS x509 credential support
3 *
4 * Copyright (c) 2015 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "qemu/osdep.h"
22 #include "crypto/tlscredsx509.h"
23 #include "tlscredspriv.h"
24 #include "crypto/secret.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
27 #include "qom/object_interfaces.h"
28 #include "trace.h"
29
30
31 #ifdef CONFIG_GNUTLS
32
33 #include <gnutls/gnutls.h>
34 #include <gnutls/x509.h>
35
36
37 static int
qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,const char * certFile,bool isServer,bool isCA,Error ** errp)38 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
39 const char *certFile,
40 bool isServer,
41 bool isCA,
42 Error **errp)
43 {
44 time_t now = time(NULL);
45
46 if (now == ((time_t)-1)) {
47 error_setg_errno(errp, errno, "cannot get current time");
48 return -1;
49 }
50
51 if (gnutls_x509_crt_get_expiration_time(cert) < now) {
52 error_setg(errp,
53 (isCA ?
54 "The CA certificate %s has expired" :
55 (isServer ?
56 "The server certificate %s has expired" :
57 "The client certificate %s has expired")),
58 certFile);
59 return -1;
60 }
61
62 if (gnutls_x509_crt_get_activation_time(cert) > now) {
63 error_setg(errp,
64 (isCA ?
65 "The CA certificate %s is not yet active" :
66 (isServer ?
67 "The server certificate %s is not yet active" :
68 "The client certificate %s is not yet active")),
69 certFile);
70 return -1;
71 }
72
73 return 0;
74 }
75
76
77 static int
qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 * creds,gnutls_x509_crt_t cert,const char * certFile,bool isServer,bool isCA,Error ** errp)78 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
79 gnutls_x509_crt_t cert,
80 const char *certFile,
81 bool isServer,
82 bool isCA,
83 Error **errp)
84 {
85 int status;
86
87 status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
88 trace_qcrypto_tls_creds_x509_check_basic_constraints(
89 creds, certFile, status);
90
91 if (status > 0) { /* It is a CA cert */
92 if (!isCA) {
93 error_setg(errp, isServer ?
94 "The certificate %s basic constraints show a CA, "
95 "but we need one for a server" :
96 "The certificate %s basic constraints show a CA, "
97 "but we need one for a client",
98 certFile);
99 return -1;
100 }
101 } else if (status == 0) { /* It is not a CA cert */
102 if (isCA) {
103 error_setg(errp,
104 "The certificate %s basic constraints do not "
105 "show a CA",
106 certFile);
107 return -1;
108 }
109 } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
110 /* Missing basicConstraints */
111 if (isCA) {
112 error_setg(errp,
113 "The certificate %s is missing basic constraints "
114 "for a CA",
115 certFile);
116 return -1;
117 }
118 } else { /* General error */
119 error_setg(errp,
120 "Unable to query certificate %s basic constraints: %s",
121 certFile, gnutls_strerror(status));
122 return -1;
123 }
124
125 return 0;
126 }
127
128
129 static int
qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 * creds,gnutls_x509_crt_t cert,const char * certFile,bool isCA,Error ** errp)130 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
131 gnutls_x509_crt_t cert,
132 const char *certFile,
133 bool isCA,
134 Error **errp)
135 {
136 int status;
137 unsigned int usage = 0;
138 unsigned int critical = 0;
139
140 status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
141 trace_qcrypto_tls_creds_x509_check_key_usage(
142 creds, certFile, status, usage, critical);
143
144 if (status < 0) {
145 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
146 usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
147 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
148 } else {
149 error_setg(errp,
150 "Unable to query certificate %s key usage: %s",
151 certFile, gnutls_strerror(status));
152 return -1;
153 }
154 }
155
156 if (isCA) {
157 if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
158 if (critical) {
159 error_setg(errp,
160 "Certificate %s usage does not permit "
161 "certificate signing", certFile);
162 return -1;
163 }
164 }
165 } else {
166 if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
167 if (critical) {
168 error_setg(errp,
169 "Certificate %s usage does not permit digital "
