xref: /openbmc/qemu/crypto/tlscredsx509.c (revision 56411125)
1 /*
2  * QEMU crypto TLS x509 credential support
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "crypto/tlscredsx509.h"
22 #include "crypto/tlscredspriv.h"
23 #include "qom/object_interfaces.h"
24 #include "trace.h"
25 
26 
27 #ifdef CONFIG_GNUTLS
28 
29 #include <gnutls/x509.h>
30 
31 
32 static int
33 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
34                                    const char *certFile,
35                                    bool isServer,
36                                    bool isCA,
37                                    Error **errp)
38 {
39     time_t now = time(NULL);
40 
41     if (now == ((time_t)-1)) {
42         error_setg_errno(errp, errno, "cannot get current time");
43         return -1;
44     }
45 
46     if (gnutls_x509_crt_get_expiration_time(cert) < now) {
47         error_setg(errp,
48                    (isCA ?
49                     "The CA certificate %s has expired" :
50                     (isServer ?
51                      "The server certificate %s has expired" :
52                      "The client certificate %s has expired")),
53                    certFile);
54         return -1;
55     }
56 
57     if (gnutls_x509_crt_get_activation_time(cert) > now) {
58         error_setg(errp,
59                    (isCA ?
60                     "The CA certificate %s is not yet active" :
61                     (isServer ?
62                      "The server certificate %s is not yet active" :
63                      "The client certificate %s is not yet active")),
64                    certFile);
65         return -1;
66     }
67 
68     return 0;
69 }
70 
71 
72 #if LIBGNUTLS_VERSION_NUMBER >= 2
73 /*
74  * The gnutls_x509_crt_get_basic_constraints function isn't
75  * available in GNUTLS 1.0.x branches. This isn't critical
76  * though, since gnutls_certificate_verify_peers2 will do
77  * pretty much the same check at runtime, so we can just
78  * disable this code
79  */
80 static int
81 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
82                                                gnutls_x509_crt_t cert,
83                                                const char *certFile,
84                                                bool isServer,
85                                                bool isCA,
86                                                Error **errp)
87 {
88     int status;
89 
90     status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
91     trace_qcrypto_tls_creds_x509_check_basic_constraints(
92         creds, certFile, status);
93 
94     if (status > 0) { /* It is a CA cert */
95         if (!isCA) {
96             error_setg(errp, isServer ?
97                        "The certificate %s basic constraints show a CA, "
98                        "but we need one for a server" :
99                        "The certificate %s basic constraints show a CA, "
100                        "but we need one for a client",
101                        certFile);
102             return -1;
103         }
104     } else if (status == 0) { /* It is not a CA cert */
105         if (isCA) {
106             error_setg(errp,
107                        "The certificate %s basic constraints do not "
108                        "show a CA",
109                        certFile);
110             return -1;
111         }
112     } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
113         /* Missing basicConstraints */
114         if (isCA) {
115             error_setg(errp,
116                        "The certificate %s is missing basic constraints "
117                        "for a CA",
118                        certFile);
119             return -1;
120         }
121     } else { /* General error */
122         error_setg(errp,
123                    "Unable to query certificate %s basic constraints: %s",
124                    certFile, gnutls_strerror(status));
125         return -1;
126     }
127 
128     return 0;
129 }
130 #endif
131 
132 
133 static int
134 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
135                                        gnutls_x509_crt_t cert,
136                                        const char *certFile,
137                                        bool isCA,
138                                        Error **errp)
139 {
140     int status;
141     unsigned int usage = 0;
142     unsigned int critical = 0;
143 
144     status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
145     trace_qcrypto_tls_creds_x509_check_key_usage(
146         creds, certFile, status, usage, critical);
147 
148     if (status < 0) {
149         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
150             usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
151                 GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
152         } else {
153             error_setg(errp,
154                        "Unable to query certificate %s key usage: %s",
155                        certFile, gnutls_strerror(status));
156             return -1;
157         }
158     }
159 
160     if (isCA) {
161         if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
162             if (critical) {
163                 error_setg(errp,
164                            "Certificate %s usage does not permit "
165                            "certificate signing", certFile);
166                 return -1;
167             }
168         }
169     } else {
170         if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
171             if (critical) {
172                 error_setg(errp,
173                            "Certificate %s usage does not permit digital "
174                            "signature", certFile);
175                 return -1;
176             }
177         }
