1 /* 2 * QEMU crypto TLS x509 credential support 3 * 4 * Copyright (c) 2015 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "crypto/tlscredsx509.h" 23 #include "tlscredspriv.h" 24 #include "crypto/secret.h" 25 #include "qapi/error.h" 26 #include "qemu/module.h" 27 #include "qom/object_interfaces.h" 28 #include "trace.h" 29 30 31 #ifdef CONFIG_GNUTLS 32 33 #include <gnutls/x509.h> 34 35 36 static int 37 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert, 38 const char *certFile, 39 bool isServer, 40 bool isCA, 41 Error **errp) 42 { 43 time_t now = time(NULL); 44 45 if (now == ((time_t)-1)) { 46 error_setg_errno(errp, errno, "cannot get current time"); 47 return -1; 48 } 49 50 if (gnutls_x509_crt_get_expiration_time(cert) < now) { 51 error_setg(errp, 52 (isCA ? 53 "The CA certificate %s has expired" : 54 (isServer ? 55 "The server certificate %s has expired" : 56 "The client certificate %s has expired")), 57 certFile); 58 return -1; 59 } 60 61 if (gnutls_x509_crt_get_activation_time(cert) > now) { 62 error_setg(errp, 63 (isCA ? 64 "The CA certificate %s is not yet active" : 65 (isServer ? 66 "The server certificate %s is not yet active" : 67 "The client certificate %s is not yet active")), 68 certFile); 69 return -1; 70 } 71 72 return 0; 73 } 74 75 76 static int 77 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds, 78 gnutls_x509_crt_t cert, 79 const char *certFile, 80 bool isServer, 81 bool isCA, 82 Error **errp) 83 { 84 int status; 85 86 status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL); 87 trace_qcrypto_tls_creds_x509_check_basic_constraints( 88 creds, certFile, status); 89 90 if (status > 0) { /* It is a CA cert */ 91 if (!isCA) { 92 error_setg(errp, isServer ? 93 "The certificate %s basic constraints show a CA, " 94 "but we need one for a server" : 95 "The certificate %s basic constraints show a CA, " 96 "but we need one for a client", 97 certFile); 98 return -1; 99 } 100 } else if (status == 0) { /* It is not a CA cert */ 101 if (isCA) { 102 error_setg(errp, 103 "The certificate %s basic constraints do not " 104 "show a CA", 105 certFile); 106 return -1; 107 } 108 } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { 109 /* Missing basicConstraints */ 110 if (isCA) { 111 error_setg(errp, 112 "The certificate %s is missing basic constraints " 113 "for a CA", 114 certFile); 115 return -1; 116 } 117 } else { /* General error */ 118 error_setg(errp, 119 "Unable to query certificate %s basic constraints: %s", 120 certFile, gnutls_strerror(status)); 121 return -1; 122 } 123 124 return 0; 125 } 126 127 128 static int 129 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds, 130 gnutls_x509_crt_t cert, 131 const char *certFile, 132 bool isCA, 133 Error **errp) 134 { 135 int status; 136 unsigned int usage = 0; 137 unsigned int critical = 0; 138 139 status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical); 140 trace_qcrypto_tls_creds_x509_check_key_usage( 141 creds, certFile, status, usage, critical); 142 143 if (status < 0) { 144 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { 145 usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN : 146 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT; 147 } else { 148 error_setg(errp, 149 "Unable to query certificate %s key usage: %s", 150 certFile, gnutls_strerror(status)); 151 return -1; 152 } 153 } 154 155 if (isCA) { 156 if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) { 157 if (critical) { 158 error_setg(errp, 159 "Certificate %s usage does not permit " 160 "certificate signing", certFile); 161 return -1; 162 } 163 } 164 } else { 165 if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) { 166 if (critical) { 167 error_setg(errp, 168 "Certificate %s usage does not permit digital " 169 "signature", certFile); 170 return -1; 171 } 172 } 173 if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { 174 if (critical) { 175 error_setg(errp, 176 "Certificate %s usage does not permit key " 177 "encipherment", certFile); 178 return -1; 179 } 180 } 181 } 182 183 return 0; 184 } 185 186 187 static int 188 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds, 189 gnutls_x509_crt_t cert, 190 const char *certFile, 191 bool isServer, 192 Error **errp) 193 { 194 int status; 195 size_t i; 196 unsigned int purposeCritical; 197 unsigned int critical; 198 char *buffer = NULL; 199 size_t size; 200 bool allowClient = false, allowServer = false; 201 202 critical = 0; 203 for (i = 0; ; i++) { 204 size = 0; 205 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, 206 &size, NULL); 207 208 if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { 209 210 /* If there is no data at all, then we must allow 211 client/server to pass */ 212 if (i == 0) { 213 allowServer = allowClient = true; 214 } 215 break; 216 } 217 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) { 218 error_setg(errp, 219 "Unable to query certificate %s key purpose: %s", 220 certFile, gnutls_strerror(status)); 221 return -1; 222 } 223 224 buffer = g_new0(char, size); 225 226 status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, 227 &size, &purposeCritical); 228 229 if (status < 0) { 230 trace_qcrypto_tls_creds_x509_check_key_purpose( 231 creds, certFile, status, "<none>", purposeCritical); 232 g_free(buffer); 233 error_setg(errp, 234 "Unable to query certificate %s key purpose: %s", 235 certFile, gnutls_strerror(status)); 236 return -1; 237 } 238 trace_qcrypto_tls_creds_x509_check_key_purpose( 239 creds, certFile, status, buffer, purposeCritical); 240 if (purposeCritical) { 241 critical = true; 242 } 243 244 if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) { 245 allowServer = true; 246 } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) { 247 allowClient = true; 248 } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) { 249 allowServer = allowClient = true; 250 } 251 252 g_free(buffer); 253 buffer = NULL; 254 } 255 256 if (isServer) { 257 if (!allowServer) { 258 if (critical) { 259 error_setg(errp, 260 "Certificate %s purpose does not allow " 261 "use with a TLS server", certFile); 262 return -1; 263 } 264 } 265 } else { 266 if (!allowClient) { 267 if (critical) { 268 error_setg(errp, 269 "Certificate %s purpose does not allow use " 270 "with a TLS client", certFile); 271 return -1; 272 } 273 } 274 } 275 276 return 0; 277 } 278 279 280 static int 281 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds, 282 gnutls_x509_crt_t cert, 283 const char *certFile, 284 bool isServer, 285 bool isCA, 286 Error **errp) 287 { 288 if (qcrypto_tls_creds_check_cert_times(cert, certFile, 289 isServer, isCA, 290 errp) < 0) { 291 return -1; 292 } 293 294 if (qcrypto_tls_creds_check_cert_basic_constraints(creds, 295 cert, certFile, 296 isServer, isCA, 297 errp) < 0) { 298 return -1; 299 } 300 301 if (qcrypto_tls_creds_check_cert_key_usage(creds, 302 cert, certFile, 303 isCA, errp) < 0) { 304 return -1; 305 } 306 307 if (!isCA && 308 qcrypto_tls_creds_check_cert_key_purpose(creds, 309 cert, certFile, 310 isServer, errp) < 0) { 311 return -1; 312 } 313 314 return 0; 315 } 316 317 318 static int 319 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert, 320 const char *certFile, 321 gnutls_x509_crt_t *cacerts, 322 size_t ncacerts, 323 const char *cacertFile, 324 bool isServer, 325 Error **errp) 326 { 327 unsigned int status; 328 329 if (gnutls_x509_crt_list_verify(&cert, 1, 330 cacerts, ncacerts, 331 NULL, 0, 332 0, &status) < 0) { 333 error_setg(errp, isServer ? 