170 "signature", certFile);
171 return -1;
172 }
173 }
174 if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
175 if (critical) {
176 error_setg(errp,
177 "Certificate %s usage does not permit key "
178 "encipherment", certFile);
179 return -1;
180 }
181 }
182 }
183
184 return 0;
185 }
186
187
188 static int
qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 * creds,gnutls_x509_crt_t cert,const char * certFile,bool isServer,Error ** errp)189 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
190 gnutls_x509_crt_t cert,
191 const char *certFile,
192 bool isServer,
193 Error **errp)
194 {
195 int status;
196 size_t i;
197 unsigned int purposeCritical;
198 unsigned int critical;
199 char *buffer = NULL;
200 size_t size;
201 bool allowClient = false, allowServer = false;
202
203 critical = 0;
204 for (i = 0; ; i++) {
205 size = 0;
206 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
207 &size, NULL);
208
209 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
210
211 /* If there is no data at all, then we must allow
212 client/server to pass */
213 if (i == 0) {
214 allowServer = allowClient = true;
215 }
216 break;
217 }
218 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
219 error_setg(errp,
220 "Unable to query certificate %s key purpose: %s",
221 certFile, gnutls_strerror(status));
222 return -1;
223 }
224
225 buffer = g_new0(char, size);
226
227 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
228 &size, &purposeCritical);
229
230 if (status < 0) {
231 trace_qcrypto_tls_creds_x509_check_key_purpose(
232 creds, certFile, status, "<none>", purposeCritical);
233 g_free(buffer);
234 error_setg(errp,
235 "Unable to query certificate %s key purpose: %s",
236 certFile, gnutls_strerror(status));
237 return -1;
238 }
239 trace_qcrypto_tls_creds_x509_check_key_purpose(
240 creds, certFile, status, buffer, purposeCritical);
241 if (purposeCritical) {
242 critical = true;
243 }
244
245 if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
246 allowServer = true;
247 } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
248 allowClient = true;
249 } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
250 allowServer = allowClient = true;
251 }
252
253 g_free(buffer);
254 buffer = NULL;
255 }
256
257 if (isServer) {
258 if (!allowServer) {
259 if (critical) {
260 error_setg(errp,
261 "Certificate %s purpose does not allow "
262 "use with a TLS server", certFile);
263 return -1;
264 }
265 }
266 } else {
267 if (!allowClient) {
268 if (critical) {
269 error_setg(errp,
270 "Certificate %s purpose does not allow use "
271 "with a TLS client", certFile);
272 return -1;
273 }
274 }
275 }
276
277 return 0;
278 }
279
280
281 static int
qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 * creds,gnutls_x509_crt_t cert,const char * certFile,bool isServer,bool isCA,Error ** errp)282 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
283 gnutls_x509_crt_t cert,
284 const char *certFile,
285 bool isServer,
286 bool isCA,
287 Error **errp)
288 {
289 if (qcrypto_tls_creds_check_cert_times(cert, certFile,
290 isServer, isCA,
291 errp) < 0) {
292 return -1;
293 }
294
295 if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
296 cert, certFile,
297 isServer, isCA,
298 errp) < 0) {
299 return -1;
300 }
301
302 if (qcrypto_tls_creds_check_cert_key_usage(creds,
303 cert, certFile,
304 isCA, errp) < 0) {
305 return -1;
306 }
307
308 if (!isCA &&
309 qcrypto_tls_creds_check_cert_key_purpose(creds,
310 cert, certFile,
311 isServer, errp) < 0) {
312 return -1;
313 }
314
315 return 0;
316 }
317
318
319 static int
qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,const char * certFile,gnutls_x509_crt_t * cacerts,size_t ncacerts,const char * cacertFile,bool isServer,Error ** errp)320 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
321 const char *certFile,
322 gnutls_x509_crt_t *cacerts,
323 size_t ncacerts,
324 const char *cacertFile,
325 bool isServer,
326 Error **errp)
327 {
328 unsigned int status;
329
330 if (gnutls_x509_crt_list_verify(&cert, 1,
331 cacerts, ncacerts,
332 NULL, 0,
333 0, &status) < 0) {
334 error_setg(errp, isServer ?