178         if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
179             if (critical) {
180                 error_setg(errp,
181                            "Certificate %s usage does not permit key "
182                            "encipherment", certFile);
183                 return -1;
184             }
185         }
186     }
187 
188     return 0;
189 }
190 
191 
192 static int
193 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
194                                          gnutls_x509_crt_t cert,
195                                          const char *certFile,
196                                          bool isServer,
197                                          Error **errp)
198 {
199     int status;
200     size_t i;
201     unsigned int purposeCritical;
202     unsigned int critical;
203     char *buffer = NULL;
204     size_t size;
205     bool allowClient = false, allowServer = false;
206 
207     critical = 0;
208     for (i = 0; ; i++) {
209         size = 0;
210         status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
211                                                      &size, NULL);
212 
213         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
214 
215             /* If there is no data at all, then we must allow
216                client/server to pass */
217             if (i == 0) {
218                 allowServer = allowClient = true;
219             }
220             break;
221         }
222         if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
223             error_setg(errp,
224                        "Unable to query certificate %s key purpose: %s",
225                        certFile, gnutls_strerror(status));
226             return -1;
227         }
228 
229         buffer = g_new0(char, size);
230 
231         status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
232                                                      &size, &purposeCritical);
233 
234         if (status < 0) {
235             trace_qcrypto_tls_creds_x509_check_key_purpose(
236                 creds, certFile, status, "<none>", purposeCritical);
237             g_free(buffer);
238             error_setg(errp,
239                        "Unable to query certificate %s key purpose: %s",
240                        certFile, gnutls_strerror(status));
241             return -1;
242         }
243         trace_qcrypto_tls_creds_x509_check_key_purpose(
244             creds, certFile, status, buffer, purposeCritical);
245         if (purposeCritical) {
246             critical = true;
247         }
248 
249         if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
250             allowServer = true;
251         } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
252             allowClient = true;
253         } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
254             allowServer = allowClient = true;
255         }
256 
257         g_free(buffer);
258     }
259 
260     if (isServer) {
261         if (!allowServer) {
262             if (critical) {
263                 error_setg(errp,
264                            "Certificate %s purpose does not allow "
265                            "use with a TLS server", certFile);
266                 return -1;
267             }
268         }
269     } else {
270         if (!allowClient) {
271             if (critical) {
272                 error_setg(errp,
273                            "Certificate %s purpose does not allow use "
274                            "with a TLS client", certFile);
275                 return -1;
276             }
277         }
278     }
279 
280     return 0;
281 }
282 
283 
284 static int
285 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
286                              gnutls_x509_crt_t cert,
287                              const char *certFile,
288                              bool isServer,
289                              bool isCA,
290                              Error **errp)
291 {
292     if (qcrypto_tls_creds_check_cert_times(cert, certFile,
293                                            isServer, isCA,
294                                            errp) < 0) {
295         return -1;
296     }
297 
298 #if LIBGNUTLS_VERSION_NUMBER >= 2
299     if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
300                                                        cert, certFile,
301                                                        isServer, isCA,
302                                                        errp) < 0) {
303         return -1;
304     }
305 #endif
306 
307     if (qcrypto_tls_creds_check_cert_key_usage(creds,
308                                                cert, certFile,
309                                                isCA, errp) < 0) {
310         return -1;
311     }
312 
313     if (!isCA &&
314         qcrypto_tls_creds_check_cert_key_purpose(creds,
315                                                  cert, certFile,
316                                                  isServer, errp) < 0) {
317         return -1;
318     }
319 
320     return 0;
321 }
322 
323 
324 static int
325 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
326                                   const char *certFile,
327                                   gnutls_x509_crt_t *cacerts,
328                                   size_t ncacerts,
329                                   const char *cacertFile,
330                                   bool isServer,
331                                   Error **errp)
332 {
333     unsigned int status;
334 
335     if (gnutls_x509_crt_list_verify(&cert, 1,
336                                     cacerts, ncacerts,
337                                     NULL, 0,
338                                     0, &status) < 0) {
339         error_setg(errp, isServer ?