334 "Unable to verify server certificate %s against " 335 "CA certificate %s" : 336 "Unable to verify client certificate %s against " 337 "CA certificate %s", 338 certFile, cacertFile); 339 return -1; 340 } 341 342 if (status != 0) { 343 const char *reason = "Invalid certificate"; 344 345 if (status & GNUTLS_CERT_INVALID) { 346 reason = "The certificate is not trusted"; 347 } 348 349 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 350 reason = "The certificate hasn't got a known issuer"; 351 } 352 353 if (status & GNUTLS_CERT_REVOKED) { 354 reason = "The certificate has been revoked"; 355 } 356 357 #ifndef GNUTLS_1_0_COMPAT 358 if (status & GNUTLS_CERT_INSECURE_ALGORITHM) { 359 reason = "The certificate uses an insecure algorithm"; 360 } 361 #endif 362 363 error_setg(errp, 364 "Our own certificate %s failed validation against %s: %s", 365 certFile, cacertFile, reason); 366 return -1; 367 } 368 369 return 0; 370 } 371 372 373 static gnutls_x509_crt_t 374 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds, 375 const char *certFile, 376 bool isServer, 377 Error **errp) 378 { 379 gnutls_datum_t data; 380 gnutls_x509_crt_t cert = NULL; 381 g_autofree char *buf = NULL; 382 gsize buflen; 383 GError *gerr = NULL; 384 int ret = -1; 385 int err; 386 387 trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile); 388 389 err = gnutls_x509_crt_init(&cert); 390 if (err < 0) { 391 error_setg(errp, "Unable to initialize certificate: %s", 392 gnutls_strerror(err)); 393 goto cleanup; 394 } 395 396 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) { 397 error_setg(errp, "Cannot load CA cert list %s: %s", 398 certFile, gerr->message); 399 g_error_free(gerr); 400 goto cleanup; 401 } 402 403 data.data = (unsigned char *)buf; 404 data.size = strlen(buf); 405 406 err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM); 407 if (err < 0) { 408 error_setg(errp, isServer ? 409 "Unable to import server certificate %s: %s" : 410 "Unable to import client certificate %s: %s", 411 certFile, 412 gnutls_strerror(err)); 413 goto cleanup; 414 } 415 416 ret = 0; 417 418 cleanup: 419 if (ret != 0) { 420 gnutls_x509_crt_deinit(cert); 421 cert = NULL; 422 } 423 return cert; 424 } 425 426 427 static int 428 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds, 429 const char *certFile, 430 gnutls_x509_crt_t *certs, 431 unsigned int certMax, 432 size_t *ncerts, 433 Error **errp) 434 { 435 gnutls_datum_t data; 436 g_autofree char *buf = NULL; 437 gsize buflen; 438 GError *gerr = NULL; 439 440 *ncerts = 0; 441 trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile); 442 443 if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) { 444 error_setg(errp, "Cannot load CA cert list %s: %s", 445 certFile, gerr->message); 446 g_error_free(gerr); 447 return -1; 448 } 449 450 data.data = (unsigned char *)buf; 451 data.size = strlen(buf); 452 453 if (gnutls_x509_crt_list_import(certs, &certMax, &data, 454 GNUTLS_X509_FMT_PEM, 0) < 0) { 455 error_setg(errp, 456 "Unable