335 "Unable to verify server certificate %s against "
336 "CA certificate %s" :
337 "Unable to verify client certificate %s against "
338 "CA certificate %s",
339 certFile, cacertFile);
340 return -1;
341 }
342
343 if (status != 0) {
344 const char *reason = "Invalid certificate";
345
346 if (status & GNUTLS_CERT_INVALID) {
347 reason = "The certificate is not trusted";
348 }
349
350 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
351 reason = "The certificate hasn't got a known issuer";
352 }
353
354 if (status & GNUTLS_CERT_REVOKED) {
355 reason = "The certificate has been revoked";
356 }
357
358 if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
359 reason = "The certificate uses an insecure algorithm";
360 }
361
362 error_setg(errp,
363 "Our own certificate %s failed validation against %s: %s",
364 certFile, cacertFile, reason);
365 return -1;
366 }
367
368 return 0;
369 }
370
371
372 static gnutls_x509_crt_t
qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 * creds,const char * certFile,bool isServer,Error ** errp)373 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
374 const char *certFile,
375 bool isServer,
376 Error **errp)
377 {
378 gnutls_datum_t data;
379 gnutls_x509_crt_t cert = NULL;
380 g_autofree char *buf = NULL;
381 gsize buflen;
382 GError *gerr = NULL;
383 int ret = -1;
384 int err;
385
386 trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
387
388 err = gnutls_x509_crt_init(&cert);
389 if (err < 0) {
390 error_setg(errp, "Unable to initialize certificate: %s",
391 gnutls_strerror(err));
392 goto cleanup;
393 }
394
395 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
396 error_setg(errp, "Cannot load CA cert list %s: %s",
397 certFile, gerr->message);
398 g_error_free(gerr);
399 goto cleanup;
400 }
401
402 data.data = (unsigned char *)buf;
403 data.size = strlen(buf);
404
405 err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM);
406 if (err < 0) {
407 error_setg(errp, isServer ?
408 "Unable to import server certificate %s: %s" :
409 "Unable to import client certificate %s: %s",
410 certFile,
411 gnutls_strerror(err));
412 goto cleanup;
413 }
414
415 ret = 0;
416
417 cleanup:
418 if (ret != 0) {
419 gnutls_x509_crt_deinit(cert);
420 cert = NULL;
421 }
422 return cert;
423 }
424
425
426 static int
qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 * creds,const char * certFile,gnutls_x509_crt_t ** certs,unsigned int * ncerts,Error ** errp)427 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
428 const char *certFile,
429 gnutls_x509_crt_t **certs,
430 unsigned int *ncerts,
431 Error **errp)
432 {
433 gnutls_datum_t data;
434 g_autofree char *buf = NULL;
435 gsize buflen;
436 GError *gerr = NULL;
437
438 *ncerts = 0;
439 trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
440
441 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
442 error_setg(errp, "Cannot load CA cert list %s: %s",
443 certFile, gerr->message);
444 g_error_free(gerr);
445 return -1;
446 }
447
448 data.data = (unsigned char *)buf;
449 data.size = strlen(buf);
450
451 if (gnutls_x509_crt_list_import2(certs, ncerts, &data,
452 GNUTLS_X509_FMT_PEM, 0) < 0) {
453 error_setg(errp,
454 "Unable to import CA certificate list %s",
455 certFile);
456 return -1;
457 }
458
459 return 0;
460 }
461
462
463 static int
qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 * creds,bool isServer,const char * cacertFile,const char * certFile,Error ** errp)464 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