340                    "Unable to verify server certificate %s against "
341                    "CA certificate %s" :
342                    "Unable to verify client certificate %s against "
343                    "CA certificate %s",
344                    certFile, cacertFile);
345         return -1;
346     }
347 
348     if (status != 0) {
349         const char *reason = "Invalid certificate";
350 
351         if (status & GNUTLS_CERT_INVALID) {
352             reason = "The certificate is not trusted";
353         }
354 
355         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
356             reason = "The certificate hasn't got a known issuer";
357         }
358 
359         if (status & GNUTLS_CERT_REVOKED) {
360             reason = "The certificate has been revoked";
361         }
362 
363 #ifndef GNUTLS_1_0_COMPAT
364         if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
365             reason = "The certificate uses an insecure algorithm";
366         }
367 #endif
368 
369         error_setg(errp,
370                    "Our own certificate %s failed validation against %s: %s",
371                    certFile, cacertFile, reason);
372         return -1;
373     }
374 
375     return 0;
376 }
377 
378 
379 static gnutls_x509_crt_t
380 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
381                             const char *certFile,
382                             bool isServer,
383                             Error **errp)
384 {
385     gnutls_datum_t data;
386     gnutls_x509_crt_t cert = NULL;
387     char *buf = NULL;
388     gsize buflen;
389     GError *gerr;
390     int ret = -1;
391 
392     trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
393 
394     if (gnutls_x509_crt_init(&cert) < 0) {
395         error_setg(errp, "Unable to initialize certificate");
396         goto cleanup;
397     }
398 
399     if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
400         error_setg(errp, "Cannot load CA cert list %s: %s",
401                    certFile, gerr->message);
402         g_error_free(gerr);
403         goto cleanup;
404     }
405 
406     data.data = (unsigned char *)buf;
407     data.size = strlen(buf);
408 
409     if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
410         error_setg(errp, isServer ?
411                    "Unable to import server certificate %s" :
412                    "Unable to import client certificate %s",
413                    certFile);
414         goto cleanup;
415     }
416 
417     ret = 0;
418 
419  cleanup:
420     if (ret != 0) {
421         gnutls_x509_crt_deinit(cert);
422         cert = NULL;
423     }
424     g_free(buf);
425     return cert;
426 }
427 
428 
429 static int
430 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
431                                     const char *certFile,
432                                     gnutls_x509_crt_t *certs,
433                                     unsigned int certMax,
434                                     size_t *ncerts,
435                                     Error **errp)
436 {
437     gnutls_datum_t data;
438     char *buf = NULL;
439     gsize buflen;
440     int ret = -1;
441     GError *gerr = NULL;
442 
443     *ncerts = 0;
444     trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
445 
446     if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
447         error_setg(errp, "Cannot load CA cert list %s: %s",
448                    certFile, gerr->message);
449         g_error_free(gerr);
450         goto cleanup;
451     }
452 
453     data.data = (unsigned char *)buf;
454     data.size = strlen(buf);
455 
456     if (gnutls_x509_crt_list_import(certs, &certMax, &data,
457                                     GNUTLS_X509_FMT_PEM, 0) < 0) {
458         error_setg(errp,
459                    "Unable to import CA certificate list %s",
460                    certFile);
461         goto cleanup;
462     }
463     *ncerts = certMax;
464 
465     ret = 0;
466 
467  cleanup:
468     g_free(buf);
469     return ret;
470 }
471 
472 
473 #define MAX_CERTS 16
474 static int
475 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
476                                     bool isServer,
477                                     const char *cacertFile,
478                                     const char *certFile,
479                                     Error **errp)
480 {
481     gnutls_x509_crt_t cert = NULL;
482     gnutls_x509_crt_t cacerts[MAX_CERTS];
483     size_t ncacerts = 0;
484     size_t i;
485     int ret = -1;
486 
487     memset(cacerts, 0, sizeof(cacerts));
488     if (access(certFile, R_OK) == 0) {
489         cert = qcrypto_tls_creds_load_cert(creds,
490                                            certFile, isServer,
491                                            errp);
492         if (!cert) {
493             goto cleanup;
494         }
495     }
496     if (access(cacertFile, R_OK) == 0) {
497         if (qcrypto_tls_creds_load_ca_cert_list(creds,
498                                                 cacertFile, cacerts,