to import CA certificate list %s", 457 certFile); 458 return -1; 459 } 460 *ncerts = certMax; 461 462 return 0; 463 } 464 465 466 #define MAX_CERTS 16 467 static int 468 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds, 469 bool isServer, 470 const char *cacertFile, 471 const char *certFile, 472 Error **errp) 473 { 474 gnutls_x509_crt_t cert = NULL; 475 gnutls_x509_crt_t cacerts[MAX_CERTS]; 476 size_t ncacerts = 0; 477 size_t i; 478 int ret = -1; 479 480 memset(cacerts, 0, sizeof(cacerts)); 481 if (certFile && 482 access(certFile, R_OK) == 0) { 483 cert = qcrypto_tls_creds_load_cert(creds, 484 certFile, isServer, 485 errp); 486 if (!cert) { 487 goto cleanup; 488 } 489 } 490 if (access(cacertFile, R_OK) == 0) { 491 if (qcrypto_tls_creds_load_ca_cert_list(creds, 492 cacertFile, cacerts, 493 MAX_CERTS, &ncacerts, 494 errp) < 0) { 495 goto cleanup; 496 } 497 } 498 499 if (cert && 500 qcrypto_tls_creds_check_cert(creds, 501 cert, certFile, isServer, 502 false, errp) < 0) { 503 goto cleanup; 504 } 505 506 for (i = 0; i < ncacerts; i++) { 507 if (qcrypto_tls_creds_check_cert(creds, 508 cacerts[i], cacertFile, 509 isServer, true, errp) < 0) { 510 goto cleanup; 511 } 512 } 513 514 if (cert && ncacerts && 515 qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts, 516 ncacerts, cacertFile, 517 isServer, errp) < 0) { 518 goto cleanup; 519 } 520 521 ret = 0; 522 523 cleanup: 524 if (cert) { 525 gnutls_x509_crt_deinit(cert); 526 } 527 for (i = 0; i < ncacerts; i++) { 528 gnutls_x509_crt_deinit(cacerts[i]); 529 } 530 return ret; 531 } 532 533 534 static int 535 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, 536 Error **errp) 537 { 538 char *cacert = NULL, *cacrl = NULL, *cert = NULL, 539 *key = NULL, *dhparams = NULL; 540 int ret; 541 int rv = -1; 542 543 trace_qcrypto_tls_creds_x509_load(creds, 544 creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>"); 545 546 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { 547 if (qcrypto_tls_creds_get_path(&creds->parent_obj, 548 QCRYPTO_TLS_CREDS_X509_CA_CERT, 549 true, &cacert, errp) < 0 || 550 qcrypto_tls_creds_get_path(&creds->parent_obj, 551 QCRYPTO_TLS_CREDS_X509_CA_CRL, 552 false, &cacrl, errp) < 0 || 553 qcrypto_tls_creds_get_path(&creds->parent_obj, 554 QCRYPTO_TLS_CREDS_X509_SERVER_CERT, 555 true, &cert, errp) < 0 || 556 qcrypto_tls_creds_get_path(&creds->parent_obj, 557 QCRYPTO_TLS_CREDS_X509_SERVER_KEY, 558 true, &key, errp) < 0 || 559 qcrypto_tls_creds_get_path(&creds->parent_obj, 560 QCRYPTO_TLS_CREDS_DH_PARAMS, 561 false, &dhparams, errp) < 0) { 562 goto cleanup; 563 } 564 } else { 565 if (qcrypto_tls_creds_get_path(&creds->parent_obj, 566 QCRYPTO_TLS_CREDS_X509_CA_CERT, 567 true, &cacert, errp) < 0 || 568 qcrypto_tls_creds_get_path(&creds->parent_obj, 569 QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, 570 false, &cert, errp) < 0 || 571 qcrypto_tls_creds_get_path(&creds->parent_obj, 572 QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, 573 false, &key, errp) < 0) { 574 goto cleanup; 575 } 576 } 577 578 if (creds->sanityCheck && 579 qcrypto_tls_creds_x509_sanity_check(creds, 580 creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, 581 cacert, cert, errp) < 0) { 582 goto cleanup; 583 } 584 585 ret = gnutls_certificate_allocate_credentials(&creds->data); 586 if (ret < 0) { 587 error_setg(errp, "Cannot allocate credentials: '%s'", 588 gnutls_strerror(ret)); 589 goto cleanup; 590 } 591 592 ret = gnutls_certificate_set_x509_trust_file(creds->data, 