465 bool isServer,
466 const char *cacertFile,
467 const char *certFile,
468 Error **errp)
469 {
470 gnutls_x509_crt_t cert = NULL;
471 gnutls_x509_crt_t *cacerts = NULL;
472 unsigned int ncacerts = 0;
473 size_t i;
474 int ret = -1;
475
476 if (certFile &&
477 access(certFile, R_OK) == 0) {
478 cert = qcrypto_tls_creds_load_cert(creds,
479 certFile, isServer,
480 errp);
481 if (!cert) {
482 goto cleanup;
483 }
484 }
485 if (access(cacertFile, R_OK) == 0) {
486 if (qcrypto_tls_creds_load_ca_cert_list(creds,
487 cacertFile,
488 &cacerts,
489 &ncacerts,
490 errp) < 0) {
491 goto cleanup;
492 }
493 }
494
495 if (cert &&
496 qcrypto_tls_creds_check_cert(creds,
497 cert, certFile, isServer,
498 false, errp) < 0) {
499 goto cleanup;
500 }
501
502 for (i = 0; i < ncacerts; i++) {
503 if (qcrypto_tls_creds_check_cert(creds,
504 cacerts[i], cacertFile,
505 isServer, true, errp) < 0) {
506 goto cleanup;
507 }
508 }
509
510 if (cert && ncacerts &&
511 qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
512 ncacerts, cacertFile,
513 isServer, errp) < 0) {
514 goto cleanup;
515 }
516
517 ret = 0;
518
519 cleanup:
520 if (cert) {
521 gnutls_x509_crt_deinit(cert);
522 }
523 for (i = 0; i < ncacerts; i++) {
524 gnutls_x509_crt_deinit(cacerts[i]);
525 }
526 g_free(cacerts);
527
528 return ret;
529 }
530
531
532 static int
qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 * creds,Error ** errp)533 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
534 Error **errp)
535 {
536 char *cacert = NULL, *cacrl = NULL, *cert = NULL,
537 *key = NULL, *dhparams = NULL;
538 int ret;
539 int rv = -1;
540
541 trace_qcrypto_tls_creds_x509_load(creds,
542 creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
543
544 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
545 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
546 QCRYPTO_TLS_CREDS_X509_CA_CERT,
547 true, &cacert, errp) < 0 ||
548 qcrypto_tls_creds_get_path(&creds->parent_obj,
549 QCRYPTO_TLS_CREDS_X509_CA_CRL,
550 false, &cacrl, errp) < 0 ||
551 qcrypto_tls_creds_get_path(&creds->parent_obj,
552 QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
553 true, &cert, errp) < 0 ||
554 qcrypto_tls_creds_get_path(&creds->parent_obj,
555 QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
556 true, &key, errp) < 0 ||
557 qcrypto_tls_creds_get_path(&creds->parent_obj,
558 QCRYPTO_TLS_CREDS_DH_PARAMS,
559 false, &dhparams, errp) < 0) {
560 goto cleanup;
561 }
562 } else {
563 if (qcrypto_tls_creds_get_path(&creds->parent_obj,
564 QCRYPTO_TLS_CREDS_X509_CA_CERT,
565 true, &cacert, errp) < 0 ||
566 qcrypto_tls_creds_get_path(&creds->parent_obj,
567 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
568 false, &cert, errp) < 0 ||
569 qcrypto_tls_creds_get_path(&creds->parent_obj,
570 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
571 false, &key, errp) < 0) {
572 goto cleanup;
573 }
574 }
575
576 if (creds->sanityCheck &&
577 qcrypto_tls_creds_x509_sanity_check(creds,
578 creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
579 cacert, cert, errp) < 0) {
580 goto cleanup;
581 }
582
583 ret = gnutls_certificate_allocate_credentials(&creds->data);
584 if (ret < 0) {
585 error_setg(errp, "Cannot allocate credentials: '%s'",
586 gnutls_strerror(ret));
587 goto cleanup;
588 }
589
590 ret = gnutls_certificate_set_x509_trust_file(creds->data,
591 cacert,
592 GNUTLS_X509_FMT_PEM);
593 if (ret < 0) {
594 error_setg(errp, "Cannot load CA certificate '%s': %s",