499                                                 MAX_CERTS, &ncacerts,
500                                                 errp) < 0) {
501             goto cleanup;
502         }
503     }
504 
505     if (cert &&
506         qcrypto_tls_creds_check_cert(creds,
507                                      cert, certFile, isServer,
508                                      false, errp) < 0) {
509         goto cleanup;
510     }
511 
512     for (i = 0; i < ncacerts; i++) {
513         if (qcrypto_tls_creds_check_cert(creds,
514                                          cacerts[i], cacertFile,
515                                          isServer, true, errp) < 0) {
516             goto cleanup;
517         }
518     }
519 
520     if (cert && ncacerts &&
521         qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
522                                           ncacerts, cacertFile,
523                                           isServer, errp) < 0) {
524         goto cleanup;
525     }
526 
527     ret = 0;
528 
529  cleanup:
530     if (cert) {
531         gnutls_x509_crt_deinit(cert);
532     }
533     for (i = 0; i < ncacerts; i++) {
534         gnutls_x509_crt_deinit(cacerts[i]);
535     }
536     return ret;
537 }
538 
539 
540 static int
541 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
542                             Error **errp)
543 {
544     char *cacert = NULL, *cacrl = NULL, *cert = NULL,
545         *key = NULL, *dhparams = NULL;
546     int ret;
547     int rv = -1;
548 
549     trace_qcrypto_tls_creds_x509_load(creds,
550             creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
551 
552     if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
553         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
554                                        QCRYPTO_TLS_CREDS_X509_CA_CERT,
555                                        true, &cacert, errp) < 0 ||
556             qcrypto_tls_creds_get_path(&creds->parent_obj,
557                                        QCRYPTO_TLS_CREDS_X509_CA_CRL,
558                                        false, &cacrl, errp) < 0 ||
559             qcrypto_tls_creds_get_path(&creds->parent_obj,
560                                        QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
561                                        true, &cert, errp) < 0 ||
562             qcrypto_tls_creds_get_path(&creds->parent_obj,
563                                        QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
564                                        true, &key, errp) < 0 ||
565             qcrypto_tls_creds_get_path(&creds->parent_obj,
566                                        QCRYPTO_TLS_CREDS_DH_PARAMS,
567                                        false, &dhparams, errp) < 0) {
568             goto cleanup;
569         }
570     } else {
571         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
572                                        QCRYPTO_TLS_CREDS_X509_CA_CERT,
573                                        true, &cacert, errp) < 0 ||
574             qcrypto_tls_creds_get_path(&creds->parent_obj,
575                                        QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
576                                        false, &cert, errp) < 0 ||
577             qcrypto_tls_creds_get_path(&creds->parent_obj,
578                                        QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
579                                        false, &key, errp) < 0) {
580             goto cleanup;
581         }
582     }
583 
584     if (creds->sanityCheck &&
585         qcrypto_tls_creds_x509_sanity_check(creds,
586             creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
587             cacert, cert, errp) < 0) {
588         goto cleanup;
589     }
590 
591     ret = gnutls_certificate_allocate_credentials(&creds->data);
592     if (ret < 0) {
593         error_setg(errp, "Cannot allocate credentials: '%s'",
594                    gnutls_strerror(ret));
595         goto cleanup;
596     }
597 
598     ret = gnutls_certificate_set_x509_trust_file(creds->data,
599                                                  cacert,
600                                                  GNUTLS_X509_FMT_PEM);
601     if (ret < 0) {
602         error_setg(errp, "Cannot load CA certificate '%s': %s",
603                    cacert, gnutls_strerror(ret));
604         goto cleanup;
605     }
606 
607     if (cert != NULL && key != NULL) {
608         ret = gnutls_certificate_set_x509_key_file(creds->data,
609                                                    cert, key,
610                                                    GNUTLS_X509_FMT_PEM);
611         if (ret < 0) {
612             error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
613                        cert, key, gnutls_strerror(ret));
614             goto cleanup;
615         }
616     }
617 
618     if (cacrl != NULL) {
619         ret = gnutls_certificate_set_x509_crl_file(creds->data,
620                                                    cacrl,
621                                                    GNUTLS_X509_FMT_PEM);