593 cacert, 594 GNUTLS_X509_FMT_PEM); 595 if (ret < 0) { 596 error_setg(errp, "Cannot load CA certificate '%s': %s", 597 cacert, gnutls_strerror(ret)); 598 goto cleanup; 599 } 600 601 if (cert != NULL && key != NULL) { 602 char *password = NULL; 603 if (creds->passwordid) { 604 password = qcrypto_secret_lookup_as_utf8(creds->passwordid, 605 errp); 606 if (!password) { 607 goto cleanup; 608 } 609 } 610 ret = gnutls_certificate_set_x509_key_file2(creds->data, 611 cert, key, 612 GNUTLS_X509_FMT_PEM, 613 password, 614 0); 615 g_free(password); 616 if (ret < 0) { 617 error_setg(errp, "Cannot load certificate '%s' & key '%s': %s", 618 cert, key, gnutls_strerror(ret)); 619 goto cleanup; 620 } 621 } 622 623 if (cacrl != NULL) { 624 ret = gnutls_certificate_set_x509_crl_file(creds->data, 625 cacrl, 626 GNUTLS_X509_FMT_PEM); 627 if (ret < 0) { 628 error_setg(errp, "Cannot load CRL '%s': %s", 629 cacrl, gnutls_strerror(ret)); 630 goto cleanup; 631 } 632 } 633 634 if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { 635 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams, 636 &creds->parent_obj.dh_params, 637 errp) < 0) { 638 goto cleanup; 639 } 640 gnutls_certificate_set_dh_params(creds->data, 641 creds->parent_obj.dh_params); 642 } 643 644 rv = 0; 645 cleanup: 646 g_free(cacert); 647 g_free(cacrl); 648 g_free(cert); 649 g_free(key); 650 g_free(dhparams); 651 return rv; 652 } 653 654 655 static void 656 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds) 657 { 658 if (creds->data) { 659 gnutls_certificate_free_credentials(creds->data); 660 creds->data = NULL; 661 } 662 if (creds->parent_obj.dh_params) { 663 gnutls_dh_params_deinit(creds->parent_obj.dh_params); 664 creds->parent_obj.dh_params = NULL; 665 } 666 } 667 668 669 #else /* ! CONFIG_GNUTLS */ 670 671 672 static void 673 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED, 674 Error **errp) 675 { 676 error_setg(errp, "TLS credentials support requires GNUTLS"); 677 } 678 679 680 static void 681 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED) 682 { 683 /* nada */ 684 } 685 686 687 #endif /* ! CONFIG_GNUTLS */ 688 689 690 static void 691 qcrypto_tls_creds_x509_prop_set_loaded(Object *obj, 692 bool value, 693 Error **errp) 694 { 695 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 696 697 qcrypto_tls_creds_x509_unload(creds); 698 if (value) { 699 qcrypto_tls_creds_x509_load(creds, errp); 700 } 701 } 702 703 704 #ifdef CONFIG_GNUTLS 705 706 707 static bool 708 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj, 709 Error **errp G_GNUC_UNUSED) 710 { 711 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 712 713 return creds->data != NULL; 714 } 715 716 717 #else /* ! CONFIG_GNUTLS */ 718 719 720 static bool 721 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED, 722 Error **errp G_GNUC_UNUSED) 723 { 724 return false; 725 } 726 727 728 #endif /* ! CONFIG_GNUTLS */ 729 730 731 static void 732 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj, 733 bool value, 734 Error **errp G_GNUC_UNUSED) 735 { 736 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 737 738 creds->sanityCheck = value; 739 } 740 741 742 static void 743 qcrypto_tls_creds_x509_prop_set_passwordid(Object *obj, 744 const char *value, 745 Error **errp G_GNUC_UNUSED) 746 { 747 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 748 749 creds->passwordid = g_strdup(value); 750 } 751 752 753 static char * 754 qcrypto_tls_creds_x509_prop_get_passwordid(Object *obj, 755 Error **errp G_GNUC_UNUSED) 756 { 757 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 758 759 return g_strdup(creds->passwordid); 760 } 761 762 763 static bool 764 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj, 765 Error **errp G_GNUC_UNUSED) 766 { 767 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 768 769 return creds->sanityCheck; 770 } 771 772 773 #ifdef CONFIG_GNUTLS 774 775 776 static bool 777 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp) 778 { 779 QCryptoTLSCredsX509 *x509_creds = QCRYPTO_TLS_CREDS_X509(creds); 780 Error *local_err = NULL; 781 gnutls_certificate_credentials_t creds_data = x509_creds->data; 782 gnutls_dh_params_t creds_dh_params = x509_creds->parent_obj.dh_params; 783 784 x509_creds->data = NULL; 785 x509_creds->parent_obj.dh_params = NULL; 786 qcrypto_tls_creds_x509_load(x509_creds, &local_err); 787 if (local_err) { 788 qcrypto_tls_creds_x509_unload(x509_creds); 789 x509_creds->data = creds_data; 790 x509_creds->parent_obj.dh_params = creds_dh_params; 791 error_propagate(errp, local_err); 792 return false; 793 } 794 795 if (creds_data) { 796 gnutls_certificate_free_credentials(creds_data); 797 } 798 if (creds_dh_params) { 799 gnutls_dh_params_deinit(creds_dh_params); 800 } 801 return true; 802 } 803 804 805 #else /* ! CONFIG_GNUTLS */ 806 807 808 static bool 809 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp) 810 { 811 return false; 812 } 813 814 815 #endif /* ! CONFIG_GNUTLS */ 816 817 818 static void 819 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp) 820 { 821 object_property_set_bool(OBJECT(uc), "loaded", true, errp); 822 } 823 824 825 static void 826 qcrypto_tls_creds_x509_init(Object *obj) 827 { 828 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 829 830 creds->sanityCheck = true; 831 } 832 833 834 static void 835 qcrypto_tls_creds_x509_finalize(Object *obj) 836 { 837 QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); 838 839 g_free(creds->passwordid); 840 qcrypto_tls_creds_x509_unload(creds); 841 } 842 843 844 static void 845 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data) 846 { 847 UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); 848 QCryptoTLSCredsClass *ctcc = QCRYPTO_TLS_CREDS_CLASS(oc); 849 850 ctcc->reload = qcrypto_tls_creds_x509_reload; 851 852 ucc->complete = qcrypto_tls_creds_x509_complete; 853 854 object_class_property_add_bool(oc, "loaded", 855 qcrypto_tls_creds_x509_prop_get_loaded, 856 qcrypto_tls_creds_x509_prop_set_loaded); 857 object_class_property_add_bool(oc, "sanity-check", 858 qcrypto_tls_creds_x509_prop_get_sanity, 859 qcrypto_tls_creds_x509_prop_set_sanity); 860 object_class_property_add_str(oc, "passwordid", 861 qcrypto_tls_creds_x509_prop_get_passwordid, 862 qcrypto_tls_creds_x509_prop_set_passwordid); 863 } 864 865 866 static const TypeInfo qcrypto_tls_creds_x509_info = { 867 .parent = TYPE_QCRYPTO_TLS_CREDS, 868 .name = TYPE_QCRYPTO_TLS_CREDS_X509, 869 .instance_size = sizeof(QCryptoTLSCredsX509), 870 .instance_init = qcrypto_tls_creds_x509_init, 871 .instance_finalize = qcrypto_tls_creds_x509_finalize, 872 .class_size = sizeof(QCryptoTLSCredsX509Class), 873 .class_init = qcrypto_tls_creds_x509_class_init, 874 .interfaces = (InterfaceInfo[]) { 875 { TYPE_USER_CREATABLE }, 876 { } 877 } 878 }; 879 880 881 static void 882 qcrypto_tls_creds_x509_register_types(void) 883 { 884 type_register_static(&qcrypto_tls_creds_x509_info); 885 } 886 887 888 type_init(qcrypto_tls_creds_x509_register_types); 889