595 cacert, gnutls_strerror(ret));
596 goto cleanup;
597 }
598
599 if (cert != NULL && key != NULL) {
600 char *password = NULL;
601 if (creds->passwordid) {
602 password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
603 errp);
604 if (!password) {
605 goto cleanup;
606 }
607 }
608 ret = gnutls_certificate_set_x509_key_file2(creds->data,
609 cert, key,
610 GNUTLS_X509_FMT_PEM,
611 password,
612 0);
613 g_free(password);
614 if (ret < 0) {
615 error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
616 cert, key, gnutls_strerror(ret));
617 goto cleanup;
618 }
619 }
620
621 if (cacrl != NULL) {
622 ret = gnutls_certificate_set_x509_crl_file(creds->data,
623 cacrl,
624 GNUTLS_X509_FMT_PEM);
625 if (ret < 0) {
626 error_setg(errp, "Cannot load CRL '%s': %s",
627 cacrl, gnutls_strerror(ret));
628 goto cleanup;
629 }
630 }
631
632 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
633 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
634 &creds->parent_obj.dh_params,
635 errp) < 0) {
636 goto cleanup;
637 }
638 gnutls_certificate_set_dh_params(creds->data,
639 creds->parent_obj.dh_params);
640 }
641
642 rv = 0;
643 cleanup:
644 g_free(cacert);
645 g_free(cacrl);
646 g_free(cert);
647 g_free(key);
648 g_free(dhparams);
649 return rv;
650 }
651
652
653 static void
qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 * creds)654 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
655 {
656 if (creds->data) {
657 gnutls_certificate_free_credentials(creds->data);
658 creds->data = NULL;
659 }
660 if (creds->parent_obj.dh_params) {
661 gnutls_dh_params_deinit(creds->parent_obj.dh_params);
662 creds->parent_obj.dh_params = NULL;
663 }
664 }
665
666
667 #else /* ! CONFIG_GNUTLS */
668
669
670 static void
qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 * creds G_GNUC_UNUSED,Error ** errp)671 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
672 Error **errp)
673 {
674 error_setg(errp, "TLS credentials support requires GNUTLS");
675 }
676
677
678 static void
qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 * creds G_GNUC_UNUSED)679 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
680 {
681 /* nada */
682 }
683
684
685 #endif /* ! CONFIG_GNUTLS */
686
687
688 static void
qcrypto_tls_creds_x509_complete(UserCreatable * uc,Error ** errp)689 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
690 {
691 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(uc);
692
693 qcrypto_tls_creds_x509_load(creds, errp);
694 }
695
696
697 static void
qcrypto_tls_creds_x509_prop_set_sanity(Object * obj,bool value,Error ** errp G_GNUC_UNUSED)698 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
699 bool value,
700 Error **errp G_GNUC_UNUSED)
701 {
702 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
703
704 creds->sanityCheck = value;
705 }
706
707
708 static void
qcrypto_tls_creds_x509_prop_set_passwordid(Object * obj,const char * value,Error ** errp G_GNUC_UNUSED)709 qcrypto_tls_creds_x509_prop_set_passwordid(Object *obj,
710 const char *value,
711 Error **errp G_GNUC_UNUSED)
712 {
713 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
714
715 creds->passwordid = g_strdup(value);
716 }
717
718
719 static char *
qcrypto_tls_creds_x509_prop_get_passwordid(Object * obj,Error ** errp G_GNUC_UNUSED)720 qcrypto_tls_creds_x509_prop_get_passwordid(Object *obj,
721 Error **errp G_GNUC_UNUSED)
722 {
723 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
724
725 return g_strdup(creds->passwordid);