622         if (ret < 0) {
623             error_setg(errp, "Cannot load CRL '%s': %s",
624                        cacrl, gnutls_strerror(ret));
625             goto cleanup;
626         }
627     }
628 
629     if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
630         if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
631                                                  &creds->parent_obj.dh_params,
632                                                  errp) < 0) {
633             goto cleanup;
634         }
635         gnutls_certificate_set_dh_params(creds->data,
636                                          creds->parent_obj.dh_params);
637     }
638 
639     rv = 0;
640  cleanup:
641     g_free(cacert);
642     g_free(cacrl);
643     g_free(cert);
644     g_free(key);
645     g_free(dhparams);
646     return rv;
647 }
648 
649 
650 static void
651 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
652 {
653     if (creds->data) {
654         gnutls_certificate_free_credentials(creds->data);
655         creds->data = NULL;
656     }
657 }
658 
659 
660 #else /* ! CONFIG_GNUTLS */
661 
662 
663 static void
664 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
665                             Error **errp)
666 {
667     error_setg(errp, "TLS credentials support requires GNUTLS");
668 }
669 
670 
671 static void
672 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
673 {
674     /* nada */
675 }
676 
677 
678 #endif /* ! CONFIG_GNUTLS */
679 
680 
681 static void
682 qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
683                                        bool value,
684                                        Error **errp)
685 {
686     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
687 
688     if (value) {
689         qcrypto_tls_creds_x509_load(creds, errp);
690     } else {
691         qcrypto_tls_creds_x509_unload(creds);
692     }
693 }
694 
695 
696 #ifdef CONFIG_GNUTLS
697 
698 
699 static bool
700 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj,
701                                        Error **errp G_GNUC_UNUSED)
702 {
703     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
704 
705     return creds->data != NULL;
706 }
707 
708 
709 #else /* ! CONFIG_GNUTLS */
710 
711 
712 static bool
713 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
714                                        Error **errp G_GNUC_UNUSED)
715 {
716     return false;
717 }
718 
719 
720 #endif /* ! CONFIG_GNUTLS */
721 
722 
723 static void
724 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
725                                        bool value,
726                                        Error **errp G_GNUC_UNUSED)
727 {
728     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
729 
730     creds->sanityCheck = value;
731 }
732 
733 
734 static bool
735 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
736                                        Error **errp G_GNUC_UNUSED)
737 {
738     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
739 
740     return creds->sanityCheck;
741 }
742 
743 
744 static void
745 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
746 {
747     object_property_set_bool(OBJECT(uc), true, "loaded", errp);
748 }
749 
750 
751 static void
752 qcrypto_tls_creds_x509_init(Object *obj)
753 {
754     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
755 
756     creds->sanityCheck = true;
757 
758     object_property_add_bool(obj, "loaded",
759                              qcrypto_tls_creds_x509_prop_get_loaded,
760                              qcrypto_tls_creds_x509_prop_set_loaded,
761                              NULL);
762     object_property_add_bool(obj, "sanity-check",
763                              qcrypto_tls_creds_x509_prop_get_sanity,
764                              qcrypto_tls_creds_x509_prop_set_sanity,
765                              NULL);
766 }
767 
768 
769 static void
770 qcrypto_tls_creds_x509_finalize(Object *obj)
771 {
772     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
773 
774     qcrypto_tls_creds_x509_unload(creds);
775 }
776 
777 
778 static void
779 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
780 {
781     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
782 
783     ucc->complete = qcrypto_tls_creds_x509_complete;
784 }
785 
786 
787 static const TypeInfo qcrypto_tls_creds_x509_info = {
788     .parent = TYPE_QCRYPTO_TLS_CREDS,
789     .name = TYPE_QCRYPTO_TLS_CREDS_X509,
790     .instance_size = sizeof(QCryptoTLSCredsX509),
791     .instance_init = qcrypto_tls_creds_x509_init,
792     .instance_finalize = qcrypto_tls_creds_x509_finalize,
793     .class_size = sizeof(QCryptoTLSCredsX509Class),
794     .class_init = qcrypto_tls_creds_x509_class_init,
795     .interfaces = (InterfaceInfo[]) {
796         { TYPE_USER_CREATABLE },
797         { }
798     }
799 };
800 
801 
802 static void
803 qcrypto_tls_creds_x509_register_types(void)
804 {
805     type_register_static(&qcrypto_tls_creds_x509_info);
806 }
807 
808 
809 type_init(qcrypto_tls_creds_x509_register_types);
810