726 }
727
728
729 static bool
qcrypto_tls_creds_x509_prop_get_sanity(Object * obj,Error ** errp G_GNUC_UNUSED)730 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
731 Error **errp G_GNUC_UNUSED)
732 {
733 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
734
735 return creds->sanityCheck;
736 }
737
738
739 #ifdef CONFIG_GNUTLS
740
741
742 static bool
qcrypto_tls_creds_x509_reload(QCryptoTLSCreds * creds,Error ** errp)743 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
744 {
745 QCryptoTLSCredsX509 *x509_creds = QCRYPTO_TLS_CREDS_X509(creds);
746 Error *local_err = NULL;
747 gnutls_certificate_credentials_t creds_data = x509_creds->data;
748 gnutls_dh_params_t creds_dh_params = x509_creds->parent_obj.dh_params;
749
750 x509_creds->data = NULL;
751 x509_creds->parent_obj.dh_params = NULL;
752 qcrypto_tls_creds_x509_load(x509_creds, &local_err);
753 if (local_err) {
754 qcrypto_tls_creds_x509_unload(x509_creds);
755 x509_creds->data = creds_data;
756 x509_creds->parent_obj.dh_params = creds_dh_params;
757 error_propagate(errp, local_err);
758 return false;
759 }
760
761 if (creds_data) {
762 gnutls_certificate_free_credentials(creds_data);
763 }
764 if (creds_dh_params) {
765 gnutls_dh_params_deinit(creds_dh_params);
766 }
767 return true;
768 }
769
770
771 #else /* ! CONFIG_GNUTLS */
772
773
774 static bool
qcrypto_tls_creds_x509_reload(QCryptoTLSCreds * creds,Error ** errp)775 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
776 {
777 return false;
778 }
779
780
781 #endif /* ! CONFIG_GNUTLS */
782
783
784 static void
qcrypto_tls_creds_x509_init(Object * obj)785 qcrypto_tls_creds_x509_init(Object *obj)
786 {
787 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
788
789 creds->sanityCheck = true;
790 }
791
792
793 static void
qcrypto_tls_creds_x509_finalize(Object * obj)794 qcrypto_tls_creds_x509_finalize(Object *obj)
795 {
796 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
797
798 g_free(creds->passwordid);
799 qcrypto_tls_creds_x509_unload(creds);
800 }
801
802
803 static void
qcrypto_tls_creds_x509_class_init(ObjectClass * oc,const void * data)804 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, const void *data)
805 {
806 UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
807 QCryptoTLSCredsClass *ctcc = QCRYPTO_TLS_CREDS_CLASS(oc);
808
809 ctcc->reload = qcrypto_tls_creds_x509_reload;
810
811 ucc->complete = qcrypto_tls_creds_x509_complete;
812
813 object_class_property_add_bool(oc, "sanity-check",
814 qcrypto_tls_creds_x509_prop_get_sanity,
815 qcrypto_tls_creds_x509_prop_set_sanity);
816 object_class_property_add_str(oc, "passwordid",
817 qcrypto_tls_creds_x509_prop_get_passwordid,
818 qcrypto_tls_creds_x509_prop_set_passwordid);
819 }
820
821
822 static const TypeInfo qcrypto_tls_creds_x509_info = {
823 .parent = TYPE_QCRYPTO_TLS_CREDS,
824 .name = TYPE_QCRYPTO_TLS_CREDS_X509,
825 .instance_size = sizeof(QCryptoTLSCredsX509),
826 .instance_init = qcrypto_tls_creds_x509_init,
827 .instance_finalize = qcrypto_tls_creds_x509_finalize,
828 .class_size = sizeof(QCryptoTLSCredsX509Class),
829 .class_init = qcrypto_tls_creds_x509_class_init,
830 .interfaces = (const InterfaceInfo[]) {
831 { TYPE_USER_CREATABLE },
832 { }
833 }
834 };
835
836
837 static void
qcrypto_tls_creds_x509_register_types(void)838 qcrypto_tls_creds_x509_register_types(void)
839 {
840 type_register_static(&qcrypto_tls_creds_x509_info);
841 }
842
843
844 type_init(qcrypto_tls_creds_x509_register_types);
845